Firewall, Monitoring - Revision history

Jimbo: Reverted edits by 173.88.199.104 (talk) to last revision by Jimbo

2012-08-25T22:09:10Z

Reverted edits by 173.88.199.104 (talk) to last revision by Jimbo

Show changes

173.88.199.104: Blanked the page

2012-08-13T18:50:01Z

Blanked the page

Show changes

173.88.199.104 at 17:47, 13 August 2012

2012-08-13T17:47:52Z

Jimbo at 21:36, 21 June 2007

2007-06-21T21:36:15Z

Dave at 15:05, 12 December 2005

2005-12-12T15:05:51Z

Jimbo: prettification, moved logfile permissions gotcha caveat from discussion page to main article

2005-07-18T09:40:14Z

prettification, moved logfile permissions gotcha caveat from discussion page to main article

Jimbo: moving caveat about log permissions to main article

2005-07-18T09:38:14Z

moving caveat about log permissions to main article

Jimbo: added nowiki tag to fix errors in script display

2005-03-17T05:00:31Z

added nowiki tag to fix errors in script display

Jimbo at 00:30, 15 November 2004

2004-11-15T00:30:10Z

Jimbo at 00:52, 14 November 2004

2004-11-14T00:52:32Z

← Older revision		Revision as of 17:47, 13 August 2012
Line 247:		Line 247:
	}</nowiki>		}</nowiki>

−	~~[[Category:Common Tasks]]~~
	[[Category: Securing FreeBSD]]		[[Category: Securing FreeBSD]]
−	~~[[Category:Firewall]]~~

← Older revision		Revision as of 21:36, 21 June 2007
Line 249:		Line 249:
	[[Category:Common Tasks]]		[[Category:Common Tasks]]
	[[Category: Securing FreeBSD]]		[[Category: Securing FreeBSD]]
		+	[[Category:Firewall]]

← Older revision		Revision as of 15:05, 12 December 2005
Line 248:		Line 248:

	[[Category:Common Tasks]]		[[Category:Common Tasks]]
		+	[[Category: Securing FreeBSD]]

@@ Line 1: / Line 1: @@
 I wrote myself a handy little CGI application in Perl to let me monitor my [[ipfw]] firewall from a web browser.  It uses (optional) reverse DNS host lookups for the source IPs of the things you're logging, (optional) service lookups from [[ /etc/services]] for the destination port numbers, and (optional) service override lookups for things that you want to look different in the firewall than in /etc/services.  (I personally like to put attack types and such in the overrides file, WITHOUT necessarily winding up obliterating legitimate services that may also use that particular port in my /etc/services file.)
-You can specify alternate logfiles for it to read from the HTTP address, in the format http://youraddress/ipfwparser.cgi?logfile=/var/log/security.0.gz here, if you like.  Don't sweat GZIPped or BZIP2ed logs; as long as you make sure that the locations of [[gzcat]] and [[bzcat]] specified in the config section are correct (and that you are using .gz and .bz2 extensions on any compressed logfiles), it'll handle the compressed logs transparently.
+You can specify alternate logfiles for it to read from the HTTP address, in the format '''<nowiki>http://youraddress/ipfwparser.cgi?logfile=/var/log/security.0.gz</nowiki>''' here, if you like.  Don't sweat GZIPped or BZIP2ed logs; as long as you make sure that the locations of [[gzcat]] and [[bzcat]] specified in the config section are correct (and that you are using .gz and .bz2 extensions on any compressed logfiles), it'll handle the compressed logs transparently.
 One common "gotcha" to remember: if you want this to work from a web browser, you'll need to make sure that your firewall log is readable from the user context of your webserver (in most cases, the user 'www').  Usually you'll want to do this by [[chmod]]ding /var/log/security to 644 - and don't forget to change the value in [[/etc/newsyslog.conf]] as well, or it'll be overwritten the first time your logs rotate!

← Older revision		Revision as of 09:38, 18 July 2005
Line 2:		Line 2:

	You can specify alternate logfiles for it to read from the HTTP address, in the format http://youraddress/ipfwparser.cgi?logfile=/var/log/security.0.gz here, if you like. Don't sweat GZIPped or BZIP2ed logs; as long as you make sure that the locations of [[gzcat]] and [[bzcat]] specified in the config section are correct (and that you are using .gz and .bz2 extensions on any compressed logfiles), it'll handle the compressed logs transparently.		You can specify alternate logfiles for it to read from the HTTP address, in the format http://youraddress/ipfwparser.cgi?logfile=/var/log/security.0.gz here, if you like. Don't sweat GZIPped or BZIP2ed logs; as long as you make sure that the locations of [[gzcat]] and [[bzcat]] specified in the config section are correct (and that you are using .gz and .bz2 extensions on any compressed logfiles), it'll handle the compressed logs transparently.
		+
		+	One common "gotcha" to remember: if you want this to work from a web browser, you'll need to make sure that your firewall log is readable from the user context of your webserver (in most cases, the user 'www'). Usually you'll want to do this by [[chmod]]ding /var/log/security to 644 - and don't forget to change the value in [[/etc/newsyslog.conf]] as well, or it'll be overwritten the first time your logs rotate!

	<nowiki>#! /usr/bin/perl		<nowiki>#! /usr/bin/perl

@@ Line 3: / Line 3: @@
 You can specify alternate logfiles for it to read from the HTTP address, in the format http://youraddress/ipfwparser.cgi?logfile=/var/log/security.0.gz here, if you like.  Don't sweat GZIPped or BZIP2ed logs; as long as you make sure that the locations of [[gzcat]] and [[bzcat]] specified in the config section are correct (and that you are using .gz and .bz2 extensions on any compressed logfiles), it'll handle the compressed logs transparently.
-  #! /usr/bin/perl
+  <nowiki>#! /usr/bin/perl
   ##
@@ Line 243: / Line 243: @@
     return scalar(@in);
+  }</nowiki>
 [[Category:Common Tasks]]

@@ Line 61: / Line 61: @@
   foreach (&lt;FH>) {
           chomp();
-          @templine = split (/ /, $_);
+          @templine = split (/\s+/, $_);
           # datestamp

← Older revision		Revision as of 00:52, 14 November 2004
Line 244:		Line 244:
	return scalar(@in);		return scalar(@in);
	}		}
		+
		+	[[Category:Common Tasks]]