diff --git a/abck b/abck index c005040..6179c04 100755 --- a/abck +++ b/abck @@ -1,17 +1,15 @@ #!/usr/local/bin/python # -# abck - Part of the ABMGMT package from TundraWare Inc. +# abck - Examine and report on unauthorized intrusion attempts. # Copyright (c) 2001, TundraWare Inc., All Rights Reserved. -# See the accompanying file called, 1-ABMGMT-License.txt +# See the accompanying file called, abck-License.txt # for Licensing Terms -# -# Build a report of all unauthorized access attempts -# -# Usage: abck [-d date offset] -e [Except String] -s [Match String] + + ########## -VERSION = "$Id: abck,v 1.94 2001/07/19 01:18:19 tundra Exp $" +VERSION = "$Id: abck,v 1.95 2001/07/27 01:45:24 tundra Exp $" @@ -21,8 +19,10 @@ import commands import getopt +import os import re import sys +import socket import time #################### 
@@ -35,20 +35,41 @@ DONE = FALSE #################### -# Constants And Literals +# Constants #################### ANS = ";; ANSWER SECTION:" AUTH = ";; AUTHORITY SECTION:" DLEN = 24*60*60 DIG = "dig -t ptr -x " +HIST = ".abck_history" +HISTFILE = os.path.join(os.getenv("HOME"), HIST) +HOSTNAME = socket.gethostname() +HOSTADDR = socket.gethostbyname(HOSTNAME) +HOSTTZ = time.tzname LOG = "/var/log/messages" MOS = ["", "Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"] -OUT = "./ABUSERS" +NOTIFYWHO = ("abuse", "root") +ORG = os.getenv("ORGANIZATION") PROMPT = "\nLog Record:\n%s\n\nWho Gets Message For: <%s>? %s[%s] " WHO = "whois " +#################### +# Prompt And Message Strings +#################### + + +MAILMSG = "An *unauthorized* attempt to access one of our computers\n" + \ + "has been detected originating from your address space/domain.\n\n" + \ + "Our machine, %s, has IP address,\n%s, and is located in the " + \ + "%s Time Zone.\n\n" + \ + "Our log entry documenting the attempted intrusion\n" + \ + "from your address space/domain, follows:\n\n\"%s\"\n\n" + \ + "Please take the necessary steps to remedy this situation.\n" + \ + "Thank-You\n" + ORG + "\n" + + USAGE = "abck " + VERSION.split()[2] + " " + \ "Copyright (c) 2001, TundraWare Inc. All Rights Reserved.\n" + \ " usage:\n" + \ @@ -74,6 +95,13 @@ NameCache = {} + +#################### +# Globals +#################### + +Processed = [] + #################### # Regular Expression Handlers #################### @@ -97,6 +125,7 @@ # And return the recombined pieces we want return '.'.join(components[-depth:]) + #################### # Check a name, see if it's an IP quad, and if so, return reverse. 
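Review bot: Two of the new module-level constants will raise TypeError at import time when their environment variable is absent: `HISTFILE = os.path.join(os.getenv("HOME"), HIST)` receives None when HOME is unset, and `ORG = os.getenv("ORGANIZATION")` is concatenated into MAILMSG a few lines later (`"Thank-You\n" + ORG + "\n"`), so a missing ORGANIZATION stops the script before any option parsing. Safer forms are `HISTFILE = os.path.join(os.path.expanduser("~"), HIST)` and `ORG = os.getenv("ORGANIZATION") or ""`, with a comment noting that the organisation line is simply omitted when unset. `HOSTADDR = socket.gethostbyname(HOSTNAME)` also runs at import, so a resolver failure or slow DNS now surfaces as an unhandled socket error before the usage text can be shown; consider wrapping it or resolving lazily in Notify. It is also worth a comment on MAILMSG that the `%s` taking the log record embeds text written by the remote party verbatim into an outbound message.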
@@ -146,6 +175,23 @@ #################### +# Notify the responsible authority about the attempted intrusion + +def Notify(logrecord, domain): + dest=[] + msg = (MAILMSG % (HOSTNAME, HOSTADDR, "/".join(HOSTTZ), logrecord)) + for x in NOTIFYWHO: + dest.append(x + "@" + domain) + dest.append("root@" + HOSTNAME) + + print msg + print dest + + + + +#################### + # Paw through a log record, doing any reverse resolution needed, # confirm with user, and return name of the host to notify about # the instrusion attempt. A null return means the user want to @@ -279,13 +325,25 @@ SHOWONLY = TRUE -# Loop through the log, processing matching records +# Read the log into a list -logfile = open(LOG) -abuserfile = open(OUT, "w") +f = open(LOG, "r") +logfile = [x for x in f.read().splitlines()] +f.close() -# Read in the whole log logfileile -for logrecord in logfile.read().splitlines(): +# Remove any previously handled log events from further consideration + +if os.path.exists(HISTFILE): + f = open(HISTFILE, "r") + for histrec in f.read().splitlines(): + if logfile.count(histrec): + logfile.remove(histrec) + f.close() + + + +# Examine, and possibly process, each record in the log +for logrecord in logfile: # Check to see whether this record should even be # processed. @@ -324,9 +382,20 @@ # If we passed all those tests, it's time to process this record. if DOIT: sendto = ProcessLogRecord(logrecord, NOMATCH, SHOWONLY) - if sendto: - abuserfile.write("abnot \"" + logrecord + "\" " + - sendto + "\n") -logfile.close() -abuserfile.close() + # If we get a non-null string back, we need to let someone know + # about the attempted intrusion + if sendto: + Notify(logrecord, sendto) + Processed.append(logrecord) + +if os.path.exists(HISTFILE): + f = open(HISTFILE, "a") +else: + f = open(HISTFILE, "w") + +for x in Processed: + f.write(x + "\n") +f.close() + +
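Review bot: Notify has no docstring, and what its `domain` argument is trusted to be matters here: the surrounding comments say ProcessLogRecord derives it from reverse resolution of the offending address and then confirms it with the user, so the recipient list `x + "@" + domain` is only as trustworthy as that confirmation step (which lives outside this hunk). I would add a docstring stating that `domain` must be the user-confirmed target and that `logrecord` is embedded verbatim in the message body, so a later change that skips the prompt does not silently turn this into a way to send mail to addresses chosen by the remote party. As a style point, the append loop reads more clearly as a single comprehension the file already uses elsewhere: `dest = [x + "@" + domain for x in NOTIFYWHO] + ["root@" + HOSTNAME]`. The function currently only prints `msg` and `dest`; if that is a placeholder for sending, a `# TODO` saying so would help.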
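Review bot: In the history filter of the `@@ -279,13 +325,25 @@` hunk, `logfile.remove(histrec)` removes only the first matching line, so a log record that appears twice and was handled once is re-processed and re-notified on the next run; the `count` + `remove` pair is also O(n) per history entry. Keying the history in a dict and filtering the log once is linear and drops every copy of a handled record. The `[x for x in f.read().splitlines()]` on the preceding lines is a no-op copy, since `splitlines()` already returns a list.

```python
f = open(LOG, "r")
logfile = f.read().splitlines()
f.close()

# Records already notified on an earlier run; a dict keyed by the
# raw log line gives O(1) membership tests.
handled = {}
if os.path.exists(HISTFILE):
    f = open(HISTFILE, "r")
    for histrec in f.read().splitlines():
        handled[histrec] = 1
    f.close()
logfile = [x for x in logfile if not handled.has_key(x)]

# … unchanged: per-record processing loop …
```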
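Review bot: In the `@@ -324,9 +382,20 @@` hunk the history file is written only after the whole loop finishes, so an interrupt or an exception raised inside Notify part-way through discards every entry in `Processed`, and the next run notifies the same parties again. Appending each record right after the `Notify(logrecord, sendto)` call, or opening the history file once before the loop and writing as you go, closes that window. The `if os.path.exists(HISTFILE)` branch is also redundant, because `open(HISTFILE, "a")` creates the file when it is missing, so the four lines collapse to `f = open(HISTFILE, "a")`.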