Swatch

Aus crazylinux.de
Zur Navigation springen Zur Suche springen

the active log file monitoring tool. Swatch started out as the "simple watchdog" for activly monitoring log files produced by UNIX's syslog facility. It has since been evolving into a utility that can monitor just about any type of log.

http://swatch.sourceforge.net/

1 Problem

Scan-Attacks on FTP-Server, about 800 tries in 4sec.

Apr 13 05:25:00 mygretchen pure-ftpd: (?@88.198.15.174) [INFO] New connection from 88.198.15.174
Apr 13 05:25:00 mygretchen pure-ftpd: (?@88.198.15.174) [WARNING] Sorry, cleartext sessions are not accepted on this server. Please reconnect using SSL/TLS security mechanisms.


2 Solution

Monitor syslog and drop IP-Address via Shorewall (iptables)

3 Configuration

3.1 /etc/defaults/swatch

# Config file for /etc/init.d/swatch

# Place where swatch will generate his temporary scripts
SWATCH_SCRIPTDIR=/var/tmp/swatch

# Tail arguments, not needed anymore as they are default
#SWATCH_TAILARGS='--follow=name --lines=1'

#file to monitor
SWATCH_TAILFILE=/var/log/syslog

#args
DAEMON_ARGS="--daemon  --config-file=/etc/swatch/swatch.conf  --script-dir=${SWATCH_SCRIPTDIR} --tail-file=${SWATCH_TAILFILE}"
#does not really work
#  --tail-args=\"${SWATCH_TAILARGS}\""

3.2 /etc/init.d/swatch

#! /bin/sh
### BEGIN INIT INFO
# Provides:          skeleton
# Required-Start:    $local_fs $remote_fs
# Required-Stop:     $local_fs $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Example initscript
# Description:       This file should be used to construct scripts to be
#                    placed in /etc/init.d.
### END INIT INFO

# Author: Jonathan Tietz
# Do NOT "set -e"

# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="Swatch LogFile-Monitor"
NAME=swatch
DAEMON=/usr/bin/$NAME
#not used, see /etc/defaults/swatch
#DAEMON_ARGS="--daemon --config-file=/etc/swatch/swatch.conf"
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME

# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0

# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME

# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh

# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
. /lib/lsb/init-functions

#
# Function that starts the daemon/service
#
do_start()
{
        # Return
        #   0 if daemon has been started
        #   1 if daemon was already running
        #   2 if daemon could not be started

        # create tmpdir for monitor-script
        # Place where swatch will generate his temporary scripts
        if [ ! -d ${SWATCH_SCRIPTDIR} ]; then
                mkdir ${SWATCH_SCRIPTDIR}
        fi

        #add pidfile to swatch-ARGS
        DAEMON_ARGS="${DAEMON_ARGS} --pid-file=$PIDFILE"

        #does not work
        #start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
        #       || return 1

        #would work, but not good
        #start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
        #       $DAEMON_ARGS \
        #       || return 2
        # Add code here, if necessary, that waits for the process to be ready
        # to handle requests from services started subsequently which depend
        # on this one.  As a last resort, sleep for some time.

        $DAEMON ${DAEMON_ARGS}\
                >> /var/log/swatch.log \
                2>> /var/log/swatch-err.log
}

#
# Function that stops the daemon/service
#
do_stop()
{
        # Return
        #   0 if daemon has been stopped
        #   1 if daemon was already stopped
        #   2 if daemon could not be stopped
        #   other if a failure occurred
        #does not work
        #start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
        kill -9 `cat /var/run/swatch.pid`

        #kill tail
        kill `ps fax|grep tail|grep ${SWATCH_TAILFILE}|awk {'print $1'}`

        RETVAL="$?"
        [ "$RETVAL" = 2 ] && return 2
        # Wait for children to finish too if this is a daemon that forks
        # and if the daemon is only ever run from this initscript.
        # If the above conditions are not satisfied then add some other code
        # that waits for the process to drop all resources that could be
        # needed by services started subsequently.  A last resort is to
        # sleep for some time.
        #start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
        [ "$?" = 2 ] && return 2
        # Many daemons don't delete their pidfiles when they exit.
        rm -f $PIDFILE
        return "$RETVAL"
}

#
# Function that sends a SIGHUP to the daemon/service
#
do_reload() {
        #
        # If the daemon can reload its configuration without
        # restarting (for example, when it is sent a SIGHUP),
        # then implement that here.
        #
        start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
        return 0
}

case "$1" in
  start)
        [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
        do_start
        case "$?" in
                0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
                2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
        esac
        ;;
  stop)
        [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
        do_stop
        case "$?" in
                0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
                2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
        esac
        ;;
  #reload|force-reload)
        #
        # If do_reload() is not implemented then leave this commented out
        # and leave 'force-reload' as an alias for 'restart'.
        #
        #log_daemon_msg "Reloading $DESC" "$NAME"
        #do_reload
        #log_end_msg $?
        #;;
  restart|force-reload)
        #
        # If the "reload" option is implemented then remove the
        # 'force-reload' alias
        #
        log_daemon_msg "Restarting $DESC" "$NAME"
        do_stop
        case "$?" in
          0|1)
                do_start
                case "$?" in
                        0) log_end_msg 0 ;;
                        1) log_end_msg 1 ;; # Old process is still running
                        *) log_end_msg 1 ;; # Failed to start
                esac
                ;;
          *)
                # Failed to stop
                log_end_msg 1
                ;;
        esac
        ;;
  *)
        #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
        echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
        exit 3
        ;;
esac

:

3.3 /etc/swatch/swatch.conf

in a time frame of 20 sec. (seconds) if we have 20 matches (count) of "watchfor" do the action (exec), then ignore (type)

# Global swatch filter file

# Invalid FTP Login Attempts
#Apr  5 01:12:58 mygretchen pure-ftpd: (?@217.229.137.69) [WARNING] Sorry, cleartext sessions are not accepted on this server. Please reconnect using SSL/TLS security mechanisms.
watchfor /(.*)pure-ftpd: (.*)\@(.*)\)( \[WARNING\] Sorry, cleartext sessions are not accepted)(.*)/
        threshold track_by=$3,type=both,count=20,seconds=20
        mail=root@domain.tld,subject="FTP:\ Invalid\ User\ Access-IPTables\ Rule\ Added"
        exec "/etc/swatch/scripts/shorewall.sh $3"
        #exec echo $3 >> /var/log/swatch_ftp.log

3.4 /etc/swatch/scripts/shorewall.sh

#pure-ftp logs only IPs, no dns
#IP=`host $1|awk {'print $3'}`
IP=$1

if [ "x$IP" != "x" ]; then
        /sbin/shorewall drop $IP
        mail sadmin -s shorewall<<END
$IP was dropped
END
else
        mail sadmin -s shorewall<<END
Problem to drop $1: $IP
END
fi


4 Links

http://gentoo-wiki.com/HOWTO_Protect_SSHD_with_Swatch