LinkedIn Sourceforge Twitter

Vincent's Blog

Pleasure in the job puts perfection in the work (Aristote)

Log2table to protect your machines from intrusions

Posted on 2017-05-27 20:41:00 from Vincent in Open Bsd

Log2table allows you to continuously monitor your logfiles. You can trigger actions when a specific message comes in your audited logfiles or when a specific number of occurences are present.


I've developed it as a simple Intrusion Detection System and to let away bad guys of my web servers. For example, those who are trying passwords on ssh, those who are trying cross site htpp requests, those who are looking for wp-admin.php, ...

The first match for such task was fail2ban. But I was facing some difficulties to configure it to my specific needs. After having developed a minimalist script (here), a reader of my blog has started to develop something around this idea (Vilain). After several changes of his code, he informs me that I'm deviating too much from his initial idea and inform me that he will no more merge my changes in his git repository. So I rename it log2table, mainly because this application build a link between logiles and firewall tables.

I've build log2tble to be as flexible as possible. It should be easy to adapt to other firewalls (iptable with ipset). It could eventually be configured to execute other tasks than add/remove IP from a firewall table.

The code is split in 4 parts:

  • the main loop: log2table.py
  • the rules: they should all be in rules.py
  • the parameters requested by the rules: parameters.py
  • the command file: cmd_.py

The last 3 files are available in /etc/log2table and can be adapted to your specific needs.

Rules are indenpendent of the logfiles you are tracking. Log2table consolidates the actions triggered by source IP. Indeed, a specific machine (source IP) could generate entries in your http log file, but also in your authlog file, or in your /var/log/messages file. Whatever this IP is doing on your machine will be tracked. You can imagine to apply the same rule for different actions in different logfiles. In such case you have what I call, a consolidation of actions; this will generate a consolidated repsonse.

For flexibility reasons, several parts of the program are available to the users in /etc/log2table by default. To adapt those config files a minimum set of skills of Python is required. Parameter.py is a simple Python dictionary where you can define which logfile you want to follow and which rule you want to trigger once the regex rule match a line in your tracked logfile. The rules are also available to the end-users in rules.py. Each classes in rules.py allow you to define the behavior to adopt when a line match your regular expression.

Currently I propose 2 rules. One, called Hacker, to ban unwanted connections. This rule adds the IP having performed an unwanted connection into an OpenBSD PF table. This rule remove those "bad IPs" after 1 hour at least. Inside my pf.conf file, I block all connections for IP contained in this table.

As example, here the rule I've added in my pf.conf file:

block in quick proto tcp from <bruteforce> to any

The other class in rules.py is called WifiTemp. This class registers each IP on their first connection by watching the dns.log file they are using (imagine they are forced to use this dns server). After 1 hour their IP is added in a PF table where PF block their traffic. After again 1 hour the rule remove IP from the PF table, so they can re-used the Wifi. As you can understand the goal is to provide a Wifi connection for 1 hour, after it's blocked for one hour at least, after it's available for an another 1 hour, etc...
This rule is just for demonstration purposes, it shows the flexibility those rules can offer.

Each rule can have several parameters coming either from the regex, either provided by the parameters.py file.

Feel free to share you rules, I'll include them in the next releases :-)

Installation

Just untar the last version you can download from sourcefroge log2table.tar.gz and run 'make' as root.

tar -xzvf log2table.tar.gz 
cd log2table
make

This will install log2table in /usr/local/bin
and configuration files in /etc/log2table.

Feel free to adapt Makefile if you want to use other directories.

If you are not on OpenBSD, please remove from Makefile the line

install log2table.rc /etc/rc.d/log2table

log2table.rc is a file required for the rcctl command.

More details

You can find more details here:
https://sourceforge.net/p/log2table/code/ci/master/tree/



0, 0
displayed: 371



How much does 3 plus 2 ?