How I analyzed my firewall log file
Since quite some time now, I have been noticing a terrible lack of performance on my Macbook Pro. So yesterday I decided to enable a full firewall, thinking that maybe there was some intruder on my machine. Much to my surprise the logfile showed continuous attack to access some ports, especially 46585 (gtkam?). Hence I decided to notify the providers associated to the IPs that were recorded responsible for the attacks. Since it is a rather long and cumbersome process, I will now here give the few command lines that help a bit in selecting which IPs to investigate further.
I am assuming the format of the logfile is the one produced on the Mac OSX, namely an entry line looks like:
Jul 16 17:16:49 supersoulfighter Firewall[264]: Deny vnetd connecting from 212.181.162.139:58547 to port 42048 proto=6 Jul 16 17:48:46 supersoulfighter Firewall[264]: Stealth Mode connection attempt to UDP 192.168.1.70:46585 from 129.16.225.20:34559
I also decided to only address the Stealth Mode connection attempt, hence I select only those lines out of the logfile with a simple grep:
grep Stealth appfirewall.log > stealth.text
Next you may sort the file so all the same IPs are bundled together:
sort --key=10.1 stealth.text > stealth_sorted.text
If you want to just see the IPs displayed once, you run
uniq -c -s 110 stealth_sorted.text > uniq_stealth_sorted.text
where the number of occurrences of the same IPs appears as the first digit in each line, if you sort it, you get the rankings of the attackers. In my case, from this morning's log, those with highest hits:
31 Jul 16 18:33:09 supersoulfighter Firewall[264]: Stealth Mode connection attempt to UDP 192.168.1.70:46585 from 85.210.46.84:4930 37 Jul 16 17:09:12 supersoulfighter Firewall[264]: Stealth Mode connection attempt to UDP 192.168.1.70:46585 from 129.16.225.20:34559 40 Jul 16 17:09:54 supersoulfighter Firewall[264]: Stealth Mode connection attempt to UDP 192.168.1.70:46585 from 89.27.96.242:3346 41 Jul 16 17:16:34 supersoulfighter Firewall[264]: Stealth Mode connection attempt to UDP 192.168.1.70:46585 from 37.14.115.113:11166 42 Jul 16 17:09:25 supersoulfighter Firewall[264]: Stealth Mode connection attempt to UDP 192.168.1.70:46585 from 82.181.65.254:20585 42 Jul 16 17:15:01 supersoulfighter Firewall[264]: Stealth Mode connection attempt to UDP 192.168.1.70:46585 from 128.214.170.37:34661 43 Jul 16 17:12:17 supersoulfighter Firewall[264]: Stealth Mode connection attempt to UDP 192.168.1.70:46585 from 83.34.225.54:13826 44 Jul 16 17:15:13 supersoulfighter Firewall[264]: Stealth Mode connection attempt to UDP 192.168.1.70:46585 from 88.71.231.170:2657 45 Jul 16 18:03:42 supersoulfighter Firewall[264]: Stealth Mode connection attempt to UDP 192.168.1.70:49262 from 192.168.1.1:53 51 Jul 16 17:15:40 supersoulfighter Firewall[264]: Stealth Mode connection attempt to UDP 192.168.1.70:46585 from 93.222.195.3:63810
My next step would be to run whois on those IPs and notify the abuse e-mail contact of misbehavior, hoping that measures are taken to prevent misusage of the Net.
- olga.caprotti's blog
- Login to post comments
The views expressed in this blog are personal and do not in any way reflect the view of the MOLTO Consortium
What links here
No backlinks found.
