10. Logs Scanning and Automatic IP Blocking

Scanning log files for intrusion attempts can help secure a system against attack --- but there is an awful lot to scan. There are many utilities which automatically scan log files and email reports to an administrator. We look at Log Watch, Log Check and Swatch.

A study of log files can lead an administrator to add rules to TCP Wrappers (or Xinetd) or to a host's packet filter designed to block a rogue host. But such actions occur after the event, leaving a significant window in which a system might be compromised. Utilities exist which monitor portscans and other signs of foul play in real time, including logged events, and automatically block access to/from these hosts. We look at Portsentry, psad and IPTrap.

10.1. Portsentry

About

Portsentry is developed by Psionic and can be freely downloaded from their web site. The following paragraphs are from the Psionic web site:

PortSentry is a program designed to detect and respond to port scans against a target host in real-time. The 2.0 version of the software offers extensive stealth scan detection for most Unix platforms. The 1.1 version supports the "classic" PortSentry detection modes that are no longer available in the 2.0 version of the software.

Portsentry can be configured to work with TCP Wrappers (or xinetd) and most packet filters to automatically block hosts (see Configuration, below).

Installation and Configuration

The portsentry configuration files can likely be found in /etc/portsentry. The daemon should be started each time the system is booted, so a /etc/init.d/portsentry file should be created and links made to the pertinent /etc/rc?.d/.

With RedHat 7.1, the RPM installs a startup (init.d) script and suitable links, as above, but the daemon needs to be started manually the first time:
   /etc/init.d/portsentry start
The KILL_ROUTE variable in the configuration file defines what happens when a host is to be blocked (PortSentry substitutes the offending host's address for $TARGET$), e.g.,

    KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"

10.2. IPTrap

This utility is similar to PortSentry: it automatically blocks offending IPs by adding a rule to ipchains/iptables.

Further details can be found from the web site, which describes IPTrap thus:

IPTrap listens to several TCP ports to simulate fake services (X11, Netbios, DNS, etc). When a remote client connects to one of these ports, his IP address gets immediately firewalled and an alert is logged. It runs with iptables and ipchains, but any external script can also be launched. IPv6 is supported.

10.3. psad

This utility is analogous to LogCheck: psad looks at information in log files written by ipchains/iptables and from this determines if the system is under attack. Warnings can be emailed to the system administrator.

Further details can be found from the web site.
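As an added example (not part of this survey, nor psad's or PortSentry's own code), the following Python scans constructed iptables log lines for a source that probes many distinct ports within a short window, which is the kind of analysis psad performs, and then expands the page's KILL_ROUTE template for that source the way PortSentry substitutes $TARGET$, refusing anything that is not a bare IP address. The sample lines, the year 2004 (syslog lines carry no year) and the thresholds are assumptions.

```python
import ipaddress
import re
import shlex
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines from an iptables LOG rule (not captured traffic).
SAMPLE_LOG = """\
Nov 10 09:49:01 host kernel: IN=eth0 OUT= SRC=192.0.2.7 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=22 SYN
Nov 10 09:49:02 host kernel: IN=eth0 OUT= SRC=192.0.2.7 DST=198.51.100.2 PROTO=TCP SPT=40002 DPT=23 SYN
Nov 10 09:49:02 host kernel: IN=eth0 OUT= SRC=192.0.2.7 DST=198.51.100.2 PROTO=TCP SPT=40003 DPT=25 SYN
Nov 10 09:49:03 host kernel: IN=eth0 OUT= SRC=192.0.2.7 DST=198.51.100.2 PROTO=TCP SPT=40004 DPT=80 SYN
Nov 10 09:49:03 host kernel: IN=eth0 OUT= SRC=192.0.2.7 DST=198.51.100.2 PROTO=TCP SPT=40005 DPT=110 SYN
Nov 10 09:52:10 host kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=22 SYN
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*SRC=(\S+) .*DPT=(\d+)")

def find_scanners(log_text, min_ports=5, window_seconds=60, year=2004):
    """Map each source that hit >= min_ports distinct ports within one window to those ports."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # lines without SRC/DPT (e.g. ICMP) are ignored here
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        hits[m.group(2)].append((ts, int(m.group(3))))
    scanners = {}
    for src, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window over this source's events
            ports = {p for t, p in events[i:] if (t - start).total_seconds() <= window_seconds}
            if len(ports) >= min_ports:
                scanners[src] = sorted(ports)
                break
    return scanners

KILL_ROUTE = "/sbin/iptables -I INPUT -s $TARGET$ -j DROP"  # the page's PortSentry setting

def block_command(target, template=KILL_ROUTE):
    """Expand $TARGET$ as PortSentry does, refusing anything that is not a bare IP address."""
    ipaddress.ip_address(target)  # ValueError for hostnames or shell metacharacters
    return shlex.split(template.replace("$TARGET$", target))

if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(src, "probed", ports, "->", " ".join(block_command(src)))
```

The returned argument list is meant for subprocess.run without a shell, so the address can never be interpreted as shell syntax.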

10.4. Logwatch

From the Web site: Logwatch is a customizable log analysis system. Logwatch parses through your system's logs for a given period of time and creates a report analyzing areas that you specify, in as much detail as you require. These are emailed to the system administrator. Logwatch is installed as standard as part of RedHat 7.2 where it lives in /etc/log.d.

10.5. LogSentry (formerly LogCheck)

About

LogSentry is developed by Psionic and can be freely downloaded from their web site. From there: LogSentry (formerly Logcheck) automatically monitors your system logs and mails security violations to you on a periodic basis. It is based on a program that ships with the TIS Gauntlet firewall but has been improved upon in many ways to make it work nicely for normal system auditing.

LogSentry helps in processing UNIX system logfiles generated by: Psionic's PortSentry and HostSentry; system daemons; Wietse Venema's TCP Wrapper and Log Daemon packages.

The latest version of LogSentry (version 1.1.1) is covered by the GNU license.

Installation and Configuration

The LogCheck configuration files can likely be found in /etc/logcheck.

LogCheck should be run regularly, e.g., hourly. With RedHat 7.1, the RPM installs a cron script (into /etc/cron.hourly) so this is set up for you.

10.6. swatch

swatch is a utility which can be used to watch any log file. swatch is started like this:
  swatch -c /home/simonh/swatch.rc.apache -t /var/log/httpd/access.log
for example. In this case swatch is monitoring one of Apache's log files. The configuration (.rc) file tells swatch what to look for, for example:
   watchfor /<regexp>/
       mail addresses=simonh@umist.ac.uk,
       subject=apache_attack_alert,when=7-1:1-24
which tells swatch to look for the given regular expression on Saturday or Sunday, all day, and if found to email simonh.
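The when= clause above, worked through as an added example in Python (not swatch's own code): it evaluates swatch-style days:hours ranges, including the wrap-around in 7-1, and reports what the rule would mail for a constructed Apache access-log line. The day numbering (1=Sunday to 7=Saturday) and hours 1-24 follow the page's reading of the example and are assumed; the regular expression is a stand-in for the page's /<regexp>/ placeholder.

```python
import re
from datetime import datetime

# Constructed stand-in for the page's /<regexp>/ placeholder (assumed, not the author's pattern).
ATTACK_RE = re.compile(r"/etc/passwd|\.\./\.\./|cmd\.exe", re.IGNORECASE)

def in_range(value, spec, maximum):
    """swatch-style 'a-b' range, inclusive; a > b wraps around, so '7-1' with maximum 7 is {7, 1}."""
    if "-" not in spec:
        return value == int(spec)
    a, b = (int(x) for x in spec.split("-", 1))
    if a <= b:
        return a <= value <= b
    return a <= value <= maximum or 1 <= value <= b

def when_matches(spec, now):
    """Evaluate a swatch when=days:hours clause; 1=Sunday..7=Saturday, hours 1..24 (assumed)."""
    days, hours = spec.split(":")
    day = (now.weekday() + 1) % 7 + 1  # Python weekday(): Monday=0, so Sunday -> 1, Saturday -> 7
    return in_range(day, days, 7) and in_range(now.hour + 1, hours, 24)

def alert_for(line, now, pattern=ATTACK_RE, when="7-1:1-24",
              addresses="simonh@umist.ac.uk", subject="apache_attack_alert"):
    """Return the (addresses, subject) swatch would mail for this log line, or None."""
    if pattern.search(line) and when_matches(when, now):
        return (addresses, subject)
    return None

# Constructed Apache access-log lines (documentation addresses, not real requests).
SAMPLE_ACCESS = [
    '203.0.113.5 - - [13/Nov/2004:10:02:11 +0000] "GET /cgi-bin/../../etc/passwd HTTP/1.0" 404 -',
    '198.51.100.8 - - [13/Nov/2004:10:02:12 +0000] "GET /index.html HTTP/1.0" 200 1842',
]

if __name__ == "__main__":
    saturday = datetime(2004, 11, 13, 10, 2)  # swatch checks the clock when the line arrives
    for line in SAMPLE_ACCESS:
        print(alert_for(line, saturday))
```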

For further details see the web site; see also Paranoid Penguin, Linux Journal, August 2001.

About this document:

Produced from the SGML: /home/isd/public_html/_unix_security/_reml_grp/unix_security_survey.reml
On: 10/11/2004 at 9:49:32
Options: reml2 -i noindex -l long -o html -p multiple