Okay, so I finally got iptables working and logging everything it drops.

So what do I do now? Sit here hoping everything is working just fine?

I was thinking I should probably set up some kind of web interface for looking at the dropped packets and then set up rules to explicitly drop packets from particular ips if they keep hounding me.

I did some digging in packages.debian.org and didn't see much that seemed to suit my purposes. I apt-get'ed fwlogwatch and the results of running that program are pretty unimpressive. It pulled ONE ip from the log (there are already TONS of dropped packets and I've only had iptables working properly for a day or so).

Does anyone have any suggestions for iptable log analysis?

Any other suggestions for steps to take security-wise?

I think I would recommend Snort along with SnortAlog.

Snort is an IDS that can look at specific issues other than dropped packets .... and snortalog can look at iptables logs and snort logs....

There is also:

http://www.gege.org/iptables/

http://www.sawmill.net/

and maybe this:
http://freshmeat.net/projects/logrep/

I figure I'll take this thing one step at a time. So yesterday I apt-get'ed snort.

Today I recieved an email from cron.daily with a snort report that was completely empty.

So there was some configuration I missed or something. I did some digging and found this page where they say that snort for woody is outdated and buggy and that I should instead use this:

http://people.debian.org/~ssmeenk/snort-stable-i386/

I put that into my sources.lst file and it failed to connect to it.

I must have entered it wrong in the sources.lst file. What is the format I should be using to add that to the sources.lst file?