Newer
Older
abck / abck
@tundra tundra on 27 Jul 2001 12 KB Corrected f.close() indentation.
#!/usr/local/bin/python
#
# abck  - Examine and report on unauthorized intrusion attempts.
# Copyright (c) 2001, TundraWare Inc., All Rights Reserved.
# See the accompanying file called, abck-License.txt
# for Licensing Terms



##########

VERSION = "$Id: abck,v 1.99 2001/07/27 08:02:23 tundra Exp $"



####################
# Imports
####################

import commands
import exceptions
import getopt
import os
import re
import sys
import socket
import time

####################
# Booleans
####################

FALSE = 0 == 1
TRUE  = not FALSE

DONE  = FALSE

####################
# General Constants
####################

ANS  = ";; ANSWER SECTION:"
AUTH = ";; AUTHORITY SECTION:"
DLEN = 24*60*60
DIG  = "dig -t ptr -x "
HIST = ".abck_history"
HISTFILE = os.path.join(os.getenv("HOME"), HIST)
LOG = "/var/log/messages"
MOS = ["", "Jan", "Feb", "Mar", "Apr", "May", "Jun",
       "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
WHO = "whois "

####################
# Constants Used In Outgoing eMail
####################

HOSTNAME = socket.gethostname()
HOSTADDR = socket.gethostbyname(HOSTNAME)
HOSTTZ   = time.tzname
NOTIFYWHO = ("abuse", "root")
ORG = os.getenv("ORGANIZATION")
SUBJ = "\"Attempted Intrusion Attempt\""

MAILCMD = "mail -s %s" % (SUBJ)

MAILMSG = "An *unauthorized* attempt to access one of our computers\n" + \
          "has been detected originating from your address space/domain.\n\n" + \
          "Our machine, %s, has IP address,\n%s, and is located in the " + \
          "%s Time Zone.\n\n" + \
          "Our log entry documenting the attempted intrusion\n" + \
          "from your address space/domain, follows:\n\n%s\n\n" + \
          "Please take the necessary steps to remedy this situation.\n" + \
          "Thank-You\n" + ORG + "\n"


####################
# Prompt And Message Strings
####################


PROMPT = "\nLog Record:\n%s\n\nWho Gets Message For: <%s>? %s[%s] "

USAGE = "abck " + VERSION.split()[2] + " " + \
        "Copyright (c) 2001, TundraWare Inc.  All Rights Reserved.\n" + \
        " usage:\n" + \
        "   abck [-d # days to look back]\n" + \
        "        [-e except string]\n" + \
        "        [-m match string]\n" + \
        "        [-s Show, but do not process matching records]\n"


####################
# Data Structures
####################

# Dictionary of keywords indicating attack, and position of host address/name
# in their log records

AttackKeys = {
              "refused" : 8,
              "unauthorized" : 7
             }

# Cache dictionary of all attacking hosts discovered this run of the program

NameCache = {}


####################
# Globals
####################

Processed = []

####################
# Regular Expression Handlers
####################

# Regular Expression which describes a legit IP quad address

IPQuad   = r"(\d{1,3}\.){3}\d{1,3}$"

####################
# Classes
####################

# Signify that the record under consideration is to be
# permanently forgotten

class ForgetRecord(exceptions.Exception):
    def __init__(self, args=None):
        self.args = args


# Signify that the user want to quit the program

class QuitAbck(exceptions.Exception):
    def __init__(self, args=None):
        self.args = args



####################
# Function Definitions
####################

# Return the ending substring of a host name with 'depth' number of dots
# in it

def HostDepth(host, depth=2):

    # Break the address down into components
    components = host.split(".")

    # And return the recombined pieces we want
    return '.'.join(components[-depth:])


####################

# Check a name, see if it's an IP quad, and if so, return reverse.
# If not, return the original name.
#
# This is better than a socket.gethostbyaddr() call because
# this will return the authority information for an address
# if no explicit reverse resolution is found.

def CheckIPReverse(hostquad):
    
    # If it's an IP address in quad form, reverse resolve it
    if re.match(IPQuad, hostquad):

        DIGResults = commands.getoutput(DIG + hostquad).splitlines()

        ansname = ""
        authname = hostquad
        # Results must either have an Answer or Authority record
        if ( DIGResults.count(ANS) + DIGResults.count(AUTH)):

            i = 0
            while i < len(DIGResults):

                if DIGResults[i].startswith(ANS):
                    ansname = DIGResults[i+1].split()[4]

                if DIGResults[i].startswith(AUTH):
                    authname = DIGResults[i+1].split()[-2]

                i += 1

        if ansname:
            hostname = ansname
        else:
            hostname = authname

        # Get rid of trailing dot, if any
        if hostname[-1] == '.':
            hostname = hostname[:-1]

    else:
        hostname = hostquad
        
    return hostname


####################

# Notify the responsible authority about the attempted intrusion

def Notify(logrecord, domain):
    dest=[]
    logrecord = "\"" + logrecord + "\""
    msg = (MAILMSG % (HOSTNAME, HOSTADDR, "/".join(HOSTTZ), logrecord))
    for x in NOTIFYWHO:
        dest.append(x + "@" + domain)
    dest.append("root@" + HOSTNAME)
    os.popen(MAILCMD + " " + " ".join(dest), "w").write(msg)
    

####################

# Paw through a log record, doing any reverse resolution needed,
# confirm with user, and return name of the host to notify about
# the instrusion attempt.  A null return means the user want to
# skip this record.


def ProcessLogRecord(logrecord, NOMATCH, SHOWONLY):

    # Check for each known attack keyword

    sendto = ""
    for attackkey in AttackKeys.keys():

        logfield = logrecord.split()
        if logrecord.count(attackkey):

            # Even if it is a legitimate attack record,
            # we do not process it if it contains text
            # the user does not want matched.

            if NOMATCH and logrecord.count(NOMATCH):
                break

            if SHOWONLY:
                print logrecord
                break
        
            # Different attack records put the hostquad in different places
            hostquad =  logfield[AttackKeys[attackkey]]
            if hostquad[-1] == ',':
                hostquad = hostquad[:-1]         # Strip trailing dots

            # Go do a reverse resolution if we need to
            hostname = CheckIPReverse(hostquad)

            # Check for the case of getting a PTR record back
            hostname = ReversePTR(hostname)

            # Check if we've seen this abuser before
            if NameCache.has_key(hostname):
                sendto = NameCache[hostname]

            # New one
            else:
                originalname = hostname
                depth = 2
                DONE=FALSE
                while not DONE:

                    # Set depth of default response
                    default = HostDepth(hostname, depth)

                    # Ask the user about it
                    st = raw_input(PROMPT % (logrecord, originalname[-40:],
                                             " " * (40 - len(originalname)),
                                   default))

                    # Parse the response

                    if st.lower() == "f":      # Forget this record forever
                        raise ForgetRecord     # Raise error as the way back

                    elif st.lower() == "l":    # More depth in recipient name
                        if depth < len(hostname.split('.')):
                             depth += 1

                    elif st.lower() == "q":    # Quit the program
                        raise QuitAbck

                    elif st.lower() == "r":    # Less depth in recipient name
                        if depth > 2:
                            depth -= 1

                    elif st.lower() == "s":    # Skip this record
                        sendto = ""
                        DONE = TRUE

                    elif st.lower() == "w":    # Run a 'whois' on 'em
                        print commands.getoutput(WHO + hostquad)


                    else:
                        if st:                 # User keyed in their own recipient
                            hostname = st
                        else:                  # User accepted the default
                            sendto = default
                            DONE = TRUE
                        
                NameCache[originalname] = sendto  # Cache it
            
    return sendto

####################

# Check the passed hostname and see if it looks like a PTR record.
# If so, strip out the address portion, reverse it, and trying
# doing another reverse lookup.  If not, just return the original hostname.

def ReversePTR(hostname):

    tmp = hostname.split("in-addr.arpa")

    if len(tmp) > 1:                       # Looks like a PTR record

        tmp = tmp[0].split('.')            # Get addr components
        tmp.reverse()                      # and reverse their order
        # Take the 1st four quads (some PTR records have more)
        # and see if we can dig out a reverse.
        hostname = CheckIPReverse('.'.join(tmp[1:5]))

    return hostname


#------------------------- Program Entry And Mail Loop -----------------------#



# Program entry and command line processing

try:
    opts, args = getopt.getopt(sys.argv[1:], '-d:e:m:s')
except getopt.GetoptError:
    print USAGE
    sys.exit(2)
    
OLDEST   = 0
MATCH    = ""
NOMATCH  = ""
SHOWONLY = FALSE

for opt, val in opts:
    if opt == "-d":
        OLDEST = time.time() - (int(val) * DLEN)
    if opt == "-e":
        NOMATCH = val
    if opt == "-m":
        MATCH = val
    if opt == "-s":
        SHOWONLY = TRUE


# Read the log into a list

f = open(LOG, "r")
logfile = [x for x in f.read().splitlines()]
f.close()

# Remove any previously handled log events from further consideration
# unless all we're doing is showing records.  In that case, show
# all records that match, even if we've already processed them.

if not SHOWONLY:
    if os.path.exists(HISTFILE):
        f = open(HISTFILE, "r")
        for histrec in f.read().splitlines():
            if logfile.count(histrec):
                logfile.remove(histrec)
        f.close()


# Examine, and possibly process, each record in the log
for logrecord in logfile:

    # Check to see whether this record should even be
    # processed.

    DOIT = TRUE
    # Did user limit how far back to look?
    if OLDEST:
        # Parse the record's time into into a list
        logfields = logrecord.split()
        logtime = logfields[2].split(":")
        EventTime = [None, logfields[0], logfields[1],
                     logtime[0], logtime[1], logtime[2]]

        # Figure out what year - not in the log explicitly
        # We do this by comparing the Month in the log entry
        # against today's month.  We get away with this so long
        # as the log never is allowed to get so big that it has
        # entries over a year old in it. (Which should be the case
        # for any reasonably administered system.
        
        lt = time.localtime()
        logyear = int(lt[0])
        if MOS.index(EventTime[1]) > int(lt[1]): # Log shows a later month
            logyear -= 1                         # 'Must be last year
        EventTime[0] = str(logyear)
        
        # Don't process if older than the oldest allowed
        if time.mktime(time.strptime("%s %s %s %s %s %s" % tuple(EventTime),
                                "%Y %b %d %H %M %S")) < OLDEST:
            DOIT = FALSE

    # Did user specify a selection matching string?
    if not logrecord.count(MATCH):
        DOIT = FALSE

    # If we passed all those tests, it's time to process this record.
    if DOIT:
        try:
            sendto = ProcessLogRecord(logrecord, NOMATCH, SHOWONLY)
        except (ForgetRecord):
            Processed.append(logrecord)
        except (QuitAbck):
            sys.exit()
        else:
            # If we get a non-null string back, we need to let someone know
            # about the attempted intrusion
            if sendto:
                Notify(logrecord, sendto)
                Processed.append(logrecord)

if os.path.exists(HISTFILE):
    f = open(HISTFILE, "a")
else:
    f = open(HISTFILE, "w")

for x in Processed:
    f.write(x + "\n")
f.close()