Bug 48444 - [patch] security.functions: count connection attempts instead of listing them
Summary: [patch] security.functions: count connection attempts instead of listing them
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: conf
Version: 4.7-STABLE
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-bugs mailing list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2003-02-18 22:20 UTC by Alan Batie
Modified: 2017-12-31 22:37 UTC

See Also:


Description Alan Batie 2003-02-18 22:20:04 UTC
	These days you get so many "door knockings" that listing them
	amounts to information overload.  What you really want to see is
	who's doing how much door knocking so you can see where problems
	really lie.  This patch implements that optionally if the
	variable "daily_status_security_port_counts" enables it.  Currently,
	you can completely ignore certain host/port combinations by setting
	them in the code; probably this should be done with some more
	variables, but that's a low priority TBD.

Fix: 

/etc/periodic/security/port_count:

#!/usr/local/bin/perl
eval 'exec /usr/local/bin/perl -S $0 ${1+"$@"}'
    if $running_under_some_shell;

#
#  Count connection attempt log entries by protocol and destination.
#  Input lines are expected to begin with the words "Connection attempt";
#  the parser below does not skip a syslog timestamp/host prefix, so the
#  prefix shown in this sample line must already have been stripped:
#
# Feb 11 03:02:21 agora /kernel: Connection attempt to TCP 199.26.172.34:119
#     from 129.250.35.205:52776
#

#
#  Ignore proto:ip:port (proto = TCP|UDP)
#

#$ignore_dest{"UDP:127.0.0.1:512"} = 1;
$ignore_src{"UDP:199.26.172.34:53"} = 1;

#
#  Don't bother printing out a count unless it's over this:
#
$threshold = 1;

if ($#ARGV != 0) {
    print "Usage: $0 logfile\n";
    print join(":", @ARGV), "\n";
    exit 1;
}

if ($ARGV[0] eq "-") {
    open(LOG, "<&STDIN") || die "Can't copy stdin: $!\n";
} else {
    open(LOG, "<$ARGV[0]") || die "Can't open '$ARGV[0]': $!\n";
}

LOGLOOP:
while (<LOG>) {
    chomp;
    $line = $_;

    ($d1,$d2,$d3,$proto,$dest,$d4,$src) = split(' ');

    # skip corrupt lines
    next if ($d1 ne "Connection" || $d2 ne "attempt" || $d3 ne "to" ||
		$d4 ne "from" || ($proto ne "TCP" && $proto ne "UDP"));

    # Split "a.b.c.d:port" for the destination and the source so both
    # can be range-checked below.
    ($di1,$di2,$di3,$di4) = split(/\./, $dest);
    ($di4,$dp) = split(/:/, $di4);
    # Was split(/\./, $dest) a second time, so the source address was
    # never actually validated; split $src instead.
    ($si1,$si2,$si3,$si4) = split(/\./, $src);
    ($si4,$sp) = split(/:/, $si4);

    foreach $i ($di1,$di2,$di3,$di4,$si1,$si2,$si3,$si4) {
	next LOGLOOP if ($i eq "" || $i < 0 || $i > 255);
    }
    next if ($dp < 0 || $dp > 65535);
    next if ($sp < 0 || $sp > 65535);

    # skip specified entries
    next if defined $ignore_dest{"$proto:$dest"};
    next if defined $ignore_src{"$proto:$src"};

    $tally{"$proto:$dest"}++;
}

close(LOG);

foreach $i (sort { $tally{$a} <=> $tally{$b} } keys(%tally)) {
    if ($tally{$i} > $threshold) {
	print "$i - $tally{$i}\n";
    }
}

exit 0;

Index: security.functions
===================================================================
RCS file: /home/ncvs/src/etc/periodic/security/security.functions,v
retrieving revision 1.1.2.2
diff -c -r1.1.2.2 security.functions
*** security.functions	19 Nov 2002 19:00:39 -0000	1.1.2.2
--- security.functions	18 Feb 2003 22:03:58 -0000
***************
*** 53,59 ****
  
    if [ "${tmpf}" = "-" ]; then
      tmpf=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX`
!     cat > ${tmpf}
    fi
  
    if [ ! -f ${LOG}/${label}.today ]; then
--- 53,80 ----
  
    if [ "${tmpf}" = "-" ]; then
      tmpf=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX`
!     tmpf2=`mktemp ${TMPDIR:-/tmp}/security2.XXXXXXXXXX`
!     tmpcons=`mktemp ${TMPDIR:-/tmp}/conns.XXXXXXXXXX`
! 
!     case "$daily_status_security_port_counts" in
!       [Yy][Ee][Ss])
! 	cat > ${tmpf2}
! 	grep "Connection attempt" ${tmpf2} > ${tmpcons}
! 	if [ -s ${tmpcons} ]
! 	then
! 	  grep -v "Connection attempt" ${tmpf2} > ${tmpf}
! 	  echo ""
! 	  echo "Connection attempts:"
! 	  echo ""
! 	  /etc/periodic/security/port_count ${tmpcons}
! 	fi
!         rm -f ${tmpf2} ${tmpcons}
! 	;;
! 
!       *)
! 	cat > ${tmpf}
! 	;;
!     esac
    fi
  
    if [ ! -f ${LOG}/${label}.today ]; then
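Review bot: In the `[Yy][Ee][Ss]` branch, `grep -v "Connection attempt" ${tmpf2} > ${tmpf}` sits inside `if [ -s ${tmpcons} ]`, so on a day with no "Connection attempt" lines `${tmpf}` stays the empty file mktemp created and the entire input is silently dropped before it can reach `${LOG}/${label}.today`; move the `grep -v` (or a `cat ${tmpf2} > ${tmpf}`) outside the `-s` test so the non-matching lines are always preserved. Two smaller points on the same hunk: `tmpf2` and `tmpcons` are created by mktemp unconditionally but only removed in the yes branch, so the default `*)` path leaks two empty temp files per run (create them inside the case arm, or `rm -f` them after `esac`); and the new `daily_status_security_port_counts` knob appears only here, with no default in /etc/defaults/periodic.conf and no entry in periodic.conf(5), while the hard-coded `/etc/periodic/security/port_count` is a script whose shebang is `/usr/local/bin/perl`, which a base-system file should not depend on.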
How-To-Repeat: 	Read your daily security email on a publicly connected system
	set to log connection attempts to ports with no listeners.
Comment 1 Giorgos Keramidas freebsd_committer 2003-02-21 02:26:24 UTC
I do agree that listing all of ipfw's output can be overwhelming at
times.  Since the perl script of the PR only works for IPFW, here's an
addition that will probably look interesting to ipfilter users.  I'm
using the following locally to check for ports that ipfilter has
blocked and logged:

: #!/bin/sh
: # $RCS: scripts/listports.sh,v 1.1 2003/01/22 01:14:06 giorgos Exp $
: # List all the ports that ipfilter has blocked and logged,
: # ordered by number of hits.
:
: echo "    RANK    HITS    PORT"
: grep "`date '+%b %e'`" /var/log/messages |\
: egrep -e '(ppp|tun)[0-9]+ .* b ' |\
: sed -e 's/^.*,.*,//' -e 's/ .*$//' |\
: sort | uniq -c | sort -r -k 1 | \
: awk '{ printf "%10d %10d %10d\n", NR, $1, $2 }'

The output is similar to (trimmed to keep this a bit short):

: # sh listports.sh | head -6
:       RANK       HITS       PORT
:          1         32        137
:          2         15         80
:          3         11       1214
:          4         11       1080
:          5          8         81

Does this look like an interesting addition to periodic/security too?
Comment 2 alan 2003-02-21 04:57:30 UTC
On Fri, Feb 21, 2003 at 04:26:24AM +0200, Giorgos Keramidas wrote:
> : # sh listports.sh | head -6
> :       RANK       HITS       PORT
> :          1         32        137
> 
> Does this look like an interesting addition to periodic/security too?


I'm not familiar with ipfilter's output, but if possible, I would
recommend ranking by source-ip:port, so that you can tell if someone
in particular is hammering you.  On the other hand, a DDOS attempt
would be better shown by an aggregate, and if you see a high count, you
can always go look at the log for the addresses, so I'll leave it to
you guys which way you think is best...

-- 
Alan Batie                   ______    alan.batie.org                Me
alan at batie.org            \    /    www.qrd.org         The Triangle
PGPFP DE 3C 29 17 C0 49 7A    \  /     www.pgpi.com   The Weird Numbers
27 40 A5 3C 37 4A DA 52 B9     \/      spamassassin.taint.org  NO SPAM!
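An added example, not part of the PR and not FreeBSD's own code, showing the two rankings the reply above weighs against each other: the PR's aggregate count per destination proto:ip:port, and a count per source host. It is written in sh/awk rather than Perl so it runs stand-alone against the constructed sample lines embedded in it; the addresses are RFC 5737 documentation ranges, and the function names (`tally`, `count_by_dest`, `count_by_src`, `sample_log`) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the PR or from FreeBSD's periodic scripts.
# Tallies kernel "Connection attempt" lines two ways: per destination
# proto:ip:port (the aggregate view, as the PR's port_count does) and per
# source host (who in particular is hammering you, as the thread suggests).
# The sample lines below are constructed for this example (RFC 5737 ranges).

sample_log() {
    cat <<'EOF'
Connection attempt to TCP 192.0.2.10:119 from 198.51.100.5:52776
Connection attempt to TCP 192.0.2.10:119 from 198.51.100.5:52777
Connection attempt to TCP 192.0.2.10:119 from 198.51.100.5:52778
Connection attempt to TCP 192.0.2.10:80 from 198.51.100.5:40000
Connection attempt to UDP 192.0.2.10:137 from 203.0.113.9:137
Connection attempt to TCP 192.0.2.10:22 from 203.0.113.9:1025
Connection attempt to TCP 192.0.2.10:22 from 203.0.113.77:1026
Connection attempt to TCP 999.0.2.10:22 from 203.0.113.77:1028
Connection attempt to TCP 192.0.2.10:70000 from 203.0.113.77:1029
some other kernel message that is not a connection attempt
EOF
}

# tally MODE [THRESHOLD]: read log lines on stdin, print "key count" for every
# key whose count exceeds THRESHOLD (default 0), most hits first.
# MODE "dest": key = proto:ip:port of the target.
# MODE "src":  key = source host only.  The source port is ephemeral and would
#              spread one scanner's attempts over thousands of keys, so it is
#              deliberately dropped.
# Lines without the exact 7-word shape, with an octet > 255 or a port > 65535
# are skipped, mirroring the PR's "skip corrupt lines" check.
tally() {
    awk -v mode="$1" -v thr="${2:-0}" '
    # valid_addr("a.b.c.d:port") -> 1 if four octets 0-255 and port 0-65535
    function valid_addr(s,    a, n, i) {
        n = split(s, a, /[.:]/)
        if (n != 5) return 0
        for (i = 1; i <= 5; i++) if (a[i] !~ /^[0-9]+$/) return 0
        for (i = 1; i <= 4; i++) if (a[i] + 0 > 255) return 0
        return (a[5] + 0 <= 65535)
    }
    NF == 7 && $1 == "Connection" && $2 == "attempt" && $3 == "to" &&
    $6 == "from" && ($4 == "TCP" || $4 == "UDP") &&
    valid_addr($5) && valid_addr($7) {
        if (mode == "dest") key = $4 ":" $5
        else { split($7, s, ":"); key = s[1] }
        count[key]++
    }
    END { for (k in count) if (count[k] > thr) print k, count[k] }
    ' | sort -k2,2nr -k1,1
}

count_by_dest() { tally dest "$1"; }
count_by_src()  { tally src "$1"; }

# Stand-alone demo: both views of the sample, then the aggregate view with the
# PR's default threshold of 1 (only entries seen more than once).
echo "By destination:";       sample_log | count_by_dest
echo "By source host:";       sample_log | count_by_src
echo "By destination (>1):";  sample_log | count_by_dest 1
```

In use, the lines the patch's hunk collects with `grep "Connection attempt"` would be piped into `count_by_src` or `count_by_dest` in place of `sample_log`. The one deliberate departure from the reply's wording is keying the source view on the host alone rather than source-ip:port: a scanner's source port changes on every attempt, so a per-port key would hide exactly the "someone in particular" pattern the ranking is meant to surface, while the aggregate per-destination view still shows a distributed flood against one service.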
Comment 3 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 08:00:19 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped