Fork: 0
tundra / abck
Transfer to URL with SHA Find file
Newer
Older
abck / abck
@tundra tundra on 27 Jul 2001 12 KB Added the Forget and Quit user interaction options.
Raw Blame History 
  1. #!/usr/local/bin/python
  2. #
  3. # abck  - Examine and report on unauthorized intrusion attempts.
  4. # Copyright (c) 2001, TundraWare Inc., All Rights Reserved.
  5. # See the accompanying file called, abck-License.txt
  6. # for Licensing Terms
  7.  
  8.  
  9.  
  10. ##########
  11.  
  12. VERSION = "$Id: abck,v 1.98 2001/07/27 05:46:32 tundra Exp $"
  13.  
  14.  
  15.  
  16. ####################
  17. # Imports
  18. ####################
  19.  
  20. import commands
  21. import exceptions
  22. import getopt
  23. import os
  24. import re
  25. import sys
  26. import socket
  27. import time
  28.  
  29. ####################
  30. # Booleans
  31. ####################
  32.  
  33. FALSE = 0 == 1
  34. TRUE  = not FALSE
  35.  
  36. DONE  = FALSE
  37.  
  38. ####################
  39. # General Constants
  40. ####################
  41.  
  42. ANS  = ";; ANSWER SECTION:"
  43. AUTH = ";; AUTHORITY SECTION:"
  44. DLEN = 24*60*60
  45. DIG  = "dig -t ptr -x "
  46. HIST = ".abck_history"
  47. HISTFILE = os.path.join(os.getenv("HOME"), HIST)
  48. LOG = "/var/log/messages"
  49. MOS = ["", "Jan", "Feb", "Mar", "Apr", "May", "Jun",
  50.        "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
  51. WHO = "whois "
  52.  
  53. ####################
  54. # Constants Used In Outgoing eMail
  55. ####################
  56.  
  57. HOSTNAME = socket.gethostname()
  58. HOSTADDR = socket.gethostbyname(HOSTNAME)
  59. HOSTTZ   = time.tzname
  60. NOTIFYWHO = ("abuse", "root")
  61. ORG = os.getenv("ORGANIZATION")
  62. SUBJ = "\"Attempted Intrusion Attempt\""
  63.  
  64. MAILCMD = "mail -s %s" % (SUBJ)
  65.  
  66. MAILMSG = "An *unauthorized* attempt to access one of our computers\n" + \
  67.           "has been detected originating from your address space/domain.\n\n" + \
  68.           "Our machine, %s, has IP address,\n%s, and is located in the " + \
  69.           "%s Time Zone.\n\n" + \
  70.           "Our log entry documenting the attempted intrusion\n" + \
  71.           "from your address space/domain, follows:\n\n%s\n\n" + \
  72.           "Please take the necessary steps to remedy this situation.\n" + \
  73.           "Thank-You\n" + ORG + "\n"
  74.  
  75.  
  76. ####################
  77. # Prompt And Message Strings
  78. ####################
  79.  
  80.  
  81. PROMPT = "\nLog Record:\n%s\n\nWho Gets Message For: <%s>? %s[%s] "
  82.  
  83. USAGE = "abck " + VERSION.split()[2] + " " + \
  84.         "Copyright (c) 2001, TundraWare Inc.  All Rights Reserved.\n" + \
  85.         " usage:\n" + \
  86.         "   abck [-d # days to look back]\n" + \
  87.         "        [-e except string]\n" + \
  88.         "        [-m match string]\n" + \
  89.         "        [-s Show, but do not process matching records]\n"
  90.  
  91.  
  92. ####################
  93. # Data Structures
  94. ####################
  95.  
  96. # Dictionary of keywords indicating attack, and position of host address/name
  97. # in their log records
  98.  
  99. AttackKeys = {
  100.               "refused" : 8,
  101.               "unauthorized" : 7
  102.              }
  103.  
  104. # Cache dictionary of all attacking hosts discovered this run of the program
  105.  
  106. NameCache = {}
  107.  
  108.  
  109. ####################
  110. # Globals
  111. ####################
  112.  
  113. Processed = []
  114.  
  115. ####################
  116. # Regular Expression Handlers
  117. ####################
  118.  
  119. # Regular Expression which describes a legit IP quad address
  120.  
  121. IPQuad   = r"(\d{1,3}\.){3}\d{1,3}$"
  122.  
  123. ####################
  124. # Classes
  125. ####################
  126.  
  127. # Signify that the record under consideration is to be
  128. # permanently forgotten
  129.  
  130. class ForgetRecord(exceptions.Exception):
  131.     def __init__(self, args=None):
  132.         self.args = args
  133.  
  134.  
  135. # Signify that the user want to quit the program
  136.  
  137. class QuitAbck(exceptions.Exception):
  138.     def __init__(self, args=None):
  139.         self.args = args
  140.  
  141.  
  142.  
  143. ####################
  144. # Function Definitions
  145. ####################
  146.  
  147. # Return the ending substring of a host name with 'depth' number of dots
  148. # in it
  149.  
  150. def HostDepth(host, depth=2):
  151.  
  152.     # Break the address down into components
  153.     components = host.split(".")
  154.  
  155.     # And return the recombined pieces we want
  156.     return '.'.join(components[-depth:])
  157.  
  158.  
  159. ####################
  160.  
  161. # Check a name, see if it's an IP quad, and if so, return reverse.
  162. # If not, return the original name.
  163. #
  164. # This is better than a socket.gethostbyaddr() call because
  165. # this will return the authority information for an address
  166. # if no explicit reverse resolution is found.
  167.  
  168. def CheckIPReverse(hostquad):
  169.     
  170.     # If it's an IP address in quad form, reverse resolve it
  171.     if re.match(IPQuad, hostquad):
  172.  
  173.         DIGResults = commands.getoutput(DIG + hostquad).splitlines()
  174.  
  175.         ansname = ""
  176.         authname = hostquad
  177.         # Results must either have an Answer or Authority record
  178.         if ( DIGResults.count(ANS) + DIGResults.count(AUTH)):
  179.  
  180.             i = 0
  181.             while i < len(DIGResults):
  182.  
  183.                 if DIGResults[i].startswith(ANS):
  184.                     ansname = DIGResults[i+1].split()[4]
  185.  
  186.                 if DIGResults[i].startswith(AUTH):
  187.                     authname = DIGResults[i+1].split()[-2]
  188.  
  189.                 i += 1
  190.  
  191.         if ansname:
  192.             hostname = ansname
  193.         else:
  194.             hostname = authname
  195.  
  196.         # Get rid of trailing dot, if any
  197.         if hostname[-1] == '.':
  198.             hostname = hostname[:-1]
  199.  
  200.     else:
  201.         hostname = hostquad
  202.         
  203.     return hostname
  204.  
  205.  
  206. ####################
  207.  
  208. # Notify the responsible authority about the attempted intrusion
  209.  
  210. def Notify(logrecord, domain):
  211.     dest=[]
  212.     logrecord = "\"" + logrecord + "\""
  213.     msg = (MAILMSG % (HOSTNAME, HOSTADDR, "/".join(HOSTTZ), logrecord))
  214.     for x in NOTIFYWHO:
  215.         dest.append(x + "@" + domain)
  216.     dest.append("root@" + HOSTNAME)
  217.     os.popen(MAILCMD + " " + " ".join(dest), "w").write(msg)
  218.     
  219.  
  220. ####################
  221.  
  222. # Paw through a log record, doing any reverse resolution needed,
  223. # confirm with user, and return name of the host to notify about
  224. # the instrusion attempt.  A null return means the user want to
  225. # skip this record.
  226.  
  227.  
  228. def ProcessLogRecord(logrecord, NOMATCH, SHOWONLY):
  229.  
  230.     # Check for each known attack keyword
  231.  
  232.     sendto = ""
  233.     for attackkey in AttackKeys.keys():
  234.  
  235.         logfield = logrecord.split()
  236.         if logrecord.count(attackkey):
  237.  
  238.             # Even if it is a legitimate attack record,
  239.             # we do not process it if it contains text
  240.             # the user does not want matched.
  241.  
  242.             if NOMATCH and logrecord.count(NOMATCH):
  243.                 break
  244.  
  245.             if SHOWONLY:
  246.                 print logrecord
  247.                 break
  248.         
  249.             # Different attack records put the hostquad in different places
  250.             hostquad =  logfield[AttackKeys[attackkey]]
  251.             if hostquad[-1] == ',':
  252.                 hostquad = hostquad[:-1]         # Strip trailing dots
  253.  
  254.             # Go do a reverse resolution if we need to
  255.             hostname = CheckIPReverse(hostquad)
  256.  
  257.             # Check for the case of getting a PTR record back
  258.             hostname = ReversePTR(hostname)
  259.  
  260.             # Check if we've seen this abuser before
  261.             if NameCache.has_key(hostname):
  262.                 sendto = NameCache[hostname]
  263.  
  264.             # New one
  265.             else:
  266.                 originalname = hostname
  267.                 depth = 2
  268.                 DONE=FALSE
  269.                 while not DONE:
  270.  
  271.                     # Set depth of default response
  272.                     default = HostDepth(hostname, depth)
  273.  
  274.                     # Ask the user about it
  275.                     st = raw_input(PROMPT % (logrecord, originalname[-40:],
  276.                                              " " * (40 - len(originalname)),
  277.                                    default))
  278.  
  279.                     # Parse the response
  280.  
  281.                     if st.lower() == "f":      # Forget this record forever
  282.                         raise ForgetRecord     # Raise error as the way back
  283.  
  284.                     elif st.lower() == "l":    # More depth in recipient name
  285.                         if depth < len(hostname.split('.')):
  286.                              depth += 1
  287.  
  288.                     elif st.lower() == "q":    # Quit the program
  289.                         raise QuitAbck
  290.  
  291.                     elif st.lower() == "r":    # Less depth in recipient name
  292.                         if depth > 2:
  293.                             depth -= 1
  294.  
  295.                     elif st.lower() == "s":    # Skip this record
  296.                         sendto = ""
  297.                         DONE = TRUE
  298.  
  299.                     elif st.lower() == "w":    # Run a 'whois' on 'em
  300.                         print commands.getoutput(WHO + hostquad)
  301.  
  302.  
  303.                     else:
  304.                         if st:                 # User keyed in their own recipient
  305.                             hostname = st
  306.                         else:                  # User accepted the default
  307.                             sendto = default
  308.                             DONE = TRUE
  309.                         
  310.                 NameCache[originalname] = sendto  # Cache it
  311.             
  312.     return sendto
  313.  
  314. ####################
  315.  
  316. # Check the passed hostname and see if it looks like a PTR record.
  317. # If so, strip out the address portion, reverse it, and trying
  318. # doing another reverse lookup.  If not, just return the original hostname.
  319.  
  320. def ReversePTR(hostname):
  321.  
  322.     tmp = hostname.split("in-addr.arpa")
  323.  
  324.     if len(tmp) > 1:                       # Looks like a PTR record
  325.  
  326.         tmp = tmp[0].split('.')            # Get addr components
  327.         tmp.reverse()                      # and reverse their order
  328.         # Take the 1st four quads (some PTR records have more)
  329.         # and see if we can dig out a reverse.
  330.         hostname = CheckIPReverse('.'.join(tmp[1:5]))
  331.  
  332.     return hostname
  333.  
  334.  
  335. #------------------------- Program Entry And Mail Loop -----------------------#
  336.  
  337.  
  338.  
  339. # Program entry and command line processing
  340.  
  341. try:
  342.     opts, args = getopt.getopt(sys.argv[1:], '-d:e:m:s')
  343. except getopt.GetoptError:
  344.     print USAGE
  345.     sys.exit(2)
  346.     
  347. OLDEST   = 0
  348. MATCH    = ""
  349. NOMATCH  = ""
  350. SHOWONLY = FALSE
  351.  
  352. for opt, val in opts:
  353.     if opt == "-d":
  354.         OLDEST = time.time() - (int(val) * DLEN)
  355.     if opt == "-e":
  356.         NOMATCH = val
  357.     if opt == "-m":
  358.         MATCH = val
  359.     if opt == "-s":
  360.         SHOWONLY = TRUE
  361.  
  362.  
  363. # Read the log into a list
  364.  
  365. f = open(LOG, "r")
  366. logfile = [x for x in f.read().splitlines()]
  367. f.close()
  368.  
  369. # Remove any previously handled log events from further consideration
  370. # unless all we're doing is showing records.  In that case, show
  371. # all records that match, even if we've already processed them.
  372.  
  373. if not SHOWONLY:
  374.     if os.path.exists(HISTFILE):
  375.         f = open(HISTFILE, "r")
  376.         for histrec in f.read().splitlines():
  377.             if logfile.count(histrec):
  378.                 logfile.remove(histrec)
  379.     f.close()
  380.  
  381.  
  382. # Examine, and possibly process, each record in the log
  383. for logrecord in logfile:
  384.  
  385.     # Check to see whether this record should even be
  386.     # processed.
  387.  
  388.     DOIT = TRUE
  389.     # Did user limit how far back to look?
  390.     if OLDEST:
  391.         # Parse the record's time into into a list
  392.         logfields = logrecord.split()
  393.         logtime = logfields[2].split(":")
  394.         EventTime = [None, logfields[0], logfields[1],
  395.                      logtime[0], logtime[1], logtime[2]]
  396.  
  397.         # Figure out what year - not in the log explicitly
  398.         # We do this by comparing the Month in the log entry
  399.         # against today's month.  We get away with this so long
  400.         # as the log never is allowed to get so big that it has
  401.         # entries over a year old in it. (Which should be the case
  402.         # for any reasonably administered system.
  403.         
  404.         lt = time.localtime()
  405.         logyear = int(lt[0])
  406.         if MOS.index(EventTime[1]) > int(lt[1]): # Log shows a later month
  407.             logyear -= 1                         # 'Must be last year
  408.         EventTime[0] = str(logyear)
  409.         
  410.         # Don't process if older than the oldest allowed
  411.         if time.mktime(time.strptime("%s %s %s %s %s %s" % tuple(EventTime),
  412.                                 "%Y %b %d %H %M %S")) < OLDEST:
  413.             DOIT = FALSE
  414.  
  415.     # Did user specify a selection matching string?
  416.     if not logrecord.count(MATCH):
  417.         DOIT = FALSE
  418.  
  419.     # If we passed all those tests, it's time to process this record.
  420.     if DOIT:
  421.         try:
  422.             sendto = ProcessLogRecord(logrecord, NOMATCH, SHOWONLY)
  423.         except (ForgetRecord):
  424.             Processed.append(logrecord)
  425.         except (QuitAbck):
  426.             sys.exit()
  427.         else:
  428.             # If we get a non-null string back, we need to let someone know
  429.             # about the attempted intrusion
  430.             if sendto:
  431.                 Notify(logrecord, sendto)
  432.                 Processed.append(logrecord)
  433.  
  434. if os.path.exists(HISTFILE):
  435.     f = open(HISTFILE, "a")
  436. else:
  437.     f = open(HISTFILE, "w")
  438.  
  439. for x in Processed:
  440.     f.write(x + "\n")
  441. f.close()
  442.  
  443.