Linode Community Forums
PostPosted: Tue Jun 01, 2004 4:13 pm 
Junior Member

Joined: Mon May 10, 2004 9:55 am
Posts: 33
I recently received a node, and implemented my iptables firewall, and was overwhelmed by the amount of scanning and probing of my IP. The kernel logs are getting full quickly!

I am capable of reading and understanding the logs, but was wondering if anyone has a good suggestion of software that compiles it together and generates a nice summary or, preferably, some type of graphical analysis of what people are looking for, and who and where they are connecting from.

Anyone have a solution that they like and could recommend? I see Gentoo (my distribution) has an emerge for fwlogwatch. Anyone have any experiences with that?


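As an added example (not code from any poster in this thread), here is the kind of digest the original question is asking for: a small Python script that parses the KEY=VALUE lines the netfilter LOG target writes to the kernel log and tallies sources, protocols and destination ports. The log lines are constructed for the example and use documentation address ranges.

```python
import re
from collections import Counter

# Constructed sample lines in netfilter LOG format (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
Jun  1 15:42:10 li-node kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=48 TTL=113 PROTO=TCP SPT=3122 DPT=445 SYN
Jun  1 15:42:11 li-node kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=48 TTL=113 PROTO=TCP SPT=3123 DPT=139 SYN
Jun  1 15:43:02 li-node kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.5 LEN=60 TTL=52 PROTO=TCP SPT=40212 DPT=22 SYN
Jun  1 15:43:09 li-node kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.5 LEN=60 TTL=52 PROTO=TCP SPT=40213 DPT=22 SYN
Jun  1 15:44:30 li-node kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=29 TTL=113 PROTO=UDP SPT=1026 DPT=1434
Jun  1 15:45:00 li-node kernel: martian source 203.0.113.5 from 10.0.0.1, on dev eth0
Jun  1 15:45:12 li-node kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.5 LEN=84 TTL=240 PROTO=ICMP TYPE=8 CODE=0
"""
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=VALUE pairs; OUT= may legitimately be empty

def parse_line(line):
    """Return the KEY=VALUE fields of one netfilter LOG line, or None for other kernel messages."""
    if " kernel: " not in line or "SRC=" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    fields["timestamp"] = line[:15]  # syslog "Mon dd hh:mm:ss" prefix
    return fields

def summarize(text, top=5):
    """Count logged packets by source address, protocol and destination port."""
    by_src, by_proto, by_port = Counter(), Counter(), Counter()
    total = 0
    for line in text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        total += 1
        by_src[f["SRC"]] += 1
        by_proto[f.get("PROTO", "?")] += 1
        if "DPT" in f:  # ICMP lines carry TYPE/CODE instead of a destination port
            by_port[(f["PROTO"], int(f["DPT"]))] += 1
    return {"total": total, "sources": by_src.most_common(top),
            "protocols": by_proto.most_common(top), "ports": by_port.most_common(top)}

def render(summary):
    out = [f"{summary['total']} logged packets"]
    out.append("sources:   " + ", ".join(f"{s} ({n})" for s, n in summary["sources"]))
    out.append("protocols: " + ", ".join(f"{p} ({n})" for p, n in summary["protocols"]))
    out.append("ports:     " + ", ".join(f"{p}/{d} ({n})" for (p, d), n in summary["ports"]))
    return "\n".join(out)

if __name__ == "__main__":
    print(render(summarize(SAMPLE_LOG)))
```

Feed it the real file (for example `summarize(open("/var/log/kernel.log").read())`) to get the same digest over live data; non-LOG kernel messages are skipped rather than miscounted.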
 Post subject: TARPIT
PostPosted: Tue Jun 01, 2004 6:36 pm 
Senior Newbie

Joined: Fri May 07, 2004 9:00 am
Posts: 9
Website: http://www.akins.org
It would be cool if we had a kernel with the TARPIT target. It is helpful in slowing down the script kiddies.

You may want to check out snort.


PostPosted: Thu Jun 03, 2004 7:22 am 
Linode Staff

Joined: Tue Apr 15, 2003 6:24 pm
Posts: 3090
Website: http://www.linode.com/
Location: Galloway, NJ
I've never used one of these tools, but here is what I found googling and searching on freshmeat.net:

http://freshmeat.net/projects/netfilter_log_analyzer/
http://freshmeat.net/projects/netfilter2html/
http://freshmeat.net/projects/lire/
http://freshmeat.net/projects/fwanalog/
http://freshmeat.net/projects/logrep/

Let us know how it goes.

-Chris


PostPosted: Thu Jun 10, 2004 5:20 pm 
Senior Newbie

Joined: Mon Dec 08, 2003 1:46 pm
Posts: 19
Location: Socal
ACID (Analysis Console for Intrusion Databases) is a good tool too that works along with snort (mentioned earlier) to make sense of the madness...

http://www.andrew.cmu.edu/user/rdanyliw ... tacid.html

Then get swatch to text message you every time a Sasser worm probes - you won't get any sleep all night...


PostPosted: Sat Jun 12, 2004 5:00 pm 
Senior Member

Joined: Thu Apr 08, 2004 3:24 pm
Posts: 92
Website: http://www.unixfool.com
Location: VA
I use Snort with ACID at home and also at work. So does my roommate.

We've found that Snort is a powerful analysis tool but also resource intensive. To use ACID, you'll have to have Snort report to a SQL database. Depending on how much you're logging and how well you've tuned your ruleset, your SQL database can become enormous. Pulling data from a SQL database from a linode would probably tax a connection, but I'm just guessing at this. Snort can be configured a multitude of ways. Snort could log to a database that is on a machine that's in your home, but again, this will probably hog bandwidth. I don't know what's worse in this case: using a bandwidth-intensive tool or logging tons of data to a database, then accessing that database from a remote location. Trimming down your Snort install's ruleset will keep alerts down to a manageable level... also, the latest Snort version has thresholding.

There's a script that you can use with Snort: SnortSnarf. You can have Snort report to a log file instead of a database, then have SnortSnarf parse the log, letting it create HTML pages for you to view from a web server.

Just throwing you a few ideas. Snort may work for you...and it has tons of add-ons that can be used to enhance it.


PostPosted: Tue Jun 15, 2004 1:56 am 
Senior Member

Joined: Sat Jan 03, 2004 7:34 pm
Posts: 71
Website: http://www.darkforestmud.net
Location: Oregon
I use Snort as an IDS with very good results. I also run portsentry, which is basically a port scan detector but also automatically blocks the IP address when it detects a port scan.


PostPosted: Sun Mar 12, 2006 12:27 pm 
Senior Member

Joined: Thu Apr 08, 2004 3:24 pm
Posts: 92
Website: http://www.unixfool.com
Location: VA
asura wrote:
I use Snort as an IDS with very good results. I also run portsentry, which is basically a port scan detector but also automatically blocks the IP address when it detects a port scan.


Do you run this on your Linode?
