Script for auth.log and kern.log analysis

Referring to the articles "GeoIP for iptables on Debian Lenny" and "Connection logging with iptables", I wrote a Perl script that reads auth.log and kern.log and produces a little report.

  • auth.log: Used to analyse connections to your SSH server. The script checks for authed and failed connections and summarizes them per source IP, with the count of authed/failed connections and the authed/failed user names.
  • kern.log: Used to analyse any log rows written by iptables. The rows are grouped into blocks by source IP, destination IP, protocol and destination port. Each block is checked against connection count and connection rate to determine whether the source IP is an attacker or not.
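The kern.log grouping and rate check described in the second bullet, reimplemented in Python as an added example (this is not the Perl script from the post): it parses constructed iptables rows, groups them by source IP, destination IP, protocol and destination port, and derives connection count, duration, average and peak rate and an attack flag. The thresholds and the fixed year are assumptions, and the GeoIP lookup is left out.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample kern.log rows (not from the original post); syslog timestamps have no year.
SAMPLE_KERN_LOG = """\
Jan 11 10:00:00 host kernel: [100.0] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN
Jan 11 10:00:00 host kernel: [100.2] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
Jan 11 10:00:01 host kernel: [101.0] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=22 SYN
Jan 11 10:00:01 host kernel: [101.5] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=22 SYN
Jan 11 10:00:20 host kernel: [120.0] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=22 SYN
Jan 11 10:05:00 host kernel: [400.0] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
"""
# Both thresholds are assumptions for this example; the original script's values are not stated.
ATTACK_MIN_COUNT = 3   # a flow needs at least this many logged packets ...
ATTACK_MIN_RATE = 2    # ... and at least this many within its busiest one-second window

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)(?:.*? DPT=(?P<dpt>\d+))?")

def parse_timestamp(ts):
    # Assume a fixed year so day arithmetic works; a real tool would take the file's year.
    return datetime.strptime("2010 " + ts, "%Y %b %d %H:%M:%S")

def analyse_kern_log(text):
    """Group iptables rows by (SRC, DST, PROTO, DPT) and rate each group like the post's report."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:  # rows that are not iptables output are skipped
            flows[(m["src"], m["dst"], m["proto"], m["dpt"] or "-")].append(parse_timestamp(m["ts"]))
    report = {}
    for key, stamps in flows.items():
        stamps.sort()
        count, duration = len(stamps), (stamps[-1] - stamps[0]).total_seconds()
        per_second = defaultdict(int)        # syslog resolution is one second
        for t in stamps:
            per_second[t] += 1
        max_rate = max(per_second.values())
        report[key] = {
            "count": count,
            "duration": duration,
            "avg_rate": count / duration if duration > 0 else float(count),
            "max_rate": float(max_rate),
            "attack": count >= ATTACK_MIN_COUNT and max_rate >= ATTACK_MIN_RATE,
            # packets that landed in a second at or above the rate threshold
            "attack_count": sum(n for n in per_second.values() if n >= ATTACK_MIN_RATE),
        }
    return report
```

Running `analyse_kern_log(SAMPLE_KERN_LOG)` flags the five SSH SYNs from 203.0.113.5 (peak 2 conn/sec over 20 seconds) and leaves the single ICMP row unflagged.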

Example for auth.log report:

IP: 85.XXX.XXX.XXX (DE)
Connects: 542
Authed connections: 0
Failed connections: 477
Failed users: testing,vincent,test,sales,tt,migrate,mike,user,nagios,portal,admin,apache,usuario,ts,jboss,postgres,cod,susan,murmur,bobcat,testuser,tester,css,basic,www,copier,student,gary,tv,upload,mythtv,ftpuser,michelle,phone,oracle,build,as

Example for kern.log report:

Source IP: 85.XXX.XXX.XXX
Dest. IP: 188.XXX.XXX.XXX
Dest. Port: 22
Source Location: DE
Connection count: 542
Attack: yes
Attack count: 540
Avg connection rate: 0.14 conn/sec
Max connection rate: 0.14 conn/sec
Duration: 77.81 sec

So I think this output is a bit more handy for humans than raw log data: you see at first glance whether there were attacks and how intense they were.
To execute the script you need a GeoIP database and libgeo-ip-perl installed. Here are some instructions.

# Perl modules needed by the script
aptitude install libtext-csv-xs-perl libgeo-ip-perl

# fetch the GeoIP country CSV, the two converter tools and the script itself
mkdir -p /var/geoip/LE /usr/src/GeoIP
wget -O /usr/src/GeoIP/GeoIPCountryCSV.zip http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip
wget -O /usr/src/GeoIP/csv2bin-20041103.tar.gz http://people.netfilter.org/peejix/geoip/tools/csv2bin-20041103.tar.gz
wget -O /usr/src/GeoIP/geoip_src.tar.bz2 http://jengelh.medozas.de/files/geoip/geoip_src.tar.bz2
wget -O /usr/local/sbin/intruder.pl.gz http://tuxj0b.de/files/intruder.pl-2010-01-11.gz

cd /usr/src/GeoIP
tar xf csv2bin-20041103.tar.gz
tar xf geoip_src.tar.bz2 geoip_csv_iv0.pl
unzip GeoIPCountryCSV.zip

# build the csv2bin converter
cd /usr/src/GeoIP/csv2bin
make

# convert the CSV into the binary database used by the iptables geoip match
cd /var/geoip
/usr/src/GeoIP/csv2bin/csv2bin /usr/src/GeoIP/GeoIPCountryWhois.csv

# build the little-endian database files
cd /var/geoip/LE
perl /usr/src/GeoIP/geoip_csv_iv0.pl /usr/src/GeoIP/GeoIPCountryWhois.csv

# unpack the script
gunzip /usr/local/sbin/intruder.pl.gz

The script is developed and tested on Debian Lenny. If there are issues, please let me know!
For better results I suggest setting LogLevel DEBUG in /etc/ssh/sshd_config and restarting your SSH server. With the default setting you cannot track all connections made to your SSH server, only the authed or failed ones. If you want daily reports, set the log rotation for auth.log and kern.log to daily.

/etc/logrotate.d/rsyslog

/var/log/syslog
/var/log/auth.log
/var/log/kern.log
/var/log/messages
{
	rotate 7
	daily
	missingok
	notifempty
	delaycompress
	compress
	postrotate
		invoke-rc.d rsyslog reload > /dev/null
	endscript
}
 
/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
{
	rotate 4
	weekly
	missingok
	notifempty
	compress
	delaycompress
	sharedscripts
	postrotate
		invoke-rc.d rsyslog reload > /dev/null
	endscript
}

The default log files for analysis are /var/log/auth.log and /var/log/kern.log. You can pass other files with the options -authlog PATH and -kernlog PATH.

Usage: intruder.pl [OPTION]
  -a, -authlog Path to auth.log file.
  -k, -kernlog Path to kern.log file.
 
Report bugs to freach at tuxj0b.de

Download: intruder.pl-2010-01-11.gz
MD5SUM: 4bc98d92f0f479c2c38a6cde3b6591d8
