[script] Automatic report on possible server attacks

jvc (active member, thread starter; member since 09.01.2008; 319 posts; 65 reaction points)
Hello,

one can easily spend every day analysing IP addresses. For that purpose I wrote a bash script that generates a daily report of possible attacks.

The script runs on OS X Sierra Server and, if installed, a current Murus firewall; it is hooked in via launchd and, depending on the number of entries, takes a little longer to run.

Because the log file /var/log/mail.log is not populated on OS X Sierra, I fall back on the /usr/bin/log command. By default the postfix log is cleared after one day, so raise these values:
Code:
sudo serveradmin settings mail:postfix:log_level = "info"
sudo serveradmin settings mail:postfix:spam_log_level = "info"
sudo serveradmin settings mail:postfix:log_rolling_days_enabled = yes
sudo serveradmin settings mail:postfix:log_rolling_days = 3

Have fun.
jvc

Example report: (attached screenshot report.png)


/opt/report/report.sh - adapt the three variables (EMAIL/INTERFACE/EXCLUDE) to your needs:
Code:
#!/bin/bash

EMAIL="admin@mydomain.eu"
INTERFACE="en0"
EXCLUDE="mydomain.eu"

# Analyze following ports in /var/log/pffirewall.log
declare -a PF_PORT_LIST=("25" "587" "80" "443" "993")
declare -a PF_PORT_DESC=("SMTP" "SMTP" "HTTP" "HTTPS" "IMAP")

# Report day: yesterday by default, today when called with --today
if [ "$1" = "--today" ]; then OFF="-v+0d"; else OFF="-v-1d"; fi
DAY_ISO=$(date $OFF +'%Y-%m-%d')         # heading and log show --start
NEXT_ISO=$(date $OFF -v+1d +'%Y-%m-%d')  # log show --end
DAY_MD=$(date $OFF "+%b %d ")            # apache2 and Dovecot log lines
DAY_NUM=$(date $OFF "+%m %d ")           # pffirewall.log lines

# Lines of the given log file for the report day, nothing if the file is missing
day_lines() { [ -e "$2" ] && grep "$1" "$2"; }

# Unified log entries of postfix smtpd for the report day
smtpd_log() { /usr/bin/log show --start "$DAY_ISO 00:00:00" --end "$NEXT_ISO 00:00:00" --predicate '(process == "smtpd")' -info; }

# Column header of every table
header() { echo "Count Protocol User IP Country Hostname"; echo "----- -------- --------------- --------------- ------- ------------------------------"; }

# Append the whois country (XX if unknown) and the reverse DNS name to each count/protocol/user/ip line
enrich() {
  while read -r line; do
    ip=$(echo "$line" | sed -e 's/ /#/3' -e 's/.*#//g')
    country=$(whois "$ip" | grep 'ountry' | tail -n 1 | sed -e 's/.* //g')
    # unquoted on purpose: a multi-line dig answer is folded into one row
    echo $line ${country:-XX} $(dig -x "$ip" +short | sed -e 's/.$//g')
  done
}

echo "<html>
<head><title></title>
<style type=\"text/css\">
  a{
    color: inherit !important;
    text-decoration: none !important;
    font-size: inherit !important;
    font-family: inherit !important;
    font-weight: inherit !important;
    line-height: inherit !important;
  }
</style>
</head>
<body>
<h1>Server Access Report</h1>
<h2>Date: $DAY_ISO</h2>
<hr>
<pre>
First table:
------------
HTTP: Tried to connect to HTTP server and requested an invalid page (from /var/log/apache2/error_log)
SMTP: Tried to connect to SMTP server with given user but wrong password (from /usr/bin/log show)
IMAP: Tried to connect to IMAP server with given user but wrong password (from /Library/Logs/Mail/mail-err.log)

Second table:
-------------
SMTP: Successful user connections (from /usr/bin/log show)

Third table:
------------
IMAP: Successful user connections (from /Library/Logs/Mail/mail-info.log)

Fourth table:
-------------
For given protocol passed inbound connections (from /var/log/pffirewall.log)
</pre>
<hr>
<pre>
$( {
header
# Table 1: HTTP requests for invalid pages, SMTP and IMAP password failures
day_lines "$DAY_MD" /var/log/apache2/error_log | grep "\[:error\]" | sed -e 's/.*client /HTTP ---- /g' -e 's/:.*$//g' |
  sort | uniq -c | enrich | grep -v "US localhost" | sort -nr
smtpd_log | grep " login authentication failed" | sed -e 's/.*\[/SMTP ---- /g' -e 's/\].*$//g' |
  sort | uniq -c | enrich | sort -nr
smtpd_log | grep "verify password: unable\|LOGIN authentication failed" | sed -e 'N;s/\n/ /' |
  sed -e 's/.*record for: user=/SMTP /g' -e 's/ /#/2' -e 's/#.*\[/ /g' -e 's/\].*$//g' |
  sort | uniq -c | enrich | sort -nr
day_lines "$DAY_MD" /Library/Logs/Mail/mail-err.log | grep 'auth: Error: od(' | sed -e 's/.* od(/IMAP /g' -e 's/,/ /1' -e 's/,.*$//g' |
  sort | uniq -c | enrich | sort -nr
echo "#####"
header
# Table 2: successful SMTP logins
smtpd_log | grep "sasl_username=" | sed -e 's/.*\[//g' -e 's/=/#/2' -e 's/\].*#/ /g' -e 's/^\([^ ][^ ]*\) \([^ ][^ ]*\)/SMTP \2 \1/' |
  sort | uniq -c | enrich | sort -nr
echo "#####"
header
# Table 3: successful IMAP logins
day_lines "$DAY_MD" /Library/Logs/Mail/mail-info.log | grep "Login:" | sed -e 's/.*user=</IMAP /g' -e 's/>.* rip=/ /g' -e 's/,.*//g' |
  sort | uniq -c | enrich | sort -nr
echo "#####"
header
# Table 4: passed inbound connections on the watched ports
day_lines "$DAY_NUM" /var/log/pffirewall.log | grep "pass in on $INTERFACE: " | sed -e "s/.*pass in on $INTERFACE: //g" |
  sed -e 's/\./#/4' -e 's/\./+/7' -e 's/#.*+/ /g' -e 's/:.*$//g' -e 's/^\([^ ][^ ]*\) \([^ ][^ ]*\)/\2 \1/' |
  while read -r line; do
    for i in "${!PF_PORT_LIST[@]}"; do
      [ "${PF_PORT_LIST[$i]}" = "${line%% *}" ] && echo "${PF_PORT_DESC[$i]} ---- ${line##* }"
    done
  done | sort | uniq -c | enrich | grep -v "US localhost" | sort -nr
} | column -t | sed -e 's/ ---- /      /g' -e 's/.*###.*$/ /g' | grep -v "$EXCLUDE" | sed -e 's/;.*connection timed out.*$//g')
</pre>
<hr>
<h3>End of report</h3>
</body>
</html>" | /usr/bin/mail -s "$(echo -e "HTTP/SMTP/IMAP Access Report\nContent-Type: text/html")" "$EMAIL"

/Library/LaunchDaemons/eu.mydomain.report.plist - must be adapted to your environment (path to the script and possibly the start time):
Code:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>KeepAlive</key>
        <dict>
                <key>SuccessfulExit</key>
                <false/>
        </dict>
        <key>Label</key>
        <string>net.report.server</string>
        <key>ProgramArguments</key>
        <array>
                <string>/bin/bash</string>
                <string>/opt/report/report.sh</string>
        </array>
        <key>RunAtLoad</key>
        <true/>
        <key>AbandonProcessGroup</key>
        <true/>
        <key>StartCalendarInterval</key>
        <dict>
                <key>Hour</key>
                <integer>0</integer>
                <key>Minute</key>
                <integer>2</integer>
        </dict>
</dict>
</plist>
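
As an added example that is not part of jvc's script, the following sh snippet applies the same field extraction that report.sh uses for its first table (Apache error_log, postfix smtpd SASL failures and the Dovecot od() auth errors) to constructed sample lines, counts failures per protocol, user and IP offline without whois or dig, and lists only the sources that reached a failure threshold, a check the daily report leaves to the reader. The sample log lines, the hostnames and the threshold are assumptions.

```shell
#!/bin/sh
# Added example, not the original poster's report.sh: the field extraction
# report.sh applies to Apache error_log, postfix smtpd and Dovecot od() auth
# errors, run over constructed sample lines, aggregated per protocol, user and
# IP offline (no whois, no dig), and filtered to the sources that reached a
# failure threshold.

# Constructed sample log lines shaped like the records the sed expressions expect.
APACHE_LOG='[Wed Oct 11 02:10:01.123456 2017] [:error] [pid 88] [client 203.0.113.7:50112] script /wp-login.php not found
[Wed Oct 11 02:10:02.223456 2017] [:error] [pid 88] [client 203.0.113.7:50114] script /phpmyadmin/index.php not found
[Wed Oct 11 02:30:00.323456 2017] [:error] [pid 89] [client 198.51.100.9:40001] script /admin/index.php not found'
SMTP_LOG='Oct 11 02:14:07 srv smtpd[501]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Oct 11 02:14:09 srv smtpd[501]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Oct 11 02:14:12 srv smtpd[501]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Oct 11 02:15:00 srv smtpd[502]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed: authentication failure'
IMAP_LOG='Oct 11 03:01:10 srv dovecot[77]: auth: Error: od(alice,192.0.2.5,imap): password verification failed
Oct 11 03:01:40 srv dovecot[77]: auth: Error: od(alice,192.0.2.5,imap): password verification failed'

# HTTP errors: "HTTP ---- <ip>", the IP is what follows "client " up to the first colon
http_errors() { grep '\[:error\]' | sed -e 's/.*client /HTTP ---- /' -e 's/:.*$//'; }

# Failed SASL logins: "SMTP ---- <ip>", the IP sits in the last [...] of the line
smtp_failures() { grep 'authentication failed' | sed -e 's/.*\[/SMTP ---- /' -e 's/\].*$//'; }

# Dovecot od() auth errors: "IMAP <user> <ip>" taken from od(user,ip,...)
imap_failures() { grep 'auth: Error: od(' | sed -e 's/.* od(/IMAP /' -e 's/,/ /' -e 's/,.*$//'; }

# "<count> <proto> <user> <ip>" per distinct source, highest count first
count_sources() { sort | uniq -c | sort -rn | awk '{ print $1, $2, $3, $4 }'; }

# All failures across the three sources with at least $1 hits
failed_sources_over() {
    {
        printf '%s\n' "$APACHE_LOG" | http_errors
        printf '%s\n' "$SMTP_LOG" | smtp_failures
        printf '%s\n' "$IMAP_LOG" | imap_failures
    } | count_sources | awk -v min="$1" '$1 >= min'
}

# Worst source overall, and how many sources reached a given threshold
top_source() { failed_sources_over 1 | head -n 1; }
sources_over() { failed_sources_over "$1" | wc -l | tr -d ' '; }

failed_sources_over 3
```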