Date: Tue, 18 Feb 2003 14:13:57 -0800 (PST)
From: Alan Batie <alan@agora.rdrop.com>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: misc/48444: change to count connection attempts instead of listing them
Message-ID: <200302182213.h1IMDvVu071723@agora.rdrop.com>
>Number:         48444
>Category:       misc
>Synopsis:       change to count connection attempts instead of listing them
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Feb 18 14:20:04 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Alan Batie
>Release:        FreeBSD 4.7-STABLE i386
>Organization:   RainDrop Laboratories
>Environment:
System: FreeBSD agora.rdrop.com 4.7-STABLE FreeBSD 4.7-STABLE #0: Mon Feb 3 00:57:16 PST 2003 root@agora.rdrop.com:/usr/src/freebsd/src/sys/compile/AGORA i386
>Description:
These days you get so many "door knockings" that listing them amounts to information overload. What you really want to see is who's doing how much door knocking so you can see where problems really lie. This patch implements that optionally if the variable "daily_status_security_port_counts" enables it.

Currently, you can completely ignore certain host/port combinations by setting them in the code; probably this should be done with some more variables, but that's a low priority TBD.
>How-To-Repeat:
Read your daily security email on a publicly connected system set to log connection attempts to ports with no listeners.
>Fix:
Index: security.functions
===================================================================
RCS file: /home/ncvs/src/etc/periodic/security/security.functions,v
retrieving revision 1.1.2.2
diff -c -r1.1.2.2 security.functions
*** security.functions 19 Nov 2002 19:00:39 -0000 1.1.2.2
--- security.functions 18 Feb 2003 22:03:58 -0000
***************
*** 53,59 **** if [ "${tmpf}" = "-" ]; then tmpf=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX` ! cat > ${tmpf} fi if [ ! -f ${LOG}/${label}.today ]; then --- 53,80 ---- if [ "${tmpf}" = "-" ]; then tmpf=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX` ! tmpf2=`mktemp ${TMPDIR:-/tmp}/security2.XXXXXXXXXX` ! tmpcons=`mktemp ${TMPDIR:-/tmp}/conns.XXXXXXXXXX` ! ! 
case "$daily_status_security_port_counts" in ! [Yy][Ee][Ss]) ! cat > ${tmpf2} ! grep "Connection attempt" ${tmpf2} > ${tmpcons} ! if [ -s ${tmpcons} ] ! then ! grep -v "Connection attempt" ${tmpf2} > ${tmpf} ! echo "" ! echo "Connection attempts:" ! echo "" ! /etc/periodic/security/port_count ${tmpcons} ! fi ! rm -f ${tmpf2} ${tmpcons} ! ;; ! ! *) ! cat > ${tmpf} ! ;; ! esac fi if [ ! -f ${LOG}/${label}.today ]; then

/etc/periodic/security/port_count:

#!/usr/local/bin/perl
eval 'exec /usr/local/bin/perl -S $0 ${1+"$@"}'
    if $running_under_some_shell;
#
# Count connection attempt log entries by protocol and port
#
# Feb 11 03:02:21 agora /kernel: Connection attempt to TCP 199.26.172.34:119
#	from 129.250.35.205:52776
#
# Note: the parser below expects each input line to begin with
# "Connection attempt" (as it does in the grepped kernel output);
# a line still carrying the syslog prefix shown above is skipped.
#
# Ignore proto:ip:port (proto = TCP|UDP)
#
#$ignore_dest{"UDP:127.0.0.1:512"} = 1;
$ignore_src{"UDP:199.26.172.34:53"} = 1;
#
# Don't bother printing out a count unless it's over this:
#
$threshold = 1;

if ($#ARGV != 0) {
    print "Usage: $0 logfile\n";
    print join(":", @ARGV), "\n";
    exit 1;
}

if ($ARGV[0] eq "-") {
    open(LOG, "<&STDIN") || die "Can't copy stdin: $!\n";
} else {
    open(LOG, "<$ARGV[0]") || die "Can't open '$ARGV[0]': $!\n";
}

LOGLOOP:
while (<LOG>) {
    chomp;
    $line = $_;
    # "Connection attempt to PROTO DST:PORT from SRC:PORT"
    ($d1,$d2,$d3,$proto,$dest,$d4,$src) = split(' ');

    # skip corrupt lines
    next if ($d1 ne "Connection" || $d2 ne "attempt" || $d3 ne "to"
             || $d4 ne "from" || ($proto ne "TCP" && $proto ne "UDP"));

    # destination octets and port
    ($di1,$di2,$di3,$di4) = split(/\./, $dest);
    ($di4,$dp) = split(/:/, $di4);
    # source octets and port (split $src here, not $dest)
    ($si1,$si2,$si3,$si4) = split(/\./, $src);
    ($si4,$sp) = split(/:/, $si4);
    foreach $i ($di1,$di2,$di3,$di4,$si1,$si2,$si3,$si4) {
        next LOGLOOP if ($i eq "" || $i < 0 || $i > 255);
    }
    next if ($dp < 0 || $dp > 65535);
    next if ($sp < 0 || $sp > 65535);

    # skip specified entries
    next if defined $ignore_dest{"$proto:$dest"};
    next if defined $ignore_src{"$proto:$src"};

    # tally by destination proto:ip:port
    $tally{"$proto:$dest"}++;
}
close(LOG);

foreach $i (sort { $tally{$a} <=> $tally{$b} } keys(%tally)) {
    if ($tally{$i} > $threshold) {
        print "$i - $tally{$i}\n";
    }
}
exit 0;

>Release-Note:
>Audit-Trail:
>Unformatted:
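Review bot: in the `[Yy][Ee][Ss])` branch the line `grep -v "Connection attempt" ${tmpf2} > ${tmpf}` sits inside `if [ -s ${tmpcons} ]`, so on a day with no connection-attempt lines nothing is ever written to `${tmpf}` and the whole input that was read into `${tmpf2}` is discarded by `rm -f ${tmpf2} ${tmpcons}` before the `.today` comparison below runs; move the `grep -v` out of the `if` so `${tmpf}` is always populated. Second, `tmpf2` and `tmpcons` are created by `mktemp` before the `case`, but only the yes branch removes them, so the `*)` branch leaks two empty files under `${TMPDIR:-/tmp}` on every run; create them inside the yes branch next to where they are used. Finally, `daily_status_security_port_counts` is read but defaulted nowhere; a default in /etc/defaults/periodic.conf would keep it consistent with the other daily_status_security_* settings.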
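As an added illustration of the counting the Description asks for (this is not the PR's code and not part of the FreeBSD tree), the following sh function tallies the same "Connection attempt" kernel lines with awk. It keys on the destination proto:ip:port like the PR's port_count, and additionally on the source proto:ip, which is the "who is doing how much door knocking" view the Description mentions; the ignore list is passed as an argument rather than hard-coded. The function name port_count_by, the three-argument interface and the sample log lines (RFC 5737 documentation addresses) are all assumptions constructed for this example, and the kernel message is located by pattern so lines with or without a syslog prefix both count.

```shell
#!/bin/sh
# Added example, not the PR's code: count "Connection attempt" kernel log lines
# by destination proto:ip:port (as the PR's port_count does) or by source
# proto:ip, with a configurable ignore list instead of hard-coded hashes.

# Constructed sample input (documentation addresses, not real hosts).
# Lines may carry a syslog prefix or come straight from dmesg; both forms match.
SAMPLE_LOG='Feb 11 03:02:21 agora /kernel: Connection attempt to TCP 192.0.2.10:119 from 198.51.100.5:52776
Connection attempt to TCP 192.0.2.10:119 from 198.51.100.5:52777
Feb 11 03:02:30 agora /kernel: Connection attempt to UDP 192.0.2.10:137 from 203.0.113.9:137
Connection attempt to TCP 192.0.2.10:22 from 198.51.100.5:40000
Connection attempt to TCP 192.0.2.10:22 from 198.51.100.5:40001
Connection attempt to TCP 192.0.2.10:22 from 198.51.100.5:40002
Feb 11 03:02:40 agora /kernel: some unrelated kernel message
Connection attempt to TCP 192.0.2.10:99999 from 198.51.100.5:1
Connection attempt to UDP 192.0.2.10:53 from 203.0.113.53:53'

# port_count_by MODE THRESHOLD [IGNORE]   (hypothetical interface)
#   MODE      DEST (key = proto:dstip:dstport) or SRC (key = proto:srcip)
#   THRESHOLD only keys with more than this many hits are printed
#   IGNORE    space-separated proto:ip:port endpoints to drop, matched
#             against both the destination and the source endpoint
# Reads log lines on stdin; prints "key count", highest count first.
port_count_by() {
    awk -v mode="$1" -v threshold="${2:-1}" -v ignore="$3" '
        # endpoint must be a.b.c.d:port with octets 0..255 and port 0..65535
        function valid(ep,    n, parts, o, i) {
            n = split(ep, parts, ":")
            if (n != 2 || parts[2] !~ /^[0-9]+$/ || parts[2] + 0 > 65535) return 0
            if (split(parts[1], o, ".") != 4) return 0
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
            return 1
        }
        BEGIN { n = split(ignore, ig, " "); for (i = 1; i <= n; i++) skip[ig[i]] = 1 }
        # locate the kernel message wherever it sits on the line
        match($0, /Connection attempt to (TCP|UDP) [^ ]+ from [^ ]+/) {
            split(substr($0, RSTART, RLENGTH), w, " ")
            proto = w[4]; dst = w[5]; src = w[7]
            if (!valid(dst) || !valid(src)) next          # corrupt line
            if ((proto ":" dst) in skip || (proto ":" src) in skip) next
            if (mode == "SRC") { sub(/:[0-9]+$/, "", src); key = proto ":" src }
            else key = proto ":" dst
            tally[key]++
        }
        END { for (k in tally) if (tally[k] > threshold) print k, tally[k] }
    ' | sort -k2,2nr -k1,1
}

# Stand-alone run: which ports are being probed, then who is probing them
# (the DNS reply endpoint is ignored the way the PR ignores its resolver).
printf '%s\n' "$SAMPLE_LOG" | port_count_by DEST 1
printf '%s\n' "$SAMPLE_LOG" | port_count_by SRC 0 "UDP:192.0.2.10:53"
```

The line with port 99999 and the unrelated kernel message are dropped by the validity check and the pattern match respectively, so they never reach the tally; the threshold is applied after ignoring, so an ignored endpoint cannot push another key over the limit.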