PerlMonks  

Emergency Sentry Robot

by Aighearach (Initiate)
on Sep 10, 2000 at 23:50 UTC ( [id://31815] )

This morning after waking up, I decided to take a little stroll through the system logs at a webserver I am responsible for. I receive little pay for this, but I get free use of a fast server for personal and development purposes. So what did I find in the logs? Somebody tarballing and transferring my home dir! and some other things they shouldn't be fondling. So, I needed a quick way to alert me to further violations. I really didn't feel I had time to look for a utility for this, I needed something yesterday. So, I fired up emacs...

This script watches a file to see if it is accessed or modified. If it is either accessed or modified, it first sends an email to me, including the name of the file changed, and the output from who(1). Next, it uses wall(1) to notify the person that their accesses are not going unnoticed.

#!/usr/bin/perl
use strict;
use warnings;
use Mail::Sendmail;

@ARGV == 1 or die "usage: $0 watchfile\n";
my $watchfile = $ARGV[0];
print "watching $watchfile.\n";

# Fork; the parent exits so the watcher keeps running in the background.
my $pid = fork();
defined $pid or die "fork failed: $!\n";
exit 0 if $pid;

# Baseline: atime is field 8 and mtime field 9 of stat(2).
my ( $access_time, $modify_time ) = ( stat($watchfile) )[ 8, 9 ];
defined $access_time or die "cannot stat $watchfile: $!\n";

while ( sleep 5 ) {
    my ( $atime, $mtime ) = ( stat($watchfile) )[ 8, 9 ];
    unless ( defined $atime ) {
        # The file is gone (or no longer stat-able): report it once and stop.
        tripwire( $watchfile, "removed" );
        die "$watchfile is gone\n";
    }
    unless ( $access_time == $atime ) {
        print "ACCESS CHANGED!!\n";
        tripwire( $watchfile, "accessed" );
        $access_time = $atime;
    }
    unless ( $modify_time == $mtime ) {
        print "MODIFY CHANGED!!\n";
        tripwire( $watchfile, "modified" );
        $modify_time = $mtime;
    }
}

# Mail the file name, what happened and the output of who(1), then wall(1) everyone.
sub tripwire {
    my $file = shift || "unknown";
    my $what = shift || "unknown";
    my %mail = (
        To      => 'pariss@efn.org',
        From    => 'Aighearach@makeyourbanner.com',
        Subject => 'SECURITY VIOLATION!!!',
        Message => "SECURITY VIOLATION!!! $file $what\n" . `who`,
    );
    sendmail(%mail) or warn "sendmail failed: $Mail::Sendmail::error\n";
    system( 'wall', 'what the hell are you doing? --AUTOMATED (report generated)' );
}
Paris Sinclair    |    4a75737420416e6f74686572
pariss@efn.org    |    205065726c204861636b6572
http://sinclairinternetwork.com
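A Python equivalent of the watcher, added here as a worked example; it is not Aighearach's code or any tool mentioned in the thread. It keeps the poll-and-compare idea but also hashes the file, since an mtime is put back with touch(1) or utime(2) as easily as it is changed, and it separates detection (check) from the alert hook so the mail/wall step can be swapped. One caveat the original cannot see: Linux mounts default to relatime, so an ordinary read usually leaves atime untouched, and the "accessed" event is only meaningful on a strictatime mount. The file name, sample content and timestamp shifts in demo() are constructed.

```python
"""Polling file tripwire: stat(2) atime/mtime plus a content hash.

Added example for this page, not code from the original post. Detection
lives in check(); the alert hook (who/wall/mail) is the caller's business.
"""
import hashlib
import os
import subprocess
import sys
import tempfile
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Observation:
    seen_atime_ns: int      # atime found before our own read
    baseline_atime_ns: int  # atime after our own read: what the next poll should find
    mtime_ns: int
    sha256: str


def observe(path: str) -> Optional[Observation]:
    """One poll of path; None if the file is gone."""
    try:
        before = os.stat(path)
        with open(path, "rb") as fh:      # our own read may bump atime (strictatime)...
            digest = hashlib.sha256(fh.read()).hexdigest()
        after = os.stat(path)             # ...so baseline on the post-read value
    except FileNotFoundError:
        return None
    return Observation(before.st_atime_ns, after.st_atime_ns, after.st_mtime_ns, digest)


def check(path: str, prev: Optional[Observation]):
    """Compare a fresh observation with the previous one.

    Returns (events, new_baseline). The first observation of a file only
    establishes the baseline; a None baseline means the file is absent.
    """
    cur = observe(path)
    if cur is None:
        return (["removed"] if prev is not None else []), None
    if prev is None:
        return [], cur
    events = []
    if cur.seen_atime_ns != prev.baseline_atime_ns:
        events.append("accessed")
    if cur.mtime_ns != prev.mtime_ns:
        events.append("modified")
    elif cur.sha256 != prev.sha256:
        # Content differs but mtime does not: rewritten, then timestamp put back.
        events.append("modified with mtime reset")
    return events, cur


def build_alert(path: str, events: list, logins: str) -> str:
    """Same payload the original mails: file, what happened, who(1) output."""
    return f"SECURITY VIOLATION: {path} {', '.join(events)}\nlogged in:\n{logins.rstrip()}"


def watch(path: str, interval: float, notify: Callable[[str], None]) -> None:
    """Poll forever; notify(message) once per batch of events."""
    _, baseline = check(path, None)
    while True:
        time.sleep(interval)
        events, baseline = check(path, baseline)
        if events:
            logins = subprocess.run(["who"], capture_output=True, text=True).stdout
            notify(build_alert(path, events, logins))


def demo() -> list:
    """Offline walk-through on a constructed temp file; returns each poll's events."""
    seen = []
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "secret.txt")
        with open(p, "wb") as fh:
            fh.write(b"constructed sample content\n")
        _, b = check(p, None)                                        # baseline only
        os.utime(p, ns=(b.baseline_atime_ns, b.mtime_ns + 10**9))   # mtime moved, atime kept
        ev, b = check(p, b)
        seen.append(ev)                                              # ['modified']
        os.utime(p, ns=(b.baseline_atime_ns + 10**9, b.mtime_ns))   # atime moved, mtime kept
        ev, b = check(p, b)
        seen.append(ev)                                              # ['accessed']
        with open(p, "wb") as fh:
            fh.write(b"tampered\n")
        os.utime(p, ns=(b.baseline_atime_ns, b.mtime_ns))           # timestamps put back after rewrite
        ev, b = check(p, b)
        seen.append(ev)                                              # ['modified with mtime reset']
        os.remove(p)
        ev, b = check(p, b)
        seen.append(ev)                                              # ['removed']
    return seen


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} watchfile")

    def notify(msg: str) -> None:
        print(msg)
        subprocess.run(["wall", msg.splitlines()[0]])  # mail goes here too if wanted
    watch(sys.argv[1], 5.0, notify)
```

Run it as `python3 tripwire.py /path/to/file`; `demo()` shows the four cases without touching anything outside a temp dir. The second stat in observe() is what keeps the watcher from alerting on its own reads; the hash is what catches a rewrite followed by `touch -r`.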

(Ozymandias) RE: Emergency Sentry Robot
by Ozymandias (Hermit) on Sep 11, 2000 at 03:52 UTC
    This might have its uses, but it's risky to alert the person that you know they're there. They have a nasty habit of panicking and removing all logs via the "brute force method" - rm -rf *.

    For quick security solutions, I find Psionic's freeware products to be excellent utilities for security; they're not perfect, but if you need something fast and accurate, they'll do the job. Even if they are written in Python...

    I think especially highly of PortSentry and HostSentry, although HostSentry takes a little longer to set up than PortSentry.

    - email Ozymandias

      Well, in this case I already had log backups of the activity. And, installing a package represented an unknown time period to research the available options, and install that option. It's a testament to the power of Perl that in these situations it can take less time to write a program from scratch than it would likely take to locate and install a free package. Also, and this is just from a quick glance at the links, those products don't offer the functionality that my script does; they detect intruders, but not unauthorized access of private files by somebody with root access. In this case it was the owner of the machine who had tarred and transferred files he didn't have legal access to.

      Anyway, the logs are already multiplexed. ;)

      
        Hey, it's your machine. All I can say is *I* wouldn't do that. Sure, the rm -rf * from / won't destroy the logs if you copy them off. So their immediate purpose is not well served. Umm... so? They've still completely trashed your box.

        Final word on the topic - alerting intruders that you are aware of their presence is a very bad idea. Do so at your own risk, and PLEASE don't try to tell people that it's not.

        - email Ozymandias
Cool program, but....
by pschoonveld (Pilgrim) on Sep 13, 2000 at 15:27 UTC
    I do like the program. The concept is quite nice. But, I think you are hitting things in the wrong direction. You said you were "responsible" for the server. I take that to mean you are the admin. So, why would you have it set up such that people could read others' home dirs? Why wouldn't you chroot everyone and restrict their spheres of influence? Or, at the least, set perms and masks such that read and execute are not allowed to other users.

    I used to do UNIX admin on similar machines and we ALWAYS did this. We had some web apps (Perl & PHP) that we sold to some clients and not others. For the most part even the client that bought the program didn't get even read access to the source. I think you need to reassess the security of the box in general.
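The permission check pschoonveld describes, as an added example (mine, not from the reply or any project): list the home directories under a root that group or others can read or enter, suggest the owner-only mode, and show what a given umask does to newly created files and directories. The two directories in demo() are constructed in a temp dir; on a real box call audit("/home").

```python
"""Find home directories exposed to group/others, and show umask arithmetic.

Added example for this page, not the reply author's code.
"""
import os
import stat
import sys
import tempfile

# Any permission bit for group or others: read lets them copy, execute lets them traverse.
EXPOSED_BITS = stat.S_IRWXG | stat.S_IRWXO


def leaks(mode: int) -> bool:
    """True if the mode grants group or others anything at all."""
    return bool(mode & EXPOSED_BITS)


def audit(root: str) -> list:
    """(path, current mode, suggested mode) for each exposed direct subdirectory of root.

    Symlinks are not followed; the suggested mode keeps owner and special bits only.
    """
    findings = []
    for name in sorted(os.listdir(root)):
        p = os.path.join(root, name)
        st = os.lstat(p)
        if not stat.S_ISDIR(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        if leaks(mode):
            findings.append((p, mode, mode & ~EXPOSED_BITS))
    return findings


def effective_mode(requested: int, umask: int) -> int:
    """What open(2)/mkdir(2) actually create under a given umask."""
    return requested & ~umask & 0o7777


def demo() -> dict:
    """Constructed layout: one open home (0755) and one private one (0700)."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("alice", 0o755), ("bob", 0o700)):
            p = os.path.join(root, name)
            os.mkdir(p)
            os.chmod(p, mode)   # chmod ignores umask; mkdir's mode argument does not
        return {os.path.basename(p): (oct(cur), oct(fix)) for p, cur, fix in audit(root)}


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/home"
    for p, cur, fix in audit(root):
        print(f"chmod {fix:o} {p}    # currently {cur:o}")
```

Pair it with `umask 077` in the login profile: effective_mode(0o777, 0o077) is 0o700 for new directories and effective_mode(0o666, 0o077) is 0o600 for new files, which is the "masks" half of the advice above.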

RE: Emergency Sentry Robot
by AgentM (Curate) on Sep 24, 2000 at 08:27 UTC
    A better solution is a more secret solution. Try tripwire. It ain't Perl but it provides an elegant and feature-rich solution to exactly the monitoring you are talking about.
