M Blocked Packets and a GB Log File: What I Learned from a Linux Server Under Attack


While investigating a storage alert on a production Rocky Linux 9 server, a massive accumulation of log data (20+ GB in /var/log/messages) was discovered. The cause was a misconfigured `iptables` rule that logged every dropped incoming packet without any rate limit, flooding the system log with entries nobody would ever read.

You Should Know:

1. Check Log File Sizes

Monitor log directories to prevent disk exhaustion:

du -sh /var/log/ 
df -h /var 

2. Clear Old Logs Safely

Use `logrotate` or manually truncate logs:

sudo truncate -s 0 /var/log/messages 
sudo journalctl --vacuum-size=100M 

3. Optimize `iptables` Logging

Avoid logging every dropped packet. Instead, rate-limit the LOG rule and place it immediately before the final DROP rule, so only the first packets of a flood are written (`--limit-burst`, default 5, sets the initial burst before the 5/min average applies):

-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4 

4. Block Malicious IPs

Identify the top offenders from the `SRC=` field of the LOG lines (the last whitespace-separated field of a kernel LOG line is a protocol-specific value such as `URGP=0`, not the source address) and block them:

grep "IPTables-Dropped" /var/log/messages | grep -o 'SRC=[0-9.]*' | cut -d= -f2 | sort | uniq -c | sort -nr | head -n 10 
sudo iptables -A INPUT -s <malicious_IP> -j DROP 
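
As an added example (not code from the original post), the same analysis done in Python over constructed log lines: it reads the `SRC=` field of each `IPTables-Dropped:` line rather than the last whitespace-separated field, breaks drops down by destination port, and reports the peak number of LOG lines per minute, the figure to compare against the `--limit` value in section 3. The log lines, hostname and addresses are constructed samples.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of /var/log/messages lines (rsyslog default format on
# Rocky Linux 9); addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Mar 10 12:00:01 web1 kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=4444 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 10 12:00:01 web1 kernel: IPTables-Dropped: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=40 PROTO=TCP SPT=4445 DPT=22 SYN URGP=0
Mar 10 12:00:02 web1 kernel: IPTables-Dropped: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 LEN=44 PROTO=UDP SPT=53 DPT=5060 LEN=24
Mar 10 12:00:02 web1 systemd[1]: Started Session 12 of user admin.
Mar 10 12:01:03 web1 kernel: IPTables-Dropped: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=40 PROTO=TCP SPT=4446 DPT=3389 SYN URGP=0
"""

PREFIX = "IPTables-Dropped:"           # must match the rule's --log-prefix
KV_RE = re.compile(r"([A-Z]+)=(\S*)")  # KEY=value tokens; bare flags like SYN are skipped


def parse_drop_lines(text):
    """Yield (timestamp, fields) for each line carrying the LOG prefix."""
    for line in text.splitlines():
        if PREFIX not in line:
            continue
        # Classic syslog timestamps carry no year; good enough for rate estimates.
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")
        payload = line.split(PREFIX, 1)[1]
        yield ts, dict(KV_RE.findall(payload))


def top_sources(text, n=10):
    """Drops per SRC address; awk's $NF would have returned URGP=0 instead."""
    counts = Counter(f["SRC"] for _, f in parse_drop_lines(text) if "SRC" in f)
    return counts.most_common(n)


def top_ports(text, n=10):
    """Drops per (PROTO, DPT), to see which service is drawing the scans."""
    counts = Counter((f.get("PROTO"), f.get("DPT"))
                     for _, f in parse_drop_lines(text) if "DPT" in f)
    return counts.most_common(n)


def peak_rate_per_minute(text):
    """Highest LOG-line count in any single minute; compare with --limit 5/min."""
    per_minute = Counter(ts.replace(second=0) for ts, _ in parse_drop_lines(text))
    return max(per_minute.values(), default=0)


if __name__ == "__main__":
    print("top sources:", top_sources(SAMPLE_LOG))
    print("top ports:", top_ports(SAMPLE_LOG))
    print("peak LOG lines/minute:", peak_rate_per_minute(SAMPLE_LOG))
```

Run it against a real file with `top_sources(open("/var/log/messages").read())`; on a 20 GB file, stream the lines instead of reading the whole file into memory.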

5. Enable `fail2ban` for Automated Protection

Install and configure `fail2ban` (on Rocky Linux 9 it comes from the EPEL repository, which must be enabled first) to block brute-force attempts:

sudo dnf install fail2ban 
sudo systemctl enable --now fail2ban 

Edit `/etc/fail2ban/jail.local` to customize bans.

6. Limit Systemd Journal Size

Prevent uncontrolled log growth:

sudo nano /etc/systemd/journald.conf 

Set:

SystemMaxUse=100M 
RuntimeMaxUse=50M 

Then restart:

sudo systemctl restart systemd-journald 

7. Switch to `nftables` (Modern Alternative to iptables)

Migrate for better performance. On Rocky Linux 9 the `iptables` command is already the `iptables-nft` compatibility layer, so moving to native `nft` rules mainly removes the translation step. Note that `iptables-translate` only prints the `nft` equivalent of a rule; it does not apply it, and `iptables-save | iptables-restore-translate -f /dev/stdin` converts a whole ruleset:

sudo dnf install nftables 
sudo systemctl enable --now nftables 
iptables-translate -A INPUT -p tcp --dport 22 -j ACCEPT 

8. Monitor Logs in Real-Time

Use `tail` or `journalctl` for live tracking:

sudo tail -f /var/log/messages 
sudo journalctl -f 

9. Automate Log Rotation

Configure log rotation for the file. On Rocky Linux the rsyslog package already ships a stanza for `/var/log/messages` in `/etc/logrotate.d/rsyslog`; adjust that one rather than adding a second copy in `/etc/logrotate.conf`, because logrotate rejects duplicate entries. The stanza also needs a `postrotate` step so rsyslog reopens the new file instead of continuing to write into the rotated one:

/var/log/messages { 
    daily 
    rotate 7 
    compress 
    missingok 
    notifempty 
    postrotate 
        /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true 
    endscript 
} 

10. Audit Firewall Rules Regularly

List and review `iptables`/`nftables` rules:

sudo iptables -L -n -v 
sudo nft list ruleset 

What Undercode Says

Logging is essential but must be controlled. Misconfigured firewall rules can lead to disk exhaustion, performance degradation, and even service outages. Always:
– Rate-limit logs to prevent flooding.
– Automate IP blocking with fail2ban.
– Monitor `/var/log` for abnormal growth.
– Use modern tools like `nftables` for efficiency.
– Set log size limits in journald.conf.

Security requires balance—excessive logging can be as harmful as insufficient logging.

Expected Output:

A well-hardened Linux server with optimized logging, automated threat response, and minimal disk I/O overhead.

Reported By: Ranas Mukminov – Hackers Feeds