Logging and Monitoring
Effective firewall management requires comprehensive logging and monitoring. Both iptables and UFW provide logging capabilities, but configuring them appropriately ensures you capture security-relevant events without overwhelming your system with log data.
Configure iptables logging:
# Create a dedicated chain that logs, then drops
sudo iptables -N LOGGING
# Rate-limit log entries so a flood cannot fill the disk (2 lines/min after the initial burst)
sudo iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables-dropped: " --log-level 4
sudo iptables -A LOGGING -j DROP
# Append this as the last INPUT rule so only packets not matched by an earlier ACCEPT rule reach the logging chain
sudo iptables -A INPUT -j LOGGING
UFW logging configuration:
# Set logging level (off, low, medium, high, full)
sudo ufw logging medium
# View UFW logs
sudo tail -f /var/log/ufw.log
# Count blocked packets per source address (the SRC= field; the last field of a line is usually URGP=0 and carries no useful information)
grep "\[UFW BLOCK\]" /var/log/ufw.log | grep -oE 'SRC=[0-9.]+' | cut -d= -f2 | sort | uniq -c | sort -nr
Implement log analysis scripts:
#!/bin/bash
# Analyze firewall logs for suspicious activity.
# Assumes the "iptables-dropped: " LOG prefix configured above; kernel messages
# land in /var/log/syslog on Debian/Ubuntu (use journalctl -k on systemd-only hosts).
LOG_FILE=/var/log/syslog
# Find top blocked IPs (dropped packets aimed at the web ports)
echo "Top 10 Blocked IPs:"
grep "iptables-dropped:" "$LOG_FILE" | grep -E "DPT=(80|443) " | grep -oE 'SRC=[0-9.]+' | cut -d= -f2 | sort | uniq -c | sort -nr | head -10
# Detect port scanning: sources with more than 20 dropped TCP/UDP packets
echo "Potential Port Scans:"
grep "iptables-dropped:" "$LOG_FILE" | grep "DPT=" | grep -oE 'SRC=[0-9.]+' | cut -d= -f2 | sort | uniq -c | awk '$1 > 20 {print $2 " - " $1 " attempts"}'
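The shell pipelines above treat the log as flat text; the same analysis done with a small parser for the netfilter key=value format (the lines produced by the "iptables-dropped: " and "[UFW BLOCK]" prefixes) is an added example, not part of the original page. The sample log lines, the marker list and the threshold values are constructed for illustration; it also flags scans by distinct destination ports per source, which the shell version does not.

```python
import re
from collections import defaultdict

# Constructed sample lines in the netfilter LOG key=value format, one UFW
# audit line and one unrelated sshd line to show what the parser must skip.
SAMPLE_LOG = """\
Jan 10 12:00:01 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TOS=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=22 SYN URGP=0
Jan 10 12:00:02 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40002 DPT=23 SYN URGP=0
Jan 10 12:00:03 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40003 DPT=25 SYN URGP=0
Jan 10 12:00:04 host kernel: iptables-dropped: IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51000 DPT=443 SYN URGP=0
Jan 10 12:00:05 host kernel: iptables-dropped: IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51001 DPT=443 SYN URGP=0
Jan 10 12:00:06 host sshd[123]: Accepted publickey for alice from 192.0.2.9 port 5000 ssh2
Jan 10 12:00:07 host kernel: [UFW AUDIT] IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=UDP SPT=5353 DPT=5353 LEN=40
"""

# Prefixes that mark a dropped packet (from the UFW and iptables setups above).
BLOCK_MARKERS = ("[UFW BLOCK]", "iptables-dropped:")
# Netfilter fields are upper-case KEY=VALUE tokens; flags like DF or SYN have no '='.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_blocked(lines):
    """Yield {field: value} dicts for lines that record a dropped packet."""
    for line in lines:
        if not any(marker in line for marker in BLOCK_MARKERS):
            continue  # accepted traffic, UFW AUDIT lines, non-firewall noise
        fields = dict(FIELD_RE.findall(line))
        if "SRC" in fields and "DPT" in fields:  # ICMP lines carry no DPT
            yield fields

def top_blocked_sources(lines, limit=10):
    """Return [(source_ip, dropped_packets)] sorted by count, then address."""
    counts = defaultdict(int)
    for fields in parse_blocked(lines):
        counts[fields["SRC"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]

def port_scan_candidates(lines, min_ports=3):
    """Sources dropped on at least min_ports distinct (proto, port) pairs.
    Counting distinct ports rather than raw attempts avoids flagging one
    client that simply retries a single blocked service."""
    ports = defaultdict(set)
    for fields in parse_blocked(lines):
        ports[fields["SRC"]].add((fields.get("PROTO", "?"), fields["DPT"]))
    return {src: len(p) for src, p in ports.items() if len(p) >= min_ports}

if __name__ == "__main__":
    log_lines = SAMPLE_LOG.splitlines()
    print("Top blocked sources:", top_blocked_sources(log_lines))
    print("Port scan candidates:", port_scan_candidates(log_lines))
```

Because the LOGGING chain above rate-limits to 2 entries per minute, every count derived from the log is a lower bound on the traffic actually dropped; raise the limit (or log to a separate file) if you rely on these counts for alerting.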