- #!/usr/local/bin/python
- #
- # abck - Part of the ABMGMT package from TundraWare Inc.
- # Copyright (c) 2001, TundraWare Inc., All Rights Reserved.
- # See the accompanying file called, 1-ABMGMT-License.txt
- # for Licensing Terms
- #
- # Build a report of all unauthorized access attempts
- #
- # Usage: abck [String To Match In Log Record]
-
- ##########
-
- ####################
- # Imports
- ####################
-
- import commands
- import re
- import sys
-
- ####################
- # Booleans
- ####################
-
- FALSE = 0 == 1
- TRUE = not FALSE
-
- DONE = FALSE
-
- ####################
- # Constants And Literals
- ####################
-
- ANS = ";; ANSWER SECTION:"
- AUTH = ";; AUTHORITY SECTION:"
- DIG = "/usr/bin/dig -t ptr -x "
- LOG = "/var/log/messages"
- OUT = "./ABUSERS"
-
- VERSION = "$Id: abck,v 1.6 2001/07/16 22:50:39 tundra Exp $"
-
- ####################
- # Data Structures
- ####################
-
- # Dictionary of keywords indicating attack, and position of host address/name
- # in their log records
-
- AttackKeys = {
- "refused" : 8,
- "unauthorized" : 7
- }
-
- # Cache dictionary of all attacking hosts discovered this run of the program
-
- NameCache = {}
-
- ####################
- # Regular Expression Handlers
- ####################
-
- # Regular Expression which describes a legit IP quad address
-
- IPQuad = r"(\d{1,3}\.){3}\d{1,3}$"
-
- ####################
- # Function Definitions
- ####################
-
- # Return the ending substring of a host name with 'depth' number of dots
- # in it
-
- def HostDepth(host, depth=2):
-
- # Break the address down into components
- components = host.split(".")
-
- # And return the recombined pieces we want
- return '.'.join(components[-depth:])
-
- ####################
-
- # Check a name, see if it's an IP quad, and if so, return reverse.
- # If not, return the original name.
- #
- # This is better than a socket.gethostbyaddr() call because
- # this will return the authority information for an address
- # if no explicit reverse resolution is found.
-
- def CheckIPReverse(hostquad):
-
- # If it's an IP address in quad form, reverse resolve it
- if re.match(IPQuad, hostquad):
-
- DIGResults = commands.getoutput(DIG + hostquad).splitlines()
-
- ansname = ""
- authname = hostquad
- # Results must either have an Answer or Authority record
- if ( DIGResults.count(ANS) + DIGResults.count(AUTH)):
-
- i = 0
- while i < len(DIGResults):
-
- if DIGResults[i].startswith(ANS):
- ansname = DIGResults[i+1].split()[4]
-
- if DIGResults[i].startswith(AUTH):
- authname = DIGResults[i+1].split()[-2]
-
- i += 1
-
- if ansname:
- hostname = ansname
- else:
- hostname = authname
-
- # Get rid of trailing dot, if any
- if hostname[-1] == '.':
- hostname = hostname[:-1]
-
- else:
- hostname = hostquad
-
- return hostname
-
-
- ####################
-
- # Paw through a log record, doing any reverse resolution needed,
- # confirm with user, and return name of the host to notify about
- # the instrusion attempt. A null return means the user want to
- # skip this record.
-
-
- def ProcessLogRecord(logrecord):
-
- # Check for each known attack keyword
-
- sendto = ""
- for attackkey in AttackKeys.keys():
-
- logfield = logrecord.split()
- if logrecord.count(attackkey):
-
- # Different attack records put the hostquad in different places
- hostquad = logfield[AttackKeys[attackkey]]
- if hostquad[-1] == ',':
- hostquad = hostquad[:-1] # Strip trailing dots
-
- # Go do a reverse resolution if we need to
- hostname = CheckIPReverse(hostquad)
-
- # Check for the case of getting a PTR record back
- hostname = ReversePTR(hostname)
-
- # Check if we've seen this abuser before
- if NameCache.has_key(hostname):
- sendto = NameCache[hostname]
-
- # New one
- else:
- depth = 2
- DONE=FALSE
- while not DONE:
-
- # Set depth of default response
- default = HostDepth(hostname, depth)
-
- # Ask the user about it
- st = raw_input("\nLog Record: %s\n Who Gets Message for: <%s>? %s [%s] " %
- (logrecord,
- hostname[-40:],
- " " * (40 - len(hostname)),
- default))
-
- # Parse the response
- if st == "!": # Skip this record
- sendto = ""
- DONE = TRUE
-
- elif st.lower() == "r": # Less depth in recipient name
- if depth > 2:
- depth -= 1
-
- elif st.lower() == "l": # More depth in recipient name
- if depth < len(hostname.split('.')):
- depth += 1
-
- else:
- if st: # User keyed in their own recipient
- sendto = st
- else: # User accepted the default
- sendto = default
- DONE = TRUE
-
- NameCache[hostname] = sendto # Cache it
-
- return sendto
-
- ####################
-
- # Check the passed hostname and see if it looks like a PTR record.
- # If so, strip out the address portion, reverse it, and trying
- # doing another reverse lookup. If not, just return the original hostname.
-
- def ReversePTR(hostname):
-
- tmp = hostname.split("in-addr.arpa")
-
- if len(tmp) > 1: # Looks like a PTR record
-
- tmp = tmp[0].split('.') # Get addr components
- tmp.reverse() # and reverse their order
- # Take the 1st four quads (some PTR records have more)
- # and see if we can dig out a reverse.
- hostname = CheckIPReverse('.'.join(tmp[1:5]))
-
- return hostname
-
-
- #------------------------- Program Entry And Mail Loop -----------------------#
-
- logfile = open(LOG)
- abuserfile = open(OUT, "w")
-
- # Read in the whole log logfileile
- for logrecord in logfile.read().splitlines():
-
- # Go check the record in no command line constraint given
- # or a constraint is given and exits in the record
- if (len(sys.argv) == 1) or logrecord.count(sys.argv[1]):
-
- sendto = ProcessLogRecord(logrecord)
- if sendto:
- abuserfile.write("abnot \"" + logrecord + "\" " +
- sendto + "\n")
-
- logfile.close()
- abuserfile.close()
tundra