[Image] Home What's New Abacus Project Papers
Downloads Links Profile
Places to go Psionic HostSentry 0.02 ALPHA
Abacus
Project Host based login anomaly detection and response tool
Security
Papers
News and
Announcements Important Notice:
Who am I?
Mail Lists This is ALPHA GRADE software. While I feel the software is
stable and will not cause problems on any host it is run you
Related Links need to be aware of some issues:
Logcheck
PortSentry * Some signature modules are incomplete and may be buggy
Common in that they might miss/false alarm in certain
Attacks instances.
Mailing List * This software has only been tested on small scale
systems by myself. I, therefore, have no idea how large
the database will grow on a busy system, although I
suspect this won't be a problem.
* YOU NEED TO READ THE DOCS, AND I MEAN YOU NEED TO READ
ALL OF THE DOCS. Don't install security software of any
type before you understand how and how not to use it. I
go to great lengths to make informative and detailed
documents, do yourself a big favor and take the time to
read them.
* If you get a Python traceback or other odd error
message please send it in to me for analysis. Please
detail what caused the traceback and your system specs.
Without this information it makes getting a fix much
harder.
* Realize the program may cause many false alarms the
first few days as the database fills with active users.
This is normal and you shouldn't panic. It should
settle down once user entries have stabilized.
Requirements
HostSentry has been only tested on Linux and OpenBSD. The
only requirement for HostSentry is the installation of the
Python programming language. Read the install document as
you must re-compile Python to activate the syslog extension
module.
Download
Since many of you don't want to read the web page (but you
should read all the docs), here are the download links:
* HostSentry software is here
* HostSentry PGP signature is here
* My PGP key is here
* The disclaimer is here
Also check out PortSentry and Logcheck as you probably want
to use them too.
Lastly you should probably join one of the mailing lists
that have been setup to keep up to date on new happenings.
It's late at night, do you know what your users are doing?
Location: Anywhere in the world.
Date: Tuesday Evening 23:30 hours.
Home Office: Your Unix system is sitting idle when a
connection request comes in to the telnet port. A login
prompt is presented to the guest and it waits patiently for
the account information to be entered. An account for one of
your remote sales managers is entered and access is granted
to the system. This user, who has never logged in before,
would normally have no idea how to use Unix and certainly
has no business on the system this late at night. Too bad
nobody is watching.
Date: Tuesday Morning 09:00 hours.
Generic Internet Service Provider (ISP): A web server that
had been compromised three days prior is sitting on a high
speed datalink that has visibility into the entire ISP
backbone. On this server a password sniffer has been running
for almost 48 hours and has grabbed thousands of account
usernames and passwords of people using normal Internet
services such as POP, IMAP, FTP, and HTTP. A remote intruder
connects to a secret port on the machine from across the
planet and the entire list of snatched accounts is instantly
downloaded onto their system. The username and password of
your sales manager is in there too after he used the ISP to
dial in and check mail earlier that day.
Date: Tuesday Evening 23:31 hours.
Home Office: The person logging in is not who you think they
are. They used a few grep commands to pick out interesting
accounts from the sniffer logs and your sales manager was on
the top of the list. Maybe they think it will be fun to own
your machines, maybe you have something interesting, or
maybe it's just your bad day. It doesn't matter; whoever it
is quickly grabs control of the machine and breaks root
access. Several backdoors are installed as well as another
password sniffer to further compromise your network. At this
point your computer systems are doomed.
Why weren't you watching?
HostSentry is the newest addition to the Abacus Project.
HostSentry is a host based intrusion detection tool that
performs what is called Login Anomaly Detection (LAD).
Login Anomaly Detection works by monitoring interactive
login sessions to the computer system and spotting unusual
behavior or activity that indicates an intrusion. In the
case of HostSentry, it uses a dynamic database and modular
signatures to detect misuse and report or react to the
events in real-time.
The biggest flaw with Unix is not any particular exploitable
hole but the fact that it allows interactive access to
anyone that asks. Even with new encrypted tools such as SSH,
there is a significant chance that an intruder can still
compromise a user account password in a variety of other
fashions (unencrypted POP, re-use of passwords across hosts,
unencrypted sessions sniffed before SSH used, plain old bad
passwords, etc.)
Unix has a rudimentary (albeit not great) method for login
accounting and HostSentry attempts to make use of this in an
automated fashion to spot problems before they become big
headaches for you. A variety of techniques are used, which
are explained below.
What HostSentry does.
HostSentry monitors the Unix login accounting records
(wtmp/utmp) for user login activity. This activity indicates
the following key data:
* Username
* Login TTY
* Login Time
* Login Location
This data is entered into a dynamically generated user
database that stores the entry permanently for future use.
Some of the data can be used immediately to spot problems,
other times the data needs to be collected for many
consecutive logins to derive meaningful information. In
either case, the data can be used by the signature modules
to detect problems on the host.
What is a signature module?
A signature module in HostSentry is a module that performs
one or both of the following:
* Login processing
* Logout processing
During a login, each of the signature modules are run, if
they have a useful function to perform, it is executed on
the login and specific actions are taken if a violation is
detected. During logout, the same process is run again, this
time on the logout functions. Again, if a useful function is
found it is executed and violations are reported as well.
This dual-mode operation has several benefits:
* User activity that is suspicious can be spotted
immediately on login.
* User activity that is suspicious and occurred during
the login session can be spotted on logout.
* Modules can perform dual-functions providing backup
assurance to each other for login and logout tracking.
An example of a module that is only active during login is:
moduleFirstLogin. This module would run only during the user
login process and only reports if this is the first time
this user has logged in.
An example of a module that is only active during logout is:
moduleHistoryTruncated. This module checks the user's
history file on logout to make sure it has not been deleted,
linked to /dev/null or other device, and is greater than
zero bytes.
An example of a module that performs both login and logout
functions is: moduleLoginLogout. This module simply writes
to the audit logs that a user has logged in and logged out
of the host.
What do all the signature modules do?
The signature modules perform a variety of functions.
Because they are modular they can be turned on and off at
will, and the administrator can add custom modules as
necessary. Here is the list of modules at this time and
brief descriptions of their functions (the modules not
implemented yet state so in the text):
moduleLoginLogout
Description:
This module simply logs whenever any user logs into or out
of the system. This is a generic audit trail module designed
to supplement existing logging you may already be doing.
moduleFirstLogin
Description:
Most users have no idea what a Unix shell is let alone how
to access and use it. As a result, I always recommend that
you do not give users shell access to ANY system unless they
specifically request it or it is necessary for your
particular application to function.
Because of the above phenomena, it is a significant
auditable event when a user who has never logged into a
shell before suddenly does. This may be normal, it may not
be normal. The admin needs to decide whether it is OK for
Susie the secretary to be logging in interactively when she
can barely type.
This module's sole purpose is to alert you to first time
logins. This module is especially useful for getting a first
alert after a user's password has been sniffed. I'd
recommend you pay attention to this module if you have a
fairly stagnant user population as many problems start here.
moduleForeignDomain
Description:
Often attackers who compromise a system account with
sniffers and such will login from domains that clearly have
no business connecting to your site. Therefore I always
recommend that you wrap your system services or protect them
with filters that only let your local domain interact with
your host.
This module's purpose is to look at system logins and look
up the remote host domain. If this domain is not listed in
the file:
moduleForeignDomain.allow
Then it is classified as "foreign" and you will get an
alert. This is especially useful if you run an ISP in the
*.com domain and you find a login from someone in Malaysia
(My apologies to the Malaysian users of this tool :) ).
If you wish to add known good domains to this file, simply
pull it into an editor and have at it. This file is
processed with regex so be careful about using restricted
characters.
moduleRhostCheck
Description:
A user who makes dangerous modifications to their .rhosts
file may be up to no good or just ignorant of the security
implications.
This module will look at a user's .rhosts file on logout and
if it contains a wildcard ('+') it will log the event so an
admin can investigate. Of course you should never allow your
users to use .rhosts files in any event, they are a horrible
risk to security (many daemons allow you to shut this
feature off). I recommend never using the r-services (i.e.
rsh, rlogin) on any host.
moduleHistoryTruncated
Description:
This module will check the user's history file (depending on
what shell they are using from /etc/passwd). This will fire
an alarm if one of the following conditions occurs:
1) The history file for the shell being used does not exist
(it may have been erased to cover tracks).
2) The history file is 0 bytes long (truncated to cover
tracks).
3) The history file is a symbolic link. Commonly linked to
/dev/null to prevent logging of commands. This is almost
always an indication of a compromise.
Right now, it only checks for history files for: bash, csh,
and tcsh. I'm not completely familiar with all the shells,
so if you have a history file/shell type to contribute
please mail me.
If you see this module fire you need to check your system
for compromise. This is assuming of course the intruder
didn't break root already and stop HostSentry. :)
moduleOddDirnames
Description:
The user's home directory contains one or more suspicious
directories. Usually hackers will make a local directory
named in an odd way to hide their work. This module will
look for a directory name beginning in ".." (exempting of
course the real ".."). Common intruder directory names
include:
".. "
"..."
etc.
This module is not totally reliable, as it cannot of course
check every permutation. It can help the more common methods
that you'll see beginning hackers or users who are trying to
hide something employ. If this module fires, you need to
check the user's directory for the strange entry.
moduleMultipleLogins
Description:
A user is logged in from one or more different hosts
concurrently. This is a classic sign of an intrusion as user
accounts are shared among hackers. It is not uncommon to see
multiple logins from foreign domains which makes multiple
signatures fire off simultaneously.
Hosts listed in the file: moduleMultipleLogins.allow will
never be processed if they are seen in any user login. This
is useful for users who keep a login session from say a
terminal at work and then go home to do work concurrently.
moduleOddLoginTime
Description:
The user is logging in at an odd time.
Not implemented yet.
moduleInvalidUtmp
Description:
The user's utmp entry on logout has been altered/missing.
Not implemented yet.
moduleHistorySuspicious
Description:
The user's history file contains suspicious commands.
Not implemented yet.
moduleNetworkDaemon
Description:
The user left a listening network daemon on logout.
Not implemented yet.
moduleFileExists
Description:
The user has a file/directory in their home directory that
matches a pre-defined list of banned/monitored files.
Not implemented yet.
What else does it do?
You can add your own modules to suit your tastes. For
example:
* You can have a module write a message directly to the
users screen on login that is time sensitive.
* You can have a module perform cleanup operations after
a user logs out of the host.
* You can have a module e-mail/page you when a particular
user logs in.
The fact is that since the tool is written in a high level
language like Python, it makes code creation, debugging, and
implementation much easier and safer. While it's still
possible to make a module that performs dangerous
operations, it is far less likely that this operation will
be unintentional on your part (as opposed to using C). There
is even a moduleExample wrapper that you can use to base
your code on.
The user database stores historical data and this data can
be used to track and derive metrics for usage on your users.
I plan on releasing a tool to do exactly this, it will even
have pretty HTML charts of login activity.
I have some other ideas too that I don't want to discuss
right now.
------------------------------
All Material Copyright ©1996-99 Craig H. Rowland and Psionic Software Systems
Contact Me
Page last updated: 1999/05/10