Date:      Tue, 18 Feb 2003 14:13:57 -0800 (PST)
From:      Alan Batie <alan@agora.rdrop.com>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   misc/48444: change to count connection attempts instead of listing them
Message-ID:  <200302182213.h1IMDvVu071723@agora.rdrop.com>


>Number:         48444
>Category:       misc
>Synopsis:       change to count connection attempts instead of listing them
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Feb 18 14:20:04 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Alan Batie
>Release:        FreeBSD 4.7-STABLE i386
>Organization:
RainDrop Laboratories
>Environment:
System: FreeBSD agora.rdrop.com 4.7-STABLE FreeBSD 4.7-STABLE #0: Mon Feb 3 00:57:16 PST 2003 root@agora.rdrop.com:/usr/src/freebsd/src/sys/compile/AGORA i386


>Description:
	These days you get so many "door knockings" that listing them
	amounts to information overload.  What you really want to see is
	who's doing how much door knocking so you can see where problems
	really lie.  This patch implements that optionally if the
	variable "daily_status_security_port_counts" enables it.  Currently,
	you can completely ignore certain host/port combinations by setting
	them in the code; probably this should be done with some more
	variables, but that's a low priority TBD.

>How-To-Repeat:
	Read your daily security email on a publicly connected system
	set to log connection attempts to ports with no listeners.

>Fix:

Index: security.functions
===================================================================
RCS file: /home/ncvs/src/etc/periodic/security/security.functions,v
retrieving revision 1.1.2.2
diff -c -r1.1.2.2 security.functions
*** security.functions	19 Nov 2002 19:00:39 -0000	1.1.2.2
--- security.functions	18 Feb 2003 22:03:58 -0000
***************
*** 53,59 ****
  
    if [ "${tmpf}" = "-" ]; then
      tmpf=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX`
!     cat > ${tmpf}
    fi
  
    if [ ! -f ${LOG}/${label}.today ]; then
--- 53,80 ----
  
    if [ "${tmpf}" = "-" ]; then
      tmpf=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX`
!     tmpf2=`mktemp ${TMPDIR:-/tmp}/security2.XXXXXXXXXX`
!     tmpcons=`mktemp ${TMPDIR:-/tmp}/conns.XXXXXXXXXX`
! 
!     case "$daily_status_security_port_counts" in
!       [Yy][Ee][Ss])
! 	cat > ${tmpf2}
! 	grep "Connection attempt" ${tmpf2} > ${tmpcons}
! 	if [ -s ${tmpcons} ]
! 	then
! 	  grep -v "Connection attempt" ${tmpf2} > ${tmpf}
! 	  echo ""
! 	  echo "Connection attempts:"
! 	  echo ""
! 	  /etc/periodic/security/port_count ${tmpcons}
! 	fi
!         rm -f ${tmpf2} ${tmpcons}
! 	;;
! 
!       *)
! 	cat > ${tmpf}
! 	;;
!     esac
    fi
  
    if [ ! -f ${LOG}/${label}.today ]; then
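Review bot: in the [Yy][Ee][Ss] arm, ${tmpf} is only ever written inside `if [ -s ${tmpcons} ]` (the `grep -v "Connection attempt" ${tmpf2} > ${tmpf}` line), so on a day with no connection attempts every other kernel message is dropped and the later diff against ${LOG}/${label}.yesterday runs on the empty file mktemp created; move the grep -v above the if, or copy ${tmpf2} to ${tmpf} in an else branch. The two new mktemp calls also run before the case statement but are only removed by the `rm -f ${tmpf2} ${tmpcons}` inside the yes arm, so the default `*)` path leaks both files in ${TMPDIR:-/tmp} on every run; create them inside the arm that uses them (and check mktemp's exit status, which the existing code does not do either). Smaller points: the hard-coded /etc/periodic/security/port_count helper is installed from src/etc, so its interpreter should be the base-system /usr/bin/perl rather than the /usr/local/bin/perl its shebang names; the new daily_status_security_port_counts knob needs a default in /etc/defaults/periodic.conf and a periodic.conf(5) entry; the counts are echoed before, and outside of, the diff, so they appear every day whether or not anything changed; and the added lines mix tab and space indentation.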




/etc/periodic/security/port_count:

#!/usr/local/bin/perl
eval 'exec /usr/local/bin/perl -S $0 ${1+"$@"}'
    if $running_under_some_shell;

#
#  Count connection attempt log entries by protocol and destination
#  address:port.  These are the lines the kernel logs when
#  net.inet.tcp.log_in_vain / net.inet.udp.log_in_vain are set:
#
# Feb 11 03:02:21 agora /kernel: Connection attempt to TCP 199.26.172.34:119
#     from 129.250.35.205:52776
#
#  Lines are accepted with or without the syslog date/host/kernel prefix:
#  anything before "Connection attempt to" is discarded before parsing.
#

use strict;
use warnings;

#
#  Ignore proto:ip:port (proto = TCP|UDP), keyed by destination or by source
#
my (%ignore_dest, %ignore_src);
#$ignore_dest{"UDP:127.0.0.1:512"} = 1;
$ignore_src{"UDP:199.26.172.34:53"} = 1;

#
#  Don't bother printing out a count unless it's over this:
#
my $threshold = 1;

if (@ARGV != 1) {
    print "Usage: $0 logfile\n";
    exit 1;
}

my $log;
if ($ARGV[0] eq "-") {
    open($log, "<&STDIN") || die "Can't dup stdin: $!\n";
} else {
    open($log, "<", $ARGV[0]) || die "Can't open '$ARGV[0]': $!\n";
}

#
#  True if $ep is "a.b.c.d:port" with every octet in 0..255 and the port
#  in 0..65535; anything else is treated as a corrupt line and skipped.
#
sub valid_endpoint {
    my ($ep) = @_;
    my @parts = split(/:/, $ep, -1);
    return 0 unless @parts == 2;
    my ($ip, $port) = @parts;
    return 0 unless $port =~ /^\d+$/ && $port <= 65535;
    my @octets = split(/\./, $ip, -1);
    return 0 unless @octets == 4;
    foreach my $o (@octets) {
        return 0 unless $o =~ /^\d+$/ && $o <= 255;
    }
    return 1;
}

my %tally;

while (my $line = <$log>) {
    chomp $line;

    # strip the syslog prefix ("Feb 11 03:02:21 agora /kernel: ") if present
    $line =~ s/^.*?Connection attempt to/Connection attempt to/;

    my ($d1,$d2,$d3,$proto,$dest,$d4,$src) = split(' ', $line);

    # skip corrupt lines
    next unless defined $src;
    next if ($d1 ne "Connection" || $d2 ne "attempt" || $d3 ne "to" ||
             $d4 ne "from" || ($proto ne "TCP" && $proto ne "UDP"));
    # both the destination and the source must be a well-formed IPv4:port
    next unless valid_endpoint($dest) && valid_endpoint($src);

    # skip specified entries
    next if defined $ignore_dest{"$proto:$dest"};
    next if defined $ignore_src{"$proto:$src"};

    $tally{"$proto:$dest"}++;
}

close($log);

# least-hit first, so the busiest ports end up at the bottom of the report
foreach my $i (sort { $tally{$a} <=> $tally{$b} } keys(%tally)) {
    if ($tally{$i} > $threshold) {
        print "$i - $tally{$i}\n";
    }
}

exit 0;
>Release-Note:
>Audit-Trail:
>Unformatted:

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200302182213.h1IMDvVu071723>