The basic idea of tattle is that it will go through your /var/logs/messages to find brute force attack attempts on your machine via ssh. It then looks up the abuse records and emails the network owners about the attack.

It worked well until the log format changed a little when I updated last and it broke. So, as an exercise in learning ruby and rails, I converted it so that it now uses ruby and ActionMailer to send out the notifications.

I am looking for any volunteers that would like to test this and write the install guide. I was going to then put it up on sourceforge for the wider community under GPL.
Basic code looks like this:

    require 'net/http'
    require 'action_mailer'   # Rails 1.x-era ActionMailer API (recipients/from/subject/body ivars)

    # SecurityHelper, Notifier and Attacker are defined below ("with ...");
    # they must be loaded before this driver code runs.
    logfile = ARGV[0] || "/var/log/messages"   # log to scan; not set in the original snippet
    puts "open logs"
    helper = SecurityHelper.new
    offenders = helper.getoffenders(logfile)
    offenders.each { |key, offender|
      # string interpolation copes with a nil abuse contact (lookup failed)
      puts "#{offender.rhost} (#{offender.abuse})"
      Notifier.deliver_send_report(offender)
    }

with

    class SecurityHelper
      # Returns a Hash keyed by the "rhost=<ip>" token, one Attacker per source,
      # built from every sshd line that carries an rhost= field.
      def getoffenders(logfile)
        @off = Hash.new
        File.foreach(logfile) { |line|      # foreach closes the file when done
          if line =~ /sshd/ and line =~ /rhost/
            records = line.split(/\s/)
            records.each { |record|
              if record['rhost']
                if @off.has_key?(record)
                  @off.fetch(record).lines << line
                else
                  attacker = Attacker.new
                  attacker.rhost = record.split("=")[1]
                  attacker.lines << line
                  @off[record] = attacker
                end
              end
            }
          end
        }
        @off
      end
    end

    class Notifier < ActionMailer::Base
      def send_report(offender)
        # Email header info MUST be added here
        @recipients = "[email protected]"
        @from = "[email protected]"
        @subject = "Breach of AUP: " + offender.rhost
        # Email body substitutions go here (rendered by the send_report template)
        @body["lines"] = offender.lines
        @body["email"] = offender.abuse
      end
    end

    class Attacker
      require 'net/http'
      attr_accessor :rhost, :lines

      def initialize
        @lines = []
      end

      # Looks up the abuse contact for rhost in SpamCop's reporting cache.
      # Memoised so the HTTP request is made once, not on every call.
      def abuse
        return @abuse if @abuse
        Net::HTTP.start('www.spamcop.net') { |http|
          req = Net::HTTP::Get.new('/sc?action=rcache;ip=' + rhost)
          response = http.request(req)
          lins = response.body.split("\n")
          lins.each { |lin|
            if lin['Using best contacts']
              @abuse = lin.split(" ")[3]
            end
          }
        }
        @abuse
      end
    end
Copyright (C) 2006 Ian C. - GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
02110-1301, USA.
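The post's parser keys on the literal rhost= token and broke when the log format shifted. As an added example (not part of the tattle code above), here is a parser that recognises both the PAM "rhost=" form and OpenSSH's "Failed password ... from <ip>" form, counts failures per source and reports only sources over a threshold; the log lines and the threshold are constructed for the example.

```ruby
# Added example, not from the original tattle post: tolerant sshd failure
# parsing for /var/log/messages-style lines. Sample lines are constructed.
SAMPLE_LOG = <<~LOG
  Mar  4 10:01:12 host sshd[2211]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
  Mar  4 10:01:14 host sshd[2211]: Failed password for root from 203.0.113.5 port 51234 ssh2
  Mar  4 10:01:16 host sshd[2215]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
  Mar  4 10:02:01 host sshd[2220]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
  Mar  4 10:03:30 host sshd[2230]: Failed password for invalid user test from 192.0.2.9 port 60000 ssh2
  Mar  4 10:04:00 host cron[400]: (root) CMD (run-parts /etc/cron.hourly)
LOG

# Two log shapes for the same event; add a pattern here rather than
# breaking when the format changes again.
PATTERNS = [
  /sshd\[\d+\]:.*\brhost=(?<ip>[0-9a-fA-F.:]+)/,                          # PAM form
  /sshd\[\d+\]: Failed password for .* from (?<ip>[0-9a-fA-F.:]+) port/  # OpenSSH form
].freeze

# Returns {source_ip => [matching log lines]} for every sshd failure line.
def collect_failures(log_text)
  log_text.each_line.with_object(Hash.new { |h, k| h[k] = [] }) do |line, acc|
    PATTERNS.each do |re|
      if (m = re.match(line))
        acc[m[:ip]] << line.chomp
        break # count each log line at most once even if both patterns match
      end
    end
  end
end

# Only sources with at least `threshold` failures are worth reporting
# (the original script reports every source with a single rhost= line).
def offenders(log_text, threshold: 3)
  collect_failures(log_text).select { |_ip, lines| lines.size >= threshold }
end

if $PROGRAM_NAME == __FILE__
  offenders(SAMPLE_LOG).each { |ip, lines| puts "#{ip}: #{lines.size} failures" }
end
```

The accepted-login and cron lines are ignored, so only 203.0.113.5 (three failures) crosses the threshold while 192.0.2.9 (one failure) does not.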