# iptables LOG(/var/log/firewall.log) 기록하기 및 분석하기
#####################################################
#
# OS: RHEL 4
# Homepage: http://sourceforge.net/projects/fwreport
#
#####################################################
- syslog 편집
vi /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
kern.* /var/log/firewall.log ==> 추가
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none;kern.none /var/log/messages ==> 변경
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
/etc/rc.d/init.d/syslog restart
- vi /etc/sysconfig/iptables에 추가
#log
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -j LOG --log-prefix "Unknown TCP Connection:"
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -j LOG --log-prefix "Unknown UDP Connection:"
iptables-restore < /etc/sysconfig/iptables
tail -f /var/log/firewall.log
cd /usr/local/src
wget http://jaist.dl.sourceforge.net/sourceforge/fwreport/fwreport-1.1.8.tar.gz
tar xvfzp fwreport-1.1.8.tar.gz
cd fwreport-1.1.8
chmod +x install.sh
./install.sh
fwreport -w /var/log/firewall.log
vi /etc/logrotate.d/firewall
/var/log/firewall.log {
daily
rotate 30
compress
missingok
notifempty
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true
endscript
}
/etc/rc.d/init.d/syslog restart