Debian11, Server, FWLogWatch for a daily firewall log analysis
FWLogWatch installation and configuration to parse the IPTables logs and report them by email, grouped into a few summary lines. It helps to quickly identify potential attacks and maintain the filter rules.
- FWLogWatch presentation
- Prerequisites
- Installation
- Test with notification
- Materials and links
- Footnotes
FWLogWatch presentation
FWLogWatch 1 is a log parser, very similar to LogWatch, specialised in IPTables lines. It keeps only the IPTables-related log lines, groups them by source, destination, port, rule, etc., counts them and sorts them. At the end, it sends a summary email with the top counts of the list.
It is very useful to immediately list the attackers' IP addresses and blacklist them, or to detect distributed attack trends. Then it is easy to decide to block the attacks specifically.
Prerequisites
This article only depends on the Generic machine preparation post series.
Installation
This tool takes most of its configuration from the command-line invocation. The invocation script uses options defined in /etc/default/fwlogwatch, and this file is automatically generated by DebConf and dpkg at installation time, from interactive questions. The first step is to pre-answer the questions before the installation, to avoid interactive prompts.
Preconfiguration
Basically, I force the following settings:
- Service name resolution (-N), to get the clear name of the port, which is easier to read
- At least 20 similar lines (-m) to include the log line in the email, to avoid single-packet notifications and keep the email notification focused on the important stuff
- With duration (-z), to get an idea of the potential attack pattern over time
- Notifications to root
echo fwlogwatch fwlogwatch/realtime boolean true | debconf-set-selections
echo fwlogwatch fwlogwatch/cron_email string "root" | debconf-set-selections
echo fwlogwatch fwlogwatch/cron_parameters string "-N -m 20 -z" | debconf-set-selections
Install
Then the installation is straightforward: all the preconfiguration questions were answered and DebConf applies the answers automatically.
apt-get install -y fwlogwatch
Bugfix
I found a bug, Bug #987315 1, and submitted it to the Debian Bug Tracking System (BTS). While waiting for the fix, I made the quick patch below. This bug is supposed to be fixed from version 1.4-3. In case of issues using systemctl to stop, start or restart fwlogwatch, here is a quick fix:
sed -i 's/htpdate/fwlogwatch/' /lib/systemd/system/fwlogwatch.service
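A guarded version of this quick fix, as an added example that is not part of the original post: it only rewrites the unit file when the htpdate reference is actually present (so it is safe to re-run, and a no-op once the fixed package is installed), keeps a backup, and re-checks the result. The path is a parameter, and the sample unit file built by make_sample_unit is a constructed stand-in, not the real contents of the Debian package's service file.

```shell
#!/bin/sh
# Added example: idempotent, checked variant of the one-line sed fix.
set -eu

# Return 0 when the unit file no longer references htpdate
# (already fixed, or never affected), 1 when it still does.
unit_is_clean() {
    ! grep -q 'htpdate' "$1"
}

# Patch the unit file only if needed, keeping a .bak copy and
# verifying the rewrite. Returns 1 if the reference survived.
patch_fwlogwatch_unit() {
    unit="$1"
    if unit_is_clean "$unit"; then
        echo "already clean: $unit"
        return 0
    fi
    cp -p "$unit" "$unit.bak"
    sed -i 's/htpdate/fwlogwatch/g' "$unit"
    unit_is_clean "$unit" || { echo "patch failed: $unit" >&2; return 1; }
    echo "patched: $unit (backup in $unit.bak)"
}

# Constructed sample standing in for /lib/systemd/system/fwlogwatch.service,
# with a deliberate htpdate reference so the fix has something to do.
make_sample_unit() {
    dir=$(mktemp -d)
    cat > "$dir/fwlogwatch.service" <<'EOF'
[Unit]
Description=fwlogwatch (constructed sample unit, not the packaged one)

[Service]
Type=forking
PIDFile=/run/htpdate.pid
ExecStart=/usr/sbin/fwlogwatch -R

[Install]
WantedBy=multi-user.target
EOF
    echo "$dir/fwlogwatch.service"
}

# On a real Debian 11 host (as root), followed by: systemctl daemon-reload
# patch_fwlogwatch_unit /lib/systemd/system/fwlogwatch.service
```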
Test with notification
Although it should not return many warnings, the installation can be tested quickly, for both the parsing and the notifications, with the following command:
/etc/cron.daily/fwlogwatch