I'm trying to reconcile a discrepancy in the logwatch summary with the
contents of the /var/log/firewall log file.

The summary (below) shows 32 packets dropped but the firewall log file
(5.8MB) has 27,822 lines (3,242 for port 3389). I can provide the .log file
if needed. Why doesn't the logwatch summary show thousands of dropped packets?

If the summary isn't looking at the firewall log, what is it looking at? How
can I feed the firewall.log file into logwatch to get a proper summary?

We were being attacked at a fairly high rate on port 3389 and the internal
systems the ports forwarded to were suffering (we have a /29 block of
addresses). I have temporarily turned off the port forwards so now the
firewall is blocking the traffic. I'm trying to determine the best solution
for blocking the unwanted attacks at the firewall while still allowing the
legitimate users access to the systems.

################### Logwatch 7.3.6 (05/19/07) ####################
        Processing Initiated: Mon May 21 01:25:02 2018
       Date Range Processed: yesterday
                              ( 2018-May-20 )
                              Period is day.
      Detail Level of Output: 0
              Type of Output: unformatted
           Logfiles for Host: wscfw.westsidecares.local
##################################################################

 --------------------- iptables firewall Begin ------------------------

Listed by source hosts:

Dropped 32 packets on interface eth1
   From 10.1.10.1 - 3 packets to igmp(0)
   From 23.23.241.229 - 2 packets to tcp(3389)
   From 23.24.132.201 - 1 packet to tcp(23)
   From 23.24.142.198 - 2 packets to igmp(0)
   From 46.174.191.29 - 1 packet to tcp(8080)
   From 49.51.85.194 - 2 packets to tcp(3389)
   From 51.15.146.248 - 3 packets to tcp(3389)
   From 90.151.207.87 - 1 packet to tcp(23)
   From 107.155.164.102 - 2 packets to tcp(8141,8802)
   From 113.197.36.89 - 1 packet to tcp(3389)
   From 129.205.143.58 - 1 packet to tcp(23)
   From 139.60.160.173 - 2 packets to tcp(3389)
   From 162.244.34.113 - 1 packet to tcp(3389)
   From 185.244.25.136 - 1 packet to udp(53413)
   From 195.29.61.46 - 3 packets to tcp(3389)
   From 200.116.108.65 - 1 packet to tcp(3389)
   From 212.129.41.52 - 1 packet to tcp(22)
   From 212.154.6.104 - 1 packet to tcp(23)
   From 218.204.51.186 - 3 packets to tcp(3389)

 ---------------------- iptables firewall End -------------------------

 ###################### Logwatch End #########################

_______________________________________________
Efw-user mailing list
Efw-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/efw-user
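
Added example, not part of the original post and not logwatch or Endian code: a small Python parser for syslog-prefixed netfilter log lines that runs the two checks the question calls for. The report above says "Date Range Processed: yesterday (2018-May-20)", so a whole-file line count is not comparable with it; the first function counts parseable packets per calendar day to show how much of the file falls in that window, and the second builds a logwatch-style "Listed by source hosts" summary for one day, counting only lines whose log prefix marks them as drops and (optionally) only one interface. The log lines in the block are constructed; the prefixes DROP_INPUT and FORWARD_ACCEPT are assumed stand-ins for whatever --log-prefix the real ruleset sets, and the year must be supplied because syslog timestamps carry none.

```python
"""Reconcile a netfilter log file with a one-day logwatch-style summary.

Added example, not logwatch or Endian code.  SAMPLE_LOG is constructed to
mimic syslog-prefixed netfilter output; the prefixes DROP_INPUT and
FORWARD_ACCEPT are assumed stand-ins for the ruleset's real --log-prefix.
"""
import re
from collections import Counter, defaultdict
from datetime import date

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
# netfilter prints TCP/UDP/ICMP by name and other protocols by number.
PROTO_NAMES = {"1": "icmp", "2": "igmp", "6": "tcp", "17": "udp"}

# Constructed sample: four days of traffic, one forwarded (accepted) packet.
SAMPLE_LOG = """\
May 18 22:10:01 wscfw kernel: DROP_INPUT IN=eth1 OUT= SRC=218.204.51.186 DST=203.0.113.5 PROTO=TCP SPT=40011 DPT=3389 SYN
May 18 22:10:02 wscfw kernel: DROP_INPUT IN=eth1 OUT= SRC=218.204.51.186 DST=203.0.113.5 PROTO=TCP SPT=40012 DPT=3389 SYN
May 19 09:00:00 wscfw kernel: DROP_INPUT IN=eth1 OUT= SRC=195.29.61.46 DST=203.0.113.5 PROTO=TCP SPT=55000 DPT=3389 SYN
May 20 01:02:03 wscfw kernel: DROP_INPUT IN=eth1 OUT= SRC=23.23.241.229 DST=203.0.113.5 PROTO=TCP SPT=51234 DPT=3389 SYN
May 20 01:02:04 wscfw kernel: DROP_INPUT IN=eth1 OUT= SRC=23.23.241.229 DST=203.0.113.5 PROTO=TCP SPT=51235 DPT=3389 SYN
May 20 04:30:00 wscfw kernel: DROP_INPUT IN=eth1 OUT= SRC=212.129.41.52 DST=203.0.113.5 PROTO=TCP SPT=4444 DPT=22 SYN
May 20 05:00:00 wscfw kernel: DROP_INPUT IN=eth1 OUT= SRC=185.244.25.136 DST=203.0.113.5 PROTO=UDP SPT=1024 DPT=53413
May 20 06:00:00 wscfw kernel: DROP_INPUT IN=eth1 OUT= SRC=10.1.10.1 DST=224.0.0.1 PROTO=2
May 20 07:00:00 wscfw kernel: FORWARD_ACCEPT IN=eth1 OUT=eth0 SRC=198.51.100.7 DST=10.1.10.5 PROTO=TCP SPT=3000 DPT=3389 SYN
May 21 00:00:01 wscfw kernel: DROP_INPUT IN=eth1 OUT= SRC=49.51.85.194 DST=203.0.113.5 PROTO=TCP SPT=6000 DPT=3389 SYN
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d+) [\d:]+ \S+ kernel: "
    r"(?:\[[^\]]*\] )?"                      # optional kernel uptime stamp
    r"(?P<prefix>[^=]*?)\s*IN=(?P<iface>\S*) "
    r".*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: .*?DPT=(?P<dpt>\d+))?")            # no DPT for igmp, icmp, ...


def parse_line(line, year):
    """Return the fields a summary needs, or None for lines in another format."""
    m = LINE_RE.match(line)
    mon = MONTHS.get(m["mon"]) if m else None
    if mon is None:
        return None
    proto = m["proto"].lower()
    return {
        "date": date(year, mon, int(m["day"])).isoformat(),
        "prefix": m["prefix"].strip(),
        "iface": m["iface"],
        "src": m["src"],
        "proto": PROTO_NAMES.get(proto, proto),
        "dpt": int(m["dpt"]) if m["dpt"] else 0,   # logwatch prints 0 when portless
    }


def packets_per_day(log_text, year):
    """Parseable lines per ISO day: the first check when a whole-file line
    count disagrees with a report that covers a single day."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line, year)
        if rec is not None:
            counts[rec["date"]] += 1
    return counts


def summarize(log_text, year, day, prefix_marker="DROP", iface=None):
    """Per-source counts of dropped packets for one ISO day ('2018-05-20').

    Only lines whose log prefix contains prefix_marker count; a rule logging
    under some other prefix contributes nothing, which is exactly the kind of
    silent mismatch to rule out when a report looks too small.
    """
    by_src = defaultdict(Counter)
    total = 0
    for line in log_text.splitlines():
        rec = parse_line(line, year)
        if rec is None or rec["date"] != day:
            continue
        if prefix_marker.upper() not in rec["prefix"].upper():
            continue
        if iface is not None and rec["iface"] != iface:
            continue
        by_src[rec["src"]][(rec["proto"], rec["dpt"])] += 1
        total += 1
    return total, dict(by_src)


def _ip_key(addr):
    # Numeric order for IPv4; anything else (e.g. IPv6) sorts after it.
    try:
        return (0, tuple(int(o) for o in addr.split(".")))
    except ValueError:
        return (1, addr)


def _describe(services):
    """Render {(proto, port): n} the way logwatch does: tcp(22,3389), igmp(0)."""
    ports = defaultdict(set)
    for proto, dpt in services:
        ports[proto].add(dpt)
    return ", ".join(f"{p}({','.join(str(x) for x in sorted(ports[p]))})"
                     for p in sorted(ports))


def format_summary(total, by_src, iface="eth1"):
    lines = [f"Dropped {total} packets on interface {iface}"]
    for src in sorted(by_src, key=_ip_key):
        n = sum(by_src[src].values())
        plural = "s" if n != 1 else ""
        lines.append(f"   From {src} - {n} packet{plural} to {_describe(by_src[src])}")
    return "\n".join(lines)


if __name__ == "__main__":
    for day, n in sorted(packets_per_day(SAMPLE_LOG, 2018).items()):
        print(f"{day}: {n} packets logged")
    total, by_src = summarize(SAMPLE_LOG, 2018, "2018-05-20", iface="eth1")
    print(format_summary(total, by_src))
```

Run against the real file with the matching year, the per-day counts show how many of the 27,822 lines fall on 2018-05-20 at all, and the summary shows how many of those carry a prefix the filter treats as a drop on eth1. Real lines also carry MAC=, LEN=, TTL= and similar fields, which the regex skips over. Which files the logwatch iptables service reads is set in its logwatch service configuration and the logfile groups it names, so a firewall that writes to /var/log/firewall needs that path listed there before the report can cover it.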