From owner-freebsd-bugs Tue Feb 18 14:20:10 2003
Delivered-To: freebsd-bugs@hub.freebsd.org
Message-Id: <200302182213.h1IMDvVu071723@agora.rdrop.com>
Date: Tue, 18 Feb 2003 14:13:57 -0800 (PST)
From: Alan Batie
Reply-To: Alan Batie
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: misc/48444: change to count connection attempts instead of listing them
Sender: owner-freebsd-bugs@FreeBSD.ORG

>Number:         48444
>Category:       misc
>Synopsis:       change to count connection attempts instead of listing them
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Feb 18 14:20:04 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Alan Batie
>Release:        FreeBSD 4.7-STABLE i386
>Organization:
RainDrop Laboratories
>Environment:
System: FreeBSD agora.rdrop.com 4.7-STABLE FreeBSD 4.7-STABLE #0: Mon Feb 3 00:57:16 PST 2003 root@agora.rdrop.com:/usr/src/freebsd/src/sys/compile/AGORA i386
>Description:
These days you get so many "door knockings" that listing them amounts to information overload. What you really want to see is who's doing how much door knocking, so you can see where the problems really lie. This patch implements that optionally, if the variable "daily_status_security_port_counts" enables it. Currently, you can completely ignore certain host/port combinations by setting them in the code; probably this should be done with some more variables, but that's a low-priority TBD.
>How-To-Repeat:
Read your daily security email on a publicly connected system set to log connection attempts to ports with no listeners.
>Fix:
Index: security.functions =================================================================== RCS file: /home/ncvs/src/etc/periodic/security/security.functions,v retrieving revision 1.1.2.2 diff -c -r1.1.2.2 security.functions *** security.functions 19 Nov 2002 19:00:39 -0000 1.1.2.2 --- security.functions 18 Feb 2003 22:03:58 -0000 *************** *** 53,59 **** if [ "${tmpf}" = "-" ]; then tmpf=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX` ! cat > ${tmpf} fi if [ ! -f ${LOG}/${label}.today ]; then --- 53,80 ---- if [ "${tmpf}" = "-" ]; then tmpf=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX` ! tmpf2=`mktemp ${TMPDIR:-/tmp}/security2.XXXXXXXXXX` !
tmpcons=`mktemp ${TMPDIR:-/tmp}/conns.XXXXXXXXXX` ! ! case "$daily_status_security_port_counts" in ! [Yy][Ee][Ss]) ! cat > ${tmpf2} ! grep "Connection attempt" ${tmpf2} > ${tmpcons} ! if [ -s ${tmpcons} ] ! then ! grep -v "Connection attempt" ${tmpf2} > ${tmpf} ! echo "" ! echo "Connection attempts:" ! echo "" ! /etc/periodic/security/port_count ${tmpcons} ! fi ! rm -f ${tmpf2} ${tmpcons} ! ;; ! ! *) ! cat > ${tmpf} ! ;; ! esac fi if [ ! -f ${LOG}/${label}.today ]; then

/etc/periodic/security/port_count:

    #!/usr/local/bin/perl
    eval 'exec /usr/local/bin/perl -S $0 ${1+"$@"}'
        if $running_under_some_shell;
    #
    # Count connection attempt log entries by protocol and port
    #
    # Feb 11 03:02:21 agora /kernel: Connection attempt to TCP 199.26.172.34:119
    # from 129.250.35.205:52776
    #
    # Note: the parser below expects the message text only, starting at
    # "Connection attempt" (as dmesg prints it); a line carrying the syslog
    # date/host/"/kernel:" prefix shown above is treated as corrupt and skipped.
    #
    # Ignore proto:ip:port (proto = TCP|UDP)
    #
    #$ignore_dest{"UDP:127.0.0.1:512"} = 1;
    $ignore_src{"UDP:199.26.172.34:53"} = 1;
    #
    # Don't bother printing out a count unless it's over this:
    #
    $threshold = 1;

    if ($#ARGV != 0) {
        print "Usage: $0 logfile\n";
        print join(":", @ARGV), "\n";
        exit 1;
    }

    # "-" reads the log from standard input, anything else is a file name
    if ($ARGV[0] eq "-") {
        open(LOG, "<&STDIN") || die "Can't copy stdin: $!\n";
    } else {
        open(LOG, "<$ARGV[0]") || die "Can't open '$ARGV[0]': $!\n";
    }

    LOGLOOP: while (<LOG>) {
        chomp;
        $line = $_;
        ($d1,$d2,$d3,$proto,$dest,$d4,$src) = split(' ');
        # skip corrupt lines
        next if ($d1 ne "Connection" || $d2 ne "attempt" || $d3 ne "to" ||
                 $d4 ne "from" || ($proto ne "TCP" && $proto ne "UDP"));
        # split "a.b.c.d:port" into four octets and a port, for both ends
        ($di1,$di2,$di3,$di4) = split(/\./, $dest);
        ($di4,$dp) = split(/:/, $di4);
        ($si1,$si2,$si3,$si4) = split(/\./, $src);
        ($si4,$sp) = split(/:/, $si4);
        # every octet must be present and in 0..255
        foreach $i ($di1,$di2,$di3,$di4,$si1,$si2,$si3,$si4) {
            next LOGLOOP if ($i eq "" || $i < 0 || $i > 255);
        }
        next if ($dp < 0 || $dp > 65535);
        next if ($sp < 0 || $sp > 65535);
        # skip specified entries
        next if defined $ignore_dest{"$proto:$dest"};
        next if defined $ignore_src{"$proto:$src"};
        # one tally per protocol + local address:port being knocked on
        $tally{"$proto:$dest"}++;
    }
    close(LOG);

    # print the counts over the threshold, least frequent first
    foreach $i (sort { $tally{$a} <=> $tally{$b} } keys(%tally)) {
        if ($tally{$i} > $threshold) {
            print "$i - $tally{$i}\n";
        }
    }
    exit 0;

>Release-Note:
>Audit-Trail:
>Unformatted:
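Review bot: in the [Yy][Ee][Ss] branch of the security.functions hunk (new lines 53-80), `grep -v "Connection attempt" ${tmpf2} > ${tmpf}` runs only inside `if [ -s ${tmpcons} ]`, so on a day with no connection attempts ${tmpf} is never written and every other kernel message in ${tmpf2} drops out of the diff that follows; move that grep -v ahead of the `if`. The `*)` branch also leaks temp files: tmpf2 and tmpcons are created by mktemp before the `case` regardless of the setting but only removed in the yes branch, so either create them inside that branch or add `rm -f ${tmpf2} ${tmpcons}` after the `esac` (mktemp failure is not checked either, though the surrounding code does not check it for tmpf). The new daily_status_security_port_counts knob needs a default in /etc/defaults/periodic.conf and a periodic.conf(5) entry, and port_count's output is echoed straight to stdout rather than captured in ${tmpf}, so the counts are reported every run rather than only when they change; if that is the intent, state it in the commit message.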