Log file based IDS
Copyright © 2006 Nic Stevens. nic daht stevens aht gee mail daht com
Please see COPYING for licensing information.
This release is a beta release. I have tested it on a few systems and have had no problems. Your mileage may vary.
(For a sneak-peek at version 0.4 see secwatch-0.4)
Requirements
A UNIX or UNIX-like operating system
Root access to the system
PHP 4.3.0 or higher
General
Secwatch is a PHP CLI script which forks and detaches itself from the terminal when run.
Secwatch watches the configured log files by reading new lines appended to each file and testing them against a list of patterns. Each pattern names a log file and two match strings along with a position number. If the first match string is found in a line of the specified log file, the second match string is tested; if it also matches, the IP address found at the positional parameter is recorded.
If a recorded IP address reaches a threshold number of entries it is banned for a configurable period of time.
Installation
On most UNIX systems Secwatch MUST be installed by root, as viewing log files and manipulating firewalls must be done by the superuser. It is possible to run Secwatch as a setuid program, but I don't recommend it.
To install Secwatch, get the latest source archive and unpack it. This gives you a new directory called secwatch-x.x. Change into this directory and run:
./install.sh
Now that Secwatch is installed you can configure it.
Configuration
Configuration is a simple file of name=value pairs with comments delimited by pound signs (#).
This is a list of the configuration directives:
Directive | Description
workdir | The directory in which various working files are read from or stored
patterns | List of log files and patterns to match (see below)
firewall | The firewall rule definitions (see below)
banlist | The list of IPs banned and their time of banning
pidfile | File to store the pid of the running daemon
maxatt | Maximum attempts an IP may have before being blocked
maxage | Maximum age, in minutes, to hold dropped IPs
mailto | Who to mail a dropped IP report to
logpri | syslog priority used for logging of events
logfacility | syslog facility to use for logging
fork | True or false, indicating whether to run the program as a daemon (true) or in the foreground
This is a list of syslog priority and facility codes:
Priority config code | Priority constant
alert | LOG_ALERT
crit | LOG_CRIT
debug | LOG_DEBUG
emerg | LOG_EMERG
err | LOG_ERR
info | LOG_INFO
notice | LOG_NOTICE
warning | LOG_WARNING
Facility config code | Facility constant
auth | LOG_AUTH
authpriv | LOG_AUTHPRIV
cron | LOG_CRON
daemon | LOG_DAEMON
kern | LOG_KERN
mail | LOG_MAIL
news | LOG_NEWS
syslog | LOG_SYSLOG
user | LOG_USER
uucp | LOG_UUCP
local0-7 | LOG_LOCAL0-LOG_LOCAL7
Command line Options
Option | Description
-c file | Location of configuration file
-d dir | Working directory (overrides the config file)
-m age | Maximum age, in minutes, to block an IP
-f | Do not fork to background when running
-h | Display help list
Pattern File Specification
The pattern file consists of one or more lines in the format
logfile:match1:match2@ippos
where logfile is the full pathname of the log file. Logfile may be a simple fully qualified pathname or a modified regular expression: if the pattern starts with "//" and ends with "/", its slashes, other than the leading and trailing ones, are escaped and the pattern is evaluated as a regular expression.
Example:
//var/log/messages|secure/
will match both
/var/log/messages
and
/var/log/secure.
If the logfile specified does not have the leading // and trailing /, it is evaluated as a simple equality test.
If the logfile expression matches, the next expression (match1, the facility expression) must match. If this expression has a leading and trailing slash it is treated as a regular expression; otherwise a simple equality test is performed. Finally the log expression (match2, logexp) is checked in the same way: with a leading and trailing slash it is treated as a regular expression, otherwise a simple equality test is performed. If both matches succeed, the IP address of the offending line is saved, and once it reaches maxatt attempts it is firewalled according to the rules in "firewall" (see below).
Pattern Examples
//var/log/secure|messages/:sshd[:Did not receive ident@12
//var/log/secure|messages/:sshd\[:/\[Uu\]user \[A-z\]* \ from \b\d\{1,3\}\.\d\{1,3\}\.\d\{1,3\}\.\d\{1,3\}\b not allowed/
/var/log/secure:sshd[%Did not receive ident@12
These three rules will match the following log file entries in /var/log/secure and will return the IPs found at @ippos:
Apr 9 05:21:57 myhost sshd[2553]: Invalid user ahile from 1.2.3.4
Apr 9 22:15:36 myhost sshd[6662]: Did not receive identification string from 5.6.7.8
Apr 10 11:17:46 myhost sshd[3745]: User root from 81.18.176.30 not allowed because not listed in AllowUsers
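An added Python illustration of the matching logic described above, not Secwatch's own PHP code: it parses pattern lines, applies the //regex/ versus equality rule to the logfile field and the /regex/ versus plain-match rule to match1 and match2 (read here as "found in the line"), pulls the IP from field @ippos and counts hits toward maxatt. The second pattern line, the log entries and the one-hit-per-line ordering are assumptions constructed for this example.

```python
import re
from collections import Counter, namedtuple

# logfile: plain path (equality) or //regex/; match1, match2: substring or /regex/; ippos: 1-based field holding the IP.
Rule = namedtuple("Rule", "logfile match1 match2 ippos")

def parse_rule(line):
    """Parse one 'logfile:match1:match2@ippos' pattern line."""
    logfile, match1, rest = line.split(":", 2)
    match2, ippos = rest.rsplit("@", 1)
    return Rule(logfile, match1, match2, int(ippos))

def logfile_matches(expr, path):
    # '//...' ending in '/' is a regex with the outer slashes stripped; otherwise equality.
    if expr.startswith("//") and expr.endswith("/"):
        return re.search(expr[1:-1], path) is not None
    return expr == path

def text_matches(expr, line):
    # '/.../' is a regex; anything else only has to be found somewhere in the line (assumption).
    if len(expr) > 1 and expr.startswith("/") and expr.endswith("/"):
        return re.search(expr[1:-1], line) is not None
    return expr in line

def extract_ip(line, ippos):
    fields = line.split()
    return fields[ippos - 1] if 0 < ippos <= len(fields) else None

def process(rules, entries, maxatt):
    """Run (logfile, line) entries through the rules; return (attempt counts, banned IPs)."""
    attempts, banned = Counter(), set()
    for path, line in entries:
        for r in rules:
            if (logfile_matches(r.logfile, path) and text_matches(r.match1, line)
                    and text_matches(r.match2, line)):
                ip = extract_ip(line, r.ippos)
                if ip:
                    attempts[ip] += 1
                    if attempts[ip] >= maxatt:
                        banned.add(ip)
                break  # assumption: a line counts once, under the first rule it matches
    return attempts, banned
# Constructed pattern file: line 1 is the README's first example, line 2 is made up here.
PATTERNS = r"""//var/log/secure|messages/:sshd[:Did not receive ident@12
/var/log/secure:sshd[:/[Uu]ser [A-Za-z]+ from \d{1,3}(\.\d{1,3}){3} not allowed/@9"""
ENTRIES = [  # constructed (logfile, line) samples
    ("/var/log/secure", "Apr  9 22:15:36 myhost sshd[6662]: Did not receive identification string from 5.6.7.8"),
    ("/var/log/messages", "Apr  9 22:15:40 myhost sshd[6670]: Did not receive identification string from 5.6.7.8"),
    ("/var/log/secure", "Apr 10 11:17:46 myhost sshd[3745]: User root from 81.18.176.30 not allowed because not listed in AllowUsers"),
]
```

With maxatt set to 2, the two "Did not receive identification string" lines ban 5.6.7.8 while the single "not allowed" line only records one attempt for 81.18.176.30.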
Firewall Definitions
The firewall definition file uses the same basic syntax as the config file, with name=value pairs. There must be two lists defined, reject and allow. Each list is a comma separated list of keys within the firewall definition file, each defining a command to be executed with system() to perform firewall operations. These commands may use the token %i, which is replaced with the IP address being firewalled. The example below is for IPCHAINS.
# Reject rules for IPCHAINS
reject=inrej,outrej,fwdrej
inrej=/sbin/iptables -I INPUT -s %i -j DROP
outrej=/sbin/iptables -I OUTPUT -d %i -j DROP
fwdrej=/sbin/iptables -I FORWARD -d %i -j DROP
# Allow rules for IPCHAINS
allow=inalw,outalw,fwdalw
inalw=/sbin/iptables -D INPUT -s %i -j DROP
outalw=/sbin/iptables -D OUTPUT -d %i -j DROP
fwdalw=/sbin/iptables -D FORWARD -d %i -j DROP
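A reader for the name=value format shared by the firewall file and secwatch.conf, added here as a Python illustration rather than the project's PHP: it expands the reject and allow lists into concrete command strings for one address without executing them, refuses to substitute anything that is not a dotted quad into %i (the value originates in a log line), and reports a list entry whose key is not defined. The file contents and the misspelled-key variant below are constructed for this demo.

```python
def parse_definitions(text):
    """Parse name=value lines; '#' starts a comment and blank lines are skipped."""
    defs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError("not a name=value line: %r" % raw)
        name, value = line.split("=", 1)
        defs[name.strip()] = value.strip()
    return defs

def is_ipv4(s):
    """Shape check for a dotted quad; %i must never receive anything else."""
    parts = s.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)

def commands_for(defs, action, ip):
    """Expand the 'reject' or 'allow' key list into concrete command strings for one IP.
    Secwatch hands each of these to system(); this demo only builds them."""
    if not is_ipv4(ip):
        raise ValueError("refusing to substitute non-address value %r into %%i" % ip)
    if action not in defs:
        raise KeyError("list %r is not defined" % action)
    cmds = []
    for key in defs[action].split(","):
        key = key.strip()
        if key not in defs:
            raise KeyError("%s refers to undefined key %r" % (action, key))
        cmds.append(defs[key].replace("%i", ip))
    return cmds

# Constructed firewall definition file (same commands as the README's example).
FIREWALL = """\
# Reject rules
reject=inrej,outrej,fwdrej
inrej=/sbin/iptables -I INPUT -s %i -j DROP
outrej=/sbin/iptables -I OUTPUT -d %i -j DROP
fwdrej=/sbin/iptables -I FORWARD -d %i -j DROP
# Allow rules
allow=inalw,outalw,fwdalw
inalw=/sbin/iptables -D INPUT -s %i -j DROP
outalw=/sbin/iptables -D OUTPUT -d %i -j DROP
fwdalw=/sbin/iptables -D FORWARD -d %i -j DROP
"""
# Constructed variant with one key name misspelled, so the undefined-key check fires.
BROKEN = FIREWALL.replace("inrej=", "inprej=")
```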
Files
The following is a list of files installed by Secwatch in, by default, /usr/local/secwatch:
Filename | Description
secwatch | The Secwatch program script
secwatch.conf | The configuration file
secwatch.init | SysV/Redhat init style initscript
patterns | The pattern match file
firewall | The firewall definition for IPCHAINS
logfac.php | PHP script file with syslog definitions
README.html | This file
COPYING | GNU Public License Version 2
secwatch.png | Title image for README.html
secwatch.manual | Text rendered man page for secwatch
Additionally, this file is created at run time:
Filename | Description
dropped | File containing dropped IP addresses with timestamps
To preserve state across runs the program stores its dropped IPs in the dropped file. On startup the dropped list is read and new firewall rules are inserted dropping each listed IP. Periodically the script tests for dropped IPs that have reached the maximal age defined in the configuration. If maxage is reached the firewall rule is removed and the IP is removed from the dropped list.