Forum: Ruby on Rails Converted tattle.pl to ruby - anyone want to be a tester?

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Ian Connor (Guest)
on 2006-03-05 18:43
(Received via mailing list)
The basic idea of tattle (http://www.securiteam.com/tools/5JP0520G0Q.html) is that it will go through your /var/logs/messages to find brute force attack attempts on your machine via ssh. It then looks up the abuse records and emails the network owners about the attack.

It worked well until the log format changed a little when I updated last and it broke. So, as an exercise in learning ruby and rails, I converted it so that it now uses ruby and ActionMailer to send out the notifications.

I am looking for any volunteers that would like to test this and write the install guide. I was going to then put it up on sourceforge for the wider community under GPL.

Basic code looks like this:

require 'action_mailer'   # Notifier below builds on the Rails 1.x ActionMailer API

# SecurityHelper, Notifier and Attacker (defined below) must be loaded before this runs.
logfile = ARGV[0] || '/var/log/messages'   # log to scan; the original never set this variable

puts "open logs"
helper = SecurityHelper.new
offenders = helper.getoffenders( logfile )

offenders.each { |key, offender|
  # abuse may be nil when no contact was found; to_s keeps the concatenation from raising
  puts offender.rhost + " (" + offender.abuse.to_s + ")"

  Notifier::deliver_send_report(offender)
}

with

class SecurityHelper

  # Returns a Hash of "rhost=<ip>" token => Attacker, one entry per remote
  # host seen on sshd lines that carry an rhost= field.
  def getoffenders( logfile )
    @off = Hash.new
    File.foreach(logfile) { |line|          # foreach closes the file when done
      if( line =~ /sshd/ and line =~ /rhost/ )
        records = line.split( /\s/ )        # plain split; the trailing .collect only produced an Enumerator
        records.each { |record|
          if record['rhost']
            rhost = record.split("=")[1]
            next if rhost.nil? || rhost.empty?   # "rhost=" with no value: nothing to report
            if @off.has_key?(record)
              @off.fetch(record).lines << line
            else
              attacker = Attacker.new
              attacker.rhost = rhost
              attacker.lines << line
              @off[record] = attacker
            end
          end
        }
      end
    }
    @off
  end

end

class Notifier < ActionMailer::Base

  # Rails 1.x ActionMailer: the instance variables set here become the mail's
  # fields, and Notifier.deliver_send_report(offender) builds and sends it.
  def send_report( offender )
    # Email header info MUST be added here
    @recipients = "iconnor@projectlounge.com"
    @from = "iconnor@projectlounge.com"
    @subject = "Breach of AUP: " + offender.rhost

    # Email body substitutions go here
    @body["lines"] = offender.lines
    @body["email"] = offender.abuse
  end

end

require 'net/http'

class Attacker

  attr_accessor  :rhost, :lines

  def initialize
    @lines = []
  end

  # Looks up the abuse contact for rhost via SpamCop's reporting cache and
  # memoizes the result, so the two calls in the main loop make one request.
  def abuse
    return @abuse if defined?(@abuse)
    @abuse = nil
    Net::HTTP.start('www.spamcop.net') { |http|
      req = Net::HTTP::Get.new('/sc?action=rcache;ip=' + rhost)
      response = http.request(req)
      lins = response.body.split("<br>")
      lins.each { |lin|
        if lin['Using best contacts']
          @abuse = lin.split(" ")[3]
        end
      }
    }
    @abuse
  end

end


Copyright (C) 2006 Ian Connor - GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
02110-1301, USA.
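Added here as a worked example, not part of Ian's post or of the tattle port: a parser that recognises both the PAM "rhost=" lines the post's code keys on and the newer "Failed password ... from <ip>" lines (the format change the post mentions), groups failures by remote host, and applies an attempt threshold before any abuse-contact lookup would happen. The sample log lines, the threshold value and the IP check are constructed assumptions of this example.

```ruby
# Example: group sshd authentication failures by remote host and flag
# brute-force candidates before doing any external lookup or notification.
require 'set'
require 'ipaddr'

# Constructed sample log lines (documentation IP ranges), not a real log.
SAMPLE_LOG = <<~LOG
  Mar  5 18:40:01 host sshd[1234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
  Mar  5 18:40:02 host sshd[1234]: Failed password for root from 203.0.113.5 port 40001 ssh2
  Mar  5 18:40:03 host sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
  Mar  5 18:40:04 host sshd[1236]: Failed password for invalid user test from 198.51.100.7 port 40003 ssh2
  Mar  5 18:40:05 host sshd[1237]: Accepted publickey for alice from 192.0.2.9 port 40004 ssh2
  Mar  5 18:40:06 host cron[99]: (root) CMD (run-parts /etc/cron.hourly)
LOG

# Older PAM-style line: the remote host sits in an rhost= field.
PAM_FAILURE = /sshd\[\d+\]: pam_unix\(sshd:auth\): authentication failure;.*\brhost=(\S+)/
# Newer sshd line: "Failed password for [invalid user] <name> from <ip> port <n>".
PASSWORD_FAILURE = /sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+/

# One record per remote host: the raw lines (evidence for a report) and the
# set of user names that were tried.
Offender = Struct.new(:rhost, :lines, :users) do
  def attempts
    lines.size
  end
end

# True only if s parses as an IPv4/IPv6 address, so a value lifted from a log
# line is checked before it is ever placed in a URL path or an e-mail.
def valid_ip?(s)
  IPAddr.new(s)
  true
rescue IPAddr::InvalidAddressError, ArgumentError
  false
end

# Parse log text and return { ip => Offender }, keyed on the address itself
# rather than on the whole "rhost=..." token. Lines whose host field is not a
# syntactically valid address are skipped rather than reported.
def parse_sshd_failures(text)
  offenders = Hash.new { |h, ip| h[ip] = Offender.new(ip, [], Set.new) }
  text.each_line do |raw|
    line = raw.chomp
    if (m = PAM_FAILURE.match(line))
      next unless valid_ip?(m[1])
      offenders[m[1]].lines << line
    elsif (m = PASSWORD_FAILURE.match(line))
      next unless valid_ip?(m[2])
      o = offenders[m[2]]
      o.lines << line
      o.users << m[1]
    end
  end
  offenders
end

# Hosts with at least `threshold` failures, busiest first. The threshold
# (assumed value 3) keeps a single mistyped password from triggering a report.
def brute_force_candidates(offenders, threshold: 3)
  offenders.values.select { |o| o.attempts >= threshold }.sort_by { |o| -o.attempts }
end

if $PROGRAM_NAME == __FILE__
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOG
  brute_force_candidates(parse_sshd_failures(text)).each do |o|
    puts "#{o.rhost}: #{o.attempts} failures, users tried: #{o.users.to_a.sort.join(', ')}"
  end
end
```

Compared with the post's getoffenders, this keys on the address instead of the "rhost=203.0.113.5" token (so the same host is not split across two formats), validates the address before it is used anywhere else, and counts attempts so that only hosts above a threshold are passed on to the lookup and mailing step.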