Quotes DB
<0> Greetings.
<0> ISD enhancement written in awk: http://code.google.com/p/logcop/
<0> We have it in production in several places. I thought you guys may like to check it out.
<0> We're in the process of documenting how to start it/run it, etc.
<1> neat :)
<0> paul: It works great.
<0> paul: If you manage any servers with SSH open, you can probably see in the logs these huge lists of attacks by 'guessing' a valid user ID.
<0> paul: Or you can see people trying to fuss with HTTPS.
<2> or webdav
<0> paul: So LogCop has rules for dealing with those, then banning them using a packet firewall rule. Easy.
<0> iSteve: Yup.
<0> iSteve: Our next version will have 'pluggable' modules.
<2> wouldn't it be a bit... more direct
<2> (while acknowledging your effort)
<2> to write filters for syslog that will filter these out?
<2> so that you could process them easily
<0> iSteve: Right now all the rules are in the logcop.awk file; in the future the rules will be included with awk -f rule1.awk - and so on.
<0> iSteve: That's what this does.
<2> btw, mawk or gawk?
<0> iSteve: /usr/local/bin/logcop < /var/log/syslog
<2> that is not what I meant
<0> iSteve: gawk and whatever ships with Sun and *BSD.
<2> I meant internal filtering of syslog, especially syslog-ng is quite good at that
<0> iSteve: Ah.
<0> iSteve: Yeah, that'd work too.
<2> ah... mawk is a definite no go?
<0> iSteve: I haven't tested it.
<2> I'm pushing application of mawk on embedded devices for other reasons
<0> iSteve: Ah.
<0> iSteve: I guess it should work then. There's nothing in there that's gawk-specific.
<1> pr3d4t0r: yep i do.
<2> (it's far smaller and faster than mawk)
<2> s/mawk/gawk/
<1> pr3d4t0r: though, on Linux machines I use the 'ipt_recent' thingy to block them
<0> iSteve: My OS X machines are running: awk version 20040207
<0> paul: Ah.
<1> pr3d4t0r: you should add a tcp_wrappers mode.
<1> more portable
<0> paul: I might.
<0> paul: This is something I threw together one afternoon, then refined it, then put it in production. A few friends dug it, etc. so we decided to make it an open project.
<0> paul: I'm taking notes of everything you and iSteve are saying. Might as well enhance it.
<1> :)
<0> iSteve: Would I want to replace gawk/awk with mawk? Is there documentation beyond Mike's FTP site, like a home page somewhere?
<1> pr3d4t0r: btw, on Solaris you almost certainly want to use nawk rather than awk.
<2> pr3d4t0r: I don't know, man mawk is all I ever needed
<1> s/nawk/\0 or gawk or .../
<0> iSteve: I just read the man page. LogCop should work just fine with it.
<2> mhm
<0> paul: OKi - will do.
<0> paul: I know it's working as-is.
<0> paul: The portability issues aren't awk-related. They're packet firewall related: ipfw vs. iptables vs. if vs. etc.
<1> pr3d4t0r: right, and tcp_wrappers would help there..
<0> paul: Yeah.
<0> paul: But then you'd have to install tcp_wrappers. Not all systems come with it.
<1> hmm, which don't? :)
<0> paul: Wait - I'm thinking of daemon tools.
<0> paul: You're right.
<2> well, come to think of it... my development distro (where I tried out various hacks) doesn't have hosts.allow/deny :)
<2> otoh, it's officially a live cd, so nobody will care
<0> paul: We like the packet firewall approach because you can flush or change rules, or create redirects to a honeypot, etc.
<1> pr3d4t0r: I think Ultrix doesn't ship with it..
<0> paul: Let me see if Solaris ships with it.
<0> paul: Yeah, there it is.
<0> paul: Hrm... good idea.
<0> paul: I'll sleep on that one. Banning using the firewall has a nice side-effect: if the attacker is running several parallel threads, it'll freeze the connections that are in progress once the rule is applied.
<0> paul: A beautiful thing.
<0> paul: The remote system will just sit there until it times out, slowing the attacker a bit.
<0> Ah, Drop.
<3> how do I make a simple search and replace through a file? let's say I want to replace all occurrences of /foo/bar with /alpha/bravo
<4> andriijas: http://www.student.northpark.edu/pemente/awk/awk1line.txt
<3> gnubien: I don't find any that would be of use for me :o
<2> pr3d4t0r: I'll gladly look at the system, but I'll probably wait for at least some docs
<2> (in the meantime, checking out the repo)
<2> heh
<2> it does look fairly trivial atm
<0> iSteve: Heh.
<0> iSteve: Yeah, it's not brain surgery. Very simple, yet powerful. The real deal is defining the packet firewall rules.
<0> iSteve: I discussed using tcp_wrappers with kinabalu and at this time we still feel that using the firewall is a better choice.
<2> yea well
<2> I think you should have about a dozen of various tests at various logs before it'd be anyhow more used...
<2> especially http logs
<0> iSteve: Yeah.
<0> iSteve: That's next.
<2> + I suggest you create special chains in iptables (not familiar with ipfw etc.)
<2> ie. BLOCKED_SSH, BLOCKED_HTTP, BLOCKED_SMTP etc.
<2> to indicate from where the ip got blocked
<0> iSteve: We saw the number of SSH attacks go down by a factor of 100 once we put this in place, within a week.
<2> and pass each ip through a chain which passes it through this
<2> yea, I know
<0> iSteve: Yeah.
<2> I'm just trying to suggest that although neat, and I like that it's written in awk, it still _yet_ lacks anything new in the field:)
<0> iSteve: Yeah.
<2> and don't ask me what the new thing should be, if I knew, I'd be coding it this very moment:}
<0> iSteve: We think of it as practical. I've seen similar things written in Perl that I won't use because they're so hard to maintain. The goal for this is to make it super-easy to maintain.
<0> iSteve: Indeed.
<0> iSteve: The next step for us is to come up with a good way to describe "modules" and to call them from the awk main LogCop script. So far each new rule is an addendum to the main file. It'd be better if we used awk -f file1.awk -f file2.awk ... and so on, where each file provides additional functionality.
<0> iSteve: Ditto for the OS-specific packet firewall calls. They don't all need to be in the main body of LogCop.
<2> how about just system(mod.awk); ?:}
<0> iSteve: Maybe.
<0> OKi, time to go north to get some eggs.