New signature: unrelated traffic from iptables
Hi,
I couldn’t find anything in the issue tracker or any notes in the source – hope that I haven’t missed anything.
I was wondering how you’d go about manually adding an IP to the list of offenders. In my case I have a log rule in the INPUT chain before a drop-all rule in iptables, and I’d like to add the IPs that get logged to the list of offenders. It could be something as simple as tailing the log file, extracting IPs and calling something like sshguard --add-offender 1.2.3.4. Is this something that is possible with sshguard?
I imagine a better way to go about it would be to add an attack parser for iptables logs; is this correct?
Thanks in advance!
/Rune
Comments (9)
reporter: My, you’re fast!

There’s support for a --log-prefix in iptables that will prepend a string to the logs. With --log-prefix='998_block_unrelated_traffic ' (note the trailing space) a log entry will look something like this for TCP traffic:

Dec 03 18:57:32 some.host.example.org kernel: 998_block_unrelated_traffic IN=br0 OUT= PHYSIN=enp5s0f0 MAC=aa:bb:cc:dd:dc:12:00:10:db:ff:cc:dd:ee:ff SRC=1.2.3.4 DST=8.7.6.5 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=44949 DPT=3000 WINDOW=65535 RES=0x00 SYN URGP=0

I figure --log-prefix could be used to easily filter log entries that you’d want to be picked up by SSHGuard.
It’s easy to find me during the day
That looks pretty simple to add as a signature, especially with the ‘--log-prefix’. I wouldn’t enable this rule by default, but it would be something configurable, once we figure out how to do that (see #80, #105).
It would be more straightforward to add it as a signature, than to add addresses to a running SSHGuard. If you’d like, I can help take a look at adding this rule for you in a little bit.
reporter: Yes, I figured that adding a signature would be easier; though I imagine having the ability to add addresses ad hoc would open up a lot of possibilities. At the very least it’d make it possible to easily add a new filter without having to be proficient in yacc.
I’d love to take a stab at adding a signature, so I think I’ll try to find some time for doing that, and I might just take you up on the offer to help.
Until I get a chance to take a look, the files you’ll want to change are src/parser/attack_scanner.l and src/parser/attack_parser.y. You’ll add tokens for strings you want to match at the top of attack_parser.y, add regexps for those tokens in attack_scanner.l, and then hook into grammar rules for your attack (e.g. “TOKEN1 addr TOKEN2”) in the msg_single grammar rule in attack_parser.y.
reporter: Thank you for the pointers – it’s been quite a while since I’ve toyed with lex and yacc, so it’s much appreciated. I don’t think I’ll be able to find some time for it in the coming weeks, not with Christmas and holidays coming up, but I’ll give it a try.
I’ve expanded these pointers a bit in https://bitbucket.org/sshguard/sshguard/src/master/CONTRIBUTING.rst#rst-header-add-new-signatures.
- changed title to New signature: unrelated traffic from iptables
- changed component to parser
- changed status to open
You didn’t miss anything; currently, you can’t add offenders to a running SSHGuard. I was working on something that would let you do this, but there wasn’t a lot of interest before.
Yes, if you want to scan iptables logs, you’d write an attack parser for iptables logs. What do they look like?