The Dashboard shows visitors and robots

Security Etudes : #100 : Security : IPs

Who is hacking



Plenty of crooks and idiots out there

  • Over the last month some of my websites have been attacked from various places
  • I run software on non-standard ports, but that is never a defense against a deliberate attack: a port scan finds the service in seconds
  • It turns out that cloud providers don't really care much about crooks using their servers to hack into other people's servers
  • Last month I was attacked from GoGrid, HE, Amazon AWS and Webair (not counting Russian and Chinese IPs)
  • There are several simple technical steps ISPs could take to put hackers out of business, and maybe they will take them some day
  • In the modern world, if you want to defend your server from hackers, you are on your own

This is what I do now (a script does it, on autopilot)

  • Look at who is trying to hack into my server
  • It is as simple as zcat /var/log/* | ips.pl (use zcat -f so the current, uncompressed log is passed through as well)
  • Block their IPs with iptables
  • This does not protect against DDoS attacks
  • Your ISP can protect against DDoS, with a big honking load balancer
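The ips.pl script itself is not on this page; the following is an added example of what such a script does, written for this page and not taken from the author's tooling. It reads log lines on STDIN (or a few constructed sample lines when run interactively), counts the first IPv4 address on each line, skips addresses that are not valid dotted quads or that belong to loopback, RFC 1918 or link-local space (blocking those locks you out of your own box), and prints idempotent iptables commands. The TEST-NET addresses in the sample and the minimum-hits threshold are assumptions for the demo.

```perl
#!/usr/bin/perl
# Added example, not the ips.pl script mentioned on the page.
# Usage:  zcat -f /var/log/* | perl ips.pl 3 > block.sh ; review block.sh, then sh block.sh
use strict;
use warnings;

my $ipv4 = qr/\b((?:\d{1,3}\.){3}\d{1,3})\b/;

# Constructed sample input, used only when nothing is piped in.
my @sample = split /\n/, <<'EOL';
Mar  1 10:02:11 web sshd[2233]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  1 10:02:14 web sshd[2233]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  1 10:05:40 web apache: 198.51.100.23 - - "GET /phpmyadmin/ HTTP/1.1" 404 283
Mar  1 10:06:01 web apache: 192.168.1.5 - - "GET /index.html HTTP/1.1" 200 1420
Mar  1 10:07:33 web apache: 999.1.1.1 - - "GET / HTTP/1.1" 200 0
EOL

# The regex above also matches '999.1.1.1'; a real address has four octets in 0..255.
sub valid_ipv4 {
    my ($ip) = @_;
    my @o = split /\./, $ip;
    return @o == 4 && !grep { $_ > 255 } @o;
}

# Never emit a block for loopback, RFC 1918 or link-local space: those are your own hosts.
sub is_private {
    my ($ip) = @_;
    return $ip =~ /^(?:127\.|10\.|192\.168\.|169\.254\.|172\.(?:1[6-9]|2\d|3[01])\.)/ ? 1 : 0;
}

# Count the first IPv4 address on each line; returns a hashref ip => hits.
sub count_ips {
    my @lines = @_;
    my %hits;
    for my $l (@lines) {
        next unless $l =~ $ipv4;
        my $ip = $1;
        next unless valid_ipv4($ip);
        next if is_private($ip);
        $hits{$ip}++;
    }
    return \%hits;
}

# One shell line per IP, busiest first. The -C check means the rule is only
# inserted if it is not already present, so the output can be re-run from cron
# without growing the INPUT chain.
sub iptables_lines {
    my ( $hits, $min_hits ) = @_;
    my @out;
    for my $ip ( sort { $hits->{$b} <=> $hits->{$a} || $a cmp $b } keys %$hits ) {
        next if $hits->{$ip} < $min_hits;
        push @out, "iptables -C INPUT -s $ip -j DROP 2>/dev/null || iptables -I INPUT -s $ip -j DROP   # $hits->{$ip} hits";
    }
    return @out;
}

my $min_hits = @ARGV ? shift @ARGV : 1;
my @lines = -t STDIN ? @sample : <STDIN>;
chomp @lines;
print "$_\n" for iptables_lines( count_ips(@lines), $min_hits );
```

On the sample input this prints a rule for 203.0.113.7 (2 hits) and one for 198.51.100.23 (1 hit); the 192.168.1.5 line is skipped as private and 999.1.1.1 as invalid. Review the generated file before running it: a single typo in a threshold, or a legitimate monitoring host that trips a pattern, turns this into a self-inflicted outage.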

Why no whitelisting?

  • It does not work on port 80: a public web server has to accept connections from anyone
  • I generally like to know who exactly is trying to hack into my servers and trace it to the source (hi, little company from Chicago)

Update (Apr 06. 2013)

There is a better way.

  • Split traffic into 2 groups
  • First group: http
  • Second group: 'everything else'
  • Deal with http attacks in one way and with 'everything else' in another way (based on tcpdump)

Update (May 02. 2013)

https://github.com/kickstarter/rack-attack looks like a good way to deal with the http group of abusers

Update (Jul 28. 2013)

AutoBan - self-learning intrusion detection system in 100 lines of Perl


March 01. 2013

Background

  • Sony+Hackers+AWS
    Amazon.com's Web Services were used by hackers in the April attack against Sony's online entertainment services, according to a Bloomberg ...
  • Detecting TOR Communication in Network Traffic
    The anonymity network Tor is often misused by hackers and criminals in order to remotely control hacked computers. In this blog post we explain why Tor is so well suited for such malicious purposes, but also how incident responders can detect Tor traffic in their networks.
  • SNORT
    Snort® is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol, and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide. With millions of downloads and nearly 400,000 registered users, Snort has become the de facto standard for IPS.
  • Rack::Attack: protection from abusive clients
    If you've looked at web server logs, you know there are some weird clients out there. Malicious scripts probe for exploits. Scrapers download the same page dozens of times each second, or request the 10,000th page of comments for a post with only 2 comments.





Security Etudes : #101 : Security : Autoban

AutoBan



Self-learning intrusion detection in 100 lines of Perl

This is Part 2.

Basic design

  • Set up rsyslog to route all http logs and all system logs (including auth) to a single /var/log/syslog file
  • Create 2 text files: 'ignore.txt' and 'attack.txt', one literal pattern per line (substrings, not regular expressions)
  • Have an always-on perl script 'aban.pl' that looks at lines as they arrive in /var/log/syslog (real time)
  • In 'aban.pl', for every incoming line:
    • drop the line if it matches one of the ignore patterns (checked first, so that a broad attack pattern such as 'admin' does not catch known-good traffic)
    • store the line in 'attack.log' if it matches one of the attack patterns
    • store the line in 'log' if it is neither junk nor a known attack

Now we accumulate attacks in attack.log, but how do we learn about attacks that we don't know yet?

We learn from the attackers!

  • Introduce one more script, 'find-attack.pl'
  • In 'find-attack.pl', for every line in 'attack.log':
    • Extract the IP address of the attacker
    • Search for that IP address in the 'log' file (which holds the lines that are not yet classified)
    • With probability close to 100%, all the other requests from a criminal are also criminal requests
    • Look at the new criminal requests, isolate new patterns, and add them to attack.txt
    • Repeat

The Scripts

aban.pl


#!/usr/bin/perl
# aban.pl: follow the syslog file in real time and sort every line into
# one of three buckets: ignored (dropped), attack.log, or log (unclassified).

use strict;
use warnings;
use File::Tail;

my $fname = shift || die "Use: $0 file-to-watch\n";

# Read one pattern per line; blank lines and '#' comments are skipped.
# Patterns are matched as literal substrings (\Q...\E below), not as regexes.
sub ReadCfg {
    my $fn = shift;
    open( my $fh, '<', $fn ) or die "Can't read $fn: $!\n";
    my @ret;
    while ( my $l = <$fh> ) {
        chomp $l;
        next if $l eq '' || $l =~ /^#/;
        push @ret, $l;
    }
    close($fh);
    return @ret;
}

# Append one line to a file, opening and closing it each time so that
# logrotate can move the file out from under a long-running process.
sub append_line {
    my ( $file, $line ) = @_;
    open( my $fh, '>>', $file ) or die "Can't append to $file: $!\n";
    print $fh "$line\n";
    close($fh);
}

my @ignore = ReadCfg("ignore.txt");
my @attack = ReadCfg("attack.txt");

my $nrules  = scalar @ignore;
my $narules = scalar @attack;
my $ldate   = localtime;

append_line( "log", "$ldate started $0 watching '$fname' with $nrules ignore and $narules attack rules" );

# tail=>1: start from the last line already in the file, then follow new ones
my $File = File::Tail->new( name => $fname, tail => 1, maxinterval => 0.5, interval => 0.5 )
    or die "Can't read $fname\n";

LINE: while ( defined( my $line = $File->read ) ) {
    chomp $line;
    print STDERR "L: $line\n";

    # ignore rules are checked first, so a broad attack pattern (e.g. 'admin')
    # does not file known-good traffic as an attack
    foreach my $ire (@ignore) {
        next LINE if $line =~ m/\Q$ire\E/;
    }

    foreach my $at (@attack) {
        if ( $line =~ m/\Q$at\E/ ) {
            append_line( "attack.log", $line );
            next LINE;
        }
    }

    # neither ignored nor a known attack: keep it for find-attack.pl to review
    append_line( "log", $line );
}

find-attack.pl

#!/usr/bin/perl
# find-attack.pl: every IP that appears in attack.log is assumed hostile.
# Its other lines in 'log' (and 'old.log', if present) that match no known
# attack pattern are printed as candidates for attack.txt.

use strict;
use warnings;

sub ReadCfg {
    my $fn = shift;
    open( my $fh, '<', $fn ) or die "Can't read $fn: $!\n";
    my @ret;
    while ( my $l = <$fh> ) {
        chomp $l;
        next if $l eq '' || $l =~ /^#/;
        push @ret, $l;
    }
    close($fh);
    return @ret;
}

my @attack = ReadCfg("attack.txt");
my $ipv4   = qr/(\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b)/;

# collect each attacker IP once (attack.log lines start with a date, never '#')
my %attacker;
for my $l ( ReadCfg("attack.log") ) {
    $attacker{$1} = 1 if $l =~ $ipv4;
}

# Scan the unclassified files once, instead of one grep per attack.log line.
# Matching complete addresses in Perl also avoids the original 'grep $ip'
# treating the dots as wildcards and 1.2.3.4 matching 1.2.3.45.
my %seen;
for my $file ( grep { -f } "log", "old.log" ) {
    open( my $fh, '<', $file ) or die "Can't read $file: $!\n";
    MORELINE: while ( my $ml = <$fh> ) {
        chomp $ml;
        my @ips = $ml =~ /$ipv4/g;
        next unless grep { $attacker{$_} } @ips;
        next if $seen{$ml}++;    # report each distinct line once
        foreach my $a (@attack) {
            next MORELINE if $ml =~ m/\Q$a\E/;    # known attack
        }
        print "NEW ATTACK: $ml\n";
    }
    close($fh);
}

attack.txt

ic.asp
Invalid method in request
azenv.php
/forums
/config
HNAP1
anti-sec
admin
manager
pma
Failed password
user unknown
phppath
POST /%
noxdir
nosuichfile.php
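To see the basic design and the learning step working together without rsyslog or File::Tail, here is an added example, written for this page and not part of the AutoBan scripts above. It runs the same ignore-then-attack classification and the "every other line from an attacker is an attack" step in memory over constructed syslog lines (TEST-NET addresses), and it shows the caveat behind the broad 'admin' signature in attack.txt: without an ignore rule, a staff host that legitimately uses /admin/ is filed as an attacker, and the learning step then turns all of its traffic into "new attacks". The rule sets, the staff host 10.0.0.8 and the path-prefix suggestion for new signatures are assumptions of the example.

```perl
#!/usr/bin/perl
# Added example, not the page's aban.pl / find-attack.pl: the same logic,
# run in memory over constructed log lines.
use strict;
use warnings;

my $ipv4 = qr/\b((?:\d{1,3}\.){3}\d{1,3})\b/;

# Constructed rule sets. 'admin' is deliberately broad, as in attack.txt;
# the staff host that really uses /admin/ therefore needs an ignore rule.
my @ignore = ( 'GET /favicon.ico', 'CRON[', '10.0.0.8 - -' );
my @attack = ( 'Failed password', 'HNAP1', 'pma', 'admin', 'azenv.php' );

# Constructed syslog lines (TEST-NET attacker addresses, 10.0.0.8 is staff).
my @syslog = (
    'Jul 27 09:01:02 web sshd[411]: Failed password for root from 203.0.113.9 port 4022 ssh2',
    'Jul 27 09:01:05 web apache: 203.0.113.9 - - "GET /cgi-bin/test.cgi HTTP/1.1" 404 0',
    'Jul 27 09:02:00 web apache: 198.51.100.4 - - "GET /HNAP1/ HTTP/1.1" 404 0',
    'Jul 27 09:02:01 web apache: 198.51.100.4 - - "GET /setup.cgi?next_file=netgear.cfg HTTP/1.1" 404 0',
    'Jul 27 09:03:00 web apache: 10.0.0.8 - - "GET /admin/ HTTP/1.1" 200 512',
    'Jul 27 09:03:01 web apache: 10.0.0.8 - - "GET /favicon.ico HTTP/1.1" 200 99',
    'Jul 27 09:05:00 web CRON[500]: (root) CMD (run-parts /etc/cron.hourly)',
);

# 'ignore', 'attack' or 'log' for one line. index() is the literal-substring
# match that \Q...\E gives in the page's scripts; ignore rules win.
sub classify {
    my ( $line, $ignore, $attack ) = @_;
    for my $p (@$ignore) { return 'ignore' if index( $line, $p ) >= 0 }
    for my $p (@$attack) { return 'attack' if index( $line, $p ) >= 0 }
    return 'log';
}

# The three buckets aban.pl writes to disk, kept in memory here.
sub split_lines {
    my ( $lines, $ignore, $attack ) = @_;
    my %bucket = ( ignore => [], attack => [], log => [] );
    push @{ $bucket{ classify( $_, $ignore, $attack ) } }, $_ for @$lines;
    return \%bucket;
}

# The learning step: IPs seen in the attack bucket are hostile, so their
# unclassified lines are new attacks. Each distinct line is returned once,
# with a suggested signature: the first path component of the request
# (assumed heuristic), or the whole line if there is no HTTP request in it.
sub learn {
    my ($bucket) = @_;
    my %hostile;
    for ( @{ $bucket->{attack} } ) { $hostile{$1} = 1 if $_ =~ $ipv4 }
    my ( %seen, @new );
    for my $l ( @{ $bucket->{log} } ) {
        my ($ip) = $l =~ $ipv4;
        next unless defined $ip && $hostile{$ip};
        next if $seen{$l}++;
        my ($sig) = $l =~ m{"(?:GET|POST|HEAD) (/[^/ ?"]*)};
        push @new, { ip => $ip, line => $l, suggest => defined $sig ? $sig : $l };
    }
    return @new;
}

my $bucket = split_lines( \@syslog, \@ignore, \@attack );
printf "%-7s %d line(s)\n", $_, scalar @{ $bucket->{$_} } for qw(ignore attack log);
for my $n ( learn($bucket) ) {
    print "NEW ATTACK from $n->{ip}: $n->{line}\n";
    print "  candidate for attack.txt: $n->{suggest}\n";
}

# Caveat: without the staff-host ignore rule the broad 'admin' signature
# files a legitimate request as an attack, and learn() would then treat
# every other line from 10.0.0.8 as hostile as well.
my $no_ignore = split_lines( \@syslog, [ 'GET /favicon.ico', 'CRON[' ], \@attack );
print "without the ignore rule: ", scalar @{ $no_ignore->{attack} }, " attack line(s) instead of 2\n";
```

On the constructed input the buckets come out as 3 ignored, 2 attacks and 2 unclassified lines, and learn() reports the /cgi-bin/test.cgi and /setup.cgi probes as new attacks with '/cgi-bin' and '/setup.cgi' as candidate signatures. The candidates are suggestions only; a human still decides what goes into attack.txt, because a signature that is too short ('/config' also matches '/configurator.html') will keep pulling legitimate traffic into attack.log.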

July 28. 2013

Background






Summary Console

Security Etudes : #102 : AutoBan Sneak Attacks

AutoBan Sneak Attacks



Self-learning intrusion detection in 100 lines of Perl

This is Part 3.

Some Attackers are Sneaky

  • Most attackers hit you only once, from one IP
  • Some attackers hit you from various IPs (rare, actually)
  • Sneak attackers hit you several times from one IP, little by little, day by day
  • You really want to block the Sneak Attackers' IPs
  • To detect Sneak Attackers, the summary.pl script is used: it counts attack lines per IP and the distinct days on which that IP was seen
  • A sample Summary Console is shown above

summary.pl


#!/usr/bin/perl
# summary.pl: per-IP attack counts and the days on which each IP was seen,
# busiest IPs first. An IP that shows up on several days is a sneak attacker.

use strict;
use warnings;

my $alog = "/usr/aban/attack.log";
open( my $fh, '<', $alog ) or die "Can't read $alog: $!\n";

my %i2n;    # ip => number of attack lines
my %i2d;    # ip => list of distinct days, in the order seen

while ( my $l = <$fh> ) {
    chomp $l;
    next unless $l =~ /(\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b)/;
    my $ip = $1;
    $i2n{$ip}++;

    my $day = substr( $l, 0, 6 );    # rsyslog timestamp prefix, "Mon DD"

    # compare with the last day recorded, not with the whole accumulated
    # string: the original 'ne $day' test against "Jul 27 - Jul 28" appended
    # "Jul 28" again for every further line from that day
    my $days = $i2d{$ip} ||= [];
    push @$days, $day if !@$days || $days->[-1] ne $day;
}
close($fh);

foreach my $i ( sort { $i2n{$b} <=> $i2n{$a} || @{ $i2d{$b} } <=> @{ $i2d{$a} } } keys %i2n ) {
    my $n = $i2n{$i};
    my $d = join( " - ", @{ $i2d{$i} } );
    printf "%-15s -> %d (%d day(s): %s)\n", $i, $n, scalar @{ $i2d{$i} }, $d;
}


October 27. 2013

Background






Classification Console

Security Etudes : #103 : AutoBan Layered Approach

AutoBan Layered Approach



So I blocked AWS (and China). You can too

This is Part 4.

Current AutoBan Layered Architecture

  • All of AWS (and all of China) is blocked via iptables. Here is the script that does it.
  • The system still learns from attackers (described in Parts 1-3), but it only blocks annoying/sneak attackers.
  • An attacker is "annoying" if it did something nasty in the past. Most attacks are one-time deals/bots.
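The layered decision above, as an added example written for this page (it is not the author's blocking script, which is linked, not shown). Layer 1 matches the attacker IP against pre-blocked netblocks; the two CIDR ranges below are placeholders, not real AWS or China allocations. Layer 2 flags "sneak" attackers from attack.log: IPs with attacks on at least two distinct days. Everything else is a one-off and is only recorded. The attack.log lines, the ranges and the two-day threshold are constructed for the demo.

```perl
#!/usr/bin/perl
# Added example of the layered decision; not the page's own blocking script.
use strict;
use warnings;

my @blocked_nets = qw(203.0.113.0/24 198.51.100.128/25);    # placeholders, not real AWS/China ranges
my $min_days     = 2;                                       # attacks on this many distinct days = sneak attacker

# Constructed attack.log lines (rsyslog format, TEST-NET addresses).
my @attack_log = (
    'Jul 27 09:01:02 web sshd[411]: Failed password for root from 203.0.113.9 port 4022 ssh2',
    'Jul 27 11:40:00 web apache: 192.0.2.77 - - "GET /pma/ HTTP/1.1" 404 0',
    'Jul 28 03:12:09 web apache: 192.0.2.77 - - "GET /HNAP1/ HTTP/1.1" 404 0',
    'Jul 29 22:05:30 web apache: 192.0.2.77 - - "GET /config/ HTTP/1.1" 404 0',
    'Jul 28 14:00:00 web apache: 198.51.100.200 - - "GET /azenv.php HTTP/1.1" 404 0',
    'Jul 28 14:00:01 web apache: 192.0.2.13 - - "GET /forums/ HTTP/1.1" 404 0',
    'Jul 28 14:00:02 web apache: 192.0.2.13 - - "GET /manager/html HTTP/1.1" 404 0',
);

sub ip_to_int {
    my @o = split /\./, shift;
    return ( ( $o[0] << 8 | $o[1] ) << 8 | $o[2] ) << 8 | $o[3];
}

# Layer 1 helper: is $ip inside the a.b.c.d/n network?
sub in_cidr {
    my ( $ip, $cidr ) = @_;
    my ( $net, $bits ) = split m{/}, $cidr;
    my $mask  = $bits ? ( 0xFFFFFFFF << ( 32 - $bits ) ) & 0xFFFFFFFF : 0;
    my $match = ( ip_to_int($ip) & $mask ) == ( ip_to_int($net) & $mask );
    return $match ? 1 : 0;
}

sub in_blocked_net {
    my ($ip) = @_;
    for my $n (@blocked_nets) { return $n if in_cidr( $ip, $n ) }
    return '';
}

# ip => { hits => N, days => { 'Jul 27' => 1, ... } }, same counting as summary.pl
sub tally {
    my @lines = @_;
    my %t;
    for my $l (@lines) {
        next unless $l =~ /\b((?:\d{1,3}\.){3}\d{1,3})\b/;
        my $ip  = $1;
        my $day = substr( $l, 0, 6 );    # rsyslog "Mon DD"
        $t{$ip}{hits}++;
        $t{$ip}{days}{$day} = 1;
    }
    return \%t;
}

# Layer 2: ip => 'netblock' | 'sneak' | 'one-off'
sub decide {
    my ($t) = @_;
    my %verdict;
    for my $ip ( keys %$t ) {
        my $days = keys %{ $t->{$ip}{days} };
        $verdict{$ip} = in_blocked_net($ip)  ? 'netblock'
                      : $days >= $min_days   ? 'sneak'
                      :                        'one-off';
    }
    return \%verdict;
}

my $t = tally(@attack_log);
my $v = decide($t);
for my $ip ( sort keys %$v ) {
    my $days = keys %{ $t->{$ip}{days} };
    printf "%-15s %-8s %d hit(s) on %d day(s)\n", $ip, $v->{$ip}, $t->{$ip}{hits}, $days;
    # netblock IPs are already covered by the range rule; one-offs are only recorded
    print "  iptables -C INPUT -s $ip -j DROP 2>/dev/null || iptables -I INPUT -s $ip -j DROP\n"
        if $v->{$ip} eq 'sneak';
}
```

With the constructed input, 203.0.113.9 and 198.51.100.200 fall inside the placeholder netblocks, 192.0.2.77 is a sneak attacker (three hits on three days) and gets a DROP rule, and 192.0.2.13 stays a one-off despite two hits, because both came on the same day. Keep the day threshold above one: a single scan that happens to span midnight should not promote a bot to "annoying".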

I am looking for users to test a client/server architecture

The system works very well for me. No noise. Attackers are detected. Annoying attackers are blocked. The database of attack signatures grows every week with no effort on my side.

I've been thinking about a client/server architecture. In that scenario, users run a script on their computers, yet we share the database of attacks. If there are enough users, it looks possible to detect attacking IPs and block them in real time, the way Yahoo and others fight spam. DM me on Twitter if you would like to secure your servers the way I secured mine. You don't need to be a sysadmin for that, naturally.


May 06. 2014

Background