diff --git a/abck.1 b/abck.1 new file mode 100644 index 0000000..e3c1d01 --- /dev/null +++ b/abck.1 
@@ -0,0 +1,108 @@ +.TH abck 1 TundraWare +.SH NAME +abck \- Process intrusion attempts found in the system log. +.SH SYNOPSIS +abck [-dems] +.SH DESCRIPTION +\'abck\' is part of the \'abmgmt\' toolkit. It reads through +/var/log/messages looking for evidence of an intrusion attempt. Upon +finding such a record, \'abck\' qualifies it against information +supplied by the user on the command line to determine if the record is +to be processed. + +\'abck\' determines whether the record contains the name or IP address +of the source of the attack. If it finds an IP address, it will attempt +to reverse the address into a name. If it cannot find a legitimate +reverse, it will try to find the authority responsible for that +addess. + +Each matching record is presented to the user. The user can do a +\'whois \' lookup on the record, pick or edit an domain name that will +be notified about the attack attempt, or skip the record entirely. + +As \'abnot\' runs, each processed record that the user does not +skip is written to an output shell script called \'ABUSERS\'. When +\'abck\' has finished, the user can then run this script (\'sh ABUSERS\') +to actually notify the responsible domains of the intrusion attempts. + +\'ABUSERS\' calls another script, \'abnot\' to actually send the notification +email. + +.SH OPTIONS +.TP +.B -d # +Only go back # days in the log. +.TP +.B -e string +Only process attack records which do not contain \'string\'. +.TP +.B -m string +Only process attack records if they contain \'string\'. +.TP +.B -s +Don't actually process the matching records, just display them. + +.SH RECORD PROCESSING +Each time the record of an intrusion attempt is found which matches +the command line-selected constraints, it is presented to the user +for disposition. A typical prompt looks like this: + +.nf +Log Record: + Matching log entry found in /var/log/messages + +Who Gets Message For: ? 
[horseplay.edu] +.fi + +Pressing \'Enter\' accepts the default notification destination +of \'horseplay.edu\', a corresponding command is written to \'ABUSERS\', +and \'abck\' moves on to the next log entry. + +The user can also issue a number of commands at the prompt to do +further lookups on the attacker or modify the domain to be notified. + +.TP +.B l +Move left one subdomain in the default destination. + +.TP +.B r +Move right one subdomain in the default destination. \'abck\' will +prevent the user from doing this beyond the point there are less than +two domains showing. (A user can enter a destination with only one +level of domain manually. This is useful for testing because it +allows \'localhost\' to be entered as the point of notification.) + +.TP +.B s +Skip this record entirely. + +.TP +.B w +Run a \'whois\' lookup on the address/name found in the original log +entry. This is helpful when reverse lookups fail and may provide +further information about the origin of the attack. + +.TP +.B Any other string +Replace the current default destination with this string. + + +.SH OTHER +You must have a reasonably current copy of 'python' installed for \'abck\' +to operate. Also, the \'dig\' and \'whois\' programs must be on the system +in a directory somewhere in $PATH. + +.SH BUGS AND MISFEATURES +None known as of this release. + +.SH COPYRIGHT AND LICENSING +abck is Copyright(c) 2001, TundraWare Inc. +For terms of use, see the ABMGMT-License.txt file in the program distribution. +If you install abck on a FreeBSD system using the 'ports' mechanism, you will +also find this file in /usr/local/share/doc/abmgmt. +.SH AUTHOR +.nf +Tim Daneliuk +tundra@tundraware.com +
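Review bot: the ABUSERS paragraph in DESCRIPTION names the wrong program: "As \'abnot\' runs, each processed record that the user does not skip is written to an output shell script called \'ABUSERS\'" describes abck, not abnot; the very next paragraph says abnot is the script ABUSERS calls to send the mail, so this should read "As \'abck\' runs". In the same section "addess" should be "address" and "an domain name" should be "a domain name". The SYNOPSIS "abck [-dems]" hides the fact that -d, -e and -m each take an argument, as OPTIONS shows; "abck [-d days] [-e string] [-m string] [-s]" would match the option table. Since ABUSERS is a shell script the user later runs with "sh ABUSERS", and its contents come from log records, from names returned by reverse lookups and from free text typed at the "Who Gets Message For:" prompt (any "other string" replaces the destination), the page should state how those values are quoted or validated when written into the script, and likewise for the name handed to "whois" by the w command; a reverse-DNS name is chosen by the party being reported, so a reader needs to know whether it is trusted as-is. Two troff nits: "\'" is the acute-accent escape in roff, so the quoted tool names will not render as quotes (use plain ' or \(aq, and be consistent with the unescaped 'python' and 'ports' in OTHER and COPYRIGHT), and the third field of ".TH abck 1 TundraWare" is conventionally the date, with the source name in the fourth field.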