27th December 2003 Ian Wells
This is a How-To for My NetWatchman, which aggregates intrusion information and escalates it to the relevant ISP with some success.
In simpler terms, it monitors your firewall log and sends details of denied packets to the My NetWatchman database.
My NetWatchman collects information from over 1000 clients and escalates suspicious behaviour to the relevant ISP.
For more information see the vision.
The registration is free and quick, via the registration page.
Download the Perl agent from http://www.mynetwatchman.com/setup.asp
The current RPM is mnwclient-1.12-1.noarch.rpm.
# rpm -Uvh mnwclient-1.12-1.noarch.rpm
# ln -s /etc/rc.d/init.d/e-smith-service /etc/rc7.d/S86mnwclient
# vi /etc/mnwclient.rc
The following fields need to be changed:

login bob@null.net        Change this to your mnwclient login
password sekret           Change this to your mnwclient password
interface ppp0            Change this to your external interface, e.g. eth1. If in doubt check /etc/init.d/masq for the constant OUTERIF.
# /sbin/e-smith/db configuration setprop masq Logging most
# /sbin/e-smith/signal-event remoteaccess-update
# /etc/init.d/mnwclient start
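A post-install sanity check, added here as an example and not part of the original how-to or of mnwclient itself: it confirms that the example login and password from the table above have been replaced and that the interface in /etc/mnwclient.rc matches OUTERIF in /etc/init.d/masq. It assumes the rc file uses the "key value" lines shown above and that masq sets OUTERIF with a plain OUTERIF=... assignment; both file paths are passed as arguments so the check can also run against copies.

```shell
#!/bin/sh
# Sanity check for the mnwclient configuration described in the how-to.
# Assumptions (not from the page): /etc/mnwclient.rc holds "key value" lines
# as shown above, and /etc/init.d/masq sets the external interface with a
# line of the form OUTERIF=ppp0.

# rc_value FILE KEY -> prints the value of KEY from an mnwclient.rc-style file
rc_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# masq_outerif FILE -> prints the OUTERIF value set in the masq init script
masq_outerif() {
    sed -n 's/^[[:space:]]*OUTERIF=["'\'']*\([^"'\'' ]*\).*/\1/p' "$1" | head -n 1
}

# check_mnwclient RCFILE MASQFILE -> returns 0 if the config looks sane,
# 1 otherwise, printing one line per problem found.
check_mnwclient() {
    rc=$1; masq=$2; status=0
    login=$(rc_value "$rc" login)
    password=$(rc_value "$rc" password)
    iface=$(rc_value "$rc" interface)
    outerif=$(masq_outerif "$masq")

    # The example credentials from the how-to must have been replaced,
    # otherwise uploads will be rejected or attributed to the wrong account.
    if [ -z "$login" ] || [ "$login" = "bob@null.net" ]; then
        echo "login is missing or still the example value"; status=1
    fi
    if [ -z "$password" ] || [ "$password" = "sekret" ]; then
        echo "password is missing or still the example value"; status=1
    fi
    # The monitored interface must be the external one the firewall logs on,
    # otherwise denied packets are never reported (or the wrong ones are).
    if [ -z "$iface" ]; then
        echo "interface is not set"; status=1
    elif [ -n "$outerif" ] && [ "$iface" != "$outerif" ]; then
        echo "interface $iface does not match OUTERIF=$outerif in $masq"; status=1
    fi
    return $status
}
```

Run it as `check_mnwclient /etc/mnwclient.rc /etc/init.d/masq` before starting the service; a non-zero exit means something in the table above was not changed correctly.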
The manual page can be found at /usr/doc/mnwclient-1.12/mnwclient.html
mnwclient has its own log file, mnwclient.log, which you can see from the Server Manager.
After a while you should see entries in /var/log/mnwclient.log like the one below
Dec 22 15:02:50 mnwclient[8003]: upload 3 event(s) from 217.85.220.64:1917 to 80.6.38.142:81/tcp successful.
This guide will work on SME 5.12 with one minor change: the chain must be specified in /etc/mnwclient.rc
chain denylog
Copyright © 2003 Ian Wells
The original can be found at http://www.wellsi.com/sme
Please send additions & corrections to me.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Text and no Back-Cover Text.
A copy of the GNU Free Documentation License is available from the Free Software Foundation at http://www.fsf.org/copyleft/fdl.html.