It is always a good idea , when implementing open source firewall implementations (iptables, pf, etc), to build in as much reporting and verbosity as possible.
Having verbose reports on the state of your firewall, intrusion attempts and other information is key to ensuring the health and integrity of your network.
Somewhere along the line, we wrote a script to provide daily reports on intrusion attempts to penetrate our network — this usually happens when someone exceeds certain connection thresholds.
It may not be the most informative data, but the script can be modified to provide other important statistical information. It can also be modified to be used with other firewall implementations. I’m certain it wouldn’t be hard to convert this script to utilise iptables.
Below you will find the script itself — it can be set to run daily as a cronjob perhaps. Also note that the script tries to resolve a hostname for the IP address to at least provide some quick & easy information to the security administrators when determining coordinated attacks or attacks coming from compromised systems.
#!/bin/bash
# SDH PFCTL Daily Hack Table check
yesterday1=`date -v -1d +"%b"`
yesterday2=`date -v -1d +"%e"`
yesterday_display=`date -v -1d +"%b %d %Y"`
echo "" > /var/log/tablecheck.log
/sbin/pfctl -vvsTables > /var/log/pfctltables.log
echo "Firewall Table Audit: " $yesterday_display >> /var/log/tablecheck.log
echo -e "----------------------------------">> /var/log/tablecheck.log
echo -e "" >> /var/log/tablecheck.log
for obj0 in $(cat /var/log/pfctltables.log | grep "-pa-r-" | awk -F "t" '{printf "%sn", $2}');
do
echo -e $obj0 "TABLE" >> /var/log/tablecheck.log
echo -e "--------------" >> /var/log/tablecheck.log
# this is because the date command outputs single digit non-aligned right, but pfctl doesnt display that way :(
if [ "$yesterday2" -le 9 ]
then
/sbin/pfctl -t $obj0 -Tshow -vv | grep -A 4 -B 1 "$yesterday1 $yesterday2" >> /var/log/tablecheck.log 2>&1
else
/sbin/pfctl -t $obj0 -Tshow -vv | grep -A 4 -B 1 "$yesterday1 $yesterday2" >> /var/log/tablecheck.log 2>&1
fi
if [ "$?" -eq 1 ]
then
echo -e "No values found for yesterday" >> /var/log/tablecheck.log
echo -e "" >> /var/log/tablecheck.log
else
echo -e "Hostnames :" >> /var/log/tablecheck.log
for obj1 in $(/sbin/pfctl -t $obj0 -Tshow -vv | grep -B 1 "$yesterday1 $yesterday2" | grep -v "Cleared" | grep -v "--");
do
iphostnm=`/usr/bin/nslookup $obj1 | grep -A1 "Non-authoritative answer" | grep "name" | awk -F "=" '{printf "%sn", $2}'`
if [ "$?" -eq 0 ]
then
echo -e "$obj1 / $iphostnm" >> /var/log/tablecheck.log
else
echo -e "$obj1 / No host name found" >> /var/log/tablecheck.log
fi
done
echo -e "" >> /var/log/tablecheck.log
fi
done
cat /var/log/tablecheck.log | mail -s "Firewall Table Report" you@youremail.com
Enjoy!
