diff --git a/abck.1 b/abck.1 index e3c1d01..6ef55ce 100644 --- a/abck.1 +++ b/abck.1 
@@ -4,29 +4,52 @@ .SH SYNOPSIS abck [-dems] .SH DESCRIPTION -\'abck\' is part of the \'abmgmt\' toolkit. It reads through +\'abck\' is an interactive tool to examine intrusion attempts and +decide what, if anything, to do about them. It reads through /var/log/messages looking for evidence of an intrusion attempt. Upon finding such a record, \'abck\' qualifies it against information supplied by the user on the command line to determine if the record is -to be processed. +to be processed. As packaged, \'abck\' handles several common types +of intrusion attempt records, but it can easily be expanded to handle +others. \'abck\' determines whether the record contains the name or IP address -of the source of the attack. If it finds an IP address, it will attempt -to reverse the address into a name. If it cannot find a legitimate -reverse, it will try to find the authority responsible for that -addess. +of the source of the attack. If it finds an IP address, it will +attempt to reverse the address into a name. If it cannot find a +legitimate reverse, it will try to find the authority responsible for +that address. Each matching record is presented to the user. The user can do a -\'whois \' lookup on the record, pick or edit an domain name that will -be notified about the attack attempt, or skip the record entirely. +\'whois \' lookup on the record, pick or edit the domain name that +will be notified about the attack attempt, permanently forget the +record without processing it, skip the record, or quit the +program. -As \'abnot\' runs, each processed record that the user does not -skip is written to an output shell script called \'ABUSERS\'. When -\'abck\' has finished, the user can then run this script (\'sh ABUSERS\') -to actually notify the responsible domains of the intrusion attempts. 
+Once the user has selected the domain to be notified (i.e., they +did not skip or forget a given record), \'abck\' formats and sends an +email to the \'abuse\' and \'root\' accounts at that domain, notifying +them of the intrusion attempt. This email is also sent to the +\'root\' user on the machine that was invaded. The email contains all +the relevant information about the machine which was attacked and +appends a copy of the log record containing evidence of the attempt. -\'ABUSERS\' calls another script, \'abnot\' to actually send the notification -email. +Very often, an intruder will try several different means of entry, +thereby generating multiple log events. This is common, for example, +if an attacker is running a port scanning program. As \'abck\' runs , +it keeps track of the attackers for which the user sends a +notification email. (The user may not necessarily send an email for +each and every intrusion attempt.) If \'abck\' sees this intruder's +host name/address again later in the log, it will automatically send +the notification to the same place as the user originally selected +without any user interaction. + +\'abck\' keeps track of the records that the user has either processed +(by sending an email notification) or \'forgotten\' (see below). +These records will not appear again in subsequent invocations of +\'abck\' (except with the \-s option; all matching records are +displayed, even if they've previously been processed). This +information is kept in $HOME/.abck_history. + .SH OPTIONS .TP 
@@ -54,18 +77,37 @@ Who Gets Message For: ? [horseplay.edu] .fi -Pressing \'Enter\' accepts the default notification destination -of \'horseplay.edu\', a corresponding command is written to \'ABUSERS\', -and \'abck\' moves on to the next log entry. + +Pressing \'Enter\' accepts the default notification destination of +\'horseplay.edu\'. Email is thus sent to \'abuse@horseplay.edu\', +\'root@horseplay.edu\', and \'root@local.machine...\'. \'abck\' then +moves on to the next log entry. + +Notice that this is the only way to actually send a notification +email. The commands below allow the user to modify the notification +domain, but only when the user responds with a blank line, will email +actually be sent. The user can also issue a number of commands at the prompt to do further lookups on the attacker or modify the domain to be notified. .TP +.B f + +Forget this record entirely without processing it. This means it will +not show up again in subsequent runs of \'abck\'. + +.TP .B l Move left one subdomain in the default destination. .TP +.B q +Quit the program. This causes an immediate exit. No history +information is written to disk, even if some records have been +processed and notification sent. + +.TP .B r Move right one subdomain in the default destination. \'abck\' will prevent the user from doing this beyond the point there are less than @@ -75,7 +117,8 @@ .TP .B s -Skip this record entirely. +Skip this record for now. The next time \'abck\' is run, this record +will be presented the user again for disposition. .TP .B w 
@@ -85,9 +128,47 @@ .TP .B Any other string -Replace the current default destination with this string. +Replace the current default domain to notify with this string. +.SH HOW \'abck\' DECIDES WHETHER A RECORD INDICATES ATTACK + +As \'abck\' scans the system log, it looks for two keywords: +\'refused\' and \'unauthorized\'. If it finds any of these keywords +anywhere in a given log record, it presents that record to the user +for disposition. + +You can trivially add other \'trigger words\' to the list of +things \'abck\' looks for as signs of intrusion. Suppose you +have an intrusion detection program which writes log records like this: + +.nf +Jul 27 00:27:35 eskimo inetd[56691]: Intruder saddle.horseplay.edu foiled +.fi + +To get \'abck\' to present records like this to the user for disposition, +you only need two things. First, you need a unique trigger word that +only appears in records of this type, say, \'foiled\'. Then, you need +to know which field within that record contains either the host name or +IP address of the attacker. The first field is 0, so in this example, +it would be field 7. + +To get \'abck\' to recognize this type of record, merely add this +information to the +.B AttackKeys +data structure in the program. This +is a Python dictionary, so all entries are of the form: + +.nf +"keyword" : Fieldnum, +.fi + + +.SH FILES + +.B $HOME/.abck_history +\- History of all records user has either processed or forgotten. + .SH OTHER You must have a reasonably current copy of 'python' installed for \'abck\' to operate. Also, the \'dig\' and \'whois\' programs must be on the system 
@@ -98,9 +179,9 @@ .SH COPYRIGHT AND LICENSING abck is Copyright(c) 2001, TundraWare Inc. -For terms of use, see the ABMGMT-License.txt file in the program distribution. +For terms of use, see the abck-License.txt file in the program distribution. If you install abck on a FreeBSD system using the 'ports' mechanism, you will -also find this file in /usr/local/share/doc/abmgmt. +also find this file in /usr/local/share/doc/abck. .SH AUTHOR .nf Tim Daneliuk
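Review bot: in the DESCRIPTION hunk, the paragraph on automatic re-notification says "If \'abck\' sees this intruder's host name/address again later in the log, it will automatically send the notification to the same place as the user originally selected without any user interaction", but it never says what is compared: the literal string taken from the log record, or the name obtained by reversing an IP address. The two differ in practice (the same host can appear once by address and once by name, and a single domain can have many hosts), and because this path sends mail with no operator in the loop, the text should state which key is matched and whether a second host that resolves to the same domain is treated as the same intruder. Minor: "As \'abck\' runs , it keeps track" has a stray space before the comma.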
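Review bot: in the hunk adding the f and q commands, the q entry states "No history information is written to disk, even if some records have been processed and notification sent" but leaves the consequence to the reader: since the history file is the only thing that keeps processed records from reappearing, every record notified in that session will be presented again on the next run, and the operator can end up mailing the same abuse@ and root@ addresses a second time. Suggest adding a sentence saying so, and stating how a session must end for $HOME/.abck_history to be written, since the page nowhere says when the history is saved. Also, in the "Notice that this is the only way" paragraph, "but only when the user responds with a blank line, will email actually be sent" reads better without the comma, e.g. "but email is actually sent only when the user responds with a blank line".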
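Review bot: in the hunk revising the s command, "will be presented the user again" is missing a word: "will be presented to the user again". Since this entry and the new f entry are the pair users will compare, it would also help to say here that a skipped record is not added to the history file, so the contrast with f is visible without cross-referencing.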
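Review bot: in the HOW \'abck\' DECIDES hunk, the field number in the worked example does not follow the rule given two sentences earlier. With "The first field is 0" and whitespace-separated fields, "Jul 27 00:27:35 eskimo inetd[56691]: Intruder saddle.horseplay.edu foiled" splits as Jul(0) 27(1) 00:27:35(2) eskimo(3) inetd[56691]:(4) Intruder(5) saddle.horseplay.edu(6) foiled(7), so the host name is field 6 and field 7 is the trigger word itself. Either the example should say 6, or the text should explain how the program counts fields (for instance if the timestamp is treated as one field, or if the padded single-digit day in syslog timestamps such as "Jul  7" produces an extra field, which would make the number vary from record to record). The AttackKeys value is what selects the address that notifications are sent for, so an off-by-one here means mail goes nowhere or to the wrong party; worth pinning down before this ships. Minor: "it looks for two keywords ... If it finds any of these keywords" reads better as "either of these keywords".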
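Review bot: in the COPYRIGHT AND LICENSING hunk, the license file and FreeBSD doc directory are renamed from ABMGMT-License.txt and /usr/local/share/doc/abmgmt to abck-License.txt and /usr/local/share/doc/abck, but this patch only touches the man page. Make sure the file in the distribution and the port's install path are renamed in the same change; otherwise the man page points at files that do not exist.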