Well, I got it to work.
Finally, after a lot of research, I kind of understand how to use it.
First, edit your firewall script. If you are using rc.firewall (like me), search for a variable named LOGGING="no" and change it to yes.
I don't know why, but it comes as no by default.
Then, edit /etc/syslog.conf
and add this line:
# Log all firewall messages to /var/log/firewall
kern.info /var/log/firewall
Note: the file firewall doesn't exist; you have to create it, read below.
Then, go to /var/log/firewall
and type this: touch /var/log/firewall
===============================
OK, now let's get fwlogwatch working.
First, I recommend that you read "man fwlogwatch".
In case you already read it, or you're just too lazy:
Edit: /etc/fwlogwatch.config
These are some extracts of my fwlogwatch.config file to use as an example:
Note: what I didn't post here I just didn't edit.
Code:
### Global options ###
# Use 'verbose' if you want extra information and log messages.
# Use it twice for even more info. fwlogwatch is quiet by default.
# Command line option: -v[v]
#
verbose = yes
verbose = yes
# Specify the input file(s) if you don't want to use the default. Use one line
# for each file. Compressed files (gzip) are supported. You can use '-' for
# standard input (stdin). In realtime response mode the daemon needs the
# absolute path to the file.
# Command line option: [file(s)]
#
input = /var/log/firewall
# The following six options define which criteria will be considered when
# comparing logged packets. You can turn off the source or destination IP
# address distinction ('src_ip'/'dst_ip') or activate the protocol, source
# and destination port and TCP option distinction
# ('protocol'/'src_port'/'dst_port'/'tcp_opts').
# Command line options: -S / -D / -p / -s / -d / -y
#
src_ip = on
dst_ip = on
protocol = on
src_port = on
dst_port = on
tcp_opts = on
# With the following four options you can customize the colors of the HTML
# output (summary and realtime response status page), use the RGB value
# with '#' or directly one of the 16 basic HTML color names (aqua black
# blue fuchsia gray green lime maroon navy olive purple red silver teal
# white yellow).
#
textcolor = white
bgcolor = black
rowcolor1 = #555555
rowcolor2 = #333333
### Log summary mode ###
# Use 'data_amount' if you want so see the sum of total packet lengths for
# each entry (this obviously only works with log formats that contain this
# information).
# Command line option: -b
#
data_amount = yes
# Use 'start_times' and/or 'last times' if you want to see the timestamp
# of the first and/or last logged packet of each entry.
# Command line options: -t / -e
#
start_times = yes
end_times = yes
duration = yes
# Use 'html' to enable HTML output.
# Command line option: -w
#
Now you should test fwlogwatch: edit fwlogwatch again, and where it says output file=, enter your testlog.txt.
Note: this is just for testing; you can comment it back out after the test finishes (or leave it like that, it is up to you).
Now run fwlogwatch and check the testlog.txt you created. You should see some logs from your firewall; if not, then something is wrong, check it.
Great, you have fwlogwatch working.
=======================
Create a cron job for fwlogwatch, and send the output as an email to yourself.
As root, type crontab -e  # you will add all your cron tasks here
(in FC2, it uses vi as the text editor; vi is great)
In case you don't know how to use vi: press "i" (insert) to start writing, now add this line:
#!/bin/bash
10 3 * * * fwlogwatch -U "fwlogwatch Report" -T youremail@server.com
Press "ESC" and then ZZ to save and exit.
This will run fwlogwatch every day at 03:10 and send an email with the report to your email account.
Done!
Recommendations:
You should use chkrootkit to search for rootkits on your Linux box:
http://www.chkrootkit.org/
This will help you interpret what you are reading, and also to know if you are being attacked, or whatever.
Well, that is pretty much it!
Hope it will help you; if you have any problem or suggestion, just post.
Regards,
|||Electronkz|||
Linux Registered User #344616
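As an added example that is not part of the original post: a small Python script that does, for the kernel lines syslog writes to /var/log/firewall, what the fwlogwatch options shown above do (group by src_ip/dst_ip/protocol/src_port/dst_port, sum packet lengths for data_amount, keep start_times/end_times), so you can see what the numbers in the emailed report mean. The log lines are constructed sample data in the standard netfilter format, and the parser only handles that format.

```python
import re

# Constructed sample of the netfilter records that rc.firewall logs via
# syslog into /var/log/firewall (example data, not from the original post);
# the last line is a non-firewall message that must be ignored.
SAMPLE_LOG = """\
Jun 12 03:01:12 box kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=52 ID=1 DF PROTO=TCP SPT=4111 DPT=22 SYN URGP=0
Jun 12 03:01:13 box kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=52 ID=2 DF PROTO=TCP SPT=4112 DPT=22 SYN URGP=0
Jun 12 03:02:40 box kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TTL=110 ID=3 PROTO=UDP SPT=1026 DPT=137 LEN=20
Jun 12 03:05:01 box kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=52 ID=4 DF PROTO=TCP SPT=4111 DPT=22 SYN URGP=0
Jun 12 03:06:00 box CROND[123]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return the key=value fields of one kernel firewall record, or None
    for anything else (cron, sshd, ...) that syslog may put in the file."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"TIME": m.group(1)}
    for key, val in FIELD_RE.findall(m.group(2)):
        rec.setdefault(key, val)  # first LEN is the IP length; UDP repeats LEN
    return rec if "SRC" in rec and "DST" in rec else None

def summarize(lines, fields=("SRC", "DST", "PROTO", "SPT", "DPT")):
    """Group records by the same criteria as fwlogwatch's src_ip/dst_ip/protocol/
    src_port/dst_port options: packet count, summed LEN, first/last timestamp."""
    table = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = tuple(rec.get(f, "") for f in fields)
        e = table.setdefault(key, {"count": 0, "bytes": 0,
                                   "first": rec["TIME"], "last": rec["TIME"]})
        e["count"] += 1
        e["bytes"] += int(rec.get("LEN", 0))
        e["last"] = rec["TIME"]  # lines arrive in syslog (chronological) order
    return table

if __name__ == "__main__":
    for key, e in summarize(SAMPLE_LOG.splitlines()).items():
        print(e["count"], "packets", e["bytes"], "bytes", e["first"], "-", e["last"], *key)
```

Passing fewer fields (for example only "SRC") mirrors turning off dst_ip/protocol/port distinction in the config and collapses the table to one entry per source.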