IP forensics
The firewall in the router on the edge of the network has the ability to block 192 objects: single addresses, address ranges, or complete networks. I use this to block a number of single addresses and one or two ranges, based on the attempts to break into the FTP or web server. Since these attempts fail because of the use of wrong username or password, these are logged in TCPIP$FTP_RUN.LOG, the WASD access logs or in the accounting file. All mention the IP address from where the access originates, so it is easy to block them: Add the address as an object, add it to a group and you’re done.
Good side-effects are that these can neiter abuse the web- or mail server anymore: It limits the amount of spam messages as well, and the number of break-in atempts on the webserver are less frequent. However, non-evil access is also blocked – but I don’t care for that: Who intentionally and repeatedly misbehaves should not be surprised to be blocked for non-evil access as well.
These additions have to be done by hand, it would be nice to automate that, preferably on a daily basis :).
So I’m now working on a set of procedures to extract data from a number of files.
Primary log is the log file of the firewall: ALL access is logged in that file, and because the port is shown, it is possible to mention what type of access it is: is it mail, ftp or web access? But it doesn’t mention the intention: is it an acceptable access, or abusive? The amount of consequetive accesses from one address could be a hint for the second, especially where it concerns file transfer or mail, but for web access, it can be very valid. A real determination can only be achieved by examining the log files for the application that handles the protocol: the PMAS logfiles for incoming mail, access logs for the web or the logfiles. Other resources are the operator log and the accounting file.
Once the output files exists, these can be concatenated and the output sorted, so I can correlate the data in the protocol-based output against the router log – which is a challenge by itself. Hopefully I have all data at hand. Luckily, all protocols are handled on the same (VMS) system, and the router get its time from there as well. It’s good to have one timebase!
The only possible drawback is that access of blocked addresses or networks is not logged by the router, so once a site has been blocked for a period, it will show up as ‘non-evil’ the next time since there has been no noted access. At least: I didn’t see such a message in the router logfile.
Today I finished procedures that convert the log files of the router, the spam filter and the webservice. They all have the same record layout. But there is one difference: where PMAS store the full date and time – including hundreds of a second – the router and web access logs show time in seconds; the router doesn’t even show the year; The latter has been handled – quite primitively, but it works. However, as ASCII sort will not produce the right order so I will have think of a way to get around that issue.
Next stop is examining accounting.dat, on LOGFAIL records (giving me output for FTP access, for instance), and the operator.log file for mail that passed the spam filter; the basics are there already, I just need to reformat the output so that it fits the other files.
I can also scan the FTP-server log file – but that is opened for write so I’m not certain I can access that file immediately. To be kept in mind…
Once that is done, the data can be loaded into a database of some sort, and it will be simple to retriever the top-100 abusers and their IP addresses: these to be loaded as objects to be blocked, and that’s it!
Or use them otherwise 🙂