Re: RFC: Fam/Python based script for bruteforce blocking
On 2009-12-19 (Sat) at 03:38:26 -0900, Mel Flynn wrote: Well, my first problem with it is obviously that I now need python, where I don't want python. In fact, my firewalls/gateways only have /bin/sh and /bin/csh as scripting languages. It's one reason I switched from custom sysutils/grok rules to using security/sshguard - it got me rid of perl. That makes sense -- I'm using it on a general purpose server as opposed to a dedicated firewall box. Secondly, you have matching rules coded in the script. If there would be one reason to prefer this script over sshguard, it would be that I can add attack patterns more easily, in config file with a syntax that's not too obscure. Interesting thought, I will definitely make the matching rules configurable and potentially make possible to monitor multiple logfiles for attack patterns (potentially configurable per-logfile). Last but not least, you assume that once an IP is at fault, I want that IP blocked permanently. In practice you end up with an extremely large table that might eventually be too big for a default PF table and recurring scans from the same IP are not that common (you see the IP in a 12-24 hour window, then not again). You've misread the script. IPs are expired after a configurable number of seconds. Hope this helps. Thanks kindly for the feedback! --Brandon ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: RFC: Fam/Python based script for bruteforce blocking
On Thursday 17 December 2009 16:34:22 Brandon Low wrote: I'd love to hear other people's feedback on this approach of using FAM + auth.log to implement this and/or to hear of other superior approaches to achieving this result. Well, my first problem with it is obviously that I now need python, where I don't want python. In fact, my firewalls/gateways only have /bin/sh and /bin/csh as scripting languages. It's one reason I switched from custom sysutils/grok rules to using security/sshguard - it got me rid of perl. Secondly, you have matching rules coded in the script. If there would be one reason to prefer this script over sshguard, it would be that I can add attack patterns more easily, in config file with a syntax that's not too obscure. Last but not least, you assume that once an IP is at fault, I want that IP blocked permanently. In practice you end up with an extremely large table that might eventually be too big for a default PF table and recurring scans from the same IP are not that common (you see the IP in a 12-24 hour window, then not again). Hope this helps. -- Mel ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: RFC: Fam/Python based script for bruteforce blocking
Robert Huff wrote: Brandon Low writes: Not sure why this didn't attach the first time. The FreeBSD mailing list software is set to scrub all attachments as a security measure. To makew material available, post it in-line, or post a URL. The attachment eater doesn't actually eat *all* attachments. Just the ones with MIME types it thinks are tasty. You can generally get stuff through if it's marked as something innocuous like text/plain Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW signature.asc Description: OpenPGP digital signature
Re: RFC: Fam/Python based script for bruteforce blocking
Matthew Seaman writes: The FreeBSD mailing list software is set to scrub all attachments as a security measure. To makew material available, post it in-line, or post a URL. The attachment eater doesn't actually eat *all* attachments. Just the ones with MIME types it thinks are tasty. You can generally get stuff through if it's marked as something innocuous like text/plain Point taken. Robert Huff ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: RFC: Fam/Python based script for bruteforce blocking
Not sure why this didn't attach the first time. #!/usr/bin/env python import errno import logging import optparse import os import re import select import signal import subprocess import sys import time import datetime import _fam def getUpdateBlocks(pfctl, expire_seconds, blacklist_filename, table, limit_n): expire=str(expire_seconds) blacklist=blacklist_filename limit=limit_n baseArgs=(pfctl, '-t', table, '-T') def callAndLog(*args, **kwargs): c=subprocess.Popen(baseArgs + args, stderr=subprocess.PIPE, stdout=kwargs.get('stdout',subprocess.PIPE)) stdout,stderr=c.communicate() if stdout: logging.info(stdout) for line in (stderr if stderr else '').split('\n'): if not line: continue getattr(logging,'info' if line.find('ALTQ') 0 else 'debug')(line) reParts=('(.*) erudite sshd\[[0-9]+\]: ', '(?:', '|'.join(('Invalid user .* from', 'Did not receive identification string from', 'error: PAM: authentication error for root from')), ') ', '(', '(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}', '(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)', ')\n?') r=re.compile(''.join(reParts)) df='%b %d %H:%M:%S' oneDay=datetime.timedelta(days=1) def processFile(now, ips, filename): with open(filename, 'r') as f: for line in f: m=r.match(line) if not m: continue d=datetime.datetime.strptime(m.group(1),df).replace(now.year) if d now: d=d.replace(now.year-1) if now-d oneDay: ips[m.group(2)]=ips.get(m.group(2),0) + 1 def updateBlocks(filename): logging.info(Updating blacklist...) ips={} now=datetime.datetime.now() processFile(now, ips, filename) logging.debug(Found %s IPs, len(ips)) logging.debug(Adding ips to pf table) callAndLog('add', *tuple(k for k,v in ips.iteritems() if v = limit)) logging.debug(Expiring ips from pf table) callAndLog('expire', expire) logging.debug(Saving table state to file) with open(blacklist,'w') as blacklistFile: callAndLog('show', stdout=blacklistFile) logging.debug(Done) return updateBlocks def main(): parser=optparse.OptionParser() parser.add_option(-d, --debug, action=store_true, help=Enable debug logging) parser.add_option(-a, --auth_log, default=/var/log/auth.log, help=Authentication log filename) parser.add_option(-b, --blacklist, default=/var/db/blacklist, help=Blacklist filename) parser.add_option(-l, --log_file, default=/var/log/bruteforce.log, help=Log filename) parser.add_option(-p, --pfctl, default=/sbin/pfctl, help=pfctl binary) parser.add_option(-e, --expire, type=int, default=604800, help=Seconds to hold a grudge) parser.add_option(-t, --table, default=bruteforce, help=Name of pf table to work on) parser.add_option(-i, --limit, type=int, default=2, help=Number of invalid logins to get blacklisted) (opts, args)=parser.parse_args() if args: optparse.error(No non-option arguments expected) logging.basicConfig(filename=opts.log_file, level=logging.DEBUG if opts.debug else logging.INFO) fc=_fam.open() p=select.poll() p.register(fc, select.POLLIN|select.POLLPRI) fr=fc.monitorFile(opts.auth_log, None) updateBlocks=getUpdateBlocks( opts.pfctl, opts.expire, opts.blacklist, opts.table, opts.limit) while True: p.poll(60) update=False while fc.pending(): fe=fc.nextEvent() if fe.code in (_fam.Exists,_fam.Changed,_fam.Created): update=True if not fe.filename==opts.auth_log: raise FAM event: wrong file if update: updateBlocks(fe.filename) if __name__ == __main__: main() ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: RFC: Fam/Python based script for bruteforce blocking
Brandon Low writes: Not sure why this didn't attach the first time. The FreeBSD mailing list software is set to scrub all attachments as a security measure. To makew material available, post it in-line, or post a URL. Robert Huff ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org