HowtoForge Forums > Linux Forums > Server Operation

  #1  
Old 23rd March 2012, 11:19
Ovidiu
need some help configuring fwlogwatch

the project is located here: http://fwlogwatch.inside-security.de/

I installed the Debian version via apt-get. The firewall logs are written by apf-firewall.

After checking out every option in its config file, this is a sample report I am getting, but I really only want a summary and I can't seem to get it right. I.e., look at the first entries: they look identical. I'd love to get those summarized.

I can post my config file here if needed.

Code:
fwlogwatch summary

Generated Friday March 23 10:13:28 CET 2012 by root. 
1775 (and 137 older than 86400 seconds) of 39649 entries in 2 input files are packet logs, 1775 have unique characteristics. 
First packet log entry: Mar 22 10:18:14, last: Jan 01 01:00:00. 

All entries were logged by the same host: "h1870666". 
All entries have the same target: "-". 
Only the top 50 entries are shown.
#	chain	interface	proto	source	hostname	destination	hostname	port	service	opts
1	[81018.503995] ** SDROP **		tcp	85.214.229.212	h1870666.stratoserver.net	31.184.242.127	-	80	www	SYN
1	[81021.536094] ** SDROP **		tcp	85.214.229.212	h1870666.stratoserver.net	31.184.242.127	-	80	www	SYN
1	[81047.626337] ** SDROP **		tcp	85.214.229.212	h1870666.stratoserver.net	31.184.242.127	-	80	www	SYN
1	[81050.660093] ** SDROP **		tcp	85.214.229.212	h1870666.stratoserver.net	31.184.242.127	-	80	www	SYN
1	[81134.093213] ** SDROP **		tcp	85.214.229.212	h1870666.stratoserver.net	31.184.242.127	-	80	www	SYN
1	[81137.124093] ** SDROP **		tcp	85.214.229.212	h1870666.stratoserver.net	31.184.242.127	-	80	www	SYN
1	[81524.648020] ** IN_TCP DROP **	eth0	tcp	74.118.195.188	tibiaredbot.com.br	85.214.229.212	h1870666.stratoserver.net	8752	-	sa----
1	[81895.986463] ** IDENT **	eth0	tcp	196.41.124.211	cpanel.cybersmart.co.za	85.214.229.212	h1870666.stratoserver.net	113	auth	SYN
1	[82011.656911] ** SDROP **		tcp	85.214.229.212	h1870666.stratoserver.net	31.184.242.127	-	80	www	SYN
1	[82014.688094] ** SDROP **		tcp	85.214.229.212	h1870666.stratoserver.net	31.184.242.127	-	80	www	SYN
1	[82213.123923] ** SDROP **		tcp	85.214.229.212	h1870666.stratoserver.net	31.184.242.127	-	80	www	SYN
1	[82216.156096] ** SDROP **		tcp	85.214.229.212	h1870666.stratoserver.net	31.184.242.127	-	80	www	SYN
  #2  
Old 23rd March 2012, 11:30
Ovidiu

One step ahead right now: managed a little bit of summarization, but not quite there. Have a look. Why wouldn't the first two and the second two lines be combined?

Quote:
fwlogwatch summary

Generated Friday March 23 11:27:55 CET 2012 by root.
2286 (and 196 older than 86400 seconds) of 42358 entries in 2 input files are packet logs, 2272 have unique characteristics.
First packet log entry: Mar 22 11:31:00, last: Mar 23 09:06:46.

All entries were logged by the same host: "h1870666".
All entries have the same target: "-".
Only the top 50 entries are shown.
#	chain	interface	source	hostname	destination	hostname
3	[122722.930349] ** IN_TCP DROP **	eth0	221.192.199.49	-	85.214.229.212	h1870666.stratoserver.net
3	[136088.195078] ** IN_TCP DROP **	eth0	221.192.199.49	-	85.214.229.212	h1870666.stratoserver.net
3	[152954.629189] ** IN_TCP DROP **	eth0	58.218.199.227	-	85.214.229.212	h1870666.stratoserver.net
2	[90808.046695] ** IN_TCP DROP **	eth0	58.218.199.227	-	85.214.229.212	h1870666.stratoserver.net
2	[93661.021160] ** IN_TCP DROP **	eth0	221.192.199.49	-	85.214.229.212	h1870666.stratoserver.net
2	[100365.631003] ** IN_TCP DROP **	eth0	221.192.199.49	-	85.214.229.212	h1870666.stratoserver.net
2	[101198.482939] ** IN_TCP DROP **	eth0	58.218.199.227	-	85.214.229.212	h1870666.stratoserver.net
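Added example (editor's note, not part of either post and not fwlogwatch's own code), covering the reports in both posts above: in each table the "chain" column starts with a bracketed kernel printk timestamp (seconds since boot, e.g. [81018.503995] or [122722.930349]) that differs on every packet, so rows that are otherwise identical never share "unique characteristics" as printed. The script below parses tab-separated rows in the shape of the first post's table (the sample rows are constructed from the values shown there), strips that timestamp from the chain name, and aggregates by chain, protocol, source, destination and port. The column names, the regex and the grouping key are this example's own assumptions, not fwlogwatch settings.

```python
"""Aggregate fwlogwatch report rows once the kernel printk timestamp is
removed from the chain column.  Example code, not fwlogwatch's own."""
import re
from collections import Counter

# Column names for the first post's report table (assumed).  fwlogwatch
# prints "hostname" twice, so the two are renamed src_host / dst_host here.
COLUMNS = ("count", "chain", "iface", "proto", "src", "src_host",
           "dst", "dst_host", "port", "service", "opts")

# Constructed sample: tab-separated rows copied from the first post's report.
SAMPLE_ROWS = [
    "1\t[81018.503995] ** SDROP **\t\ttcp\t85.214.229.212\th1870666.stratoserver.net\t31.184.242.127\t-\t80\twww\tSYN",
    "1\t[81021.536094] ** SDROP **\t\ttcp\t85.214.229.212\th1870666.stratoserver.net\t31.184.242.127\t-\t80\twww\tSYN",
    "1\t[81524.648020] ** IN_TCP DROP **\teth0\ttcp\t74.118.195.188\ttibiaredbot.com.br\t85.214.229.212\th1870666.stratoserver.net\t8752\t-\tsa----",
    "1\t[81895.986463] ** IDENT **\teth0\ttcp\t196.41.124.211\tcpanel.cybersmart.co.za\t85.214.229.212\th1870666.stratoserver.net\t113\tauth\tSYN",
    "1\t[82011.656911] ** SDROP **\t\ttcp\t85.214.229.212\th1870666.stratoserver.net\t31.184.242.127\t-\t80\twww\tSYN",
]

# "[seconds.micros] " as prepended by the kernel (printk time stamping).
# It changes for every packet, so it must go before rows can be compared.
PRINTK_TS = re.compile(r"^\[\s*\d+\.\d+\]\s*")


def parse_row(line):
    """Split one tab-separated report row into a dict keyed by COLUMNS."""
    fields = line.split("\t")
    if len(fields) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} columns, got {len(fields)}: {line!r}")
    row = dict(zip(COLUMNS, fields))
    row["count"] = int(row["count"])
    return row


def normalize_chain(chain):
    """Drop the leading printk timestamp: '[81018.503995] ** SDROP **' -> '** SDROP **'."""
    return PRINTK_TS.sub("", chain).strip()


def summarize(lines, key_fields=("chain", "proto", "src", "dst", "port"),
              strip_timestamp=True):
    """Sum the count column over rows that share key_fields.

    Returns a list of (key_tuple, total) sorted by descending total.  With
    strip_timestamp=False every row keeps its own timestamped chain name,
    which reproduces the "nothing gets merged" result seen in the posts.
    """
    totals = Counter()
    for line in lines:
        row = parse_row(line)
        if strip_timestamp:
            row["chain"] = normalize_chain(row["chain"])
        totals[tuple(row[f] for f in key_fields)] += row["count"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def format_summary(summary, key_fields=("chain", "proto", "src", "dst", "port")):
    """Render a summary as a tab-separated table with a header row."""
    out = ["#\t" + "\t".join(key_fields)]
    for key, total in summary:
        out.append(str(total) + "\t" + "\t".join(key))
    return "\n".join(out)


if __name__ == "__main__":
    raw = summarize(SAMPLE_ROWS, strip_timestamp=False)
    print(f"with timestamps kept: {len(raw)} distinct rows from {len(SAMPLE_ROWS)} input rows")
    merged = summarize(SAMPLE_ROWS)
    print(f"with timestamps stripped: {len(merged)} distinct rows")
    print(format_summary(merged))
```

Run as-is it shows the five sample rows collapsing to three once the timestamp is gone, the three SDROP rows becoming one line with count 3. The same normalisation applied to the raw log before fwlogwatch reads it (for instance a sed pass over the file that removes the "[seconds.micros] " prefix) would let fwlogwatch's own summary merge the rows; alternatively the kernel can be told not to stamp printk lines, but that is a system-wide change rather than a log-parsing one.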
Tags
firewall, fwlogwatch, iptables