This describes a little utility that I wrote in order to track intrusion attempts on my Linux box connected to the Internet via ADSL broadband. It uses the maxmind Geo::IP Perl module to add additional information to the source of attack, and stores the result in a MySQL database. This can then be used in conjunction with other software to perform additional detailed analysis.
Time for a short disclaimer...
The system I have built works fine for me - as always, your mileage may vary. There is no warranty with this product.
The prerequisites are fairly minimal:
Psionic Inc's PortSentry has been a fantastic help to me since I started to run an internet-connected Linux box. However, back in 2002 Cisco acquired Psionic and appeared to have subsumed the software into their own product. Unfortunately, despite repeated requests for information from Cisco about the product, I have heard nothing. So, unless you already have a copy of PortSentry, you won't be able to use my software unless your IDS will support running an external program when triggered. This link gives details of the acquisition.
OK, so assuming you do have a copy of PortSentry, then here's how you set up portsentry.conf ready for the IDSalert script.
KILL_RUN_CMD="/usr/local/sbin/IDSalert *$TARGET$*$PORT$*"
This assumes that you have "installed" IDSalert in the location stated above. It's quite simple really: PortSentry resolves the two parameters at run time, replacing $TARGET$ with the source IP address of the probe and $PORT$ with the port it was aimed at. In the case of the miscreant below, IDSalert would be run with a command line of:
/usr/local/sbin/IDSalert *206.49.89.193*445*
..and IDSalert would record the following entry into the database:
*************************** 1. row ***************************
      CTR: 55
TIMESTAMP: 2003-06-04 19:25:26
       IP: 206.49.89.193
     IPQ1: 206
     IPQ2: 49
     IPQ3: 89
     IPQ4: 193
     Port: 445
   LongCC: Micronesia, Federate
  ShortCC: FSM
 Hostname: pohnpei-pm02-s17.telecom.fm
1 row in set (0.00 sec)
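To show how the pieces fit together, here is a hook in the shape of IDSalert, written as an added example for this page; it is not the IDSalert script from the ZIP archive below. It takes PortSentry's *IP*PORT* argument, checks that it really is a dotted quad and a port number before doing anything else (the hook runs with PortSentry's privileges), looks the address up with MaxMind's Geo::IP, does the reverse lookup, and inserts a row into ILog. The database credentials, the GeoIP.dat path and the 'undef' / '---' fallback strings are assumptions for the example. One point worth the extra lines: $TARGET$ is always a plain IP address, so there is nothing to inject there, but the reverse-DNS hostname is chosen by whoever controls the attacker's in-addr.arpa zone, so it is bound as a DBI placeholder rather than interpolated into the SQL string.

```perl
#!/usr/bin/perl -w
# Added example of a PortSentry KILL_RUN_CMD hook in the shape of IDSalert.
# Invoked by PortSentry as:  /usr/local/sbin/IDSalert *206.49.89.193*445*
use strict;
use DBI;
use Geo::IP;
use Socket qw(inet_aton AF_INET);

# Assumed values for this example; change them for your own box.
my $DSN      = 'DBI:mysql:database=IDSlog;host=localhost';
my $DB_USER  = 'idslog';
my $DB_PASS  = 'changeme';
my $GEOIP_DB = '/usr/local/share/GeoIP/GeoIP.dat';

# PortSentry substitutes $TARGET$ and $PORT$ into the command line, so we
# receive a single argument of the form "*IP*PORT*".  Splitting on '*'
# gives an empty first field, then the IP, then the port.
my $arg = defined $ARGV[0] ? $ARGV[0] : '';
my (undef, $ip, $port) = split /\*/, $arg;

# Validate before touching the network or the database: refuse anything
# that is not a dotted quad and a port number.
defined $ip && $ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/
    or die "IDSalert: bad argument '$arg'\n";
my @quad = ($1, $2, $3, $4);
grep { $_ > 255 } @quad and die "IDSalert: bad IP '$ip'\n";
defined $port && $port =~ /^\d{1,5}$/ && $port <= 65535
    or die "IDSalert: bad port in '$arg'\n";

# Country lookup via MaxMind's Geo::IP.  'undef' is this example's fallback
# when the lookup fails (an assumption, chosen to match the 'undef' row in
# the league table on this page).
my ($long_cc, $short_cc) = ('undef', 'undef');
if (my $gi = eval { Geo::IP->open($GEOIP_DB, GEOIP_STANDARD) }) {
    $long_cc  = $gi->country_name_by_addr($ip)  || $long_cc;
    $short_cc = $gi->country_code3_by_addr($ip) || $short_cc;
}

# Reverse DNS.  The answer comes from the attacker's side of the net, so it
# is untrusted data: it is bound as a placeholder below, never interpolated
# into the SQL string.  '---' is the example's marker for "not resolved".
my $hostname = gethostbyaddr(inet_aton($ip), AF_INET) || '---';

# Trim to the ILog column widths (varchar(20) / varchar(60)) so MySQL does
# not truncate silently or, in strict mode, reject the row.
$long_cc  = substr($long_cc,  0, 20);
$hostname = substr($hostname, 0, 60);

my $dbh = DBI->connect($DSN, $DB_USER, $DB_PASS,
                       { RaiseError => 1, PrintError => 0 });
my $sth = $dbh->prepare(
    'INSERT INTO ILog
       (TIMESTAMP, IP, IPQ1, IPQ2, IPQ3, IPQ4, Port, LongCC, ShortCC, Hostname)
     VALUES (NOW(), ?, ?, ?, ?, ?, ?, ?, ?, ?)');
$sth->execute($ip, @quad, $port, $long_cc, $short_cc, $hostname);
$dbh->disconnect;
```

Because every failure path ends in die, a malformed argument leaves nothing in the database and a message in PortSentry's stderr, which is the behaviour you want from something that runs unattended on every probe.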
Database design is not my forte, so I went for a simple approach.
The database name is: IDSlog
The table name is: ILog
I have provided a short script to set up the database and table for you. It's called setupIDSlog.
+-----------+-------------+------+-----+---------+----------------+
| Field     | Type        | Null | Key | Default | Extra          |
+-----------+-------------+------+-----+---------+----------------+
| CTR       | smallint(6) |      | MUL | NULL    | auto_increment |  * Auto-incrementing row counter
| TIMESTAMP | datetime    | YES  |     | NULL    |                |  * When the attempt was logged
| IP        | varchar(15) |      | MUL |         |                |  * IP address of intruder
| IPQ1      | char(3)     | YES  |     | NULL    |                |  * First quad of IP address
| IPQ2      | char(3)     | YES  |     | NULL    |                |  * Second quad of IP address
| IPQ3      | char(3)     | YES  |     | NULL    |                |  * Third quad of IP address
| IPQ4      | char(3)     | YES  |     | NULL    |                |  * Fourth quad of IP address
| Port      | varchar(5)  |      | MUL |         |                |  * Port attempt detected on
| LongCC    | varchar(20) | YES  |     | NULL    |                |  * Human-readable country info
| ShortCC   | char(3)     | YES  | MUL | NULL    |                |  * Short code country info
| Hostname  | varchar(60) |      |     |         |                |  * Hostname of intruder, if resolved
+-----------+-------------+------+-----+---------+----------------+

Two things to keep in mind with this layout. CTR is a signed smallint, so the table tops out at 32767 rows; if you expect to keep more than a couple of years of history, make it an int. LongCC is only 20 characters wide, which is why the record above reads "Micronesia, Federate" rather than the full country name.
How about a "league table" of intrusion attempts by country ?
mysql IDSlog -e 'select distinct(LongCC),count( (LongCC) ) as CL from ILog group by LongCC order by CL DESC;'

gives you:

+----------------------+-----+
| LongCC               | CL  |
+----------------------+-----+
| United Kingdom       | 147 |
| United States        |  95 |
| China                |  39 |
| Japan                |  39 |
| Netherlands          |  34 |
| Taiwan               |  34 |
| Korea, Republic of   |  26 |
| Germany              |  13 |
| Israel               |  13 |
| Canada               |  11 |
| France               |  11 |
| Italy                |   7 |
| Brazil               |   6 |
| Sweden               |   6 |
| Hong Kong            |   5 |
| Norway               |   3 |
......
| Micronesia, Federate |   1 |
| Nigeria              |   1 |
| Panama               |   1 |
| Satellite Provider   |   1 |
| Singapore            |   1 |
| Slovakia             |   1 |
| Slovenia             |   1 |
| Turkey               |   1 |
| undef                |   1 |
+----------------------+-----+
And how about getting the day's events so far:

mysql IDSlog -e 'select TIMESTAMP,IP,LongCC,Hostname,PORT from ILog where SUBSTRING(TIMESTAMP, 1, 10) = SUBSTRING(NOW(), 1, 10)'

gives you:

+---------------------+-----------------+--------------------+--------------------------------------------------+------+
| TIMESTAMP           | IP              | LongCC             | Hostname                                         | PORT |
+---------------------+-----------------+--------------------+--------------------------------------------------+------+
| 2003-07-09 00:19:53 | 217.44.9.188    | United Kingdom     | host217-44-xxxx8.range217-44.xxxxxxxxxxlus.com   | 445  |
| 2003-07-09 00:30:47 | 66.30.97.161    | United States      | h00045a40abbxxxe.client2.xxxxx.com               | 445  |
| 2003-07-09 00:42:15 | 217.44.100.123  | United Kingdom     | host217-44-100-123.range217xx4.xxxxxxxxlplus.com | 445  |
| 2003-07-09 00:57:18 | 67.69.22.162    | Canada             | ---                                              | 1433 |
| 2003-07-09 01:44:00 | 217.42.120.212  | United Kingdom     | host217-42xxxx-212.range217-4xxxxxxxxxxxxxus.com | 445  |
| 2003-07-09 01:59:03 | 217.44.149.231  | United Kingdom     | host217-44-1xxxx31.range217xxxxxxxxxxxxlplus.com | 445  |
| 2003-07-09 02:31:42 | 217.42.50.219   | United Kingdom     | host217-42-5xxx19.range21xxxxxxxxxxxxxxxlus.com  | 445  |
......
| 2003-07-09 02:48:40 | 61.200.216.153  | Japan              | P216153.ppp.xxxxxne.jp                           | 445  |
| 2003-07-09 08:14:58 | 211.238.163.118 | Korea, Republic of | ---                                              | 445  |
| 2003-07-09 09:34:35 | 217.44.97.118   | United Kingdom     | host217-44-97-118.range21xxxxxxxxentralplus.com  | 445  |
| 2003-07-09 11:37:21 | 217.44.196.183  | United Kingdom     | hostxxx-xx-196-183.range217-44.btxxxxxxxplus.com | 445  |
+---------------------+-----------------+--------------------+--------------------------------------------------+------+

The SUBSTRING comparison works because a datetime value always starts with YYYY-MM-DD; DATE(TIMESTAMP) = CURDATE() says the same thing more directly.
And lots more, limited only by your imagination (and SQL skills :-)
Note that I have obfuscated the names to protect the 'innocent'...
Download the IDSalert script and database setup software (you will need to get the Perl module direct from MaxMind - see below):
The ZIP archive contains the following files:
Archive: IDSalert.zip
Length Method Size Ratio Date Time CRC-32 Name
-------- ------ ------- ----- ---- ---- ------ ----
5096 Defl:X 2099 59% 07-09-03 11:13 92b657b7 IDSalert
18011 Defl:X 6829 62% 12-12-01 12:01 0f4438ca gpl.txt
521 Defl:X 264 49% 06-04-03 14:22 d1b48c78 setupIDSlog
-------- ------- --- -------
23628 9192 61% 3 files
MaxMind GeoIP®: How to locate your Internet visitors
Pyweb.com Home of the wonderful Pyweb emulator
w3schools.com The source of much WAP knowledge
mysql.com A Great Database
php.net A Great Scripting Tool