Fix build logfiles list sometimes files that are not new.
[people/pmueller/ipfire-2.x.git] / config / guardian / guardian.pl
1 #!/usr/bin/perl
2 # based on V 1.7 guardian enhanced for IPFire and snort 2.8
3 # Read the readme file for changes
4 #
5 # Enhanced for IPFire by IPFire Team
6 # Added Portscan detection for non syslog system
7 # Added SSH-Watch for SSH-Bruteforce Attacks
8 # An suppected IP will be blocked on all interfaces
9
10 $OS=`uname`;
11 chomp $OS;
12 print "OS shows $OS\n";
13
14 require 'getopts.pl';
15
16 &Getopts ('hc:d');
17 if (defined($opt_h)) {
18 print "Guardian v1.7 \n";
19 print "guardian.pl [-hd] <-c config>\n";
20 print " -h shows help\n";
21 print " -d run in debug mode (doesn't fork, output goes to STDOUT)\n";
22 print " -c specifiy a configuration file other than the default (/etc/guardian.conf)\n";
23 exit;
24 }
25 &load_conf;
26 &sig_handler_setup;
27
28 print "My ip address and interface are: $hostipaddr $interface\n";
29
30 if ($hostipaddr !~ /\d+\.\d+\.\d+\.\d+/) {
31 print "This ip address is bad : $hostipaddr\n";
32 die "I need a good host ipaddress\n";
33 }
34
35 $networkaddr = $hostipaddr;
36 $networkaddr =~ s/\d+$/0/;
37 $gatewayaddr = `cat /var/ipfire/red/remote-ipaddress 2>/dev/null`;
38 $broadcastaddr = $hostipaddr;
39 $broadcastaddr =~ s/\d+$/255/;
40 &build_ignore_hash;
41
42 print "My gatewayaddess is: $gatewayaddr\n";
43
44 # This is the target hash. If a packet was destened to any of these, then the
45 # sender of that packet will get denied, unless it is on the ignore list..
46
47 %targethash = ( "$networkaddr" => 1,
48 "$broadcastaddr" => 1,
49 "0" => 1, # This is what gets sent to &checkem if no
50 # destination was found.
51 "$hostipaddr" => 1);
52
53 %sshhash = ();
54
55 if ( -e $targetfile ) {
56 &load_targetfile;
57 }
58
59 if (!defined($opt_d)) {
60 print "Becoming a daemon..\n";
61 &daemonize;
62 } else { print "Running in debug mode..\n"; }
63
64 open (ALERT, $alert_file) or die "can't open alert file: $alert_file: $!\n";
65 seek (ALERT, 0, 2); # set the position to EOF.
66 # this is the same as a tail -f :)
67 $counter=0;
68 open (ALERT2, "/var/log/messages" ) or die "can't open /var/log/messages: $!\n";
69 seek (ALERT2, 0, 2); # set the position to EOF.
70 # this is the same as a tail -f :)
71
72 for (;;) {
73 sleep 1;
74 if (seek(ALERT,0,1)){
75 while (<ALERT>) {
76 chop;
77 if (defined($opt_d)) {
78 print "$_\n";
79 }
80 if (/\[\*\*\]\s+(.*)\s+\[\*\*\]/){
81 $type=$1;
82 }
83 if (/(\d+\.\d+\.\d+\.\d+):\d+ -\> (\d+\.\d+\.\d+\.\d+):\d+/) {
84 &checkem ($1, $2, $type);
85 }
86 if (/(\d+\.\d+\.\d+\.\d+)+ -\> (\d+\.\d+\.\d+\.\d+)+/) {
87 &checkem ($1, $2, $type);
88 }
89 }
90 }
91
92 sleep 1;
93 if (seek(ALERT2,0,1)){
94 while (<ALERT2>) {
95 chop;
96 if ($_=~/.*sshd.*Failed password for root from.*/) {
97 my @array=split(/ /,$_);&checkssh ($array[11], "possible SSH-Bruteforce Attack");}
98 }
99 }
100
101 # Run this stuff every 30 seconds..
102 if ($counter == 30) {
103 &remove_blocks; # This might get moved elsewhere, depending on how much load
104 # it puts on the system..
105 &check_log_name;
106 $counter=0;
107 } else {
108 $counter=$counter+1;
109 }
110 }
111
112 sub check_log_name {
113 my ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,
114 $atime,$mtime,$ctime,$blksize,$blocks) = stat($alert_file);
115 if ($size < $previous_size) { # The filesize is smaller than last
116 close (ALERT); # we checked, so we need to reopen it
117 open (ALERT, "$alert_file"); # This should still work in our main while
118 $previous_size=$size; # loop (I hope)
119 write_log ("Log filename changed. Reopening $alert_file\n");
120 } else {
121 $previous_size=$size;
122 }
123 }
124
125
126 sub checkem {
127 my ($source, $dest,$type) = @_;
128 my $flag=0;
129
130 return 1 if ($source eq $hostipaddr);
131 # this should prevent is from nuking ourselves
132
133 return 1 if ($source eq $gatewayaddr); # or our gateway
134 if ($ignore{$source} == 1) { # check our ignore list..
135 &write_log("$source\t$type\n");
136 &write_log("Ignoring attack because $source is in my ignore list\n");
137 return 1;
138 }
139
140 # if the offending packet was sent to us, the network, or the broadcast, then
141 if ($targethash{$dest} == 1) {
142 &ipchain ($source, $dest, $type);
143 }
144 # you will see this if the destination was not in the $targethash, and the
145 # packet was not ignored before the target check..
146 else {
147 &write_log ("Odd.. source = $source, dest = $dest - No action done.\n");
148 if (defined ($opt_d)) {
149 foreach $key (keys %targethash) {
150 &write_log ("targethash{$key} = $targethash{$key}\n");
151 }
152 }
153 }
154 }
155
156 sub checkssh {
157 my ($source,$type) = @_;
158 my $flag=0;
159
160 return 1 if ($source eq $hostipaddr);
161 # this should prevent is from nuking ourselves
162
163 return 1 if ($source eq $gatewayaddr); # or our gateway
164
165 if ($sshhash{$dest} eq "" ){
166 $sshhash{$dest} = 1;
167 }
168 if ($sshhash{$dest} >= 3 ) {
169 &write_log ("source = $source, count $sshhash{$dest} - blocking for ssh attack.\n");
170 &ipchain ($source, "", $type);
171 }
172 # you will see this if the destination was not in the $sshhash, and the
173 # packet was not ignored before the target check..
174 else {
175 &write_log ("Odd.. source = $source, ssh count only $sshhash{$dest} - No action done.\n");
176 if (defined ($opt_d)) {
177 foreach $key (keys %sshhash) {
178 &write_log ("sshhash{$key} = %sshhash{$key}\n");
179 }
180 }
181 $sshhash{$key} = $sshhash{$key}+1;
182 }
183 }
184
185 sub ipchain {
186 my ($source, $dest, $type) = @_;
187 &write_log ("$source\t$type\n");
188 if ($hash{$source} eq "") {
189 &write_log ("Running '$blockpath $source'\n");
190 system ("$blockpath $source");
191 $hash{$source} = time() + $TimeLimit;
192 } else {
193 # We have already blocked this one, but snort detected another attack. So
194 # we should update the time blocked..
195 $hash{$source} = time() + $TimeLimit;
196 }
197 }
198
199 sub build_ignore_hash {
200 # This would cause is to ignore all broadcasts if it
201 # got set.. However if unset, then the attacker could spoof the packet to make
202 # it look like it came from the network, and a reply to the spoofed packet
203 # could be seen if the attacker were on the local network.
204 # $ignore{$networkaddr}=1;
205
206 # same thing as above, just with the broadcast instead of the network.
207 # $ignore{$broadcastaddr}=1;
208 my $count =0;
209 $ignore{$gatewayaddr}=1;
210 $ignore{$hostipaddr}=1;
211 if ($ignorefile ne "") {
212 open (IGNORE, $ignorefile);
213 while (<IGNORE>) {
214 $_=~ s/\s+$//;
215 chomp;
216 next if (/\#/); #skip comments
217 next if (/^\s*$/); # and blank lines
218 $ignore{$_}=1;
219 $count++;
220 }
221 close (IGNORE);
222 print "Loaded $count addresses from $ignorefile\n";
223 } else {
224 print "No ignore file was loaded!\n";
225 }
226 }
227
228 sub load_conf {
229 if ($opt_c eq "") {
230 $opt_c = "/etc/guardian.conf";
231 }
232
233 if (! -e $opt_c) {
234 die "Need a configuration file.. please use to the -c option to name a configuration file\n";
235 }
236
237 open (CONF, $opt_c) or die "Cannot read the config file $opt_c, $!\n";
238 while (<CONF>) {
239 chop;
240 next if (/^\s*$/); #skip blank lines
241 next if (/^#/); # skip comment lines
242 if (/LogFile\s+(.*)/) {
243 $logfile = $1;
244 }
245 if (/Interface\s+(.*)/) {
246 $interface = $1;
247 }
248 if (/AlertFile\s+(.*)/) {
249 $alert_file = $1;
250 }
251 if (/IgnoreFile\s+(.*)/) {
252 $ignorefile = $1;
253 }
254 if (/TargetFile\s+(.*)/) {
255 $targetfile = $1;
256 }
257 if (/TimeLimit\s+(.*)/) {
258 $TimeLimit = $1;
259 }
260 if (/HostIpAddr\s+(.*)/) {
261 $hostipaddr = $1;
262 }
263 if (/HostGatewayByte\s+(.*)/) {
264 $hostgatewaybyte = $1;
265 }
266 }
267
268 if ($interface eq "") {
269 die "Fatal! Interface is undefined.. Please define it in $opt_o with keyword Interface\n";
270 }
271 if ($alert_file eq "") {
272 print "Warning! AlertFile is undefined.. Assuming /var/log/snort.alert\n";
273 $alert_file="/var/log/snort.alert";
274 }
275 if ($hostipaddr eq "") {
276 print "Warning! HostIpAddr is undefined! Attempting to guess..\n";
277 $hostipaddr = &get_ip($interface);
278 print "Got it.. your HostIpAddr is $hostipaddr\n";
279 }
280 if ($ignorefile eq "") {
281 print "Warning! IgnoreFile is undefined.. going with default ignore list (hostname and gateway)!\n";
282 }
283 if ($hostgatewaybyte eq "") {
284 print "Warning! HostGatewayByte is undefined.. gateway will not be in ignore list!\n";
285 }
286 if ($logfile eq "") {
287 print "Warning! LogFile is undefined.. Assuming debug mode, output to STDOUT\n";
288 $opt_d = 1;
289 }
290 if (! -w $logfile) {
291 print "Warning! Logfile is not writeable! Engaging debug mode, output to STDOUT\n";
292 $opt_d = 1;
293 }
294
295 foreach $mypath (split (/:/, $ENV{PATH})) {
296 if (-x "$mypath/guardian_block.sh") {
297 $blockpath = "$mypath/guardian_block.sh";
298 }
299 if (-x "$mypath/guardian_unblock.sh") {
300 $unblockpath = "$mypath/guardian_unblock.sh";
301 }
302 }
303
304 if ($blockpath eq "") {
305 print "Error! Could not find guardian_block.sh. Please consult the README. \n";
306 exit;
307 }
308 if ($unblockpath eq "") {
309 print "Warning! Could not find guardian_unblock.sh. Guardian will not be\n";
310 print "able to remove blocked ip addresses. Please consult the README file\n";
311 }
312 if ($TimeLimit eq "") {
313 print "Warning! Time limit not defined. Defaulting to absurdly long time limit\n";
314 $TimeLimit = 999999999;
315 }
316 }
317
318 sub write_log {
319 my $message = $_[0];
320 my $date = localtime();
321 if (defined($opt_d)) { # we are in debug mode, and not daemonized
322 print STDOUT $message;
323 } else {
324 open (LOG, ">>$logfile");
325 print LOG $date.": ".$message;
326 close (LOG);
327 }
328 }
329
330 sub daemonize {
331 my ($home);
332 if (fork()) {
333 # parent
334 exit(0);
335 } else {
336 # child
337 &write_log ("Guardian process id $$\n");
338 $home = (getpwuid($>))[7] || die "No home directory!\n";
339 chdir($home); # go to my homedir
340 setpgrp(0,0); # become process leader
341 close(STDOUT);
342 close(STDIN);
343 close(STDERR);
344 print "Testing...\n";
345 }
346 }
347
348 sub get_ip {
349 my ($interface) = $_[0];
350 my $ip;
351 open (IFCONFIG, "/bin/netstat -iee |grep $interface -A7 |");
352 while (<IFCONFIG>) {
353 if ($OS eq "FreeBSD") {
354 if (/inet (\d+\.\d+\.\d+\.\d+)/) {
355 $ip = $1;
356 }
357 }
358 if ($OS eq "Linux") {
359 if (/inet addr:(\d+\.\d+\.\d+\.\d+)/) {
360 $ip = $1;
361 }
362 }
363 }
364 close (IFCONFIG);
365
366 if ($ip eq "") { die "Couldn't figure out the ip address\n"; }
367 $ip;
368 }
369
370 sub sig_handler_setup {
371 $SIG{TERM} = \&clean_up_and_exit; # kill
372 $SIG{QUIT} = \&clean_up_and_exit; # kill -3
373 # $SIG{HUP} = \&flush_and_reload; # kill -1
374 }
375
376 sub remove_blocks {
377 my $source;
378 my $time = time();
379 foreach $source (keys %hash) {
380 if ($hash{$source} < $time) {
381 &call_unblock ($source, "expiring block of $source\n");
382 delete ($hash{$source});
383 }
384 }
385 }
386
387 sub call_unblock {
388 my ($source, $message) = @_;
389 &write_log ("$message");
390 system ("$unblockpath $source");
391 }
392
393 sub clean_up_and_exit {
394 my $source;
395 &write_log ("received kill sig.. shutting down\n");
396 foreach $source (keys %hash) {
397 &call_unblock ($source, "removing $source for shutdown\n");
398 }
399 exit;
400 }
401
402 sub load_targetfile {
403 my $count = 0;
404 open (TARG, "$targetfile") or die "Cannot open $targetfile\n";
405 while (<TARG>) {
406 chop;
407 next if (/\#/); #skip comments
408 next if (/^\s*$/); # and blank lines
409 $targethash{$_}=1;
410 $count++;
411 }
412 close (TARG);
413 print "Loaded $count addresses from $targetfile\n";
414 }