Tag Archives | MonadLUG

Brute Force Detection (BFD) script for vsftpd

vsftpd is the “very secure file transfer protocol daemon” and a great product to use for file transfers. Unfortunately, a bunch of script kiddies and zombies run scripts guessing the 2283 most common user name and password combinations. Sometimes I’ll see several of these runs of login attempts in a single day, peaking one day at over 13 thousand bogus login attempts. I resent the amount of time, resources, bandwidth and power my server has to spend rejecting these attempts.

Last year, I blogged about the script Brute Force Detection, which works with many servers and reads their logs to ban repeated failed login attempts. Unfortunately, it did not have the settings to read vsftpd generated logs, and there were no directions simple enough for me to understand to set one up. A year passes, I read more, learn more, especially at the great Man Page of the Month sessions at MonadLUG, and I find a couple of hours to hack at this, motivated by yet another log report filled with vsftpd login attempts. Here’s what I did:

BFD uses rule files that are portions of shell script customized for the particular log to read, the messages to look for, and the positions in the line at which the IP address of the offending attacker can be found. When each rule file in turn is read into the main BFD script, it becomes part of a set of commands that slices and dices the log, finds the (adjustable) number of excessive attempts, and issues the commands to ban attempts from that IP address. The trick is figuring out what commands you need to implement to return the stream of IP addresses in the correct format. Here’s an example, the proftpd rule file that ships with BFD:

# proftpd rule file as shipped with BFD. $TLOGP and $PATTERN_FILE are
# supplied by the main BFD script that sources this file.
REQ="/usr/sbin/proftpd"          # required binary: the rule only runs if it exists
if [ -f "$REQ" ]; then
    LP="/var/log/secure"         # log file to read
    TLOG_TF="proftpd"            # tag handed to $TLOGP, BFD's log reader
    TRIG="15"                    # attempts from one address before a ban

    ## PROFTP
    ARG_VAL=`$TLOGP $LP $TLOG_TF | grep -w proftpd | grep -iwf $PATTERN_FILE | tr '[]' ' ' | tr -d '()' | awk '{print$10" "$13}' | tr -d ':' | awk '{print$1":"$2}' | grep -E '[0-9]+'`
fi

Boy, is that inscrutable! Here’s a quick tour: REQ is the required file (the binary that runs proftpd), so the rule only runs if that file exists (“fi” is the shell’s way of closing an “if” block – cute!). The other variables feed the main processing line, the one that sets ARG_VAL. That line runs the log (named in LP) through a series of pipes that filter the result down to the items that need to be processed. grep (Global Regular Expression Print) passes only the lines matching a pattern on to the next command in the pipe. tr translates characters from one set to another, or with -d deletes them. awk is a small text processing language, really handy for tricks like printing the tenth and thirteenth words of a line.

Here’s the trick to working this out: take a log file you know contains your suspect violations, use cat to feed it into the beginning of the pipe described above, and add the stages of the pipe one at a time to see what each does and what the final result looks like. In this case the result is a stream of IP addresses and login names, one per line, something like:

192.168.1.1:fred
192.168.1.1:fred
192.168.1.1:fred
192.168.1.1:fred
192.168.1.1:barney
192.168.1.1:charlie
192.168.1.1:dave
192.168.1.1:eric

This is what gets fed back to BFD. It then counts the number of attempts per address, compares that against the TRIG value set above, and if the count exceeds the trigger level, executes the command (set in BFD’s configuration file, conf.bfd) to ban the offending attacker. (It can also send an email to the admin, a good idea to ensure you’ve got things set up properly.)

Now, your installation of vsftpd may be a little different from mine: your logs may have different names and columns in different orders, so use this rule only after testing that it works properly with your configuration. Best of luck with it. Here’s my implementation of a rule file to detect vsftpd script kiddie attacks:

# vsftpd rule file, modelled on the proftpd one above. $TLOGP and
# $PATTERN_FILE are supplied by the main BFD script.
REQ="/usr/sbin/vsftpd"           # required binary: the rule only runs if it exists
if [ -f "$REQ" ]; then
    LP="/var/log/messages"       # vsftpd's PAM failures land in the syslog messages file here
    TLOG_TF="vsftpd"             # tag handed to $TLOGP, BFD's log reader
    TRIG="15"                    # attempts from one address before a ban

    ## VSFTPD
    ARG_VAL=`$TLOGP $LP $TLOG_TF | grep -w vsftpd | grep -i rhost | grep -iwf $PATTERN_FILE | awk '{print $13":"$12}'| tr -d '[]()?@'| cut -d = -f 2,4 | grep -E '[0-9]+'`
fi

The cut command is a new one here: like awk it lets you pick particular columns out of a line, but it also lets you specify the delimiter that separates the columns. Here I use cut with = as the delimiter to keep only the second half of two columns formatted as “rhost=192.168.1.1” and “ruser=badguy@badplace.com”, that is, the values after the equals signs. Note that cut joins the fields it keeps with that same delimiter unless you pass --output-delimiter, and that the column numbers in awk assume the layout of the log line on the server in question, so check the output of the whole pipe against the IP:user shape shown above before turning the rule loose.
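To make the “build the pipe one stage at a time” approach above concrete, here is an added example, not part of the post and not BFD’s own code: a stand-alone shell script that runs the same kind of rule-file pipeline over a few constructed vsftpd log lines, then does BFD’s counting-and-threshold step and prints the ban command. The log line layout (vsftpd authenticating through pam_unix, logged by syslog), the TRIG value of 3, the iptables command and the addresses are all assumptions for the demonstration; compare the sample lines with a real failure from your own /var/log/messages before trusting the field names. It goes one step beyond the rule file on the page by picking ruser and rhost out by name rather than by column number, so a reordered or extra column does not silently produce garbage.

```shell
#!/bin/sh
# Added example, not part of the post or of BFD itself: a stand-alone,
# testable version of what a rule file's ARG_VAL pipeline plus BFD's
# counting step do.  The log line layout below is an ASSUMPTION (vsftpd
# authenticating through pam_unix, logged by syslog); compare it with a
# real failure line from your own /var/log/messages before reusing it.

TRIG=3    # attempts per source address that trigger a ban (BFD rules use 15)

# Constructed sample log, not captured from a real server.  Addresses are
# from the documentation ranges.  A mix of vsftpd failures, one vsftpd
# success and one sshd failure, so the filters have something to reject.
SAMPLE_LOG='Jun 14 10:01:02 ftp vsftpd(pam_unix)[4242]: authentication failure; logname= uid=0 euid=0 tty=ftp ruser=fred rhost=192.0.2.10
Jun 14 10:01:03 ftp vsftpd(pam_unix)[4242]: authentication failure; logname= uid=0 euid=0 tty=ftp ruser=fred rhost=192.0.2.10
Jun 14 10:01:04 ftp vsftpd(pam_unix)[4243]: authentication failure; logname= uid=0 euid=0 tty=ftp ruser=barney rhost=192.0.2.10
Jun 14 10:01:05 ftp vsftpd(pam_unix)[4244]: authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=198.51.100.7
Jun 14 10:02:00 ftp vsftpd(pam_unix)[4245]: session opened for user ted by (uid=0)
Jun 14 10:02:30 ftp sshd(pam_unix)[4250]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9
Jun 14 10:03:00 ftp vsftpd(pam_unix)[4246]: authentication failure; logname= uid=0 euid=0 tty=ftp ruser=charlie rhost=192.0.2.10'

# Stage 1, the rule-file part: reduce the log on stdin to "IP:user" lines.
# Rather than trusting ruser/rhost to sit in columns 12 and 13, awk walks
# every field and picks the two out by name.
extract_attempts() {
    grep -w vsftpd \
    | grep -i 'authentication failure' \
    | grep -i rhost \
    | awk '{
        ip = ""; user = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^rhost=/) ip = substr($i, 7)
            else if ($i ~ /^ruser=/) user = substr($i, 7)
        }
        if (ip != "") print ip ":" user
    }'
}

# Stage 2, BFD's part: count attempts per source address and print the
# addresses that reach TRIG, one per line.
offenders() {
    extract_attempts \
    | cut -d: -f1 \
    | sort | uniq -c \
    | awk -v trig="$TRIG" '$1 >= trig { print $2 }'
}

# Stage 3: the ban command.  BFD takes its real command from conf.bfd;
# this only prints an iptables DROP rule (an assumed command) so you can
# eyeball the result before letting anything touch the firewall.
ban_commands() {
    offenders | while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# Try it on the sample.  With a real log: cat /var/log/messages | ban_commands
printf '%s\n' "$SAMPLE_LOG" | extract_attempts
printf '%s\n' "$SAMPLE_LOG" | ban_commands
```

Run it as is and the first command prints five IP:user lines (the sshd line and the successful vsftpd login are filtered out); the second prints one DROP rule for 192.0.2.10, the only address with at least TRIG failures. Swap the sample for cat of a real log and raise TRIG back to something like 15 before using it for anything but a look.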

MonadLUG meeting notes, 14-June-2007: Ed Haynes of WindRiver: real-time and Linux

Bill Sconce posted the notes from the MonadLUG meeting of 14-June-2007, one I had to miss due to client projects. It sounds like it was a really interesting meeting. The push to tweak the Linux kernel to be responsive in a real-time environment benefits us all, as some portions of that specialized work can be rolled into the mainline kernel code. This is one of the great benefits of Open Source, where developers “scratching their itch” – working on their specific needs – can contribute back to the greater community at little or no cost to them.

I heard a similar sentiment voiced at FUDCon ’07 Boston in presentations about the One Laptop Per Child machines: in tracking down the code that was running down the batteries on these cute little laptops, the OLPC crowd found entire classes of code that worked fine on desktop and server machines plugged into the wall but wasted CPU cycles when a different, more power-friendly algorithm could be implemented instead. This doesn’t just benefit the OLPC crowd; some of their work goes back into mainline kernels, where it makes everyone’s laptop battery last longer and server stacks idle cooler, requiring less AC power and less air conditioning, lowering the heat dissipation requirements of data centers, and slowing global warming. Yet another case of Open Source saving the world.

MonadLUG, 14-June-2007: Ed Haynes: Real-time in Linux

MonadLUG is fortunate this month to have Ed Haynes of Wind River make a presentation on Real-time processing in Linux. Group coordinator Charlie Farinella posts the announcement:

Who: Ed Haynes, Wind River
What: Real-Time
Date: Thursday June 14, 2007
Time: 7:00PM
Where: SAU 1 office, 106 Hancock Rd., Peterborough
http://wiki.gnhlug.org/twiki2/bin/view/Www/MonadLUG

Linux is finding itself used in more applications that can be characterized as “Real Time”. What is a Real-Time system? What impact does it have on the Linux OS, and how has Linux evolved to better meet real-time challenges? What’s the difference between “soft” and “hard” real-time? A live demonstration will be held to characterize the performance of different Linux kernels.

Presenting will be Ed Haynes from Wind River. Ed currently serves as a technical resource for the New England Wind River region. He has 10 years experience as a software developer on embedded realtime systems and also led IPv6 development at Nortel.

Sounds like a good meeting!

MonadLUG notes, 10-May-2007, dd and Seth Cohn, Drupal

Ten attendees made it to the May meeting of the Monadnock Valley Linux User Group, held as usual on the second Thursday of the month at the School Administrative Unit #1 offices, Hancock Road, Peterborough.

Bill Freeman presented his thoughts on the Man Page of the Month: dd. Bill provided two pages of notes. Quite the discussion followed on the obscure and useful things dd can do, such as preserve floppy disk images for posterity, copy music CDs to images for subsequent loopback mounting and playing, copy and restore boot block records, and of course read and write tapes.

Seth Cohn was the featured speaker of the night and spoke on Drupal, the content management system. Seth showed screenshots of a surprising number and variety of sites that are running on Drupal, presented a bit of Drupal history – it seems it’s been around for a long time and has had a fairly stable history – and its current state, with fairly large and active communities of developers and implementors. He covered a bit of the architecture and philosophy of Drupal’s modular design and did the fairly painless install and initial configuration. 9 PM came too soon, as there was lots more to see.

Thanks to Seth for the presentation, to Bill for the MPoM, to Charlie for organizing the meeting and to all for attending and participating.

MonadLUG, 10-May-2007: Seth Cohn presents Drupal

The monthly meeting of the Monadnock region Linux User Group takes place as usual on the second Thursday of the month at the SAU #1 offices in Peterborough. Details and directions here.

Seth Cohn will be presenting Drupal, http://www.drupal.org. I’m looking forward to it. The LUGs have been privileged to see a couple of presentations on CMSes: Jonathan Linowes presented Xaraya, and Barrie North Joomla! It’s great that there are so many great choices!

MonadLUG notes, 8-Mar-2007: tac and “Pitch Your Distro”

The second Thursday of the month is the usual meeting of the Monadnock Area Linux User Group, MonadLUG, at the SAU #1 offices on Hancock Road in Peterborough. This month, Ray Côté ran a discussion on “Pitch Your Distro” and Bill Sconce took on the “Man Page of the Month” on the command tac.

You wouldn’t think you could make much of a presentation on tac, but that would be underestimating Bill Sconce 😉 Here’s the short form: tac is cat backwards. Longer form: tac concatenates files but reverses the line ordering of the result, so you get the last line first. There are only a couple of switches, -s to specify a separator other than newline and -r to treat that separator as a regular expression. Using this simple tool, Bill was able to present a wicked example that reversed not only line order but character order, which led to a discussion about the use of regular expressions, piping, precedence, quoting and backticks. A good time was had by all.

The main discussion was a let’s-go-around-the-room discussion of what distros are in use and why and for what. With nine people present (and one of them a non-combatant), how many distros would you expect? We heard about: Debian, Slackware, OpenBSD, OS X, Fedora, RedHat, CentOS, SuSE, Mandrake, Ubuntu, Xubuntu, more RedHat, Knoppix, Gentoo, Libranet and some Knoppix war stories. Many aspects of the different distros were discussed: cost, support, lifespan, the difficulties of sound cards, and more.

Many thanks to Ray for running the meeting, Bill for tac and bringing a projector, and all for participating.

Next month’s meeting (April 12th) will have Seth Cohn presenting Drupal. Hope to see you there!

MonadLUG notes: 8-Feb-2007: uniq and Joomla!

Charlie Farinella called the meeting to order promptly at 7 PM and cracked his whip to stick to his streamlined agenda. Brief announcements (“find GNHLUG events on www.gnhlug.org”) were followed by Ray Côté’s presentation of uniq. Ray explained the function and then introduced an increasingly complex set of examples, one building on another to show how uniq could remove duplicate lines from a sorted file, display various counts of duplicates and so forth.

Guy Pardoe was the main presenter. After the requisite wrestling with the projector, Guy talked about Joomla! Guy had hoped to be showing version 1.5, but it is still in early beta (beta 1, with beta 2 due real soon now), so he didn’t feel it was ready to talk about for production sites. Guy explained that when he volunteered for the presentation he thought 1.5 would be available, and promised to return when it was and he had some experience using it for production work. He briefly reviewed Barrie North’s presentation from DLSLUG last year (registration required) (and our notes from that meeting). Guy then showed us the Joomla! 1.5 install (correction: not 1.0) he had done that day, highlighting the basic features of the CMS and the ease of use of the administrative interface. It appeared to be a very open and accessible system. Templates and CSS files could be edited from within the interface, and they appeared to be XHTML and CSS2 compliant.

A general Q&A followed, with general concerns about the security of the core framework, concern about the timeliness of the 1.5 release, and a general discussion of what the CMS could do and what its target market was.

After the main presentation, the floor was opened up for general discussion. Maddog announced that he and Bill Sconce had met with faculty at the New Hampshire Technical Institute and that a plan to hold a series of MythTV Installfests was proposed (see the -org list for details).

Answering another question that has come up on the discussion list, I came across this post while I was looking for Barrie’s presentation. While he is advocating for Joomla!, of course, he may be pointing out that WordPress would meet some people’s needs as well.

Why you want to use Joomla! instead of WordPress

Thirteen attendees were at the meeting. Thanks to Charlie for running the meeting, Ray and Guy for presenting, Ken and the Monadnock SAU for providing the facilities, and to maddog and all attendees for participating!

MonadLUG meets tomorrow night: Joomla! and uniq

MonadLUG meets tomorrow night, 7 PM at the SAU1 offices in Peterborough (directions here). The Man Page of the Month will be uniq, presented by Raymond Cote. The MPOMs have been very successful: one volunteer takes a few minutes to talk about a single command. Nearly all of the presenters have included a double-sided handout with a command reference and some illustrative real-world examples. It gives attendees a chance to share their experiences and observations, and I never fail to hear “I didn’t know it could do THAT.”

The main presentation will be on Joomla! by Guy Pardoe. Joomla! is a content management system based on LAMP and fairly easy to install, configure and maintain. An active developer base, support forum and a huge user manual make basic operations pretty approachable. I’ll be interested in hearing Guy’s insights.

TrixBox 2.0 Beta released

LXer reports trixbox 2.0 released. “Trixbox 2.0 beta will be available for download on Wednesday. This release will be Fonality's first big contribution to the trixbox/Asterisk community after the recent Fonality acquisition of trixbox, which certainly caused a stir within the Asterisk community. I spoke with Chris Lyman, CEO of Fonality, to find out more about this major new release of trixbox.”

I saw TrixBox 1.0 demoed at MonadLUG in June by Tim Lind and it was an impressive piece of software. Looking forward to seeing what improvements are available in the 2.0 version. Tim's doing an Asterisk presentation in December at CentraLUG; perhaps he'll show off 2.0 there.

Printing a man page

As I'll eventually get tagged to present a “Man Page of the Month” at the MonadLUG meetings, I thought I'd study a bit in advance when I found one I needed. 'top' seemed like a good candidate. But the man page is extensive, exhaustive, cross-referenced and difficult to read. So, I thought I'd print it out to scratch some notes in the margin and see if I could boil it down to a simple one-page quick reference. But how to print a man page? Well, you Google it, of course. The answer I found gave me the links I needed, even though their page neglected to display the key pipe symbols. Here's the trick:

zcat is equivalent to gunzip -c: it decompresses the .gz file the man page is stored in and writes the result to standard output. groff -man -Tps formats that text using the 'man' macro package and outputs PostScript (-Tps). Open the .ps file with the viewer of your choice, and print it, convert it to PDF or whatever. So the entire command is:

zcat /usr/share/man/man1/top.1.gz | groff -man -Tps > top.ps

Most man implementations can do the same in one step with man -t top > top.ps, which finds the page and runs groff for you.


This work by Ted Roche is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 United States.