> Iptables Work. What Now?, Iptables monitoring software?
lussumo
post Apr 25 2004, 11:28 PM
Post #1
Okay, so I finally got iptables working and logging everything it drops.

So what do I do now? Sit here hoping everything is working just fine?

I was thinking I should probably set up some kind of web interface for looking at the dropped packets and then set up rules to explicitly drop packets from particular ips if they keep hounding me.

I did some digging in packages.debian.org and didn't see much that seemed to suit my purposes. I apt-get'ed fwlogwatch and the results of running that program are pretty unimpressive. It pulled ONE ip from the log (there are already TONS of dropped packets and I've only had iptables working properly for a day or so).

Does anyone have any suggestions for iptable log analysis?

Any other suggestions for steps to take security-wise?
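As an added illustration of the kind of analysis the post is asking for (not code from the thread or from any tool named in it), the script below parses the KEY=VALUE fields that the iptables LOG target writes to syslog, counts drops per source address and lists the destination ports each source probed, so that sources which "keep hounding" the host stand out. The log lines, the "DROP:" log prefix and the addresses are constructed sample data.

```python
"""Summarise iptables LOG entries by source address (constructed sample data)."""
import re
from collections import Counter, defaultdict

# KEY=VALUE fields written by the kernel LOG target; only these are needed here.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT|SPT|IN)=(\S*)")

# Constructed sample syslog lines. "DROP:" is an assumed --log-prefix, and the
# addresses come from documentation ranges (RFC 5737), not from real hosts.
SAMPLE_LOG = """\
Apr 25 23:10:02 box kernel: DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=4321 DPT=22 SYN
Apr 25 23:10:05 box kernel: DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=4322 DPT=22 SYN
Apr 25 23:10:09 box kernel: DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=4323 DPT=23 SYN
Apr 25 23:11:41 box kernel: DROP: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=UDP SPT=137 DPT=137
Apr 25 23:12:00 box kernel: DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=4324 DPT=80 SYN
Apr 25 23:12:30 box sshd[812]: Accepted publickey for admin from 203.0.113.4 port 50123
"""

def parse_line(line):
    """Return the LOG fields of one syslog line as a dict, or None for non-iptables lines."""
    if " kernel: " not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields:
        return None
    return fields

def summarize(log_text):
    """Count dropped packets per SRC and collect the destination ports each SRC touched."""
    drops = Counter()
    ports = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        drops[fields["SRC"]] += 1
        if fields.get("DPT"):
            ports[fields["SRC"]].add(int(fields["DPT"]))
    return drops, ports

def repeat_offenders(log_text, threshold=3):
    """Sources with at least `threshold` dropped packets, busiest first, with their ports."""
    drops, ports = summarize(log_text)
    return [(src, n, sorted(ports[src])) for src, n in drops.most_common() if n >= threshold]

if __name__ == "__main__":
    for src, n, dpts in repeat_offenders(SAMPLE_LOG):
        print(f"{src}: {n} dropped packets, destination ports {dpts}")
```

On a real box, feed it the file the LOG target lands in (for example via `open("/var/log/kern.log").read()`) instead of SAMPLE_LOG.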
hughesjr
post Apr 26 2004, 06:07 AM
Post #2
I think I would recommend Snort along with SnortAlog.

Snort is an IDS that can look at specific issues other than dropped packets .... and snortalog can look at iptables logs and snort logs....

There is also:

http://www.gege.org/iptables/

http://www.sawmill.net/

and maybe this:
http://freshmeat.net/projects/logrep/


--------------------
Johnny Hughes
hughesjr@linuxhelp.net
Enterprise Alternatives: CentOS, WhiteBoxEL
Favorite Workstation Distros (in order): CentOS, Gentoo, Debian Sarge, Ubuntu, Mandrake, FedoraCore, Slackware, SUSE
Favorite Server Distros (in order): CentOS, WhiteBoxEL, Debian Sarge, Slackware, Mandrake, FedoraCore, Gentoo, SUSE
lussumo
post Apr 27 2004, 10:52 AM
Post #3
I figure I'll take this thing one step at a time. So yesterday I apt-get'ed snort.

Today I received an email from cron.daily with a snort report that was completely empty.

So there was some configuration I missed or something. I did some digging and found this page where they say that snort for woody is outdated and buggy and that I should instead use this:

http://people.debian.org/~ssmeenk/snort-stable-i386/

I put that into my sources.lst file and it failed to connect to it.

I must have entered it wrong in the sources.lst file. What is the format I should be using to add that to the sources.lst file?