{"id":266,"date":"2013-02-15T16:27:16","date_gmt":"2013-02-15T08:27:16","guid":{"rendered":"http:\/\/play.datalude.com\/blog\/?p=266"},"modified":"2023-08-15T09:01:09","modified_gmt":"2023-08-15T01:01:09","slug":"ufw-script-for-logwatch","status":"publish","type":"post","link":"https:\/\/play.datalude.com\/blog\/2013\/02\/ufw-script-for-logwatch\/","title":{"rendered":"UFW script for Logwatch"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">I enabled UFW on an Ubuntu server recently and started getting all manner of stuff in my logwatch reports. It activated a section called 'iptables' and started logging every line in syslog with [UFW BLOCK] in it. It was marginally interesting, but not really worth the space devoted to it, so I decided to write a little script to parse the UFW log and summarise the top Blocked Hosts and top Blocked Ports. Therefore I could easily see if there was a change in pattern.<\/p>\n\n\n\n<!--more-->\n\n\n\n<p class=\"wp-block-paragraph\">Turns out one of the hardest things to do was to turn off the iptables report. My setup on Ubuntu (your mileage may vary with other distros) was just to put all the config into \/etc\/logwatch\/conf\/override.conf. Changing MailTo, MailFrom etc in that file worked fine. 
But apparently the commands to turn off reports don't work in that file, so the first thing I had to do was to create a new \/etc\/logwatch\/conf\/logwatch.conf file by copying it from the default directory, and adding my config items from override.conf to it.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cp \/usr\/share\/logwatch\/default.conf\/logwatch.conf \/etc\/logwatch\/conf\/\nnano \/etc\/logwatch\/conf\/logwatch.conf<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The magic line you need to add is:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Service = \"-iptables\"<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">&#8211; the minus sign turns it off, which I suppose makes sense.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">OK, now that the big iptables report is gone, we need to write a quick bash script to run through \/var\/log\/syslog (or ufw.log) and throw out some info. You can apparently write logwatch scripts in any language &#8211; php, shell, perl etc &#8211; as long as they write something to standard output: whatever they would print to the terminal, in other words.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So here's what I came up with. Not elegant, but it works. 
If you copy it from this page, make sure you swap curly quotes for straight ones:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#!\/bin\/bash\n# UFW log analyser: summarise the last 24 hours of [UFW BLOCK] lines for logwatch\n\nLOGFILE=\/var\/log\/syslog\n# Syslog stamps look like \"Feb  4 06:43:32\", so %_d gives the space-padded day\nFROMDATE=$(date --date=\"1 day ago\" +\"%b %_d %H\")\nFROMLINE=$(grep -n \"${FROMDATE}\" \"${LOGFILE}\" | head -n 1 | cut -d: -f1)\n\n# Need to catch it if there are less than 24 hours of logs, and analyse the whole file.\nif [ -z \"${FROMLINE}\" ] ; then\n    FROMDATE=$(head -n 1 \"${LOGFILE}\" | awk '{ print $1 \" \" $2 \" \" $3 }')\n    FROMLINE=1\nfi\n\nTOTALEVENTS=$(tail -n +\"${FROMLINE}\" \"${LOGFILE}\" | grep -c \"UFW BLOCK\")\necho \"==== Processing ${LOGFILE}  ======\"\necho \"Starting Date = ${FROMDATE}:00 (Line ${FROMLINE})\"\necho \"Total Events = ${TOTALEVENTS}\"\necho\necho \"==== 20 Commonest Ports Blocked ============\"\necho \"  Tries   Port\"\n# Keep only the destination port; ICMP lines carry no DPT= and drop out here\ntail -n +\"${FROMLINE}\" \"${LOGFILE}\" | grep \"UFW BLOCK\" | grep -o 'DPT=[0-9]*' | cut -d= -f2 | sort -n | uniq -c | sort -nr | head -n 20\necho\necho \"==== 20 Commonest Hosts Blocked ============\"\necho \"  Tries   Host\"\n# Keep only the source address\ntail -n +\"${FROMLINE}\" \"${LOGFILE}\" | grep \"UFW BLOCK\" | grep -o 'SRC=[^ ]*' | cut -d= -f2 | sort | uniq -c | sort -nr | head -n 20<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The script itself goes in \/etc\/logwatch\/scripts\/services\/ufw, and you'll need to chmod 750 it to make it executable.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">You also need a tiny conf file in \/etc\/logwatch\/conf\/services\/ufw.conf<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Title = \"UFW Summary\"\nLogfile = NONE<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">So that just about does it. 
The output looks something like this<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>==== Processing \/var\/log\/syslog  ======\nStarting Date = Feb 14 06:43:32:00 (Line 1)\nTotal Events = 105\n\n==== 20 Commonest Ports Blocked ============\nTries   Port\n18 1433\n14 58996\n10 3389\n9 3306\n7 5900\n7 23\n7 1080\n5 8080\n4 5060\n3 53\n3 4899\n3 22\n3 135\n2 808\n1 8888\n1 8443\n1 8081\n1 8000\n1 6060\n1 3129\n\n==== 20 Commonest Hosts Blocked ============\nTries   Host\n8 93.174.88.31\n7 58.3.0.55\n7 121.110.99.31\n6 88.225.226.167\n4 220.249.99.147\n4 168.93.190.169\n3 62.249.146.46\n3 183.60.130.110\n2 92.243.110.235\n2 85.17.250.197\n2 60.28.255.179\n2 60.191.153.156\n2 54.241.54.66\n2 222.186.15.32\n2 205.204.85.97\n2 198.136.26.81\n2 189.2.20.70\n1 98.143.37.104\n1 94.102.49.213\n1 88.253.217.111<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>I enabled UFW on an Ubuntu server recently and started getting all manner of stuff in my logwatch reports. It activated a section called 'iptables' and started logging every line in syslog with [UFW BLOCK] in it. 
It was marginally interesting, but not really worth the space devoted to it, so I decided to write &#8230; <a title=\"UFW script for Logwatch\" class=\"read-more\" href=\"https:\/\/play.datalude.com\/blog\/2013\/02\/ufw-script-for-logwatch\/\" aria-label=\"Read more about UFW script for Logwatch\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","footnotes":""},"categories":[4,5],"tags":[],"class_list":["post-266","post","type-post","status-publish","format-standard","hentry","category-linux","category-security"],"_links":{"self":[{"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/posts\/266","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/comments?post=266"}],"version-history":[{"count":0,"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/posts\/266\/revisions"}],"wp:attachment":[{"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/media?parent=266"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/categories?post=266"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/tags?post=266"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}