Jerry A. Shenk - Security Scripts for Linux

page updated 8/11/99

Overview:

Some of these are going to be rough.  If you have suggestions for improvements, I'm open to them.  In most cases these are running on Linux and may or may not work on other Linux builds or the various Unix platforms.

One of the basic design assumptions is that the Linux box running these scripts has an 'open view' of the network, i.e. the traffic it is watching for actually reaches its interface.  Things that block that view are routers, switches and of course any type of firewall.  On a switched segment tcpdump only sees traffic addressed to the box itself plus broadcasts, so the sensor needs a hub, a mirror (SPAN) port or a tap to see everything.  This Linux box can be on the inside or on the outside.

If it's on the outside, it's capable of being a 'sentry' that notifies the troops of an impending or in-progress attack.  In that case care should be taken to ensure that nothing of value resides on it; the sentry may end up being sacrificed in the course of duty.  Obviously it's wise to properly outfit the sentry...no sense setting it up and having it killed off too quickly!

Another place to run these scripts is on the inside, as a monitor of sorts.  If a security script running on the inside triggers, that means one of two things: somebody got through (or is getting through) the firewall, or there is a security breach on the inside.  Either way, a trip on the inside should be dealt with immediately.

trackland:

This script monitors the local subnet for LAND attacks.  A LAND attack is generally an attempt to get a firewall (or any host) to lock up: a packet is sent to the device that appears to have been sent by that same device, with the same source and destination address and port.  Some operating systems of the day did not handle this and locked up.  This script only looks for packets whose source and destination IP addresses are equal, which is the cheaper check and is what the tcpdump filter below tests.  It waits for a single matching packet, mails the alert, sleeps for $DELAY seconds and starts over, so a burst of matches produces one message per cycle rather than one per packet.

#!/bin/sh
#filename /usr/bin/trackland
#Author - Jerry Shenk

#set -x

#This script is designed to trigger on land attacks
#More info about this exploit can be obtained at http://www.cert.org/advisories

#When a packet with identical source and destination IP addresses is seen,
# an alerting e-mail message is sent to the addresses in the ALERTTO variable.

ALERTTO=e-mail@host.com
SITE=hostname
DELAY=30
INTERFACE=ppp0
LOCALIP=`ifconfig $INTERFACE | grep addr | cut -d ":" -f 2 | cut -d " " -f 1`

#echo "Port $INTERFACE which is using IP address $LOCALIP will be monitored "
echo "The running script is $0."

#Wait for one packet whose IP source address (ip[12:4]) equals its
# destination address (ip[16:4]).  -n keeps tcpdump from doing name lookups,
# which would stall the capture and change the field layout parsed below.
TRIPLINE=`tcpdump -n -c 1 -vv -i $INTERFACE 'ip[12:4] = ip[16:4]'`

#Field layout assumed: "time src.port > dst.port: ..." (the tcpdump output of
# the day; newer versions insert "IP" after the timestamp, shifting the fields).
INTRUDER=`echo $TRIPLINE |  cut -d " " -f 2 | cut -d "." -f 1-4`
DESTINATION=`echo $TRIPLINE | cut -d " " -f 4`
DESTINATIONIP=`echo $DESTINATION | cut -d "." -f 1,2,3,4`
DESTINATIONPORT=`echo $DESTINATION | cut -d "." -f 5 | cut -d ":" -f 1`
#Use a private temporary file rather than a fixed name in /tmp, which a local
# user could pre-create or symlink.
BODY=`mktemp /tmp/trackland.XXXXXX` || exit 1
nslookup $DESTINATIONIP | tail -n 3 > $BODY
echo "Server $DESTINATIONIP being accessed on port $DESTINATIONPORT" >> $BODY
echo " " >> $BODY
echo "IP packet that caused the alert:" >> $BODY
echo $TRIPLINE >> $BODY

echo LAND attack against $DESTINATIONIP detected - Alerts go to $ALERTTO
mail -s "*** LAND attack detected - $SITE" $ALERTTO < $BODY
rm -f $BODY

date
echo "Delaying for $DELAY seconds."
sleep $DELAY
#Re-exec rather than spawn a child copy, so the process tree does not grow
# with every alert.
exec $0
 

trackcon:

This script monitors a firewall from the INSIDE and alarms when connections are initiated from the firewall.  Normally there should be very little traffic initiated by the firewall itself.  This is a good security measure because it is very generic: if the firewall is accidentally opened up (often done during testing and debugging of connection issues) or the firewall itself is compromised, this script detects any incoming connection-start packet (a TCP segment with the ACK flag not set, i.e. a bare SYN) and sends an alarm.

Because of the logic involved in the tcpdump filter, this script has two parts: the script itself and a filter file that the script passes to tcpdump with -F.

This particular network has two mail servers internally, at 10.1.1.2 and 10.1.1.3.  There is a firewall with a router on each side.  The network between the firewall and the internal router is 10.254/16.  The firewall is a Novell BorderManager box running NetWare 5.  Port 524 is NCP (NetWare Core Protocol).  In the strictest sense, this traffic should probably not be allowed.

the script:
#!/bin/sh
#filename /usr/bin/trackcon
#Author - Jerry Shenk

#set -x

#This script is designed to trigger on TCP connection attempts (ACK flag
#clear) that originate on the internet, the BorderManager segment (10.254/16)
#or the Cisco router at 10.1.1.1.  The filter is in /usr/bin/trackcon.filter.

ALERTTO=e-mail@host.com
SITE=site_name
DELAY=30
INTERFACE=eth1
LOCALIP=`ifconfig $INTERFACE | grep addr | cut -d ":" -f 2 | cut -d " " -f 1`

#echo "Port $INTERFACE which is using IP address $LOCALIP will be monitored "
echo "The running script is $0."

#Wait for one packet matching the filter file.  -n keeps tcpdump from doing
# name lookups, which would stall the capture and change the fields parsed below.
TRIPLINE=`tcpdump -n -c 1 -vv -i $INTERFACE -F /usr/bin/trackcon.filter`

#Field layout assumed: "time src.port > dst.port: ..." (the tcpdump output of
# the day; newer versions insert "IP" after the timestamp, shifting the fields).
INTRUDER=`echo $TRIPLINE |  cut -d " " -f 2 | cut -d "." -f 1-4`
DESTINATION=`echo $TRIPLINE | cut -d " " -f 4`
DESTINATIONIP=`echo $DESTINATION | cut -d "." -f 1,2,3,4`
DESTINATIONPORT=`echo $DESTINATION | cut -d "." -f 5 | cut -d ":" -f 1`
#Use a private temporary file rather than a fixed name in /tmp, which a local
# user could pre-create or symlink.
BODY=`mktemp /tmp/trackcon.XXXXXX` || exit 1
# nslookup $DESTINATIONIP | tail -n 3 > $BODY
echo "Server $DESTINATIONIP being accessed by $INTRUDER for services on port $DESTINATIONPORT." > $BODY
echo " " >> $BODY
echo "This is a MAJOR issue.  This means that a connection was attempted " >> $BODY
echo "from one of the internet firewalls to an internal service.  This " >> $BODY
echo "is indicative of one of two things - either a process is running on " >> $BODY
echo "the firewall system or the filters are not in place and someone is " >> $BODY
echo "attempting unauthorized access." >> $BODY
echo " " >> $BODY
echo "tcpdump tripline hit:" >> $BODY
echo $TRIPLINE >> $BODY
echo "     messages file" >> $BODY
tail /var/log/messages >> $BODY

echo Connection attempt from $INTRUDER to $DESTINATIONIP port $DESTINATIONPORT detected - Alerts go to $ALERTTO
mail -s "*** $SITE Firewall breach detected" $ALERTTO < $BODY
rm -f $BODY

date
echo "Delaying for $DELAY seconds."
sleep $DELAY

#Re-exec rather than spawn a child copy, so the process tree does not grow
# with every alert.
exec $0
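Both trackland and trackcon pull the addresses out of $TRIPLINE with fixed cut field numbers, which only line up for the tcpdump output of the day.  The following is an added example (not part of the original page or its scripts): a parser that locates the source and destination around the ">" token instead of by position, so it works on the classic "time src.port > dst.port:" layout as well as on current tcpdump output, which inserts "IP" and, with -vv, a parenthesised header before the addresses.  The function names are mine, and the sample lines are constructed for the example, not real captures.

```shell
#!/bin/sh
# Added example: parse a tcpdump summary line without fixed field numbers.
# Prints "srcip srcport dstip dstport" for the line in $1; the port is "-"
# when the address carries none (e.g. ICMP).  IPv4 and numeric output (-n)
# only: the last dot-separated component of an address is taken as the port.
parse_tripline() {
    printf '%s\n' "$1" | awk '
    {
        for (i = 2; i <= NF; i++) {
            if ($i != ">") continue
            src = $(i - 1); dst = $(i + 1)
            sub(/:$/, "", dst)          # tcpdump ends the destination with ":"
            n = split(src, s, "."); m = split(dst, d, ".")
            sp = (n > 4) ? s[n] : "-"; dp = (m > 4) ? d[m] : "-"
            printf "%s %s %s %s\n", s[1] "." s[2] "." s[3] "." s[4], sp,
                                    d[1] "." d[2] "." d[3] "." d[4], dp
            exit
        }
    }'
}

# The LAND test trackland relies on: source and destination IP addresses equal.
# Returns 0 (true) for a LAND packet, 1 otherwise.
is_land() {
    set -- $(parse_tripline "$1")
    [ $# -eq 4 ] && [ "$1" = "$3" ]
}

# Constructed sample lines (not real captures): the classic 1999 layout the
# scripts' cut commands expect, today's plain layout, and today's -vv layout.
CLASSIC='12:34:56.123456 192.0.2.10.40000 > 10.1.1.2.25: S 1:1(0) win 512 (ttl 64, id 1)'
MODERN='12:34:56.123456 IP 192.0.2.10.40000 > 10.1.1.2.25: Flags [S], seq 1, win 512, length 0'
MODERN_VV='12:34:56.123456 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 40) 198.51.100.7.139 > 198.51.100.7.139: Flags [S], seq 0, win 512, length 0'

for line in "$CLASSIC" "$MODERN" "$MODERN_VV"; do
    set -- $(parse_tripline "$line")
    if is_land "$line"; then verdict="LAND"; else verdict="ok"; fi
    echo "$1:$2 -> $3:$4  $verdict"
done
```

Dropping the fixed-position cut also removes the trailing ":" that the original DESTINATIONPORT carried, and a hostname in the output (tcpdump run without -n) would still break it, so keep -n as the scripts do.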
 

the filter (saved as /usr/bin/trackcon.filter, the file the script passes to tcpdump -F):
ip and
(
 (
  (tcp[13] & 0x10=0) and
  (not (dst port 524)) and
  (not (src port 20)) and
  (not
   ((dst port 25) and
   (dst host 10.1.1.2 or 10.1.1.3))
  )
 ) and
 (
  (not src net 10) or
  (src net 10.254) or
  (src host 10.1.1.1)
 )
)
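The filter above is easier to reason about as a predicate.  The following is an added example, not part of the original page or the BorderManager setup: trackcon.filter re-expressed as a shell function (the function name is mine) and run over a handful of constructed packets, made up for the test rather than captured, so you can see what trips it and what does not.  Two points it makes explicit: libpcap only evaluates tcp[13] on TCP packets, so UDP or ICMP from the firewall never match, and any TCP segment with ACK clear matches, so a bare RST trips the filter as well as a SYN.

```shell
#!/bin/sh
# Added example: trackcon.filter re-expressed as a shell predicate.
# trackcon_filter PROTO SRCIP SRCPORT DSTIP DSTPORT FLAGS
# returns 0 when tcpdump would report the packet (trackcon alerts), 1 otherwise.
# FLAGS are the TCP flag letters tcpdump prints (S, SA, A, R, ...); pass ""
# for a packet that is not TCP.
trackcon_filter() {
    # $1 proto  $2 source IP  $3 source port  $4 destination IP
    # $5 destination port  $6 TCP flags

    # (tcp[13] & 0x10 = 0): libpcap only tests tcp[13] on TCP packets, so
    # anything else never matches; on TCP the ACK bit must be clear.
    [ "$1" = tcp ] || return 1
    case "$6" in *A*) return 1 ;; esac

    # not (dst port 524): NCP to the BorderManager box is tolerated.
    [ "$5" != 524 ] || return 1
    # not (src port 20): active-mode FTP data connections originate on port 20.
    [ "$3" != 20 ] || return 1
    # not (dst port 25 and dst host 10.1.1.2 or 10.1.1.3): mail delivered to
    # the two internal mail servers.
    if [ "$5" = 25 ]; then
        case "$4" in 10.1.1.2|10.1.1.3) return 1 ;; esac
    fi

    # (not src net 10) or (src net 10.254) or (src host 10.1.1.1):
    # report sources outside 10/8, on the 10.254/16 firewall segment, or the
    # router at 10.1.1.1; any other 10/8 source is an internal host.
    case "$2" in
        10.254.*|10.1.1.1) return 0 ;;
        10.*)              return 1 ;;
        *)                 return 0 ;;
    esac
}

# Constructed packets (not captures): proto src sport dst dport flags
PACKETS='
tcp 192.0.2.10 40000 10.1.1.5 80 S
tcp 192.0.2.10 40000 10.1.1.2 25 S
tcp 192.0.2.10 40000 10.1.1.2 80 S
tcp 10.254.1.5 1025 10.1.1.5 524 S
tcp 10.254.1.5 1025 10.1.1.5 22 S
tcp 10.254.1.5 20 10.1.1.5 1033 S
tcp 10.1.1.7 1030 192.0.2.10 80 S
tcp 192.0.2.10 80 10.1.1.7 1030 SA
tcp 192.0.2.10 40000 10.1.1.5 80 R
tcp 10.1.1.1 1030 10.1.1.5 23 S
udp 192.0.2.53 53 10.1.1.7 1031
'
echo "$PACKETS" | while read -r proto src sport dst dport flags; do
    [ -n "$proto" ] || continue
    if trackcon_filter "$proto" "$src" "$sport" "$dst" "$dport" "$flags"; then
        echo "ALERT  $proto $src:$sport -> $dst:$dport [$flags]"
    else
        echo "ignore $proto $src:$sport -> $dst:$dport [$flags]"
    fi
done
```

Note the two 10/8 cases in the table: an inside host (10.1.1.7) opening an outbound connection is ignored because its source is in 10/8 but neither in 10.254/16 nor 10.1.1.1, whereas the router at 10.1.1.1 opening a telnet session inward is reported.  Inbound SMTP to 10.1.1.2 on port 25 is ignored, but the same source hitting 10.1.1.2 on port 80 is not.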