From alan@agora.rdrop.com  Tue Feb 18 14:14:01 2003
Return-Path: <alan@agora.rdrop.com>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 0E1A037B401
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 18 Feb 2003 14:14:01 -0800 (PST)
Received: from agora.rdrop.com (agora.rdrop.com [199.26.172.34])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 84FEF43F93
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 18 Feb 2003 14:14:00 -0800 (PST)
	(envelope-from alan@agora.rdrop.com)
Received: from agora.rdrop.com (202@localhost [127.0.0.1])
	by agora.rdrop.com (8.12.7/8.12.5) with ESMTP id h1IMDwpj071725
	(version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NOT)
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 18 Feb 2003 14:13:58 -0800 (PST)
	(envelope-from alan@agora.rdrop.com)
Received: (from alan@localhost)
	by agora.rdrop.com (8.12.7/8.12.6/Submit) id h1IMDvVu071723;
	Tue, 18 Feb 2003 14:13:57 -0800 (PST)
Message-Id: <200302182213.h1IMDvVu071723@agora.rdrop.com>
Date: Tue, 18 Feb 2003 14:13:57 -0800 (PST)
From: Alan Batie <alan@agora.rdrop.com>
Reply-To: Alan Batie <alan@agora.rdrop.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: change to count connection attempts instead of listing them
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         48444
>Category:       conf
>Synopsis:       [patch] security.functions: count connection attempts instead of listing them
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Feb 18 14:20:04 PST 2003
>Closed-Date:    
>Last-Modified:  Sun Oct 23 23:15:27 GMT 2005
>Originator:     Alan Batie
>Release:        FreeBSD 4.7-STABLE i386
>Organization:
RainDrop Laboratories
>Environment:
System: FreeBSD agora.rdrop.com 4.7-STABLE FreeBSD 4.7-STABLE #0: Mon Feb 3 00:57:16 PST 2003 root@agora.rdrop.com:/usr/src/freebsd/src/sys/compile/AGORA i386


>Description:
	These days you get so many "door knockings" that listing them
	amounts to information overload.  What you really want to see is
	who is doing how much door knocking, so you can see where the
	problems really lie.  This patch implements that as an option,
	enabled by setting the variable "daily_status_security_port_counts"
	to yes.  Currently, certain host/port combinations can be ignored
	completely by listing them in the script itself; this should
	probably be done with a few more variables, but that is a
	low-priority TBD.

>How-To-Repeat:
	Read your daily security email on a publicly connected system
	set to log connection attempts to ports with no listeners.

>Fix:

Index: security.functions
===================================================================
RCS file: /home/ncvs/src/etc/periodic/security/security.functions,v
retrieving revision 1.1.2.2
diff -c -r1.1.2.2 security.functions
*** security.functions	19 Nov 2002 19:00:39 -0000	1.1.2.2
--- security.functions	18 Feb 2003 22:03:58 -0000
***************
*** 53,59 ****
  
    if [ "${tmpf}" = "-" ]; then
      tmpf=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX`
!     cat > ${tmpf}
    fi
  
    if [ ! -f ${LOG}/${label}.today ]; then
--- 53,80 ----
  
    if [ "${tmpf}" = "-" ]; then
      tmpf=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX`
!     tmpf2=`mktemp ${TMPDIR:-/tmp}/security2.XXXXXXXXXX`
!     tmpcons=`mktemp ${TMPDIR:-/tmp}/conns.XXXXXXXXXX`
! 
!     case "$daily_status_security_port_counts" in
!       [Yy][Ee][Ss])
! 	cat > ${tmpf2}
! 	grep "Connection attempt" ${tmpf2} > ${tmpcons}
! 	if [ -s ${tmpcons} ]
! 	then
! 	  grep -v "Connection attempt" ${tmpf2} > ${tmpf}
! 	  echo ""
! 	  echo "Connection attempts:"
! 	  echo ""
! 	  /etc/periodic/security/port_count ${tmpcons}
! 	fi
!         rm -f ${tmpf2} ${tmpcons}
! 	;;
! 
!       *)
! 	cat > ${tmpf}
! 	;;
!     esac
    fi
  
    if [ ! -f ${LOG}/${label}.today ]; then
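Review bot: in the `[Yy][Ee][Ss]` branch the non-matching messages only reach `${tmpf}` through `grep -v "Connection attempt" ${tmpf2} > ${tmpf}`, and that line sits inside `if [ -s ${tmpcons} ]`, so on a day with no connection attempts `${tmpf}` stays empty and every other message is dropped from the report. Move the `grep -v` above the `if` so it always runs, and let the `if` guard only the count report. Also, the `echo` and `port_count` output is written straight to stdout at this point, before the `${LOG}/${label}.today` comparison that follows, so it appears ahead of that part of the report; and nothing checks that `/etc/periodic/security/port_count` (and its `/usr/local/bin/perl` interpreter) exist, so a missing script yields the heading followed by a shell error instead of counts. Minor: the `rm -f ${tmpf2} ${tmpcons}` line is indented with spaces where the rest of the block uses tabs.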




/etc/periodic/security/port_count:

#!/usr/local/bin/perl
eval 'exec /usr/local/bin/perl -S $0 ${1+"$@"}'
    if $running_under_some_shell;

use strict;
use warnings;

#
#  Count connection attempt log entries by protocol and port
#
#  Lines must begin with "Connection attempt" (the form dmesg shows);
#  anything else, including the syslog-prefixed form of the same message
#  shown below, is skipped as corrupt.
#
# Feb 11 03:02:21 agora /kernel: Connection attempt to TCP 199.26.172.34:119
#     from 129.250.35.205:52776
#

#
#  Ignore proto:ip:port (proto = TCP|UDP)
#
my (%ignore_dest, %ignore_src);

#$ignore_dest{"UDP:127.0.0.1:512"} = 1;
$ignore_src{"UDP:199.26.172.34:53"} = 1;

#
#  Don't bother printing out a count unless it's over this:
#
my $threshold = 1;

if ($#ARGV != 0) {
    print "Usage: $0 logfile\n";
    print join(":", @ARGV), "\n";
    exit 1;
}

if ($ARGV[0] eq "-") {
    open(LOG, "<&STDIN") || die "Can't copy stdin: $!\n";
} else {
    open(LOG, "<$ARGV[0]") || die "Can't open '$ARGV[0]': $!\n";
}

my %tally;

LOGLOOP:
while (<LOG>) {
    chomp;

    # Expected layout:
    #   Connection attempt to <TCP|UDP> <dst-ip:port> from <src-ip:port>
    my ($d1,$d2,$d3,$proto,$dest,$d4,$src) = split(' ');

    # skip corrupt lines (too few fields, or fixed words not where expected)
    next if (!defined $src ||
	     $d1 ne "Connection" || $d2 ne "attempt" || $d3 ne "to" ||
	     $d4 ne "from" || ($proto ne "TCP" && $proto ne "UDP"));

    # split "a.b.c.d:port" into octets and port, for destination and source
    my ($di1,$di2,$di3,$di4) = split(/\./, $dest);
    my ($si1,$si2,$si3,$si4) = split(/\./, $src);
    my ($dp, $sp);
    ($di4,$dp) = split(/:/, $di4) if defined $di4;
    ($si4,$sp) = split(/:/, $si4) if defined $si4;

    # every octet must be a number in 0..255 ...
    foreach my $i ($di1,$di2,$di3,$di4,$si1,$si2,$si3,$si4) {
	next LOGLOOP unless defined $i && $i =~ /^\d+$/ && $i <= 255;
    }
    # ... and every port a number in 0..65535
    foreach my $p ($dp, $sp) {
	next LOGLOOP unless defined $p && $p =~ /^\d+$/ && $p <= 65535;
    }

    # skip specified entries
    next if defined $ignore_dest{"$proto:$dest"};
    next if defined $ignore_src{"$proto:$src"};

    $tally{"$proto:$dest"}++;
}

close(LOG);

# ascending by count, so the heaviest hitters end up at the bottom of the report
foreach my $i (sort { $tally{$a} <=> $tally{$b} } keys(%tally)) {
    if ($tally{$i} > $threshold) {
	print "$i - $tally{$i}\n";
    }
}

exit 0;
>Release-Note:
>Audit-Trail:

From: Giorgos Keramidas <keramida@freebsd.org>
To: Alan Batie <alan@agora.rdrop.com>
Cc: bug-followup@freebsd.org
Subject: Re: misc/48444: change to count connection attempts instead of listing them
Date: Fri, 21 Feb 2003 04:26:24 +0200

 I do agree that listing all of ipfw's output can be overwhelming at
 times.  Since the perl script of the PR only works for IPFW, here's an
 addition that will probably look interesting to ipfilter users.  I'm
 using the following locally to check for ports that ipfilter has
 blocked and logged:
 
 : #!/bin/sh
 : # $RCS: scripts/listports.sh,v 1.1 2003/01/22 01:14:06 giorgos Exp $
 : # List all the ports that ipfilter has blocked and logged,
 : # ordered by number of hits.
 :
 : echo "    RANK    HITS    PORT"
 : grep "`date '+%b %e'`" /var/log/messages |\
 : egrep -e '(ppp|tun)[0-9]+ .* b ' |\
 : sed -e 's/^.*,.*,//' -e 's/ .*$//' |\
 : sort | uniq -c | sort -r -k 1 | \
 : awk '{ printf "%10d %10d %10d\n", NR, $1, $2 }'
 
 The output is similar to (trimmed to keep this a bit short):
 
 : # sh listports.sh | head -6
 :       RANK       HITS       PORT
 :          1         32        137
 :          2         15         80
 :          3         11       1214
 :          4         11       1080
 :          5          8         81
 
 Does this look like an interesting addition to periodic/security too?

From: Alan Batie <alan@batie.org>
To: Giorgos Keramidas <keramida@freebsd.org>
Cc: bug-followup@freebsd.org
Subject: Re: misc/48444: change to count connection attempts instead of listing them
Date: Thu, 20 Feb 2003 20:57:30 -0800

 On Fri, Feb 21, 2003 at 04:26:24AM +0200, Giorgos Keramidas wrote:
 > : # sh listports.sh | head -6
 > :       RANK       HITS       PORT
 > :          1         32        137
 >
 > Does this look like an interesting addition to periodic/security too?
 
 I'm not familiar with ipfilter's output, but if possible, I would
 recommend ranking by source-ip:port, so that you can tell if someone
 in particular is hammering you.  On the other hand, a DDOS attempt
 would be better shown by an aggregate, and if you see a high count, you
 can always go look at the log for the addresses, so I'll leave it to
 you guys which way you think is best...
 
 -- 
 Alan Batie                   ______    alan.batie.org                Me
 alan at batie.org            \    /    www.qrd.org         The Triangle
 PGPFP DE 3C 29 17 C0 49 7A    \  /     www.pgpi.com   The Weird Numbers
 27 40 A5 3C 37 4A DA 52 B9     \/      spamassassin.taint.org  NO SPAM!
 
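The message above weighs two ways of summarising the same kernel log: a ranking per source address (who in particular is hammering you) against an aggregate count per destination port (which shows a broad sweep). The following sh/awk script is an added example that produces both views from one input; it is not part of the PR or of either follow-up. It reads the dmesg form of the "Connection attempt" line that the PR's port_count script expects, applies the same octet and port sanity checks, and uses constructed sample data in the RFC 5737 test ranges. The function names (parse_attempts, count_by_dest_port, count_by_source) are the example's own.

```shell
#!/bin/sh
# Added example, not part of the PR or its follow-ups: summarise kernel
# "Connection attempt" lines two ways from the same input:
#   - per destination proto:port  (aggregate: which services are being swept)
#   - per source address          (who in particular is hammering us)
# Input is the dmesg form the PR's port_count script expects:
#   Connection attempt to TCP 199.26.172.34:119 from 129.250.35.205:52776
# The log below is constructed sample data (RFC 5737 test ranges); the last
# two "attempt" lines are deliberately malformed to exercise the checks.

SAMPLE_LOG='Connection attempt to TCP 192.0.2.10:119 from 198.51.100.5:52776
Connection attempt to TCP 192.0.2.10:119 from 198.51.100.5:52777
Connection attempt to TCP 192.0.2.10:119 from 203.0.113.7:1030
Connection attempt to TCP 192.0.2.10:80 from 203.0.113.7:1025
Connection attempt to UDP 192.0.2.10:137 from 198.51.100.5:137
Connection attempt to TCP 192.0.2.10:80 from 198.51.100.9:40000
Connection attempt to TCP 192.0.2.10:22 from 198.51.100.9:1026
some unrelated kernel message
Connection attempt to TCP 192.0.2.10:99999 from 203.0.113.7:1027
Connection attempt to TCP 192.0.2.300:22 from 203.0.113.7:1028'

# Normalise stdin to "PROTO DST_IP DST_PORT SRC_IP SRC_PORT", one line per
# valid attempt.  Lines of the wrong shape, or with an octet above 255 or a
# port above 65535, are dropped, mirroring the checks in the PR's perl script.
parse_attempts() {
    awk '
    function valid_addr(a,    n, o, i) {
        n = split(a, o, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
        return 1
    }
    function valid_port(p) { return (p ~ /^[0-9]+$/ && p + 0 <= 65535) }
    $1 == "Connection" && $2 == "attempt" && $3 == "to" && $6 == "from" &&
    ($4 == "TCP" || $4 == "UDP") {
        if (split($5, d, ":") != 2 || split($7, s, ":") != 2) next
        if (!valid_addr(d[1]) || !valid_addr(s[1])) next
        if (!valid_port(d[2]) || !valid_port(s[2])) next
        print $4, d[1], d[2], s[1], s[2]
    }'
}

# Aggregate view: attempts per destination proto:port, most hit first.
# Only counts above the threshold (default 1, as in the PR) are reported.
count_by_dest_port() {
    parse_attempts | awk -v t="${1:-1}" '
        { c[$1 ":" $3]++ }
        END { for (k in c) if (c[k] > t) print c[k], k }' | sort -rn
}

# Per-source view: attempts per source address, most active first.
count_by_source() {
    parse_attempts | awk -v t="${1:-1}" '
        { c[$4]++ }
        END { for (k in c) if (c[k] > t) print c[k], k }' | sort -rn
}

# Helpers over the constructed sample: how many lines survived validation,
# the top entry of each view, and how many ports clear the default threshold.
valid_attempts() { printf '%s\n' "$SAMPLE_LOG" | parse_attempts | awk 'END { print NR }'; }
top_dest_port()  { printf '%s\n' "$SAMPLE_LOG" | count_by_dest_port 0 | head -n 1; }
top_source()     { printf '%s\n' "$SAMPLE_LOG" | count_by_source 0 | head -n 1; }
reported_ports() { printf '%s\n' "$SAMPLE_LOG" | count_by_dest_port 1 | awk 'END { print NR }'; }

echo "valid attempts: $(valid_attempts)"
echo ""
echo "Connection attempts by destination port (count > 1):"
printf '%s\n' "$SAMPLE_LOG" | count_by_dest_port 1
echo ""
echo "Connection attempts by source address (count > 1):"
printf '%s\n' "$SAMPLE_LOG" | count_by_source 1
```

In a periodic script the `printf '%s\n' "$SAMPLE_LOG"` stages would be replaced by the real dmesg or log input; the two report functions are independent, so a site can emit either view or both, and the threshold argument keeps single stray attempts out of the daily mail the way the PR's `$threshold` does.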
>Unformatted:
