auto-report abuse

2 replies [Last post]
catmistake's picture
Offline
Joined: Dec 20 2003
Posts: 1098

A glance at the security logs of any of the machines I'm responsible for reveals daily brute force attacks from various sources (argentina, taiwan, germany, japan, china, etc. etc. etc.)

Here I am again asking for some software that I'm not sure exists or not... but this time, I'm nearly certain this could be made without too much cleverness or hairpulling, and I'm surprised if it isn't in existence and already extremely popular...

here is something
that is, I believe, a front end for the whois db. But I'd like something wider in scope and somewhat more automated.

The software I want will look in the logs I tell it (generally speaking, /var/log/secure.log), extracts every IP that failed authorization on an attempted login ('simple' parsing, right? tasks for perl or python?), looks up all these IP's in whois db, and for each IP extracts the abuse reporting email address (if it exists), and drafts emails for each IP (or range) to send to these abuse reporting email addresses (and maybe even extrapolates some cool graphed data on the number of attempts/port of attack/anything else one can think of).

I don't code... but this sounds developable to me...

1) does this software exist?
2) if not, will you please whip this one up ASAP?

TIA

(seriously, if this sounds viable, or like a good idea, please post approval or desire with due haste, and lets all start bugging the coders we personally know)

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
Eudimorphodon's picture
Offline
Joined: Dec 21 2003
Posts: 1204
Well...

I use this on a FreeBSD honeypot/firewall:

http://danger.rulez.sk/projects/bruteforceblocker/

It uses syslog to pipe sshd messages through itself, watches for suspicious behavior, and automatically inserts offending IPs into a firewall table. Works like a charm. There are of course logwatchers for most other services out there, or you can use something like "Snort" to monitor connection attempts on services you're not running. Most of them either provide or can be trivially modified to kick off whatever actions you want.

Just be cautious. It just takes one vindictive network admin sick of getting automated emails every 20 seconds telling him he has compromised computers on his 65,000 user ISP network to get you blacklisted for spamming. (Everyone hates auto-generated email.) Thus I'd personally limit this to reporting/trending/sorting, so you can *manually* fire off complaint letters based on said reports when it's obvious there's more going on then simple zombie attacks from random IPs.

--Peace

TheUltimateMacUser's picture
Joined: Jan 28 2004
Posts: 615
Or, perhaps, limit it to send

Or, perhaps, limit it to sending only one email per address every X hours? so, for example... it would only email admin@whatever.com at most once every 1000 hours, even if there are 'attacks' coming in every 5 minutes.

__________________

<> AppleFritter Chat: #AppleFritter on irc.freenode.net <> Click here to join!