Date: Sat, 2 Nov 2002 13:46:09 -0500 (EST) From: Dan Pelleg <daniel+hunch@pelleg.org> To: FreeBSD-gnats-submit@FreeBSD.org Subject: ports/44836: New port: hunch - Scan httpd log files, find vulnerability probes, mail admins Message-ID: <20021102184609.BEDC52FB@lank.auton.cs.cmu.edu>
>Number: 44836 >Category: ports >Synopsis: New port: hunch - Scan httpd log files, find vulnerability probes, mail admins >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Sat Nov 02 10:50:03 PST 2002 >Closed-Date: >Last-Modified: >Originator: Dan Pelleg >Release: FreeBSD 4.6-STABLE i386 >Organization: >Environment: System: FreeBSD l 4.6-STABLE FreeBSD 4.6-STABLE #8: Wed Jul 3 21:28:13 EDT 2002 d@p i386 >Description: Scan Apache log files for CodeRed, Nimda, FormMail, proxy scanners and other malicious probes. For each one found, track down the contact email from WHOIS data and send a notice. Built-in rate controls prevent flooding an admin even when his machines are scanning at high rates. Runs as a non-privileged cron job to not interfere with the HTTP daemon's operation. Notes to committer: 1. This port installs a user and a group "hunch". It doesn't meet the conditions listed in the handbook for a "reserved" uid/gid. 2. portlint will complain about the port. A lot. To the best of my judgment all of the warnings can be ignored with the exception of the one about BATCH which I could find no documentation for. Therefore it is setting IS_INTERACTIVE. >How-To-Repeat: >Fix: # This is a shell archive. Save it in a file, remove anything before # this line, and then unpack it by entering "sh file". Note, it may # create directories; files and directories will be owned by you and # have default permissions. 
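#
# This archive contains:
#
#	hunch
#	hunch/Makefile
#	hunch/pkg-comment
#	hunch/pkg-descr
#	hunch/pkg-plist
#	hunch/distinfo
#	hunch/pkg-message
#	hunch/pkg-install
#	hunch/pkg-deinstall
#
# Review notes (shar level, not part of the extracted files):
#  - distinfo carries only an MD5 digest and MASTER_SITES is plain http,
#    so that digest is the only integrity check on the fetched tarball.
#  - pkg-install and pkg-deinstall run as root and edit /etc/crontab and
#    /etc/newsyslog.conf in place; they are the parts reviewed below.
#
echo c - hunch
mkdir -p hunch > /dev/null 2>&1
echo x - hunch/Makefile
sed 's/^X//' >hunch/Makefile << 'END-of-hunch/Makefile'
X# New ports collection makefile for:	hunch
X# Date created:		26 October 2002
X# Whom:			Dan Pelleg <daniel+hunch@pelleg.org>
X#
X# $FreeBSD$
X#
X
XPORTNAME=	hunch
XPORTVERSION=	1.0
XCATEGORIES=	security
XMASTER_SITES=	http://web.cs.cmu.edu/~dpelleg/download/
X
XMAINTAINER=	daniel+hunch@pelleg.org
X
XRUN_DEPENDS=	${LOCALBASE}/lib/perl5/site_perl/${PERL_VER}/Net/SMTP.pm:${PORTSDIR}/net/p5-Net
X
XIS_INTERACTIVE=	yes
XWRKSRC=		${WRKDIR}/${PORTNAME}-${PORTVERSION}
XNO_PACKAGE=	too interactive
XNO_BUILD=	true
XUSE_PERL5=	YES
X
Xdo-install:
X	@${ECHO_MSG} "Installing files"
X	@${INSTALL_DATA} ${WRKSRC}/etc/hunch-special ${PREFIX}/etc
X	@${INSTALL_SCRIPT} ${WRKSRC}/bin/complain-httpd ${PREFIX}/bin
X	@${INSTALL_SCRIPT} ${WRKSRC}/bin/contact ${PREFIX}/bin
X
Xpost-install:
X	@PREFIX=${PREFIX} ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL
X
X.include <bsd.port.mk>
END-of-hunch/Makefile
echo x - hunch/pkg-comment
sed 's/^X//' >hunch/pkg-comment << 'END-of-hunch/pkg-comment'
XScan httpd log files, find vulnerability probes, mail admins
END-of-hunch/pkg-comment
echo x - hunch/pkg-descr
sed 's/^X//' >hunch/pkg-descr << 'END-of-hunch/pkg-descr'
XScan Apache log files for CodeRed, Nimda, FormMail, proxy scanners and
Xother malicious probes. For each one found, track down the contact email
Xfrom WHOIS data and send a notice. Built-in rate controls prevent flooding
Xan admin even when his machines are scanning at high rates. Runs as a
Xnon-privileged cron job to not interfere with the HTTP daemon's operation.
X
X-- Dan Pelleg
X
Xdaniel+hunch@pelleg.org
END-of-hunch/pkg-descr
echo x - hunch/pkg-plist
sed 's/^X//' >hunch/pkg-plist << 'END-of-hunch/pkg-plist'
Xbin/complain-httpd
Xbin/contact
Xetc/hunch-special
END-of-hunch/pkg-plist
echo x - hunch/distinfo
sed 's/^X//' >hunch/distinfo << 'END-of-hunch/distinfo'
XMD5 (hunch-1.0.tar.gz) = a5abf88c516e341cda723aaddfdc6aa6
END-of-hunch/distinfo
echo x - hunch/pkg-message
sed 's/^X//' >hunch/pkg-message << 'END-of-hunch/pkg-message'
XNote that some WHOIS servers have specific
Xterms of use, which they assume you to have
Xaccepted by issuing a query. Do not use
Xthis package if you do not agree to those
Xlicenses.
END-of-hunch/pkg-message
echo x - hunch/pkg-install
sed 's/^X//' >hunch/pkg-install << 'END-of-hunch/pkg-install'
X#! /bin/sh
X
X#
X# Adapted from pkg-install in net/cvsup-mirror,
X# presumably by jdp@FreeBSD.org
X#
X# Invoked by the port's post-install target as
X#   PREFIX=<prefix> sh pkg-install <pkgname> POST-INSTALL
X# and runs as root: it creates the hunch user and group, fixes file
X# ownership, and (interactively) edits /etc/newsyslog.conf, /etc/crontab
X# and the installed complain-httpd script.
X#
X
Xuser=hunch
Xgroup=hunch
X
X# Hours between complaint runs; the cron hour field built below is only
X# regular when this divides 24.
Xinterval=4
X
X# Same fixed search path as pkg-deinstall, so pw/sed/mktemp etc. are the
X# base-system ones whatever the invoking environment's PATH holds.
Xexport PATH=/bin:/usr/bin:/usr/sbin
X
X# ask QUESTION DEFAULT: prompt on the terminal and print the reply, or
X# DEFAULT when the reply is empty or PACKAGE_BUILDING is set.
Xask() {
X	local question default answer
X
X	question=$1
X	default=$2
X	if [ -z "${PACKAGE_BUILDING}" ]; then
X		read -p "${question} [${default}]? " answer
X	fi
X	if [ -z "${answer}" ]; then
X		answer=${default}
X	fi
X	echo "${answer}"
X}
X
X# yesno QUESTION DEFAULT: repeat ask until the reply starts with y/Y
X# (return 0) or n/N (return 1).
Xyesno() {
X	local dflt question answer
X
X	question=$1
X	dflt=$2
X	while :; do
X		answer=$(ask "${question}" "${dflt}")
X		case "${answer}" in
X		[Yy]*)	return 0;;
X		[Nn]*)	return 1;;
X		esac
X		echo "Please answer yes or no."
X	done
X}
X
X# make_account USER GROUP GECOS [HOME]: make sure GROUP and USER exist,
X# creating them with pw(8) after confirmation; USER gets a /nonexistent
X# shell. When HOME is omitted, offer to create the account's home dir.
Xmake_account() {
X	local u g gcos homeopt home
X
X	u=$1
X	g=$2
X	gcos=$3
X	# Two words ("-d DIR") when $4 is given, empty otherwise; it is
X	# expanded unquoted below on purpose.
X	homeopt=${4:+"-d $4"}
X
X	if pw group show "${g}" >/dev/null 2>&1; then
X		echo "You already have a group \"${g}\", so I will use it."
X	else
X		echo "You need a group \"${g}\"."
X		if which -s pw && yesno "Would you like me to create it" y; then
X			pw groupadd "${g}" || exit
X			echo "Done."
X		else
X			echo "Please create it, and try again."
X			if ! grep -q "^${u}:" /etc/passwd; then
X				echo "While you're at it, please create a user \"${u}\" too,"
X				echo "with a default group of \"${g}\"."
X			fi
X			exit 1
X		fi
X	fi
X
X	if pw user show "${u}" >/dev/null 2>&1; then
X		echo "You already have a user \"${u}\", so I will use it."
X	else
X		echo "You need a user \"${u}\"."
X		if which -s pw && yesno "Would you like me to create it" y; then
X			pw useradd "${u}" -g "${g}" -h - ${homeopt} \
X				-s /nonexistent -c "${gcos}" || exit
X			echo "Done."
X		else
X			echo "Please create it, and try again."
X			exit 1
X		fi
X	fi
X
X	if [ -z "${homeopt}" ]; then
X		# eval is the only way to tilde-expand a name held in a
X		# variable; safe here only because ${u} is a constant of
X		# this script, never user input.
X		eval home=~${u}
X		if [ ! -d "${home}" ]; then
X			if yesno \
X	"Would you like me to create ${u}'s home directory (${home})" y
X			then
X				(umask 77 && \
X				    mkdir -p "${home}/") || exit
X				chown -R "${u}:${g}" "${home}" || exit
X			else
X				echo "Please create it, and try again."
X				exit 1
X			fi
X		fi
X	fi
X}
X
X# patch_complain_httpd SEDEXPR: rewrite ${PREFIX}/bin/complain-httpd
X# through SEDEXPR by way of a mktemp(1) file in the same directory, so
X# a failed sed never leaves the installed script truncated and the
X# scratch name is not predictable.
Xpatch_complain_httpd() {
X	local expr script tmp
X
X	expr=$1
X	script="${PREFIX}/bin/complain-httpd"
X	tmp=$(mktemp "${PREFIX}/bin/.complain-httpd.XXXXXX") || exit
X	trap "rm -f '${tmp}'" 0 1 2 3 15
X	sed "${expr}" "${script}" >"${tmp}" || exit
X	chmod 755 "${tmp}"
X	mv "${tmp}" "${script}" || exit
X}
X
Xcase $2 in
X
XPOST-INSTALL)
X	# Every path below hangs off PREFIX; with it empty the chown, chmod
X	# and sed steps would hit /etc and /bin instead.
X	: "${PREFIX:?PREFIX must be set by the calling Makefile}"
X
X	if which -s pw && which -s lockf; then
X		:
X	else
X		cat <<EOF
X
XThis system looks like a pre-2.2 version of FreeBSD. I see that it
Xis missing the "lockf" and/or "pw" utilities. I need these utilities.
XPlease get them and install them, and try again. You can get the
Xsources from:
X
X  ftp://ftp.freebsd.org/pub/FreeBSD/FreeBSD-current/src/usr.bin/lockf.tar.gz
X  ftp://ftp.freebsd.org/pub/FreeBSD/FreeBSD-current/src/usr.sbin/pw.tar.gz
X
XEOF
X		exit 1
X	fi
X
X	echo ""
X	make_account "${user}" "${group}" "Probe-griping user" "/nonexistent"
X
X	echo "Fixing ownerships and modes"
X	# The cron job runs as ${user}, so the timestamp file and the log
X	# must be writable by that account; the config file is handed to
X	# it as well (mode 664, group ${group}).
X	chown "${user}:${group}" "${PREFIX}/etc/hunch-special"
X	misc_files="/var/db/hunch-timestamp /var/log/hunch.log"
X	# ${misc_files} is a space-separated list: expanded unquoted on purpose.
X	touch ${misc_files}
X	chown "${user}:${group}" ${misc_files}
X	chmod 664 "${PREFIX}/etc/hunch-special" ${misc_files}
X
X	echo ""
X	if grep -q "^[^#]*/var/log/hunch.log" /etc/newsyslog.conf; then
X		echo -n "It looks like you already have some logging set up, so I "
X		echo "will use it."
X	else
X		if yesno "Would you like me to set up log rotation" y; then
X			echo "Adding hunch log entry to \"/etc/newsyslog.conf\"."
X			cat <<EOF >>/etc/newsyslog.conf
X/var/log/hunch.log	hunch:hunch	644	3	100	*	Z
XEOF
X			echo "Done."
X		else
X			cat <<EOF
XOK, please remember to do it yourself. You should add an entry to
X"/etc/newsyslog.conf".
XEOF
X		fi
X	fi
X
X	echo ""
X	if grep -q "^[^#]*${PREFIX}/bin/complain-httpd" /etc/crontab; then
X		echo "It looks like your crontab is already set up, so I'll use that."
X	else
X		if [ "${interval}" -eq 1 ]; then
X			updstr="hourly complaints"
X		else
X			updstr="complaints every ${interval} hours"
X		fi
X		if yesno "Would you like me to set up your crontab for ${updstr}" y
X		then
X			echo "Scheduling ${updstr} in \"/etc/crontab\"."
X			# First run is ${delay} minutes from now; later runs keep
X			# that minute and repeat every ${interval} hours.
X			delay=5
X			now=$(date "+%s")
X			start=$((${now} + ${delay}*60))
X			hh=$(date -r "${start}" "+%H")
X			mm=$(date -r "${start}" "+%M")
X			# %H/%M are zero-padded; "08" and "09" are rejected as
X			# malformed octal by $((...)), so prefix a 1 and take it
X			# back off.
X			h=$((1${hh} - 100))
X			m=$((1${mm} - 100))
X			if [ "${interval}" -eq 1 ]; then
X				hstr="*"
X			else
X				h0=$((${h} % ${interval}))
X				if [ "${interval}" -eq 24 ]; then
X					hstr=${h0}
X				else
X					# e.g. interval 4 and h0 3 give "3-23/4"
X					h1=$((${h0} + 24 - ${interval}))
X					hstr="${h0}-${h1}/${interval}"
X				fi
X			fi
X			cat <<EOF >>/etc/crontab
X${m}	${hstr}	*	*	*	${user}	${PREFIX}/bin/complain-httpd /var/log/httpd-access.log >> /var/log/hunch.log 2>&1
XEOF
X			cat <<EOF
XDone. The job runs as user ${user}, which must be able to read
X/var/log/httpd-access.log.
XEOF
X		else
X			cat <<EOF
XOK, please remember to do it yourself. The crontab entry should run
X"${PREFIX}/bin/complain-httpd /var/log/httpd-access.log" as user ${user}
XEOF
X		fi
X	fi
X
X	echo ""
X	sender=""
X	if yesno "Would you like me to set up the sender's address as it appears on outgoing complaints" y; then
X		host=$(hostname)
X		sender=$(ask "Enter sender's email address" "root@${host}")
X		# The reply is spliced into a sed s/// replacement and into a
X		# single-quoted Perl string, so a quote, slash, backslash or
X		# ampersand would either break the edit or change the meaning
X		# of the script. Refuse those rather than try to escape them.
X		case "${sender}" in
X		*"'"*|*/*|*\\*|*\&*)
X			echo "\"${sender}\" contains a quote, slash, backslash or ampersand,"
X			echo "which I cannot embed safely; please set it by hand."
X			sender=""
X			;;
X		esac
X		if [ -n "${sender}" ]; then
X			# NOTE(review): this pattern has spaces around "=" while
X			# the reminder text below shows "\$sender=''" without;
X			# confirm which form complain-httpd actually contains.
X			patch_complain_httpd "s/sender = ''/sender = '${sender}'/"
X			echo "Done."
X		fi
X	fi
X	if [ -z "${sender}" ]; then
X		cat <<EOF
XOK, please remember to do it yourself. You should modify the "my \$sender=''"
Xline in "${PREFIX}/bin/complain-httpd".
XEOF
X	fi
X
X	echo ""
X	echo "I can enable hunch right now, or leave it in parse-only mode"
X	echo "which will scan the logs and determine the contacts, but"
X	echo "will not actually send any mail."
X	if yesno "Would you like me enable hunch in mail-sending mode" y; then
X		nomail=0
X	else
X		nomail=1
X	fi
X	patch_complain_httpd "s/no_mailing = .*;/no_mailing = ${nomail};/"
X	echo "OK."
X
X	echo ""
X	echo "You are now hunch-enabled"
X	;;
Xesac
END-of-hunch/pkg-install
echo x - hunch/pkg-deinstall
sed 's/^X//' >hunch/pkg-deinstall << 'END-of-hunch/pkg-deinstall'
X#! /bin/sh
X
X#
X# Adapted from pkg-deinstall in net/cvsup-mirror,
X# presumably by jdp@FreeBSD.org
X#
X# Invoked as "sh pkg-deinstall <pkgname> DEINSTALL" and runs as root:
X# stops running complain-httpd processes, removes the crontab and
X# newsyslog entries that pkg-install added, and offers to delete the
X# hunch user and group.
X#
X
Xuser=hunch
Xgroup=hunch
X
X# ask QUESTION DEFAULT: prompt on the terminal and print the reply, or
X# DEFAULT when the reply is empty or PACKAGE_BUILDING is set.
Xask() {
X	local question default answer
X
X	question=$1
X	default=$2
X	if [ -z "${PACKAGE_BUILDING}" ]; then
X		read -p "${question} [${default}]? " answer
X	fi
X	if [ -z "${answer}" ]; then
X		answer=${default}
X	fi
X	echo "${answer}"
X}
X
X# yesno QUESTION DEFAULT: repeat ask until the reply starts with y/Y
X# (return 0) or n/N (return 1).
Xyesno() {
X	local dflt question answer
X
X	question=$1
X	dflt=$2
X	while :; do
X		answer=$(ask "${question}" "${dflt}")
X		case "${answer}" in
X		[Yy]*)	return 0;;
X		[Nn]*)	return 1;;
X		esac
X		echo "Please answer yes or no."
X	done
X}
X
X# delete_account USER GROUP: remove GROUP and USER with pw(8) after
X# confirmation; a home directory, if one exists, is left for the admin.
Xdelete_account() {
X	local u g home
X
X	u=$1
X	g=$2
X	if yesno "Do you want me to remove group \"${g}\"" y; then
X		pw groupdel -n "${g}"
X		echo "Done."
X	fi
X	if yesno "Do you want me to remove user \"${u}\"" y; then
X		# eval is the only way to tilde-expand a name held in a
X		# variable; safe here only because ${u} is a constant of
X		# this script, never user input.
X		eval home=~${u}
X		pw userdel -n "${u}"
X		echo "Done."
X		if [ -d "${home}" ]; then
X			echo "Please remember to remove the home directory \"${home}\" as"
X			echo "well as the mirrored files."
X		fi
X	fi
X}
X
Xif [ "$2" != DEINSTALL ]; then
X	exit
Xfi
X
Xexport PATH=/bin:/usr/bin:/usr/sbin
X
X# ps -c prints executable names only, so the grep itself cannot match.
Xif ps -axc | grep -q complain-httpd; then
X	if yesno "There are some complain-httpd processes running.
XShall I kill them" y
X	then
X		killall complain-httpd
X		sleep 2
X	else
X		echo "OK ... I hope you know what you are doing."
X	fi
Xfi
X
X# Scratch file for the in-place edits below, created by mktemp(1) in the
X# same filesystem as the files it replaces, with an unpredictable name.
Xtmp=$(mktemp /etc/.hunch.XXXXXX) || exit
Xtrap "rm -f '${tmp}'" 0 1 2 3 15
X
Xrm -f /var/db/hunch-timestamp
X
Xif yesno "Do you want me to remove scheduled complaints from \"/etc/crontab\"" y
Xthen
X	# Drops every line mentioning complain-httpd, including any the
X	# admin added by hand.
X	sed "/complain-httpd/d" /etc/crontab >"${tmp}" || exit
X	chmod 644 "${tmp}"
X	mv "${tmp}" /etc/crontab || exit
X	echo "Done."
Xfi
X
Xif yesno "Do you want me to remove the hunch log entry from \
X\"/etc/newsyslog.conf\"" y; then
X	sed "/hunch\.log/d" /etc/newsyslog.conf >"${tmp}" || exit
X	chmod 644 "${tmp}"
X	mv "${tmp}" /etc/newsyslog.conf || exit
X	echo "Done."
Xfi
X
Xdelete_account "${user}" "${group}"
END-of-hunch/pkg-deinstall
exit
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message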