GURI SoftHouse
Systems Development and
IT Consulting

INSPECTOR



DESCRIPTION



If you watch the logs on a Linux system that has an enabled network service such as ssh, ftp and/or http, you will have found records of the form:

HTTPd:

IP1 - - [03/Sep/2013:02:30:12 -0300] "GET http://algum.site.net/azenv.php HTTP/1.1" 404 207
IP2 - - [04/Sep/2013:07:03:17 -0300] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/elastix.conf%00&module=Accounts&ction HTTP/1.1" 304


SSH:

Sep 2 07:52:59 torrinha sshd[24901]: Did not receive identification string from IP3
Sep 3 15:01:23 torrinha sshd[13413]: Failed password for root from IP4 port 45170 ssh2
Sep 4 04:15:30 torrinha sshd[18357]: Failed password for invalid user test from IP5 port 49618 ssh2


POP3:

Sep 1 21:13:47 torrinha pop3d: LOGIN FAILED, user=www, ip=[IP5]


What are these records?

The first HTTPd record indicates a test for an open HTTPd proxy: when misconfigured, that feature would allow access to other websites or services (mainly SMTP) through your machine. The second record is an example of a vulnerability test against the VTIGER software used in e-mail marketing, through which the credentials/e-mails of an internal list can be captured.

In the SSH log, the first record indicates that IP3 scanned your system looking for a service to exploit. In the second record, IP4 tried the privileged account (root). The third record is characteristic of a brute-force attack, where someone is testing several credentials.

The POP3 log shows an access attempt that is guessing user credentials and passwords.

As you can see, all those records are malicious actions. They are not records of friendly visitors.

The question is: how do you avoid those actions if those services must remain active?

In personal safety it is "politically correct" to avoid any confrontation with criminals. However, where security is handled by professionals, the target should be prepared for its own protection. IT is no different, and one should accept two recommendations: avoid confrontation, and keep the service active by defending it. When the application does not provide such a capability, one must seek alternative support from other products.

One solution is an application that monitors the recorded events and takes the targeted service out of the attacker's reach. That is exactly what INSPECTOR does.

Inspector is a simple script that parses the Linux system log at short intervals (seconds), looking for records of malicious actions such as scanning and password-guessing attempts against network applications that require authentication.

When such "signatures" are found, the aggressor's IP address is blocked immediately via IPTABLES. Helper tools such as NetIptables can also be activated.

The code is written in bash and is available for download at:

Inspector.tar.gz

INSTALLATION

The tarball reproduces the directory structure of the system; the files it contains should be copied to the corresponding locations.

directory /etc

The Inspector.whtlist file contains the IP addresses of trusted systems. The syntax is simple: each entry consists only of the IP address.

directory /etc/init.d

Contains the file 'inspector', which starts Inspector as a service on Linux distributions based on System V init (redhat, OpenMandriva, Suse, etc.). On other systems derived from BSD (FreeBSD, OpenBSD, Debian, Ubuntu, etc.) you must add the command that runs the service to rc.local:

/usr/sbin/Inspector.sh - &

directory /usr/sbin

/usr/sbin contains the Inspector.sh code, written in bash, which can be adjusted for your system.

The adjustment depends on which services are running and which of them you wish to monitor. For that you must look at the record syntax of each service and update the search patterns accordingly.
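The following example is added here and is not code from the Inspector distribution. It shows the core of an Inspector-style pass over log records: each record is matched against a search pattern written for the record syntax shown in the DESCRIPTION, the source IP is extracted, whitelisted addresses are skipped, and the iptables rule that would block the offender is printed rather than executed. The whitelist entries, the log lines and every IP address in them are constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the Inspector distribution): the core of an
# Inspector-style pass over log records. It extracts the source IP of each
# record that matches an attack signature, skips whitelisted addresses and
# prints the iptables rule that would block it rather than executing it.
# The whitelist, the log lines and their IP addresses are all constructed.

WHITELIST="10.0.0.5
192.168.1.10"                         # stand-in for /etc/Inspector.whtlist

SAMPLE_LOG=$(cat <<'EOF'
Sep  2 07:52:59 torrinha sshd[24901]: Did not receive identification string from 203.0.113.7
Sep  3 15:01:23 torrinha sshd[13413]: Failed password for root from 198.51.100.9 port 45170 ssh2
Sep  4 04:15:30 torrinha sshd[18357]: Failed password for invalid user test from 10.0.0.5 port 49618 ssh2
Sep  1 21:13:47 torrinha pop3d: LOGIN FAILED, user=www, ip=[203.0.113.44]
Sep  1 21:14:00 torrinha sshd[18400]: Accepted publickey for admin from 192.0.2.1 port 50000 ssh2
203.0.113.7 - - [03/Sep/2013:02:30:12 -0300] "GET http://algum.site.net/azenv.php HTTP/1.1" 404 207
EOF
)

# Map one record to the offending IP; print nothing if no signature matches.
# Patterns follow the record syntax shown above; extend them for your services.
extract_ip() {
    case "$1" in
        *"Did not receive identification string from "*)
            printf '%s\n' "$1" | sed -n 's/.*identification string from \([0-9.]*\).*/\1/p' ;;
        *"Failed password for "*)
            printf '%s\n' "$1" | sed -n 's/.*Failed password for .* from \([0-9.]*\) port.*/\1/p' ;;
        *"pop3d: LOGIN FAILED"*)
            printf '%s\n' "$1" | sed -n 's/.*ip=\[\([0-9.]*\)\].*/\1/p' ;;
        *"azenv.php"*)
            printf '%s\n' "$1" | sed -n 's/^\([0-9.]*\) .*/\1/p' ;;
    esac
}

# Emit one iptables rule per offender not in the whitelist (each IP once).
block_rules() {
    seen=" "
    printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
        ip=$(extract_ip "$line")
        [ -n "$ip" ] || continue
        if printf '%s\n' "$WHITELIST" | grep -qxF "$ip"; then continue; fi  # trusted
        case "$seen" in *" $ip "*) continue ;; esac     # already handled this pass
        seen="$seen$ip "
        echo "iptables -I INPUT -s $ip -j DROP"         # Inspector executes this
    done
}

block_rules
```

The accepted-login record and the whitelisted 10.0.0.5 produce no rule, and 203.0.113.7 is reported once even though it appears in two records.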

directory /usr/share/doc/Inspector

Contains these instructions in text format, in the README file.

CONFIGURATION

Opening the file /usr/sbin/Inspector.sh you will find the global variable UPDLSTF, with the assignment:

UPDLSTF=/var/www/html/inspector/listaIp.txt

When UPDLSTF is defined, Inspector.sh creates that file containing all the IP addresses that have been blocked. By default the file is placed in the HTTPd document root so that it can be downloaded. By exposing it, you can help warn others about compromised systems.

If UPDLSTF="" (empty), the list is not created.

The monitoring interval is 2 seconds; it is defined by the variable SLP.

Inspector creates its own log file at the location defined by the variable LOGFILE. The default value is /var/log/Inspector.log.

In order to keep the blocking table across reboots, Inspector.sh calls iptables-save. The output of that application is redirected to the file /etc/sysconfig/iptables.

RUNNING INSPECTOR AT FOREGROUND

Inspector.sh, located in /usr/sbin/, can also run in interactive mode. Run /usr/sbin/Inspector.sh [-h | help | -help] for further information.

RATING

Any questions? Contact GURI!