FWLogWatch installation and configuration to parse the IPTables logs and report them, grouped into a few summary lines, by email. It helps to quickly identify potential attacks and to maintain the filter rules.

FWLogWatch presentation


FWLogWatch is a log parser, very similar to LogWatch but specialised in IPTables lines. It keeps only the IPTables-related log lines, groups them by source, destination, port, rule, etc., counts them and sorts them. At the end, it sends a summary email with the top counts of the list.

It is very useful to immediately list the attackers' IP addresses and blacklist them, or to detect distributed attack trends. It is then easy to decide to block the attacks specifically.

Prerequisites

This article only depends on the Generic machine preparation post series.

Installation

This tool takes most of its configuration from the command-line invocation. The invocation script uses options defined in /etc/default/fwlogwatch, and this file is generated automatically by DebConf and dpkg at installation time from interactive questions. The first step is therefore to pre-answer the questions before the installation, to avoid interactive prompts.

Preconfiguration

Basically, I force the following settings:

  • Service name resolution (-N), to show port names instead of numbers, which is easier to read
  • At least 20 similar lines (-m 20) before a group is included in the email, to avoid single-packet notifications and keep the email focused on the important stuff
  • Time interval (-z), to get an idea of the attack pattern over time
  • Notifications sent to root
  • The realtime daemon enabled

    echo fwlogwatch fwlogwatch/realtime boolean true | debconf-set-selections
    echo fwlogwatch fwlogwatch/cron_email string "root" | debconf-set-selections
    echo fwlogwatch fwlogwatch/cron_parameters string "-N -m 20 -z" | debconf-set-selections
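To make concrete what the grouping described above and the -m, -z and -N options actually do to the log, here is an added Python example. It is not fwlogwatch's code and not part of the original article: it parses a handful of constructed iptables kernel log lines (the IPT-DROP prefix, hosts and addresses are invented, documentation ranges only), groups them by rule prefix, source, destination, protocol and destination port, drops groups below a packet threshold (the -m behaviour), computes the time span of each group (the -z behaviour) and optionally maps ports to service names from /etc/services (the -N behaviour). The field names and the grouping key are my own choice for illustration.

```python
"""Group iptables log lines the way fwlogwatch summarises them.

Added example, not fwlogwatch's code. Log lines below are constructed.
"""
import re
import socket
from datetime import datetime

# Constructed sample log (syslog kernel lines with an iptables --log-prefix
# of "IPT-DROP:", plus one unrelated sshd line that must be ignored).
SAMPLE_LOG = """\
Apr 22 10:15:01 gw kernel: [1001.0] IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TTL=51 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 SYN
Apr 22 10:15:02 gw kernel: [1002.0] IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TTL=51 ID=0 DF PROTO=TCP SPT=44322 DPT=22 WINDOW=1024 SYN
Apr 22 10:15:09 gw kernel: [1003.0] IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TTL=51 ID=0 DF PROTO=TCP SPT=44323 DPT=22 WINDOW=1024 SYN
Apr 22 10:16:30 gw kernel: [1004.0] IPT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=64 ID=0 DF PROTO=UDP SPT=5353 DPT=53 LEN=40
Apr 22 10:17:00 gw sshd[123]: Accepted publickey for admin from 192.0.2.20 port 51000
"""

# syslog timestamp, host, "kernel:", optional "[uptime]", log prefix, then IN=
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
    r"(?:\[[^\]]*\] )?(?P<prefix>.*?) ?IN="
)
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def parse_line(line):
    """Return the interesting fields of one iptables line, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    # syslog has no year; the parsed year is irrelevant for durations within one run
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    return {
        "ts": ts,
        "prefix": m.group("prefix").strip(),
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields.get("PROTO", "?"),
        "dpt": fields.get("DPT", "-"),  # ICMP lines carry no port
    }


def summarize(log_text, min_count=1):
    """Group by (prefix, src, dst, proto, dpt); keep groups with >= min_count
    packets (what -m does); report the first-to-last time span (what -z does);
    sort by packet count, highest first."""
    groups = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["prefix"], rec["src"], rec["dst"], rec["proto"], rec["dpt"])
        g = groups.setdefault(key, {"count": 0, "first": rec["ts"], "last": rec["ts"]})
        g["count"] += 1
        g["first"] = min(g["first"], rec["ts"])
        g["last"] = max(g["last"], rec["ts"])
    rows = []
    for (prefix, src, dst, proto, dpt), g in groups.items():
        if g["count"] < min_count:
            continue
        rows.append({
            "prefix": prefix, "src": src, "dst": dst, "proto": proto, "dpt": dpt,
            "count": g["count"],
            "duration_s": int((g["last"] - g["first"]).total_seconds()),
        })
    rows.sort(key=lambda r: (-r["count"], r["src"], r["dpt"]))
    return rows


def service_name(port, proto):
    """Map a port to its /etc/services name (what -N does); fall back to the number."""
    try:
        return socket.getservbyport(int(port), proto.lower())
    except (OSError, ValueError):
        return str(port)


def format_report(rows, resolve_services=False):
    """Render one summary line per group, in the spirit of the email report."""
    out = []
    for r in rows:
        dpt = service_name(r["dpt"], r["proto"]) if resolve_services else r["dpt"]
        out.append(f'{r["count"]:>6} packets  {r["prefix"]:<10} {r["src"]} -> {r["dst"]} '
                   f'{r["proto"]}/{dpt}  over {r["duration_s"]}s')
    return "\n".join(out)


if __name__ == "__main__":
    # With min_count=2 only the three-packet SSH scan from 203.0.113.5 survives;
    # the single UDP packet and the sshd line are left out of the report.
    print(format_report(summarize(SAMPLE_LOG, min_count=2), resolve_services=True))
```

Running it with a threshold of 2 yields a single line for the 203.0.113.5 source hitting TCP/22 three times over 8 seconds; the lone UDP/53 packet is filtered out exactly as -m 20 would filter isolated packets on a real host, which is the point of the threshold: the email only lists sources that keep coming back.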

Install

Then the installation is straightforward: all the preconfiguration questions are already answered and DebConf applies the answers automatically.

apt-get install -y fwlogwatch

Bugfix

I found a bug (#987315 [1]) and submitted it to the Debian Bug Tracking System (BTS). While waiting for the fix, I made the quick patch below. This bug is supposed to be fixed from version 1.4-3 onwards. If you have trouble using systemctl to stop, start or restart fwlogwatch, here is the quick fix:

sed -i 's/htpdate/fwlogwatch/' /lib/systemd/system/fwlogwatch.service

Test with notification

Although it should not report many warnings on a fresh install, the installation can be tested quickly, both for the parsing and for the notification, with the following command:

/etc/cron.daily/fwlogwatch

Materials and links

Footnotes

  1. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987315