SME Pages wellsi.com


mnwclient for SME

27th December 2003 Ian Wells

What is mnwclient

This is a How-To for My NetWatchman, which aggregates intrusion information and escalates it to the relevant ISP, with some success.

In simpler terms, it monitors your firewall log and sends details of denied packets to the My NetWatchman database. My NetWatchman collects information from over 1000 clients and escalates suspicious behaviour to the relevant ISP.

For more information see the vision.

Preparation

  1. Register on the My NetWatchman site

     The registration is free and quick, via the registration page.

  2. Download the Perl agent RPM

     Download the Perl agent from http://www.mynetwatchman.com/setup.asp
     The current RPM is mnwclient-1.12-1.noarch.rpm.

Installation

  1. Install the RPM
     # rpm -Uvh mnwclient-1.12-1.noarch.rpm

  2. Make a link in /etc/rc7.d to start the client on startup
     # ln -s /etc/rc.d/init.d/e-smith-service /etc/rc7.d/S86mnwclient

  3. Edit the configuration file /etc/mnwclient.rc using your favourite editor.
     # vi /etc/mnwclient.rc

     The following fields need to be changed:

     Field      Sample value   Change this to
     login      bob@null.net   your mnwclient login
     password   sekret         your mnwclient password
     interface  ppp0           your external interface, e.g. eth1

     If in doubt, check /etc/init.d/masq for the constant OUTERIF.

  4. Increase the firewall logging, as the client works by checking /var/log/messages
     # /sbin/e-smith/db configuration setprop masq Logging most
     # /sbin/e-smith/signal-event remoteaccess-update

  5. Start the service
     # /etc/init.d/mnwclient start

Further Information

The manual page can be found at /usr/doc/mnwclient-1.12/mnwclient.html

mnwclient has its own log file, mnwclient.log, which you can see from the Server Manager.

After a while you should see entries in /var/log/mnwclient.log like the one below:

    Dec 22 15:02:50 mnwclient[8003]: upload 3 event(s) from 217.85.220.64:1917 to 80.6.38.142:81/tcp successful.

SME 5.12

This guide will work on SME 5.12 with one minor change: the chain must be specified in /etc/mnwclient.rc

    chain denylog
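
A quick post-install check for the steps above, as an added example that is not part of the original guide or of the mnwclient package. It flags a configuration file that still carries the sample login or password, a missing interface (or, on SME 5.12, a missing chain), and totals the events reported by successful upload lines in the log. It assumes /etc/mnwclient.rc holds one "key value" pair per line, as in the fields shown above; the function names and the sme5.12 argument are made up for this example.

```shell
#!/bin/sh
# Added example, not part of mnwclient. Assumes "key value" lines in the rc file.

# rc_value FILE KEY: print the value of the last uncommented "KEY value" line.
rc_value() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# check_mnwclient_rc FILE [sme5.12]: print one line per problem and return
# the number of problems (0 means the file passed).
check_mnwclient_rc() {
    rc=$1; problems=0
    login=$(rc_value "$rc" login)
    password=$(rc_value "$rc" password)
    iface=$(rc_value "$rc" interface)
    chain=$(rc_value "$rc" chain)
    if [ -z "$login" ] || [ "$login" = "bob@null.net" ]; then
        echo "login is unset or still the sample value"; problems=$((problems + 1))
    fi
    if [ -z "$password" ] || [ "$password" = "sekret" ]; then
        echo "password is unset or still the sample value"; problems=$((problems + 1))
    fi
    if [ -z "$iface" ]; then
        echo "interface is unset"; problems=$((problems + 1))
    fi
    # SME 5.12 only: the chain must be named in the rc file.
    if [ "$2" = "sme5.12" ] && [ -z "$chain" ]; then
        echo "chain is unset (needed on SME 5.12)"; problems=$((problems + 1))
    fi
    return "$problems"
}

# uploaded_events LOG: print the total number of events reported by
# "upload N event(s) ... successful." lines written by mnwclient.
uploaded_events() {
    awk '/mnwclient\[[0-9]+\]: upload [0-9]+ event\(s\) .* successful\.$/ {
             for (i = 1; i < NF; i++) if ($i == "upload") total += $(i + 1)
         } END { print total + 0 }' "$1"
}

# Usage on the server (as root):
#   check_mnwclient_rc /etc/mnwclient.rc && uploaded_events /var/log/mnwclient.log
```

A total of 0 some time after start-up means no successful upload has been logged yet; check that the firewall logging change from the installation steps took effect.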