Code:
# Need this
wget -4 https://cpan.metacpan.org/authors/id/L/LD/LDS/Crypt-CBC-2.33.tar.gz
tar zxvf Crypt-CBC-2.33.tar.gz
cd Crypt-CBC-2.33
perl Makefile.PL
make
make test
make install
cd ..    # back out of the build directory before fetching the next module
# need this
wget -4 https://cpan.metacpan.org/authors/id/L/LE/LEONT/Crypt-Rijndael-1.13.tar.gz
tar zxvf Crypt-Rijndael-1.13.tar.gz
cd Crypt-Rijndael-1.13
perl Makefile.PL
make
make test
make install
cd ..
The program can watch multiple log formats simultaneously and understand them in detail - meaning sometimes you need to see all the requests processed previously and what they did before you can decide if the incoming packet is an attacker. It also keeps track, by count, of how many things this IP has done in the past and the status code. That means if someone comes from that IP address with a user-agent of python-requests but then again as Mozilla, we know it - that was useful in tracking IP addresses of the recent attacker as it was sharing this discovery across all my hosts. It has the concept of a number of bad lookups (set by you) before it would put this IP in timeout.
The goal was to give more knowledge to those logs... so some logs have different formats, but in aggregate we can make more intelligent choices... Similarly, it would be possible to notify MX peers of an attacker should they go after email addresses ("spam traps") you establish. Those that go after your secondary MX with spam traps will not be able to connect to your primary MX as a result. It would also be able to determine account guessing by hackers vs. users at some point when I add in the audit logs or postfix logs. Ultimately it would score this with other information to allow more aggressive rules. This is all post log analysis (it already happened if we see it in the log), but in the future it would be able to use mod_security and stop the initial attack. Currently it is only proactive for your peers, since that information is propagated in real time on discovery. It's a single program but really is a framework to make intelligent decisions about when to block an IP address. I will also add a zimlet at some point to show what it is doing and provide some configuration... Lots of stuff to do - fun!
The script came about from learning about attacks on nginx/Zimbra (viewtopic.php?f=15&t=66092) and watching '400' status codes and trying to understand what is normal for our users.
I also discovered that 400 codes can happen for normal traffic (mobile) at times, so more knowledge is required than just saying you got a 400 and you did it 4 times so you are blocked. It is smarter than that. Currently it blocks on 400 status codes, but they have to come from hackers, and it uses requests, user agents, the number of tries from that IP, etc. It will, however, stop the case where an attacker changes the user-agent to get around checking, should you have history on that IP. We treat 400 status codes as an indicator of wanting to do harm. It will also block an attacker by user-agent or by request... example: POST /attackingYou
It uses UDP to send IPs and IP status counts to its peers. That communication is encrypted with Rijndael, which is the cipher chosen for AES, and necessary since UDP can be spoofed. You set the password in the script, you lock down the IPs of the peers in your FW if necessary, and it will encrypt and make sure that an attacker cannot spoof that packet.
It can also take log input from standard input, so you can do stuff like this (note: normally it works on nginx.access.log, but this is close enough, so I ran it through. Who knew.)
Code:
% grep python-requests /opt/zimbra/log/access_log* | ./build_mail_ipset.pl -v --prime
attacker 5.188.210.101 and count is 3 \x05\x01\x00
ipset add blacklist24hr 5.188.210.101 -exists
attacker 5.188.210.101 and count is 3 \x04\x01\x00P\x05\xBC\xD2e\x00
ipset add blacklist24hr 5.188.210.101 -exists
attacker 5.188.210.101 and count is 4 GET http://5.188.210.101/echo.php HTTP/1.1
ipset add blacklist24hr 5.188.210.101 -exists
attacker 93.157.62.162 and count is 3 hello
ipset add blacklist24hr 93.157.62.162 -exists
attacker 93.157.62.162 and count is 3 POST /Autodiscover/Autodiscover.xml HTTP/1.1
ipset add blacklist24hr 93.157.62.162 -exists
attacker 93.157.62.162 and count is 3 POST /Autodiscover/Autodiscover.xml HTTP/1.1
ipset add blacklist24hr 93.157.62.162 -exists
...
attacker 61.219.11.153 and count is 3 \x01\x02\x03\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
ipset add blacklist24hr 61.219.11.153 -exists
Code:
use strict;
use warnings;
use Getopt::Long;

# Option defaults (assumed): read the log from STDIN unless --tail is given
my ($useSTDIN, $debug, $verbose, $ipset, $p2p, $prime) = (1, 0, 0, 0, 0, 0);
GetOptions("tail|t"    => sub { $useSTDIN = 0 },
           "debug|d"   => \$debug,
           "verbose|v" => \$verbose,
           "ipset|i"   => \$ipset,
           "p2p"       => \$p2p,
           "prime|p"   => \$prime)
    or die "usage: $0 [-t] [-d] [-v] [-i] [--p2p] [-p]\n";
I hope to use this thread and share my experience with this tool as it evolves.
Big Picture Idea:
I could see this run as a cloud service eventually by Zimbra, etc., so the community could peer and share knowledge of attacks and stop active attacks immediately and give admins time to patch. You decide if you want to block or not, or just report and use the IPs yourself when you start up your peer, etc. I am already sharing some IPs with our web farms since it's been really good at identifying and stopping botnets. I am not advocating it work that way initially... Each man/woman for themselves, and customize it to your environment as we learn what is happening to our Zimbra production sites.
PS... learned of a zero day in nginx this morning, ZDI-CAN-8296. Doesn't affect Zimbra from my understanding, but we need more tools because who can keep up???
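The two mechanisms the post describes in prose, as an added Python example (mine, not the post's build_mail_ipset.pl, which is Perl): per-IP history that survives a user-agent switch, a plain 400 from a mobile client not counting on its own, a hostile request or user-agent plus the configured number of bad lookups putting the IP into the ipset timeout, and a `POST /attackingYou`-style request blocking on sight. The threshold, the patterns, the set name and the log lines are constructed assumptions. For the peer datagram the script encrypts with Rijndael (AES) through Crypt::CBC; this example instead authenticates the packet with HMAC-SHA256 and a timestamp from the standard library, since the property that rejects a spoofed UDP packet is a per-packet tag the receiver verifies (CBC encryption hides the contents but does not by itself prove who sent them). The Perl equivalent would be hmac_sha256 from Digest::SHA computed over the Crypt::CBC ciphertext.

```python
"""Per-IP 400 tracking from nginx access-log lines plus an authenticated peer
datagram.  Added example; not the post's script.  All knobs below are assumed."""
import hashlib
import hmac
import json
import re
import secrets
from collections import defaultdict

BAD_LOOKUPS = 3               # 400s from one IP before it goes into timeout (assumed)
IPSET_NAME = "blacklist24hr"
BLOCK_ON_SIGHT = [re.compile(r"^POST /attackingYou\b")]      # block by request alone
HOSTILE_REQUESTS = [
    re.compile(r"^POST /Autodiscover/Autodiscover\.xml", re.I),
    re.compile(r"\\x[0-9A-Fa-f]{2}"),     # nginx-escaped raw bytes: not HTTP at all
]
HOSTILE_AGENTS = [re.compile(r"python-requests", re.I)]

# nginx "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample traffic (documentation addresses, not real clients).
SAMPLE_LOG = r"""
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "python-requests/2.25.1"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 400 0 "-" "python-requests/2.25.1"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 400 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "\x05\x01\x00" 400 0 "-" "-"
198.51.100.4 - - [10/Oct/2023:13:56:00 +0000] "GET /zimbra/ HTTP/1.1" 400 0 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 14_0 like Mac OS X)"
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /zimbra/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 14_0 like Mac OS X)"
192.0.2.9 - - [10/Oct/2023:13:57:00 +0000] "POST /attackingYou HTTP/1.1" 404 0 "-" "curl/7.68.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyse(lines, bad_lookups=BAD_LOOKUPS):
    """Replay lines in order, keeping history per IP; return {ip: state}."""
    state = defaultdict(lambda: {"bad": 0, "agents": set(), "hostile": False,
                                 "block": False, "reason": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = state[rec["ip"]]
        s["agents"].add(rec["agent"])          # history is per IP, not per user-agent
        if any(p.search(rec["request"]) for p in BLOCK_ON_SIGHT):
            s["block"], s["reason"] = True, rec["request"]
            continue
        if any(p.search(rec["request"]) for p in HOSTILE_REQUESTS) or \
           any(p.search(rec["agent"]) for p in HOSTILE_AGENTS):
            s["hostile"] = True
        if rec["status"] == 400:
            s["bad"] += 1
        # A 400 alone is normal for some (mobile) clients: it only leads to a block
        # once the IP has hostile history, whatever user-agent it shows right now.
        if s["hostile"] and s["bad"] >= bad_lookups and not s["block"]:
            s["block"], s["reason"] = True, rec["request"]
    return state


def ipset_commands(state, ipset=IPSET_NAME):
    """The shell lines to run for every blocked IP."""
    return [f"ipset add {ipset} {ip} -exists"
            for ip, s in sorted(state.items()) if s["block"]]


def build_peer_message(ip, count, secret, now):
    """Datagram body: JSON payload, newline, hex HMAC-SHA256 tag over the payload."""
    payload = json.dumps({"ip": ip, "count": count, "ts": now,
                          "nonce": secrets.token_hex(8)}, sort_keys=True).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"\n" + tag


def verify_peer_message(msg, secret, now, max_age=60):
    """Return the payload dict if the tag matches and the packet is fresh, else None."""
    try:
        payload, tag = msg.rsplit(b"\n", 1)
    except ValueError:
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):   # forged or tampered datagram
        return None
    data = json.loads(payload)
    if abs(now - data["ts"]) > max_age:          # replayed old datagram
        return None
    return data


if __name__ == "__main__":
    st = analyse(SAMPLE_LOG.splitlines())
    for ip, s in sorted(st.items()):
        if s["block"]:
            print(f"attacker {ip} and count is {s['bad']} {s['reason']}")
    print("\n".join(ipset_commands(st)))
    key = b"set-your-own-password"
    msg = build_peer_message("203.0.113.7", st["203.0.113.7"]["bad"], key, 1000)
    print(verify_peer_message(msg, key, 1010))
    print(verify_peer_message(msg.replace(b"203.0.113.7", b"203.0.113.8"), key, 1010))
```

Running it blocks 192.0.2.9 on sight and 203.0.113.7 on its third 400, leaves the iPhone client alone, and the second verify call returns None because the altered IP no longer matches the tag.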