Five hours worth of
My host, undernets.me, has been up since Sunday, September 8th.
root@undernets:~# uptime 17:35:47 up 57 days, 1:53, 2 users, load average: 0.00, 0.00, 0.00
The oldest log entry I have is dated Sep 29 06:40:15 so presumably either a. I didn’t turn on
ufw until three weeks after I first spun up the instance or b.
ufw deletes rolled logs after a certain amount of time.
Most likely it’s the latter. Logs that pile up with being deleted would eventually consume all available storage space. A friend and mentor taught me best practice is to mount
/var in it’s own partition for that very reason.
The Dev Ops engineer who taught me what little I know about this stuff was always adamant that a public-facing host be locked down to the greatest extent possible. If you don’t need it, keep it closed. Since the exercise didn’t require anything other than the ability to
ssh remotely, the only port I opened up was 22.
root@undernets:~# ufw status verbose Status: active Logging: on (low) Default: deny (incoming), allow (outgoing), disabled (routed) New profiles: skip To Action From -- ------ ---- 22/tcp (OpenSSH) ALLOW IN Anywhere 22/tcp (OpenSSH (v6)) ALLOW IN Anywhere (v6)
Now that I think of it, I can’t recall whether port 22 was open by default on the Digital Ocean image. Or for that matter, whether
ufw was enabled by default.
There were roughly 125K
ufw.log entries so I pulled approximately five hours worth worth of data from the end of the oldest log, 857 entries in all.
I poked around online a bit to try and figure out how to pull logs from a remote host over an
ssh tunnel. The easiest solution I found was a nifty bit of command line wizardry from user Florian Fida on a Unix & Linux Stack Exchange post.
ssh email@example.com 'cat /var/ufw.log' > /Downloads/ufw.log
I’m fairly certain this only works because the logs are plain text files and in this circumstance
cat is reading the content of the log rather than dealing with actually file transfer. If they were binaries,
sftp would be in order. I doubt
cat would be of any use.
Once the logs were local, I cleaned them up replacing (most) spaces with commas, changed the file sufix to .csv, and imported the data into a Google Sheet.
For my IP geolocation data I signed up with IP2Location for a demo API key good for 5,000 credits. I opted for IP2Location in part because they provide a nifty Google Sheets add-on for pulling geolocation information directly into the sheet using a simple spreadsheet function. I also opted for IP2Location because I’m woefully inept when it comes to tapping into web APIs and as far as I can tell the the only easy way to utilize Ipinfo.io via web interface is one IP address at a time.