* How to keep record of repeat attackers?
@ 2003-03-13  1:20 George Chacon
  2003-03-13  3:24 ` Joel Newkirk
  0 siblings, 1 reply; 10+ messages in thread
From: George Chacon @ 2003-03-13  1:20 UTC (permalink / raw)
  To: Netfilter Mailing List

Hi,

I'm an iptables newbie, and have a question about logging repeat offenders.
Is it possible to have my firewall box remember incoming IP addresses, and
generate a report showing which attackers keep coming back?

Thank you,

George Chacon





* Re: How to keep record of repeat attackers?
  2003-03-13  1:20 How to keep record of repeat attackers? George Chacon
@ 2003-03-13  3:24 ` Joel Newkirk
  2003-03-13  7:19   ` George Chacon
  0 siblings, 1 reply; 10+ messages in thread
From: Joel Newkirk @ 2003-03-13  3:24 UTC (permalink / raw)
  To: George Chacon, Netfilter Mailing List

On Wednesday 12 March 2003 08:20 pm, George Chacon wrote:
> Hi,
>
> I'm an iptables newbie, and have a question about logging repeat
> offenders. Is it possible to have my firewall box remember incoming IP
> addresses, and generate a report showing which attackers keep coming
> back?
>
> Thank you,
>
> George Chacon

With iptables there are only two ways to record information (apart 
from simply the packet/byte counts that match each rule):  the LOG 
target (formatted header information, basically, written to syslog) or 
the ULOG target with an external accounting package.

Your first problem is defining "offenders", then "repeat offenders" and 
"attackers".  Do you mean simply to track everyone who attempts to 
connect to you?  I presume you don't expect much if any legitimate 
incoming NEW traffic if this is the intent?

You might also want to look at http://ntop.org.  I've had it running on 
my gateway for about a week now, and am delighted by the depth of detail 
and the variety of views it offers.  Network load, protocol 
distribution, etc are available along with per-IP information on 
everyone who has connected, tracking when they've connected, what 
protocols, bad packets, and much more.

j




* RE: How to keep record of repeat attackers?
  2003-03-13  3:24 ` Joel Newkirk
@ 2003-03-13  7:19   ` George Chacon
  2003-03-13  7:40     ` Joel Newkirk
  2003-03-13 19:34     ` Bill Davidsen
  0 siblings, 2 replies; 10+ messages in thread
From: George Chacon @ 2003-03-13  7:19 UTC (permalink / raw)
  To: netfilter, Netfilter Mailing List

>>Your first problem is defining "offenders", then "repeat offenders" and
>>"attackers".  Do you mean simply to track everyone who attempts to
>>connect to you?  I presume you don't expect much if any legitimate
>>incoming NEW traffic if this is the intent?

Thanks for the response Joel.  What I'd like to track are the IP addresses
that get denied or rejected, and the deny/reject rules that get accessed
frequently.  In other words, I'd like to track repeated, obvious, malicious
connections.  I'd like to know if the same person is relentlessly chipping
away at my firewall, looking for weaknesses.

I'll take a look at http://ntop.org.  That looks pretty good.

George









* Re: How to keep record of repeat attackers?
  2003-03-13  7:19   ` George Chacon
@ 2003-03-13  7:40     ` Joel Newkirk
  2003-03-13  8:50       ` George Chacon
  2003-03-13 19:34     ` Bill Davidsen
  1 sibling, 1 reply; 10+ messages in thread
From: Joel Newkirk @ 2003-03-13  7:40 UTC (permalink / raw)
  To: George Chacon, Netfilter Mailing List

On Thursday 13 March 2003 02:19 am, George Chacon wrote:
> >>Your first problem is defining "offenders", then "repeat offenders"
> >> and "attackers".  Do you mean simply to track everyone who attempts
> >> to connect to you?  I presume you don't expect much if any
> >> legitimate incoming NEW traffic if this is the intent?
>
> Thanks for the response Joel.  What I'd like to track are the IP
> addresses that get denied or rejected, and the deny/reject rules that
> get accessed frequently.  In other words, I'd like to track repeated,
> obvious, malicious connections.  I'd like to know if the same person
> is relentlessly chipping away at my firewall, looking for weaknesses.

For that you can use a combination of "iptables -L -v -n" (List, verbose 
to list counts, numeric instead of trying to resolve IPs) to list the 
rules with packet and byte counts that have matched each, and the LOG 
target just before the DROP (same rule with "-j LOG" instead of "-j 
DROP") to log more detailed info, like IPs, portnums, TTL and packet 
size.

The list (if you have many rules) could be done with "iptables -L -v -n | 
grep DROP" to show only DROP rules.

The LOG target logs via syslog as a kernel message, so it usually goes to 
/var/log/messages.  That gets a little cluttered.  It's easier if you 
edit /etc/syslog.conf and add something like "kern.=debug			
/var/log/firewall" near the top, then restart syslog with "service 
syslogd restart" as root.  Now kernel messages of level "debug" (level 
7) will go to that log file instead of the default.  (Unless you're 
debugging your kernel, that stream's pretty quiet.)  The final key is to 
add the option "--log-level 7" after the LOG target.  You can also add 
'--log-prefix "LOGCOMMENT"' as well, and all the log entries for that 
rule will have LOGCOMMENT prefixed before the info.  This makes for 
easier sorting and identification in the log file.

> I'll take a look at http://ntop.org.  That looks pretty good.

Actually it seems very nice, but AFAIK it is unable to see anything that 
is DROPped or REJECTed...  Still poking about with it.

j





* RE: How to keep record of repeat attackers?
  2003-03-13  7:40     ` Joel Newkirk
@ 2003-03-13  8:50       ` George Chacon
  2003-03-13  9:19         ` Eric Leblond
  0 siblings, 1 reply; 10+ messages in thread
From: George Chacon @ 2003-03-13  8:50 UTC (permalink / raw)
  To: netfilter, Netfilter Mailing List

Wow!  I'm guessing you've been using iptables for a while.  I thank you for
the thorough response.  I'll take it and slowly examine it a line and word
at a time - and do further research on some of the terms.  I'll also take a
look at http://ntop.org.  It does look pretty nice.

Thanks again Joel,

George









* RE: How to keep record of repeat attackers?
  2003-03-13  8:50       ` George Chacon
@ 2003-03-13  9:19         ` Eric Leblond
  2003-03-13 15:46           ` George Chacon
  0 siblings, 1 reply; 10+ messages in thread
From: Eric Leblond @ 2003-03-13  9:19 UTC (permalink / raw)
  To: Netfilter Mailing List

On Thu, 2003-03-13 at 09:50, George Chacon wrote:
> Wow!  I'm guessing you've been using iptables for a while.  I thank you for
> the thorough response.  I'll take it and slowly examine it a line and word
> at a time - and do further research on some of the terms.  I'll also take a
> look at http://ntop.org.  It does look pretty nice.

You can use ulog-php, which is a web interface to ulog netfilter logs.
It gives you useful stats such as the most often blocked hosts ...
The homepage is: http://home.regit.org/ulogd-php.html
A demo site is available at
	http://home.regit.org/ulog-demo/
It may be the kind of thing you want.

-- 
Eric Leblond <eleblond@init-sys.com>
Init-Sys




* RE: How to keep record of repeat attackers?
  2003-03-13  9:19         ` Eric Leblond
@ 2003-03-13 15:46           ` George Chacon
  0 siblings, 0 replies; 10+ messages in thread
From: George Chacon @ 2003-03-13 15:46 UTC (permalink / raw)
  To: Eric Leblond, Netfilter Mailing List

Accessing the netfilter logs in a web browser on a separate computer sounds
perfect.  That's exactly what I'm looking for.  Thank you for the
information.

George Chacon








* RE: How to keep record of repeat attackers?
  2003-03-13  7:19   ` George Chacon
  2003-03-13  7:40     ` Joel Newkirk
@ 2003-03-13 19:34     ` Bill Davidsen
  2003-03-13 20:29       ` Aldo S. Lagana
  1 sibling, 1 reply; 10+ messages in thread
From: Bill Davidsen @ 2003-03-13 19:34 UTC (permalink / raw)
  To: George Chacon; +Cc: netfilter, Netfilter Mailing List

On Wed, 12 Mar 2003, George Chacon wrote:

> >>Your first problem is defining "offenders", then "repeat offenders" and
> >>"attackers".  Do you mean simply to track everyone who attempts to
> >>connect to you?  I presume you don't expect much if any legitimate
> >>incoming NEW traffic if this is the intent?
> 
> Thanks for the response Joel.  What I'd like to track are the IP addresses
> that get denied or rejected, and the deny/reject rules that get accessed
> frequently.  In other words, I'd like to track repeated, obvious, malicious
> connections.  I'd like to know if the same person is relentlessly chipping
> away at my firewall, looking for weaknesses.
>
> I'll take a look at http://ntop.org.  That looks pretty good.

It may do, but I would still keep LOG in mind. You can catch just what you
want, put a useful prefix on the message to simplify analysis, and bang on
it with a perl program.

One hint for quick and dirty values is to write as little custom code as
you can. I use perl to identify the offending IPs and dump them to stdout,
then something like:
  perl getIP.pl mylog | sort | uniq -c | sort -n | tail -20

Emits the IP, sorts for uniq, outputs a count of how many times the IP
showed up, sorts on the count, and displays the top 20 "worst offenders."
Since this isn't something I often do the same way twice, it works for me.

-- 
bill davidsen <davidsen@tmr.com>
  CTO, TMR Associates, Inc
Doing interesting things with little computers since 1979.
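Added example, not code from any poster in this thread: it puts Joel's LOG-before-DROP rule pattern (level 7, per-rule prefix, own syslog file) and Bill's sort | uniq -c | sort -n report into one script. The rule installer is a function that is never called by default, since it needs root and a live netfilter host; the port, interface and prefix values in it are assumptions. awk and sed stand in for Bill's perl script, and the log lines are constructed in the LOG target's syslog format using RFC 5737 documentation addresses, not captured from a real host.

```shell
#!/bin/sh
# Added example; not code from any poster in this thread.

# Part 1 (Joel's pattern): same match twice, first -j LOG then -j DROP,
# log level 7 so "kern.=debug  /var/log/firewall" in /etc/syslog.conf
# gives the entries their own file, and a one-word prefix per rule pair.
# Not run by default: needs root and iptables. Ports/interfaces assumed.
install_rules() {
    iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW \
        -j LOG --log-level 7 --log-prefix "FW-DROP-SSH "
    iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -j DROP
    # Catch-all pair at the end of the chain, tagged with its own prefix.
    iptables -A INPUT -i eth0 -m state --state NEW \
        -j LOG --log-level 7 --log-prefix "FW-DROP-DEFAULT "
    iptables -A INPUT -i eth0 -m state --state NEW -j DROP
}

# Part 2 (Bill's pipeline): "count ip" for the N sources logged most often,
# busiest first. awk pulls the SRC= field in place of the perl script.
top_offenders() {
    logfile=$1; n=${2:-20}
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); print $i } }' "$logfile" \
        | sort | uniq -c | sort -rn | head -n "$n" \
        | awk '{ print $1, $2 }'
}

# "count prefix": which LOG/DROP rule pair fires most. The prefix is the single
# token between "kernel: " and " IN=", so --log-prefix must not contain spaces.
hits_by_rule() {
    sed -n 's/.*kernel: \([^ ]*\) IN=.*/\1/p' "$1" \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Destination ports one source has hit, with counts: a spread of ports reads
# as a scan, one port hit repeatedly reads as a stuck client or a brute force.
ports_for_source() {
    grep "SRC=$2 " "$1" | sed -n 's/.*DPT=\([0-9]*\).*/\1/p' \
        | sort -n | uniq -c | awk '{ print $1, $2 }'
}

# Constructed sample log (not a real capture) in the format LOG writes via syslog.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar 13 01:20:01 gw kernel: FW-DROP-SSH IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=10001 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 13 01:20:03 gw kernel: FW-DROP-SSH IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=10002 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 13 01:20:09 gw kernel: FW-DROP-SSH IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=10003 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 13 01:21:40 gw kernel: FW-DROP-DEFAULT IN=eth0 OUT= SRC=203.0.113.44 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=20001 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 13 01:21:41 gw kernel: FW-DROP-DEFAULT IN=eth0 OUT= SRC=203.0.113.44 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=20002 DF PROTO=TCP SPT=51001 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 13 01:22:15 gw kernel: FW-DROP-SSH IN=eth0 OUT= SRC=192.0.2.250 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30001 DF PROTO=TCP SPT=33000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 13 01:25:00 gw kernel: FW-DROP-SSH IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=10004 DF PROTO=TCP SPT=40004 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
EOF

echo "Top sources:";                  top_offenders "$SAMPLE_LOG" 5
echo "Hits per rule:";                hits_by_rule "$SAMPLE_LOG"
echo "Ports probed by 203.0.113.44:"; ports_for_source "$SAMPLE_LOG" 203.0.113.44
```

On a real box, point the functions at /var/log/firewall (or wherever the kern.=debug line sends the entries) instead of the sample file. Because the prefix names the rule pair, hits_by_rule answers George's second question (which deny rules get hit most) without touching the iptables counters.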




* RE: How to keep record of repeat attackers?
  2003-03-13 19:34     ` Bill Davidsen
@ 2003-03-13 20:29       ` Aldo S. Lagana
  0 siblings, 0 replies; 10+ messages in thread
From: Aldo S. Lagana @ 2003-03-13 20:29 UTC (permalink / raw)
  To: 'Bill Davidsen', 'George Chacon'
  Cc: netfilter, 'Netfilter Mailing List'

how about portsentry with snort?

portsentry is a simplistic (script kiddie) blocker that can add rules to
iptables dynamically - works well!  Then you can peruse the DENY rules
to see how many times they attempted connections,
and when they get too sophisticated for portsentry...
snort is also good since it keeps the list of attackers and there may be
good analyzers of the log files for snort..






* RE: How to keep record of repeat attackers?
@ 2003-03-14 16:50 George Chacon
  0 siblings, 0 replies; 10+ messages in thread
From: George Chacon @ 2003-03-14 16:50 UTC (permalink / raw)
  To: Netfilter Mailing List

I would like to say thank you to all who responded to this question.  The
information I received via the mailing list will be put to good use.

George Chacon




