오래전 이야기/Open Tools

iptables 로그 분석.

리눅스 엔지니어였던 2008. 9. 15. 17:58

# iptables LOG(/var/log/firewall.log) 기록하기 및 분석하기

#####################################################
#
# OS: RHEL 4
# Homepage: http://sourceforge.net/projects/fwreport
#
#####################################################


- syslog 편집


vi /etc/syslog.conf

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console
kern.*                                                  /var/log/firewall.log      ==> 추가

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none;kern.none              /var/log/messages  ==> 변경

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

/etc/rc.d/init.d/syslog restart

- vi /etc/sysconfig/iptables에 추가

#log
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -j LOG --log-prefix "Unknown TCP Connection:"
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -j LOG --log-prefix "Unknown UDP Connection:"

iptables-restore < /etc/sysconfig/iptables

tail -f /var/log/firewall.log

cd /usr/local/src

wget http://jaist.dl.sourceforge.net/sourceforge/fwreport/fwreport-1.1.8.tar.gz

tar xvfzp fwreport-1.1.8.tar.gz

cd fwreport-1.1.8

chmod +x install.sh

./install.sh

fwreport -w /var/log/firewall.log

vi /etc/logrotate.d/firewall

/var/log/firewall.log {
    daily
    rotate 30
    compress
    missingok
    notifempty
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true
    endscript
}

/etc/rc.d/init.d/syslog restart