Understanding Firewall Logging, Blocking, and Alert Options


You have already seen how you can check the kernel messages for log entries using the tail -f /var/log/messages command. However, more elegant ways to capture and view firewall logs exist. Third-party logging applications such as Firewall Log Daemon (firelogd) and fwlogwatch are available to help you sort and act on the information gathered by the firewall.

Firewall Log Daemon

firelogd (Firewall Log Daemon) is a relatively simple program that can either be run as an application or (you might have guessed) as a daemon. It does two things:

  • It reads the kernel log entries and passes them into a "first in, first out" (FIFO) pipe, which firelogd can then process.

  • Once its buffer is full, it e-mails a report of suspicious traffic to an account of your choosing. You can have it mailed to a local account, or to a remote system of your choice.

The application supports both Ipchains and Iptables. Older versions required you to edit the dmn.h file, and then use the make command to compile the application. Now, however, firelogd supports command-line arguments. You have various options, which are listed in the following sections.

Obtaining firelogd

You can download the most recent version of firelogd from http://rouxdoo.freeshell.org/dmn. The RPM file is best for Red Hat systems. As of this writing, the tarball format does not have any special features.

Syntax and Configuration Options

The syntax for using firelogd is as follows:

/usr/sbin/firelogd [-dmskh] [-b buffersize] [-e email] [-l log] [-t template] [-]

If you install firelogd using the available RPM, you can also start firelogd by using its startup script (/etc/rc.d/init.d/firelogd). You will have to edit this script to customize it if you want to change or add any of the options.

Commonly Used Options

Following is a list of the most often-used options.

  • Daemon mode If used without any options at all, firelogd runs as a simple application. The -d option has firelogd "fork off" and run as a daemon.

  • E-mail destination The person who receives the e-mail messages. You can specify this either by using the -e option, or by editing the /etc/rc.d/init.d/firelogd script that comes with the RPM.

  • Log file The location of the log file that firelogd reads from. On Red Hat Linux, for example, this is usually /var/log/messages. You can specify a log file by either using the -l option, or by modifying the /etc/rc.d/init.d/firelogd script.

  • Buffer size Tells firelogd to wait for a given number of entries before mailing them. The default is 10, which means a single e-mail will contain 10 entries. A value of 100 may be a more reasonable number. Using the default, you will receive dozens of e-mails in the case of a simple Nmap scanning attack. Experiment with these settings. If 100 gives you too little information about the nature of traffic at your firewall, then decrease the setting.

  • Template firelogd allows you to customize the alert messages. You can have firelogd send you a great deal of information, or you can configure it to be as sparse as possible. The /etc/firelogd.conf file contains the default template.

You can learn more about the additional options by consulting the firelogd man page.

Message Format

The e-mail message you receive will include multiple packet hits giving you the following information:

  1. The date and time of the rejected or logged packet.

  2. The name of the chain responsible for dropping or logging the packet.

  3. The input interface.

  4. The packet's TTL.

  5. The IP of the firewall host and the number of the port to which the packet was sent (the destination port).

  6. The origin of the IP address. Remember, it is possible to spoof IP addresses.

Here is an example of a default firelogd log entry:

01:28:37/May-5 ****S* TCP *D* REJECT/input-9 eth0 ***|***** ttl:64 badguy.hackerz.com -> hems(151) 128.37.08.43:4218 -> firewall.goodguys.com:151

Here is output from a more detailed example:

prompt# /usr/sbin/firelogd
LOG ENTRY:
April  5 09:53:37 firewall kernel: Packet log: input REJECT eth0 PROTO=6 45.128.2.3:2748 128.1.2.3.4:3049 L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#9)

CONTEXT INFORMATION:
  Time:  April 5 09:53:37
  Msg:   REJECT/input-9
  In:    eth0
  Out:
  Mac:

IP DATAGRAM INFORMATION:
  Source:  45.128.2.3 badguy.badguy.com
  Dest.:   128.1.2.3.4 firewall.goodguys.com
  IPlen:   60
  TOS:     TOS-0x00, PREC-0x00 -> ***|*****
  TTL:     64
  FRAG:    0x4000 -> *D*

ICMP SPECIFIC DATA:
  Type:
  Code:
  Info:
  Triggering Packet:

TCP SPECIFIC DATA:
  Window:
  Reserved Bits:
  Flags:   SYN -> ****S*

UDP SPECIFIC DATA:
  UDP Datagram length:

TCP/UDP SERVICE PORTS:
  Source Port: 2748(fjippol-polsvr) -> 3049(nsws)

In the preceding output, the attacking host's IP address is 45.128.2.3, and the firewall's IP address is 128.1.2.3.4. In this particular example, ICMP logging is not activated on the kernel. However, you can gather information about the nature of the attack by viewing the logs. This is an example of a simple, full TCP scan.

Customizing Messages

You can customize firelogd messages by editing the /etc/firelogd.conf file and changing the values to suit your own situation. The default file comes with several suggested templates, which are commented out by using the following two words:

startcomment
endcomment

firelogd will not read anything within these lines. The default file contains three template entries. The first, discussed previously, is moderately verbose. The second is described as a "one-liner," and gives information about the time of the scan, as well as the source and destination IP addresses and ports. The final option is quite verbose, informing you about the details of the connection. You can, of course, create your own entry using the syntax described in the /etc/firelogd.conf file. For example, the following sample template records the source IP address and the destination port, as well as the interface where the traffic occurred. The text "From the firewall at the company" acts as a header for the information.

tab From the firewall at the company. nl tab srcip sp r_dstpt sp in sp 

The tab, sp, and nl entries create tabs, single spaces, and new lines, respectively. The srcip field has firelogd inform you of the source IP address of the packet. The r_dstpt field provides the destination port for the packet. Finally, the in field has firelogd report the interface. You can, of course, specify your own text and other options. The /etc/firelogd.conf file shows you all of the options. Figure 6.2 shows an example of the configuration file.
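The log-entry parsing and the one-liner template described above, as an added example in Python (not firelogd's own code): it reads Ipchains "Packet log:" kernel lines like the one in the detailed output, builds the six-position TCP flag field and decodes the fragment word, and renders the chapter's template tokens (tab, sp, nl, srcip, r_dstpt, in). The sample log lines, the small service table, and the rule that consecutive literal words are joined with one space are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Regex for the Ipchains log format shown in the chapter:
#   <Mon> <d> <hh:mm:ss> <host> kernel: Packet log: <chain> <action> <iface>
#   PROTO=<n> <src>:<sport> <dst>:<dport> L=<len> S=0x<tos> I=<id> F=0x<frag> T=<ttl> [SYN] (#<rule>)
PACKET_LOG_RE = re.compile(
    r"^(?P<stamp>\w+\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:\s+"
    r"Packet log:\s+(?P<chain>\S+)\s+(?P<action>\S+)\s+(?P<iface>\S+)\s+"
    r"PROTO=(?P<proto>\d+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\s+L=(?P<length>\d+)\s+S=0x(?P<tos>[0-9a-fA-F]+)\s+I=(?P<ipid>\d+)"
    r"\s+F=0x(?P<frag>[0-9a-fA-F]+)\s+T=(?P<ttl>\d+)(?P<flags>(?:\s+[A-Z]+)*)\s+\(#(?P<rule>\d+)\)\s*$"
)
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
# Constructed service table so the example runs offline (firelogd itself consults /etc/services).
SERVICES = {22: "ssh", 25: "smtp", 53: "domain", 80: "http", 111: "sunrpc", 443: "https"}


@dataclass
class PacketLogEntry:
    stamp: str
    host: str
    chain: str
    action: str
    iface: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    length: int
    ttl: int
    frag: int
    flags: tuple
    rule: int

    @property
    def proto_name(self) -> str:
        return PROTO_NAMES.get(self.proto, str(self.proto))

    def flag_string(self) -> str:
        """Six-position TCP flag field in the order URG ACK PSH RST SYN FIN, e.g. '****S*'."""
        letters = {"URG": "U", "ACK": "A", "PSH": "P", "RST": "R", "SYN": "S", "FIN": "F"}
        present = {letters[f] for f in self.flags if f in letters}
        return "".join(c if c in present else "*" for c in "UAPRSF")

    def frag_string(self) -> str:
        """Decode the IP fragment word: 0x4000 = Don't Fragment, 0x2000 = More Fragments, low 13 bits = offset."""
        parts = []
        if self.frag & 0x4000:
            parts.append("DF")
        if self.frag & 0x2000:
            parts.append("MF")
        if self.frag & 0x1FFF:
            parts.append(f"offset={self.frag & 0x1FFF}")
        return ",".join(parts) or "none"


def parse_packet_log(line: str):
    """Return a PacketLogEntry for an Ipchains packet-log line, or None for any other kernel message."""
    m = PACKET_LOG_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return PacketLogEntry(
        stamp=g["stamp"], host=g["host"], chain=g["chain"], action=g["action"], iface=g["iface"],
        proto=int(g["proto"]), src=g["src"], sport=int(g["sport"]), dst=g["dst"], dport=int(g["dport"]),
        length=int(g["length"]), ttl=int(g["ttl"]), frag=int(g["frag"], 16),
        flags=tuple(g["flags"].split()), rule=int(g["rule"]),
    )


def render_template(template: str, e: PacketLogEntry) -> str:
    """Render a firelogd-style template: field tokens are substituted, whitespace tokens emit
    whitespace, any other word is literal text (assumed: consecutive literal words get one space)."""
    def r_port(port: int) -> str:   # r_dstpt: port with its service name, as in 'hems(151)'
        return f"{SERVICES[port]}({port})" if port in SERVICES else str(port)

    fields = {"tab": "\t", "sp": " ", "nl": "\n",
              "srcip": e.src, "r_dstpt": r_port(e.dport), "in": e.iface}
    out, prev_literal = [], False
    for tok in template.split():
        if tok in fields:
            out.append(fields[tok])
            prev_literal = False
        else:
            if prev_literal:
                out.append(" ")
            out.append(tok)
            prev_literal = True
    return "".join(out)


# Constructed sample lines (RFC 5737 addresses); the sshd line shows non-firewall messages being skipped.
SAMPLE_LINES = [
    "April  5 09:53:37 firewall kernel: Packet log: input REJECT eth0 PROTO=6 198.51.100.7:2748 192.0.2.10:3049 L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#9)",
    "April  5 09:53:38 firewall sshd[412]: Accepted publickey for admin from 192.0.2.5",
    "April  5 09:53:39 firewall kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.7:4218 192.0.2.10:53 L=48 S=0x00 I=31337 F=0x0000 T=57 (#12)",
]
ONE_LINER = "tab From the firewall at the company. nl tab srcip sp r_dstpt sp in sp"


def report(lines, template=ONE_LINER):
    """Render every packet-log line with the template, skipping lines that are not packet logs."""
    return [render_template(template, e) for e in map(parse_packet_log, lines) if e]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LINES)))
```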

Figure 6.2: The /etc/firelogd.conf File

Note

firelogd simply parses the log files generated by either Ipchains or Iptables. It does not generate the log files themselves. Therefore, you must have logging enabled through Iptables or Ipchains in order for firelogd to operate properly.

Reading Log Files Generated by Other Firewalls

You can read log files generated by other systems, as well. For example, if you downloaded the /var/log/messages file from a remote system, you can read it with the following command:

cat messages | firelogd -

The hyphen tells the application to read the log data directly from standard input.

Configuring and Compiling firelogd

  1. Obtain firelogd from http://rouxdoo.freeshell.org/dmn/. The RPM file is best for Red Hat systems. The tarball does not provide any special configuration options.

  2. Install the RPM. Once you install the RPM, firelogd will automatically begin running. Stop firelogd by issuing the following command:

    /etc/rc.d/init.d/firelogd stop
  3. Issue the following command:

    /usr/sbin/firelogd
  4. Use a port scanner such as Gnome Service Scan or Nmap to scan your firewall. Remember that the firewall must have logging enabled at the interface you are scanning.

  5. You should see output on your screen. You will not receive any e-mail message, because you have not supplied any arguments.

  6. Stop firelogd by pressing CTRL + C.

  7. Now, prepare firelogd to run as a daemon. Make a copy of the /etc/rc.d/init.d/firelogd initialization script file and name it firelogd.bak. Edit the original so that the entries are as follows:

    QSIZE=30
    # Who is the administrator
    MAIL=your_address@yourcompany.com
    # Where is the output template

    You may have to adjust the QSIZE settings to fit your own situation.

  8. Make a copy of the /etc/firelogd.conf in case anything goes wrong, and then edit the original file so that verbose logging is enabled. To do this, first comment out the default log entries, which are immediately below the text that reads "I like the look of the one below." Use the startcomment and endcomment keywords. Then, uncomment the entry that begins with the text that reads "This one is very verbose," and save the file.

  9. Start firelogd:

    /etc/rc.d/init.d/firelogd start
  10. Use Gnome ServiceScan or Nmap to conduct an attack that scans multiple ports of your firewall.

  11. View the message using your e-mail client.

  12. Re-edit the /etc/firelogd.conf file, comment out the verbose entries, and uncomment the entries that are beneath the text that reads "This one is a one-liner." This entry will send terse messages. If you want, set the QSIZE value to 100, which means that each e-mail firelogd sends will have 100 entries in it. It also means that firelogd will not send you alerts as often; the larger the buffer value, the longer it will take to receive a message. Consequently, firelogd will be less responsive to attacks, and will not inform you as often. However, one longer message is likely easier to read than several shorter messages.

fwlogwatch

fwlogwatch, written by Boris Wesslowski, is a logging and reporting mechanism that also allows you to automatically block all traffic that is identified as an attack. Used in conjunction with firelogd, it helps create a system that continuously keeps you informed concerning port scans and other network events that surpass the thresholds you set. fwlogwatch is available at the CERT-RUS Web site (http://cert.uni-stuttgart.de/projects/fwlogwatch) and Wesslowski's personal Web site (www.kyb.uni-stuttgart.de/boris/software.shtml). It is available in both tarball and RPM format, and there is no significant difference between the two. Although fwlogwatch is similar to firelogd, it is far more versatile. You can configure fwlogwatch to do the following:

  • Parse the firewall log file and generate user-friendly HTML reports, which you can read with any Web browser. fwlogwatch can read log files from any Ipchains or Iptables-enabled system, as well as Cisco firewalls and routers.

  • E-mail an alert to you when suspicious activity occurs (for example, when numerous connection attempts, usually port scans, surpass the threshold you set in /etc/fwlogwatch.config, the fwlogwatch configuration file). As with firelogd, this option will work only on packets that you decide to log.

  • Issue a Windows Messenger Service alert that creates a "pop up" message to a Windows NT or 2000 server of your choice.

  • Deliver summary-based e-mail messages informing management of the scans that have occurred.

  • Insert Ipchains or Iptables-based rules that block hosts from connecting to your firewall and/or internal network hosts.

  • Execute custom-created commands. You can have fwlogwatch run any script that you want to create.

fwlogwatch Modes

fwlogwatch operates in one of three modes. Table 6.3 describes each.

Table 6.3: fwlogwatch Modes

Realtime: fwlogwatch operates as a daemon and reads the kernel messages file (usually /var/log/messages), waiting for Ipchains/Iptables-generated log entries to appear. When the logged packets surpass the threshold, fwlogwatch generates an alert. This mode is generally not for generating reports. Several Common Gateway Interface (CGI) scripts are available to help you generate HTML reports.

Interactive: Allows you to have fwlogwatch read the /var/log/messages file and issue e-mail messages to various destinations. To use this mode, you must uncomment various lines, such as at least one e-mail account, in fwlogwatch.config (or whatever name you are using). The e-mail messages are formatted according to the information found in the /etc/fwlogwatch.template file. When you start fwlogwatch in interactive mode, it will parse the /var/log/messages file and then ask you if you want to send an e-mail message to your recipient.

Log Time: Has fwlogwatch inform you of the total number of entries in the /var/log/messages file. It also includes the first and last entries the kernel makes.

You can also manually generate HTML reports. You can generate the help menu, which shows all your command line options, by entering fwlogwatch -h.

You can also consult the fwlogwatch man page for additional details. This chapter will focus on generating reports and configuring fwlogwatch to send real-time alerts.

fwlogwatch Options and Generating Reports

Table 6.4 is a list of the more relevant options, if you choose not to use the /etc/fwlogwatch.config file.

Table 6.4: fwlogwatch Options

-c <file>: Allows you to specify your own configuration file. The default is /etc/fwlogwatch.config. If you leave this filename at its default, you will not be able to manually use fwlogwatch or use CGI scripts to generate automatic reports.

-f <file>: Allows you to read a different kernel log file, rather than the default of /var/log/messages.

-L: Has fwlogwatch give the time of the first and last log entry.

-l <time>: Restricts processing to events within a certain time span. The argument is a number followed by a unit: seconds (s), hours (h), minutes (m), days (d), weeks (w), months (m), or years (y). The default is to not have any limit at all, which can result in huge HTML log entries. If, for example, you wanted to generate a log file for only the last two days, you would specify -l 2d at the command line.

-n: Resolves host names in the log file. This can slow performance considerably.

-v: Places fwlogwatch into verbose mode. Use it twice to obtain more information.

-m <value>: Has fwlogwatch ignore all identical packets that number less than the value. The result is that you will receive entries that have a higher uniqueness value. As far as alerting is concerned, you will probably want to ignore the receipt of multiple packets if they are of only one type. For example, if you want to ignore all identical packets unless the firewall receives 15 of them, you would specify -m 15 on the command line.

-s, -d: Informs you concerning the source and destination ports.

-t: If more than one of the same type of packet is logged, then show the start and end times that they entered the system.

-z: Shows the amount of time between the start of a perceived attack and its end, that is, the total time that elapses across a series of entries. The series is determined by the threshold.

-y: List all elements of the TCP session.

-p: Informs you concerning all logged protocols (TCP, ICMP, and so forth).

-o <file>: Allows you to specify the location of an output file.

-w: Tells fwlogwatch that the output file should be in HTML.

Generating Reports

As of this writing, if the /etc/fwlogwatch.config file is present, the fwlogwatch binary automatically ignores any options you specify at the command line. This poses a problem, because if you want to manually generate a report, you need to specify command-line options.

Note

You will need to rename the /etc/fwlogwatch.config file to some other name if you want to use fwlogwatch to generate HTML reports via CGI or cron.

To solve this problem, rename /etc/fwlogwatch.config to /etc/fwlogwatch.config.alert. This way, you can still use this file to generate alerts, as discussed later, and still generate manual reports when necessary. Although many different combinations are available to you, the following command is quite useful:

prompt$ ./fwlogwatch -v -v -s -d -t -z -y -n -p -w -l 2d -o firewall.html -f /var/log/messages
Resolving firewall-linux.goodguys.com
Resolving 10.100.100.1.1 from cache
Resolving 192.168.2.2 from cache
Resolving sl-gw8-sj-0-3.sprintlink.net
Resolving 217.0.54.100
Resolving pD9003664.dip.t-dialin.net
Resolving 192.168.2.2 from cache
Resolving 194.91.224.19
Resolving 10.46.247.251
Resolving pD9003664.dip.t-dialin.net
Resolving adsl-63-206-155-186.dsl.lsan03.pacbell.net
Resolving cpe-24-221-58-193.az.sprintbbd.net
Resolving www.cnn.com
Resolving www.abcnews.com from cache
prompt$

The preceding command has fwlogwatch read the /var/log/messages file (specified with -f) and generate a report named firewall.html. The "Resolving . . ." lines indicate that fwlogwatch has found log entries and is finding the IP address or DNS name for the hosts. Notice that the preceding command reads the firewall entries for the last two days (-l 2d), and that it uses the -w option to generate an HTML file instead of a plain text file. Figure 6.3 shows an example of the HTML file, which can be viewed with any Web browser.

Figure 6.3: Viewing an fwlogwatch HTML File

Using fwlogwatch manually is especially useful if you plan to view log file entries from a remote host, such as another Linux system or a Cisco router. You can obtain the log file, copy it to your home directory, and then issue the preceding command, specifying the log file you want to read.

As long as you have renamed the /etc/fwlogwatch.config file, you can use cron to have fwlogwatch automatically create HTML reports and place them in your Apache Server home directory (or any other properly aliased directory).

Generating an HTML-Based Firewall Log with fwlogwatch

  1. Make sure that your system is using either Ipchains or Iptables to log packets.

  2. Create a user and a group named bw. This user and group are necessary to enable fwlogwatch to run additional processes as a nonroot user.

  3. Install the fwlogwatch RPM or tar ball.

  4. Rename the /etc/fwlogwatch.config file to /etc/fwlogwatch.config.alert.

  5. Issue the following command to create a simple HTML report:

    fwlogwatch -v -v -s -d -t -z -y -n -p -w -l 2d -o firewallreport.html -f /var/log/messages

  6. Open the firewallreport.html file in any browser. This report is, of course, portable, allowing anyone (even Windows users) to view it (see Figure 6.4).

    Figure 6.4: Viewing a Report in Microsoft Internet Explorer

Automating fwlogwatch

Perhaps the most intriguing feature of fwlogwatch is its ability to automatically configure Ipchains/Iptables and issue alerts. The best way to do this is to edit the three configuration files to suit your needs. The three files you will use are:

  • /etc/fwlogwatch.config (or whatever you rename it to) The primary configuration file. If you change this filename, then you must use the -c option to specify it when starting fwlogwatch.

  • /usr/sbin/fwlw_notify A script that allows you to configure all alerting options, including where e-mail and Samba/Windows "pop up" messages will be sent. Do not confuse these options with the interactive options, which are mutually exclusive. In other words, if you want to have fwlogwatch send you alerts, do not configure the interactive mode, which will ask you if you want to send each report that fwlogwatch generates.

  • /usr/sbin/fwlw_respond This script determines Ipchains and Iptables behavior. You do not have to edit this file.

The fwlogwatch Configuration File

You can customize all fwlogwatch features by editing the /etc/fwlogwatch.config file (or /etc/fwlogwatch.config.alert, if you have renamed it in order to use the manual option). Figure 6.5 shows the configuration file.

Figure 6.5: The fwlogwatch Configuration File

This file allows you to automatically invoke the options listed earlier in Table 6.4. For example, this file allows you to:

  • Set verbose logging options.

  • Create HTML files

  • Customize the alert threshold.

  • Specify a different input file from /var/log/messages.

  • Exclude hosts and ports.

  • Sort host, protocol, port, and IP entries in the HTML files, as well as configure the files to inform you concerning the time the packets were generated, and the duration of a perceived attack.

  • Determine how much of the kernel log file to read (for example, only two minutes, three days, and so forth).

  • Set realtime, interactive, and log time mode options.

  • Create a proprietary Web server (not recommended).

If you change any of these values, you will have to restart fwlogwatch so that it rereads this file.

Setting the Alert Threshold in fwlogwatch.config

It is likely that you will have to experiment with the ideal alert threshold for your firewall. The default value is 10, and you may find it necessary to increase this value significantly (say, to 100) so that you are not overwhelmed by the data you generate.

Understand, however, that if you receive too much data, you may also need to adjust the logging in Iptables/Ipchains.

Excluding Hosts

fwlogwatch will monitor all entries that pass through the kernel log file (usually /var/log/messages). fwlogwatch will block any host address, including the firewall's own, that violates the alert threshold value. One of the features found in fwlogwatch is the ability to exclude certain IP addresses and address ranges from alerts and Ipchains/Iptables rules. This is necessary, because anyone with a port scanner that can spoof IP addresses can conduct a port scan on your firewall using a source address that is important to your network. Such addresses might include the DNS and e-mail servers necessary to keep your business on a paying basis. It is possible to exclude these addresses from fwlogwatch by opening the configuration file and finding the following lines:

known_host =
known_host =

fwlogwatch allows you to get much more granular by using the additional entries shown here:

#exclude_src_host       =
#exclude_src_port       =
#exclude_dst_host       =
#exclude_dst_port       =
#include_src_host       =
#include_src_port       =
#include_dst_host       =
#include_dst_port       =

These entries allow you to exclude certain source and destination ports, as well as source and destination IP addresses.

Notification Options

To configure fwlogwatch to notify you about attacks, you must first edit the /etc/fwlogwatch.config file and uncomment the following values:

realtime_response
notify

Once these values are uncommented, and once you have restarted fwlogwatch, it will automatically call the /usr/sbin/fwlw_notify script (and, when respond is also enabled, /usr/sbin/fwlw_respond). These two scripts determine who will be informed, and what will be done, respectively. You will have to restart the fwlogwatch binary for these changes to take effect.

Thankfully, both the fwlw_notify and fwlw_respond files are even easier to understand than fwlogwatch.config. The /usr/sbin/fwlw_notify script, shown in Figure 6.6, allows you to determine who will receive notification messages, and allows you to determine how this notification will occur.

Figure 6.6: The /usr/sbin/fwlw_notify File

E-Mail Settings

All you have to do is uncomment the lines for any function you want to enable. Then, enter your own e-mail address in the EMAIL= field. The default setting is for fwlogwatch to send e-mail to root@localhost. If you are happy with this setting, you don't have to edit this line. The next entry to edit determines the actual contents of the e-mail message. By default, the message will contain the following information:

  • Number of packets (as indicated by the $1 value)

  • The source IP address (as indicated by the $2 value)

  • The destination IP address (as indicated by the $3 value)

You can, of course, edit any aspect of the e-mail configuration settings. If, for example, you want to change the subject heading, edit the quoted line after the -s field. Just make sure that you retain the quotation marks, as they allow you to enter multiple words into one subject line. Figure 6.7 shows an example of an e-mail alert.

Figure 6.7: Viewing E-Mail Alerts Generated by fwlogwatch

Note that Figure 6.7 actually shows two e-mail messages. The first e-mail message is a result of a log entry that blocks and logs all ICMP traffic. The second message has been generated at the same time. It is an alert informing the systems administrator that the loopback interface (127.0.0.1) has generated an attack. As a result, the loopback address will be added to the Iptables fwlw user-defined chain, and no traffic will be allowed to pass through it. In many cases, this is not a problem, although it is a false positive. This systems administrator needs to add a known_host entry so that the local host is excluded from blocking.

Windows Pop-Up Messages

fwlogwatch uses the smbclient application to send messages to remote Windows hosts. All you have to do is uncomment and edit the SMBHOST= line so that a message is sent to a real host, and then uncomment the next line so that a message is sent. For example, to send a pop-up message to a host named sandi, you would change the SMBHOST= entry and uncomment the following line:

SMBHOST=sandi
/bin/echo "fwlogwatch ALERT on $HOSTNAME: $1 packet(s) from $2" | /usr/bin/smbclient -M $SMBHOST

You can alter the second line at will. Read the script for additional values to enter. For example, if you want to be informed of the protocol, you could use the $4 value.

This file also supports the creation of custom log entries through the use of the logger command, as well as the creation of a custom log file. fwlogwatch also allows you to create your own alerting options. If, for example, your Linux system has a paging application installed, you can have your message sent directly to you. Figure 6.8 shows an example of a pop-up message received by a Windows 2000 Advanced Server system.


Figure 6.8: A Windows 2000 Advanced Server "Pop Up" Message

Response Options

To configure fwlogwatch to actually respond to attacks, edit the /etc/fwlogwatch.config file and uncomment the following values:

realtime_response
respond

Then, restart fwlogwatch. The /usr/sbin/fwlw_respond file is straightforward. As with /usr/sbin/fwlw_notify, you can edit this file to enter custom commands. You can, for example, have this script load additional scripts and applications that can reconfigure the local system, as well as remote systems (see Figure 6.9).

Figure 6.9: The fwlw_respond File

How Hosts Are Blocked

By default, fwlogwatch creates a user-defined Ipchains or Iptables entry for the specific table and/or chain receiving the traffic. You can, of course, edit the script to alter this behavior, although it works quite efficiently as written.
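The alert threshold, the known_host exclusions, the notify arguments ($1 packet count, $2 source, $3 destination) and the fwlw-chain blocking described in this and the preceding sections, as an added example in Python (not fwlogwatch's own code): it counts logged packets per source within the recent window, alerts once when a source crosses alert_threshold, reproduces the loopback false positive from Figure 6.7, and shows the known_host fix. The input records, addresses and timestamps are constructed; the blocking rule is produced as text only, never executed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class WatchConfig:
    alert_threshold: int = 10                   # fwlogwatch default (the chapter suggests raising it)
    recent: timedelta = timedelta(days=3)       # matches the chapter's 'recent = 3d'
    known_hosts: tuple = ()                     # known_host entries: IPs or CIDRs never alerted on or blocked
    exclude_dst_ports: frozenset = frozenset()  # exclude_dst_port entries


class RealtimeWatcher:
    """Models fwlogwatch realtime mode over already-parsed log records
    (dicts with time, src, dst, proto, dport)."""

    def __init__(self, cfg: WatchConfig, now: datetime):
        self.cfg, self.now = cfg, now
        self.counts = defaultdict(int)   # logged packets seen per source address
        self.alerts = []                 # ($1, $2, $3) tuples that would be handed to fwlw_notify
        self.block_cmds = []             # rule text that fwlw_respond would apply

    def is_excluded(self, src: str, dport: int) -> bool:
        if dport in self.cfg.exclude_dst_ports:
            return True
        addr = ip_address(src)
        return any(addr in ip_network(k, strict=False) for k in self.cfg.known_hosts)

    def feed(self, ev: dict) -> bool:
        """Process one record; return True if it crossed the threshold and triggered an alert."""
        if self.now - ev["time"] > self.cfg.recent:
            return False                 # older than the 'recent' window: ignored
        if self.is_excluded(ev["src"], ev["dport"]):
            return False                 # known_host / excluded port: never counted
        self.counts[ev["src"]] += 1
        n = self.counts[ev["src"]]
        if n != self.cfg.alert_threshold:
            return False                 # alert exactly once, when the threshold is reached
        self.alerts.append((n, ev["src"], ev["dst"]))
        # Block the source in the user-defined fwlw chain (text only; a real respond script runs it).
        self.block_cmds.append(f"iptables -A fwlw -s {ev['src']} -j DROP")
        return True


def run_watch(cfg: WatchConfig, events: list, now: datetime) -> RealtimeWatcher:
    w = RealtimeWatcher(cfg, now)
    for ev in events:
        w.feed(ev)
    return w


NOW = datetime(2002, 4, 5, 10, 0, 0)   # constructed reference time for the sample


def _burst(src: str, dst: str, ports, start: datetime) -> list:
    # Constructed sample: one logged packet per destination port, one second apart.
    return [{"time": start + timedelta(seconds=i), "src": src, "dst": dst, "proto": "TCP", "dport": p}
            for i, p in enumerate(ports)]


# Constructed sample (RFC 5737 addresses): a port scan from 203.0.113.9, repeated DNS queries
# from the site's DNS server 192.0.2.53, the firewall's own loopback traffic (the Figure 6.7
# false positive), and a stale burst that falls outside the 'recent' window.
SAMPLE_EVENTS = (
    _burst("203.0.113.9", "192.0.2.10", range(20, 40), NOW - timedelta(minutes=5))
    + _burst("192.0.2.53", "192.0.2.10", [53] * 12, NOW - timedelta(minutes=4))
    + _burst("127.0.0.1", "127.0.0.1", [25] * 12, NOW - timedelta(minutes=3))
    + _burst("198.51.100.4", "192.0.2.10", range(1, 30), NOW - timedelta(days=5))
)


def compare_configs():
    """Return the alerted sources before and after adding the loopback address to known_host."""
    naive = run_watch(WatchConfig(known_hosts=("192.0.2.53",)), SAMPLE_EVENTS, NOW)
    fixed = run_watch(WatchConfig(known_hosts=("192.0.2.53", "127.0.0.1")), SAMPLE_EVENTS, NOW)
    return sorted(a[1] for a in naive.alerts), sorted(a[1] for a in fixed.alerts)


if __name__ == "__main__":
    before, after = compare_configs()
    print("alerted without loopback in known_host:", before)
    print("alerted with loopback in known_host:   ", after)
```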

fwlogwatch and Root Privileges

Real-time response is protected. Only root can start fwlogwatch with Ipchains/Iptables blocking or e-mail and Samba-based alerts enabled. Once started, fwlogwatch will then run as the user bw. However, if you only require fwlogwatch to generate reports, you do not need to run it as root. You must still ensure that fwlogwatch can read the /var/log/messages file. You can do this by placing the user who will execute fwlogwatch in the same group as the log file.

Note

In regard to fwlogwatch, alerting and reporting are always two separate things. Do not be surprised that the e-mail message you receive is quite terse. You will learn how to automate reports using CGI scripts later in this chapter.

Note

In order to send pop-up messages, your system must have the samba-client package installed. If you are using RPM, the following command will tell you if you have the samba-client package installed:

rpm -qa | grep samba

Otherwise, search for the smbclient application. The Samba server is not necessary, and should not be activated at your firewall.

Configuring fwlogwatch to Send Automatic Alerts and Block Users

  1. Make sure that you have Iptables/Ipchains entries that your kernel can log. You must have logging activated on at least one rule: the -l flag for Ipchains, or a -j LOG target for Iptables.

  2. If you have not already, rename your /etc/fwlogwatch.config file to /etc/fwlogwatch.config.alert. The file named /etc/fwlogwatch.config should no longer exist.

    If you do not do this, you will not be able to issue command-line options, nor will you be able to issue alerts.

  3. Edit the /etc/fwlogwatch.config.alert file and adjust the following parameters:

    • Enable verbose logging by simply uncommenting both lines that read verbose.

    • Uncomment the resolve option.

    • Enable the times and duration options. The former gives the times of the connections, while the latter gives the entire duration of the session.

    • Uncomment the known_host lines, and enter the IP addresses of your DNS and e-mail servers, as well as others that you do not want to block.

    • Enable the html line so that the daemon generates HTML pages.

    • Uncomment the recent value and change it from three days (3d) to one day (1d).

    • Uncomment the at_least value and set it to 10; you may have to lower it later.

    • Enable and change the alert_threshold setting to 15.

    • Activate the notify and respond values by simply uncommenting them.

  4. Edit the /usr/sbin/fwlw_notify file and adjust the following parameters:

    • Activate the e-mail and Samba settings.

    • Enter an e-mail address that you can check.

    • In the Samba settings, alter the SMBHOST= line so that fwlogwatch sends a message to the correct system. Make sure that your Windows NT/2000 system is configured to receive messages.

  5. Review the /usr/sbin/fwlw_respond file, but do not make any changes unless you have a very good idea of what to do.

  6. Start fwlogwatch, making sure you tell it where the configuration file is:

    /usr/sbin/fwlogwatch -c /etc/fwlogwatch.config.alert
  7. Now, using Nmap or Gnome ServiceScan, conduct a scan of your firewall so that your activity matches some of the Ipchains/Iptables rules you have created.

  8. You will receive e-mail and Samba "pop up" messages informing you that activity has surpassed established thresholds.

Using fwlogwatch with CGI Scripts

fwlogwatch ships with two CGI scripts that, with minor modifications, can allow you to check your logs via a Web server. Although it is often important to shut down all services, activating Apache Web Server may be a useful and relatively safe exception to this rule. If you have installed the scripts using the RPM, you can obtain the raw scripts in the /usr/share/doc/fwlogwatch-0.3/ directory. If you have installed the files using a tarball, they will be in the source directory.

The first CGI script is quite simple. It creates an HTML page and tells fwlogwatch to place all of the events that have occurred within the last hour inside of it. With some modifications, it can create an HTML file in your Apache Server directory (see Figure 6.10).

Figure 6.10: The fwlogsummary.small.cgi File

This file first has the command echoed so that if it is run by cron, a message will be sent to the systems administrator via e-mail, informing him or her that the command has been executed. The actual command is shown here:

/usr/sbin/fwlogwatch -w -l 1h -z -s -d -o /var/www/html/fwlogsmallsummary.html

You can, of course, alter this script as you wish. For example, if your Web server's HTML directory is located at /home/httpd/html/, you can edit the file accordingly. If you want to have a more verbose log entry, you can specify -v -v. However, this file is meant specifically for a quick rundown of the last hour's traffic.

To automate this file, place the script in the /etc/cron.hourly directory, or create the following crontab owned by root:

1 * * * * /fwlogsummary/fwlogsummary.small.cgi

When this script executes, you will be able to view the HTML file, as long as you have activated Apache Server (see Figure 6.11).

Figure 6.11: Viewing the Results of the fwlogsummary.small.cgi Script

Obtaining More Information

For a more detailed view of the file, use the fwlogsummary.cgi file. Before you use this file, however, edit it so that it has the following characteristics:

  • The file should point to a directory supported by your Web server. As of this writing, the fwlogsummary.cgi file defaults to using the /home/httpd/html/ directory, so make sure you specify the correct directory for your Web server. Red Hat 7.1 uses the /var/www/html/ directory, so create a subdirectory named /var/www/html/fwlogdaemon/. Or, you can create an entirely different directory and use an alias. It is up to you. It is important, however, that you create a dedicated directory, because the fwlogsummary.cgi script will create several files inside of it. The most important file is index.html, which contains several links that allow you to view all log entries as defined by the $RECENT value (the default, which you can change, is one hour).

  • The file should specify the full path of the fwlogwatch binary.

  • Remove the line that reads <a href="/cgi-bin/fwlogwatch.cgi">Regenerate summaries now</a>. As of this writing, this feature is not yet supported sufficiently. The edited file is shown in Figure 6.12.

    Figure 6.12: The fwlogsummary.cgi File

You can make additional trivial changes, such as altering the colors used in the HTML file. Once you have edited the file to your liking, you can place a script in the /etc/cron.hourly file, or create a crontab similar to the one discussed for the fwlogsummary.small.cgi script.

1 * * * * /fwlogsummary/fwlogsummary.cgi

Viewing the Results

Once you have edited the necessary files, created the necessary directories, and started the daemons (Apache Server and cron), you can use your Web browser to view the index.html file generated by fwlogwatch.cgi. You will have to specify a directory or alias, but you will not have to specify a filename, because most Web servers present index.html by default. Thus, if your firewall Web server's root directory for HTML pages is /var/www/html/, and you have created a directory named /var/www/html/fwlogwatch/, then you would enter the following URL: http://firewall.goodguys._com/fwlogwatch. Figure 6.13 shows an example for the system named "keats."

Figure 6.13: Viewing the Index Page Generated by fwlogsummary.cgi

If you click on the All and name resolution link, for example, you will see a report summary similar to that shown in Figure 6.14.

Figure 6.14: Viewing the All and Name Resolution Page

You will see that this particular HTML page is similar to the results of the fwlogsummary.small.cgi file, except that you will see more hosts listed. The additional links will help you determine what has happened at your firewall.

Note

When you capture traffic using the Linux Netscape browser, you may find that it will "hang" for some time before rendering the HTML. You may have to wait for a few minutes to see the Fwlog output. At other times, you may find that the browser has crashed. Lynx, a text-based Web browser, and Windows-based browsers usually do not exhibit this behavior.

Using cron and fwlogwatch CGI Scripts to Generate an Automatic HTML Report

  1. Create the /fwlogsummary directory. This directory will hold your CGI scripts.

  2. Find and copy the fwlogsummary.small.cgi and fwlogsummary.cgi scripts to the /fwlogsummary directory.

  3. Find the directory that contains your Web server's HTML documents. Create a new subdirectory off this directory named fwlogwatch. This directory will contain all of the files generated by the fwlogsummary.cgi file.

  4. Create another subdirectory off your Web server's HTML document directory named fwlogwatchshort. This directory will contain the results of the fwlogsummary.small.cgi script.

  5. Edit the fwlogsummary.small.cgi and fwlogsummary.cgi scripts so that they reflect your environment. For example, make sure that both scripts refer to the fwlogwatch subdirectory. The fwlogsummary.small.cgi script should specify the fwlogsmallsummary.html file as an output file. This file should go into the fwlogwatchshort directory. Be especially careful to edit the fwlogsummary.cgi file so that it refers to the correct Web server directory, and that it no longer has the <a href="/cgi-bin/fwlogwatch.cgi">Regenerate summaries now</a> link. Read earlier in this chapter for more details.

  6. Now, create crontab entries for each script. Make sure that you specify the correct path of the CGI scripts. For example, if you have created the /fwlogsummary directory, you would create the following crontab entries:

    1 * * * * /fwlogsummary/fwlogsummary.small.cgi
    1 * * * * /fwlogsummary/fwlogsummary.cgi

    You can create these entries by issuing the following command as root:

    crontab -e

    You can also create scripts in the /etc/cron.hourly directory, if you wish.

  7. Now, after 30 minutes, you will see that these scripts have generated several files. Point your Web browser to your firewall's /fwlogsummary subdirectory, and view the links generated by the fwlogsummary.cgi script.

  8. For a more succinct description of the last hour's activities, point your browser at the /fwlogwatchshort directory. You will have to specify the fwlogsmallsummary.html file, because it is doubtful that your Web browser uses this as a default document. If you want, you can edit the CGI script to create an index.html file. For the purposes of this exercise, a different name was used to eliminate confusion with the /fwlogsummary directory.

  9. Finally, consider the following options:

    • If you are using Apache Server, use .htaccess files and htpasswd so that this information is password protected.

    • Further secure this directory with Secure Sockets Layer (SSL). You can learn about enabling SSL support with Apache Server at www.openssl.org.
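The hourly wrapper script described earlier in this section and in the exercise above, written here as an added example rather than one of fwlogwatch's shipped CGI scripts: it runs the same fwlogwatch command line the chapter shows, but writes through a temporary file and refuses to write into a symlinked or group/world-writable directory, so a root cron job cannot be steered into clobbering some other file. The FWLOGWATCH and OUTDIR defaults, the output file name and the test stub are assumptions.

```shell
#!/bin/sh
# Added example, not one of fwlogwatch's own CGI scripts: a hardened
# stand-in for fwlogsummary.small.cgi. The binary path, output directory
# and file name below are assumptions; adjust them for your server.
FWLOGWATCH=${FWLOGWATCH:-/usr/sbin/fwlogwatch}
OUTDIR=${OUTDIR:-/var/www/html/fwlogwatchshort}

# dir_is_private DIR: true if DIR is a real directory (not a symlink) that
# neither group nor others may write to.
dir_is_private() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    case $(ls -ld "$1" | cut -c1-10) in
        d????w????|d???????w?) return 1 ;;   # group- or world-writable
    esac
    return 0
}

# gen_hourly_report DIR NAME [BIN]: summarise the last hour of firewall log
# entries as DIR/NAME using fwlogwatch (BIN lets a test substitute a stub).
gen_hourly_report() {
    dir=$1; name=$2; bin=${3:-$FWLOGWATCH}
    dir_is_private "$dir" || { echo "refusing to write into $dir" >&2; return 2; }
    [ -x "$bin" ] || { echo "$bin is not executable" >&2; return 2; }
    tmp=$(mktemp "$dir/.$name.XXXXXX") || return 1
    # Same options as the chapter's fwlogsummary.small.cgi command; the
    # page is written to a temp file and swapped in, so the Web server
    # never serves a half-written report.
    if "$bin" -w -l 1h -z -s -d -o "$tmp"; then
        chmod 0644 "$tmp" && mv -f "$tmp" "$dir/$name"
    else
        rm -f "$tmp"; return 1
    fi
}

case ${1:-} in
    --run)
        # Echo first so that cron mails the administrator a record of each run.
        echo "fwlogwatch hourly report -> $OUTDIR/fwlogsmallsummary.html"
        gen_hourly_report "$OUTDIR" fwlogsmallsummary.html ;;
esac
```

Install it with `--run` as the argument in the hourly crontab entry in place of fwlogsummary.small.cgi.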

Additional fwlogwatch Features

fwlogwatch contains the following features not discussed in this chapter:

  • Sorting By editing the /etc/fwlogwatch.conf file, you can determine which events are listed first. This is a very useful feature, which allows you to emphasize information that is important to you.

  • Web server The Web server offered by fwlogwatch is not as robust as Apache Server, nor is it as well documented. It is advised that you use Apache Server if you want to use CGI at all.




The Best Damn Firewall Book Period
ISBN: 1931836906
Year: 2003
Pages: 240
