abck / abck.1
@tundra tundra on 18 Jul 2001 3 KB Initial revision
.TH abck 1 TundraWare
.SH NAME
abck \- Process intrusion attempts found in the system log.
.SH SYNOPSIS
abck [-dems]
.SH DESCRIPTION
\'abck\' is part of the \'abmgmt\' toolkit.  It reads through
/var/log/messages looking for evidence of an intrusion attempt. Upon
finding such a record, \'abck\' qualifies it against information
supplied by the user on the command line to determine if the record is
to be processed.

\'abck\' determines whether the record contains the name or IP address
of the source of the attack.  If it finds an IP address, it attempts
to reverse the address into a name.  If it cannot find a legitimate
reverse, it tries to find the authority responsible for that
address.  Note that a reverse (PTR) record is published by whoever
administers the address block, so the name it yields, and the default
destination derived from it, are only as trustworthy as that
administrator; check them (for example with the \'w\' command described
below) before accepting them for an unfamiliar source.

Each matching record is presented to the user.  The user can do a
\'whois\' lookup on the record, pick or edit a domain name that will
be notified about the attack attempt, or skip the record entirely.

As \'abck\' runs, each processed record that the user does not
skip is written to an output shell script called \'ABUSERS\'.  When
\'abck\' has finished, the user can then run this script (\'sh ABUSERS\')
to actually notify the responsible domains of the intrusion attempts.
Because the script is assembled from log contents and from destinations
typed at the prompt, inspect it before running it.

\'ABUSERS\' calls another script, \'abnot\' to actually send the notification
email.

.SH OPTIONS
.TP
.B -d #
Only go back # days in the log.
.TP
.B -e string
Only process attack records which do not contain \'string\'.
.TP
.B -m string
Only process attack records if they contain \'string\'.
.TP
.B -s
Don't actually process the matching records, just display them.

.SH RECORD PROCESSING
Each time the record of an intrusion attempt is found which matches
the command line-selected constraints, it is presented to the user
for disposition.  A typical prompt looks like this:

.nf
Log Record:
 Matching log entry found in /var/log/messages

Who Gets Message For: <nag.fleabag.horseplay.edu>? [horseplay.edu]
.fi

Pressing \'Enter\' accepts the default notification destination
of \'horseplay.edu\', a corresponding command is written to \'ABUSERS\',
and \'abck\' moves on to the next log entry.

The user can also issue a number of commands at the prompt to do
further lookups on the attacker or modify the domain to be notified.

.TP
.B l
Move left one subdomain, i.e. prepend the next label of the original
name to the default destination.  In the example above, \'horseplay.edu\'
becomes \'fleabag.horseplay.edu\'.

.TP
.B r
Move right one subdomain, i.e. drop the leftmost label of the default
destination.  \'abck\' will not move right once only two labels remain.
(A destination with a single label can still be entered manually.  This
is useful for testing because it allows \'localhost\' to be entered as
the point of notification.)

.TP
.B s
Skip this record entirely.

.TP
.B w
Run a \'whois\' lookup on the address/name found in the original log
entry.  This is helpful when reverse lookups fail and may provide
further information about the origin of the attack.

.TP
.B Any other string
Replace the current default destination with this string.
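.PP
The following is an added example, not code from the \'abmgmt\'
distribution, modelling the record pipeline described in DESCRIPTION,
OPTIONS and RECORD PROCESSING above: qualification of log records by
age (-d), inclusion (-m) and exclusion (-e), derivation of the default
destination from the source name, the \'l\' and \'r\' moves with their
two-label floor, and the writing of \'ABUSERS\' lines.  Everything that
the man page does not specify is an assumption and is marked as such in
the code: the sample log lines are constructed, the regular expression
that identifies an intrusion attempt is hypothetical, a fixed table
stands in for \'dig\' so the example runs offline, and the argument
convention of the \'abnot\' call is invented for illustration.

```python
import re
import shlex
from datetime import datetime, timedelta

# Constructed sample of /var/log/messages lines (not real log data).
# The last line is not an attack record and must be ignored.
SAMPLE_LOG = """\
Jul 16 02:11:05 gw sshd[312]: refused connect from nag.fleabag.horseplay.edu
Jul 17 03:44:19 gw sshd[318]: refused connect from 192.0.2.77
Jul 17 09:02:41 gw sshd[333]: refused connect from 198.51.100.9
Jul 18 11:20:00 gw cron[400]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Constructed "current time" so that the -d window is reproducible.
NOW = datetime(2001, 7, 18, 12, 0, 0)

# Assumed signature of an "intrusion attempt"; abck's real patterns are
# not given in the man page.
ATTACK_RE = re.compile(r"refused connect from (\S+)\s*$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Stand-in for `dig -x`: a fixed PTR table so the example runs offline.
# 198.51.100.9 deliberately has no entry, modelling a failed reverse
# (abck would then look for the responsible authority instead).
PTR_TABLE = {"192.0.2.77": "mail.example.org"}


def parse_syslog_time(line, year):
    """syslog lines carry no year; the caller supplies it (simplification:
    the example does not handle a window that spans New Year)."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


def select_records(log, now, days=None, match=None, exclude=None):
    """Model of the -d/-m/-e qualification: return (line, source) pairs."""
    out = []
    for line in log.splitlines():
        m = ATTACK_RE.search(line)
        if not m:
            continue
        if days is not None and parse_syslog_time(line, now.year) < now - timedelta(days=days):
            continue
        if match is not None and match not in line:
            continue
        if exclude is not None and exclude in line:
            continue
        out.append((line, m.group(1)))
    return out


def reverse_name(source, ptr_table=PTR_TABLE):
    """Name for the source: the literal name, the PTR for an address, or None."""
    if IPV4_RE.match(source):
        return ptr_table.get(source)
    return source


def default_destination(name):
    """Default notification domain: the last two labels of the name."""
    return ".".join(name.split(".")[-2:])


def move_left(current, full_name):
    """'l': prepend the next label of the full name, until nothing is left to add."""
    full = full_name.split(".")
    cur = current.split(".")
    if len(cur) >= len(full):
        return current
    return ".".join(full[-(len(cur) + 1):])


def move_right(current):
    """'r': drop the leftmost label, but never go below two labels."""
    labels = current.split(".")
    if len(labels) <= 2:
        return current
    return ".".join(labels[1:])


def abusers_line(destination, record):
    """One ABUSERS script line.  The real argument convention of abnot is
    not documented in the man page; this form is assumed.  Both fields
    originate in untrusted log text or user input, so they are shell-quoted."""
    return "abnot %s %s" % (shlex.quote(destination), shlex.quote(record))


def build_abusers(log, now, decide, **selection):
    """Run the pipeline non-interactively.  decide(default, name, line)
    stands in for the prompt and returns a destination, or None to skip."""
    lines = ["#!/bin/sh"]
    for line, source in select_records(log, now, **selection):
        name = reverse_name(source)
        default = default_destination(name) if name else None
        dest = decide(default, name, line)
        if dest:
            lines.append(abusers_line(dest, line))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Accept every default (the equivalent of pressing Enter at each prompt).
    print(build_abusers(SAMPLE_LOG, NOW, lambda d, n, l: d, days=3))
```

With the sample above and the defaults accepted, the record for
198.51.100.9 is skipped because no reverse name is available, and the
remaining two records produce one \'abnot\' line each; the shell quoting
in abusers_line is the detail worth keeping when generating any script
from log data.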


.SH OTHER
You must have a reasonably current copy of 'python' installed for \'abck\'
to operate. Also, the \'dig\' and \'whois\' programs must be on the system
in a directory somewhere in $PATH.

.SH BUGS AND MISFEATURES
None known as of this release.

.SH COPYRIGHT AND LICENSING
abck is Copyright(c) 2001, TundraWare Inc.
For terms of use, see the ABMGMT-License.txt file in the program distribution.
If you install abck on a FreeBSD system using the 'ports' mechanism, you will
also find this file in /usr/local/share/doc/abmgmt.
.SH AUTHOR
.nf
Tim Daneliuk
tundra@tundraware.com