INSPECTOR
DESCRIPTION
If you watch the logs of a Linux system that exposes some network
service such as ssh, ftp and/or http, you will have found records
like these:
HTTPd:
IP1 - - [03/Sep/2013:02:30:12 -0300] "GET http://algum.site.net/azenv.php HTTP/1.1" 404 207
IP2 - - [04/Sep/2013:07:03:17 -0300] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/elastix.conf%00&module=Accounts&ction HTTP/1.1" 304
SSH:
Sep 2 07:52:59 torrinha sshd[24901]: Did not receive identification string from IP3
Sep 3 15:01:23 torrinha sshd[13413]: Failed password for root from IP4 port 45170 ssh2
Sep 4 04:15:30 torrinha sshd[18357]: Failed password for invalid user test from IP5 port 49618 ssh2
POP3:
Sep 1 21:13:47 torrinha pop3d: LOGIN FAILED, user=www, ip=[IP5]
What are these records?
The first HTTPd record is a test for an open proxy: when HTTPd is
misconfigured, it will relay requests to other websites or services
(mainly SMTP) through your machine. The second record probes for a
vulnerability in the VTIGER CRM software (used in e-mail marketing):
the directory traversal ("../..") and the null byte (%00) in the
request try to read a file outside the web root, which could expose
the credentials/e-mails of internal lists.
In the SSH log, the first record indicates that IP3 scanned your
system looking for a service to exploit: it connected and went away
without sending an SSH identification string. In the second record,
IP4 tried the privileged account (root). The third record is
characteristic of a brute-force attack, where someone tests many
user names and passwords.
The POP3 record is likewise an attempt to guess user credentials.
As you can see, all of these records are malicious actions; they are
not the traces of friendly visitors.
The question is:
"how do you stop those actions"
if the services must remain active?
In personal safety it is "politically correct" to avoid any
confrontation with criminals. Security provided by professionals,
however, expects the target to be prepared for its own protection.
IT is no different, and one should accept two recommendations:
avoid confrontation, and keep the service active by using self-defense.
When the application itself does not offer such a mechanism, one
must look for support in other products.
One solution is an application that monitors the recorded events and
takes the targeted service out of the attacker's reach. That is
exactly what INSPECTOR does.
Inspector is a simple script that parses the Linux system logs at
short intervals (seconds), looking for records of malicious
actions, such as scanning and password-guessing attempts against
network applications that require authentication.
When it finds such a "signature", the aggressor's IP address is
blocked immediately via IPTABLES. Helper tools such as NetIptables
can also be activated.
The code was written in bash, and is available for download at:
Inspector.tar.gz
INSTALLATION
The tar ball reproduces the directory structure of the system; the
files it contains should be copied to the corresponding locations.
directory /etc
The file Inspector.whtlist contains the IP addresses of trusted
systems, which are never blocked. The syntax is simple and consists
only of the IP address.
directory /etc/init.d
Contains the file 'inspector', which starts Inspector as a service
on Linux distributions with System V style init (Red Hat,
OpenMandriva, SUSE, etc.). On systems that do not use that init
script (the BSDs such as FreeBSD and OpenBSD, and distributions such
as Debian and Ubuntu), add the command that starts the service to
rc.local:
/usr/sbin/Inspector.sh - &
directory /usr/sbin
/usr/sbin contains the code, Inspector.sh, written in bash, which
can be adjusted to your system.
The adjustment depends on which services are running and which of
them you wish to monitor. For that, look at the syntax of their log
records and update the search patterns accordingly.
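As an added illustration, not the Inspector.sh shipped in the tar ball nor any code from its author, the script below shows the detection loop described under DESCRIPTION together with the pattern table you would edit when adjusting the script to your services: it matches each log record against a small signature table, extracts the source address, skips addresses listed in Inspector.whtlist, prints the iptables command (or runs it and persists the table when DRY_RUN=0), and records every blocked address in the UPDLSTF list. The variable names and paths (WHTLIST, UPDLSTF, /etc/sysconfig/iptables) follow this README; the signatures, the one-address-per-line whitelist format, the DRY_RUN switch and the sample records are assumptions.

```bash
#!/bin/bash
# Added example, not the Inspector.sh shipped in the tar ball: a minimal
# detector in the same spirit. Variable names and paths follow the README;
# signatures, the whitelist format and DRY_RUN are assumptions.

WHTLIST="${WHTLIST:-/etc/Inspector.whtlist}"                  # trusted IPs, one per line (assumed format)
UPDLSTF="${UPDLSTF:-/var/www/html/inspector/listaIp.txt}"     # list of blocked IPs ("" disables it)
DRY_RUN="${DRY_RUN:-1}"                                       # 1 = print iptables commands, 0 = run them

# Search patterns, one extended regex per line. This is the table to edit when
# you add a service: copy a real record from its log and derive a pattern.
SIGNATURES='Did not receive identification string from
Failed password for
LOGIN FAILED, user=
"GET https?://
\.\./\.\./'
SIGNATURE=$(printf '%s' "$SIGNATURES" | tr '\n' '|')          # joined into one alternation

attacker_ip() {
  # $1 = one log record. Prints the first IPv4 address in the record when it
  # matches a signature, nothing otherwise. Always returns 0.
  if printf '%s\n' "$1" | grep -qE -- "$SIGNATURE"; then
    printf '%s\n' "$1" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1
  fi
  return 0
}

is_whitelisted() {
  # $1 = IP, $2 = whitelist file. Exact, whole-line match.
  [ -f "$2" ] && grep -qxF -- "$1" "$2"
}

block_ip() {
  # Insert a DROP rule for the source and persist the table, as the README
  # describes (/etc/sysconfig/iptables is the Red Hat family's location).
  if [ "$DRY_RUN" = 1 ]; then
    printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
  else
    iptables -I INPUT -s "$1" -j DROP && iptables-save > /etc/sysconfig/iptables
  fi
}

block_once() {
  # Block $1 unless it is trusted or already in the published list. In this
  # example the UPDLSTF file doubles as the memory of what was blocked; with
  # UPDLSTF="" every matching record triggers block_ip again.
  ip="$1"
  is_whitelisted "$ip" "$WHTLIST" && return 0
  if [ -n "$UPDLSTF" ] && [ -f "$UPDLSTF" ] && grep -qxF -- "$ip" "$UPDLSTF"; then
    return 0
  fi
  block_ip "$ip"
  if [ -n "$UPDLSTF" ]; then
    printf '%s\n' "$ip" >> "$UPDLSTF"
  fi
  return 0
}

scan_log() {
  # Reads log records on stdin (for example the lines that appeared since the
  # last poll, SLP seconds ago) and blocks each attacker once.
  while IFS= read -r rec; do
    ip=$(attacker_ip "$rec")
    if [ -n "$ip" ]; then
      block_once "$ip"
    fi
  done
  return 0
}

demo() {
  # Constructed sample records using RFC 5737 documentation addresses,
  # modelled on the records quoted in this README; they are not real log data.
  tmpd=$(mktemp -d)
  WHTLIST="$tmpd/Inspector.whtlist"
  UPDLSTF="$tmpd/listaIp.txt"
  DRY_RUN=1
  printf '203.0.113.9\n' > "$WHTLIST"       # the POP3 guesser is trusted here, so it is skipped
  scan_log <<'EOF'
192.0.2.10 - - [03/Sep/2013:02:30:12 -0300] "GET http://algum.site.net/azenv.php HTTP/1.1" 404 207
192.0.2.11 - - [04/Sep/2013:07:03:17 -0300] "GET /vtigercrm/graph.php?current_language=../../../..//etc/elastix.conf%00&module=Accounts HTTP/1.1" 304
192.0.2.20 - - [04/Sep/2013:07:05:00 -0300] "GET /index.html HTTP/1.1" 200 1234
Sep 2 07:52:59 torrinha sshd[24901]: Did not receive identification string from 203.0.113.4
Sep 3 15:01:23 torrinha sshd[13413]: Failed password for root from 203.0.113.5 port 45170 ssh2
Sep 3 15:01:26 torrinha sshd[13415]: Failed password for root from 203.0.113.5 port 45172 ssh2
Sep 4 04:15:30 torrinha sshd[18357]: Failed password for invalid user test from 203.0.113.6 port 49618 ssh2
Sep 1 21:13:47 torrinha pop3d: LOGIN FAILED, user=www, ip=[203.0.113.9]
EOF
  echo "--- blocked list ($UPDLSTF):"
  cat "$UPDLSTF"
  rm -rf "$tmpd"
}

demo
```

Run it as-is to see the dry run: five DROP commands are printed (203.0.113.5 only once, 203.0.113.9 skipped as trusted, the plain GET /index.html ignored) and the same five addresses end up in the list file. To add a service, paste a real record from its log into the heredoc and check that attacker_ip prints the client address and not, for example, a port number or a numeric hostname; the first-IPv4 heuristic works for the formats above but must be re-checked for every new log format.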
directory /usr/share/doc/Inspector
Contains these instructions in text form, in the README file.
CONFIGURATION
Opening the file /usr/sbin/Inspector.sh you will find the global
variable
UPDLSTF, with the assignment:
UPDLSTF=/var/www/html/inspector/listaIp.txt
When UPDLSTF is defined, Inspector.sh creates a file containing all
the IP addresses that were blocked. By default that file is placed
in HTTPd's default document directory, so it can be downloaded. By
exposing it you can help and warn others about compromised systems
(the listed addresses are attack sources, often compromised machines
themselves, so treat the list as a blocklist, not as an attribution).
If UPDLSTF="" the list is not created.
The polling interval is 2 seconds; it is set by the variable
SLP.
Inspector keeps its own log file at the location defined by the
variable
LOGFILE. The set value is
/var/log/Inspector.log
To keep the block table across reboots, Inspector.sh calls
iptables-save and redirects its output to /etc/sysconfig/iptables.
That is the file the Red Hat family's iptables init script restores
at boot; on other distributions, change the path to the rules file
your system actually restores, or the blocks will be lost at reboot.
RUNNING INSPECTOR AT FOREGROUND
Inspector.sh, located in /usr/sbin/, can also run in interactive
mode. Run /usr/sbin/Inspector.sh [-h | help | -help]
for further information.
RATING
Any questions? Contact GURI!