Download This PDF! - Linux Magazine

linuxpromagazine.com
  • No tags were found...

Download This PDF! - Linux Magazine

COVER STORYFirewall Logfile AnalyzersAnalysis Tools for Firewall LogfilesFor the RecordNetfilter firewalls create highly detailed logfiles that nobody really wants toinspect manually. Logfile analysis tools like IPtables Log Analyzer,WallfireWflogs, and FWlogwatch help administrators keep track of developments andfilter for important messages. BY RALF SPENNEBERGIn a firewall-protected environment,the administrator must keep track ofdevelopments by logging as manytransactions as possible. At the sametime, admins want to avoid wadingthrough megabytes of logfiles justbecause they are worried about missinga clue.Logfile HelpersProtocal analysis tools provide a solutionto this dilemma. Linux users have manyoptions for firewall analysis programs. Inthis article, we’ll look at three alterna-tives: IPtables Log Analyzer [1], WFlogsfrom the Wallfire project [2], and FWlogwatch[3]. All three programs support awide range of protocol formats and serveup the results as neatly formatted HTMLpages; WFlogs and FWlogwatch additionallyhave realtime modes. IPtablesLog Analyzer is the only tool to use adatabase for message storage.IPtables Log Analyzer relies on a specialfeeder. Harald Weltes’ Ulogd [4]handles this natively, replacing thelegacy syslog system. Unfortunately, freeanalysis tools that support the Ulog databaseare rare. Ulogd-php [5] is one of thefirst. In contrast to all other logging systems,Ulogd can log events that caused afirewall alert in its database.IPtables Log AnalyzerIPtables Log Analyzer serves up IPtableslogs for Linux 2.4 or 2.6 in the form ofneat HTML pages (see Figure 1). Thetool includes three components. Thedatabase feeder stores logfile entries in aMySQL database; admins can then use aweb interface to access the database.The database feeder, the database, andthe web interface can run either on thesame machine or on separate machines.In the latter scenario, the database cancollect logfiles from multiple firewalls.After deciding on the architecture, theadministrator needs to create a MySQLdatabase called iptables, allow the usersiptables_admin and iptables_user access,and generate tables within the database(Listing 1). Of course you also need todefine IPtables rules. Two user-definedchains are the best approach (Listing 2).Creating ChainsInstead of -j ACCEPT, IPtables will nowuse -j LOG_ACCEPT. These modificationsFigure 1: The IPtables Log Analyzer gives administrators a clear view of firewalllogfiles.Figure 2: The WFlogs Summary page shows how many packages have beenlogged for each source.30 January 2005 www.linux-magazine.com


COVER STORYFirewall Logfile AnalyzersListing 3: FwlogwatchRealtime Mode01 realtime_response = yes02 parser = n03 run_as = fwloguser04 recent = 60005 alert_threshold = 506 notify = yes07 notification_script = /usr/sbin/fwlw_notify08 server_status = yes09 bind_to = 127.0.0.110 listen_port = 888811 status_user = ralf12 status_password =i0QlAmOg4PrAA13 refresh = 10Admins can use the integrated webserver for browser-based status monitoringof FWlogwatch.FWlogwatch supports the IPchains (ioption), Netfilter (n), IPfilter (f), IPFW(b), Cisco IOS (c), Cisco PIX (p),Netscreen (e), Windows XP (w), ElsaLancom (l) and Snort (s) formats. Theinstall is a simple make && make install&& make install-config process. BorisWesslowski has packages for Red HatLinux and Debian on the Fwlogwatchhomepage.Admins can configure FWlogwatch’sbehavior using the configuration file,which has extremely informativecomments. You can also configureFWlogwatch via the command line. Themanpage explains the options. For example,the following command launchesFWlogwatch in summary mode:fwlogwatch -b -Pn -U U'Spenneberg.Com'-p -n -N -o Uoutput.html -t -w U/var/log/messagesThe -Pn option enables the Netfilterparser. -U allows the user to specify aheading for the summary. The -o optionspecifies the output file; -w stipulatesHTML output. -n and -N enable nameresolution for hosts and services. Theresult is an HTML-formatted summary ofthe firewall logfiles.Quick ResponseThe option of running FWlogwatch inrealtime mode allows admins to react tologfile messages and simultaneously displaysthe current status in a browserwindow. FWlogwatch runs in the backgroundas a daemon and monitors thelogfile, reparsing the configuration file ifit receives a SIGHUP. SIGUSR1 tells thedaemon to reopen the logfile. This featureis useful for rotating logfiles, forexample.Administrators can specify thresholdvalues that define when FWlogwatchwill react to logfile messages by launchingalerts or response scripts. There aretwo important configuration options:recent (-l) defines the period of time tomonitor, and alert_threshold (-a) definesthe number of events within this timescope needed to trigger a response. Listing3 shows a sample configuration. Theexample configures FWlogwatch for realtimemode with the Netfilter parser. Theprocess runs under the user IDfwloguser.If the threshold of five connections in600 seconds is exceeded, Fwlogwatchperforms a customizable action. Fwlogwatchsets up a web server on 127.0.0.1:8888, where a user ralf can log inwith a password of password. FWlogwatchuses DES-encrypted passwords,which you can generate by typinghtpasswd -nb user password. When theuser logs in to this page, the view shownin Figure 4 appears. This page leads toother pages with a wide range ofbrowser-based Fwlogwatch configurationoptions (Figure 5).ChoicesFWlogwatch has an enormous range offeatures, from a simple summary to arealtime mode with customizableresponses. But the other tools we discussedin this article are well worthconsidering also. If you need powerfulfiltering, WFlogs may be a better optionfor your network. The IPtables Log Analyzeris an interesting choice for somesituations because of its database support.The IPTables Log Analyzer givessystem administrators the option ofusing SQL statements to search throughfirewall messages, rather than having tolaunch their searches from a web frontend.■INFO[1] IPtables Log Analyzer:http://www.gege.org/iptables/[2] Wallfire project (WFlogs und WFnetobjs):http://www.wallfire.org[3] FWlogwatch:http://fwlogwatch.inside-security.de[4] Ulogd:http://gnumonks.org/projects/ulogd[5] Ulogd PHP: http://www.inl.fr/download/ulog-php.html[6] Shorewall firewall:http://shorewall.sourceforge.net[7] Suse firewall: http://www.suse.de/en/business/products/suse_business/firewall/[8] WFlogs, Debian Woody packages:http://people.debian.org/~kelbert/[9] GNU adns: http://www.chiark.greenend.org.uk/~ian/adns/Figure 4: The integrated FWlogwatch web serverallows admins to monitor the current status ofthe firewall.Figure 5: Admins can use a browser to configureFWlogwatch. The Alert Threshold specifies thenumber of messages needed to trigger theFWlogwatch response.THE AUTHORRalf Spenneberg is afreelance Unix/Linuxtrainer and author.Last year saw therelease of his firstbook:“IntrusionDetection Systems forLinux Servers”. Ralfhas also developed various trainingmaterials.32 January 2005 www.linux-magazine.com

More magazines by this user
Similar magazines