Psionic HostSentry 0.02 ALPHA
Abacus Project
Host based login anomaly detection and response tool

Important Notice:

This is ALPHA GRADE software. While I feel the software is stable and will not cause problems on any host it is run on, you need to be aware of some issues:

* Some signature modules are incomplete and may be buggy, in that they might miss or false alarm in certain instances.
* This software has only been tested on small scale systems by myself. I, therefore, have no idea how large the database will grow on a busy system, although I suspect this won't be a problem.
* YOU NEED TO READ THE DOCS, AND I MEAN YOU NEED TO READ ALL OF THE DOCS. Don't install security software of any type before you understand how and how not to use it. I go to great lengths to make informative and detailed documents; do yourself a big favor and take the time to read them.
* If you get a Python traceback or other odd error message, please send it in to me for analysis. Please detail what caused the traceback and your system specs. Without this information, getting a fix is much harder.
* Realize the program may cause many false alarms the first few days as the database fills with active users. This is normal and you shouldn't panic. It should settle down once user entries have stabilized.

Requirements

HostSentry has only been tested on Linux and OpenBSD. The only requirement for HostSentry is the installation of the Python programming language. Read the install document, as you must re-compile Python to activate the syslog extension module.
Download

Since many of you don't want to read the web page (but you should read all the docs), here are the download links:

* HostSentry software is here
* HostSentry PGP signature is here
* My PGP key is here
* The disclaimer is here

Also check out PortSentry and Logcheck, as you probably want to use them too. Lastly, you should probably join one of the mailing lists that have been set up to keep up to date on new happenings.

It's late at night, do you know what your users are doing?

Location: Anywhere in the world.

Date: Tuesday Evening 23:30 hours. Home Office: Your Unix system is sitting idle when a connection request comes in to the telnet port. A login prompt is presented to the guest and it waits patiently for the account information to be entered. An account for one of your remote sales managers is entered and access is granted to the system. This user, who has never logged in before, would normally have no idea how to use Unix and certainly has no business on the system this late at night. Too bad nobody is watching.

Date: Tuesday Morning 09:00 hours. Generic Internet Service Provider (ISP): A web server that had been compromised three days prior is sitting on a high speed datalink that has visibility into the entire ISP backbone. On this server a password sniffer has been running for almost 48 hours and has grabbed thousands of account usernames and passwords of people using normal Internet services such as POP, IMAP, FTP, and HTTP. A remote intruder connects to a secret port on the machine from across the planet and the entire list of snatched accounts is instantly downloaded onto their system. The username and password of your sales manager is in there too, after he used the ISP to dial in and check mail earlier that day.

Date: Tuesday Evening 23:31 hours. Home Office: The person logging in is not who you think they are. They used a few grep commands to pick out interesting accounts from the sniffer logs, and your sales manager was at the top of the list.
Maybe they think it will be fun to own your machines, maybe you have something interesting, or maybe it's just your bad day. It doesn't matter; whoever it is quickly grabs control of the machine and breaks root. Several backdoors are installed, as well as another password sniffer to further compromise your network. At this point your computer systems are doomed. Why weren't you watching?

HostSentry is the newest addition to the Abacus Project. HostSentry is a host based intrusion detection tool that performs what is called Login Anomaly Detection (LAD). Login Anomaly Detection works by monitoring interactive login sessions to the computer system and spotting unusual behavior or activity that indicates an intrusion. In the case of HostSentry, it uses a dynamic database and modular signatures to detect misuse and report or react to the events in real-time.

The biggest flaw with Unix is not any particular exploitable hole but the fact that it allows interactive access to anyone that asks. Even with new encrypted tools such as SSH, there is a significant chance that an intruder can still compromise a user account password in a variety of other fashions (unencrypted POP, re-use of passwords across hosts, unencrypted sessions sniffed before SSH was used, plain old bad passwords, etc.). Unix has a rudimentary (albeit not great) method for login accounting, and HostSentry attempts to make use of this in an automated fashion to spot problems before they become big headaches for you. A variety of techniques are used, which are explained below.

What HostSentry does.

HostSentry monitors the Unix login accounting records (wtmp/utmp) for user login activity. This activity provides the following key data:

* Username
* Login TTY
* Login Time
* Login Location

This data is entered into a dynamically generated user database that stores the entry permanently for future use.
Some of the data can be used immediately to spot problems; other times the data needs to be collected over many consecutive logins to derive meaningful information. In either case, the data can be used by the signature modules to detect problems on the host.

What is a signature module?

A signature module in HostSentry is a module that performs one or both of the following:

* Login processing
* Logout processing

During a login, each of the signature modules is run; if a module has a useful function to perform, it is executed on the login and specific actions are taken if a violation is detected. During logout, the same process is run again, this time on the logout functions. Again, if a useful function is found it is executed and violations are reported as well. This dual-mode operation has several benefits:

* User activity that is suspicious can be spotted immediately on login.
* User activity that is suspicious and occurred during the login session can be spotted on logout.
* Modules can perform dual functions, providing backup assurance to each other for login and logout tracking.

An example of a module that is only active during login is moduleFirstLogin. This module runs only during the user login process and only reports if this is the first time this user has logged in.

An example of a module that is only active during logout is moduleHistoryTruncated. This module checks the user's history file on logout to make sure it has not been deleted, linked to /dev/null or another device, and is greater than zero bytes.

An example of a module that performs both login and logout functions is moduleLoginLogout. This module simply writes to the audit logs that a user has logged in and logged out of the host.

What do all the signature modules do?

The signature modules perform a variety of functions. Because they are modular they can be turned on and off at will, and the administrator can add custom modules as necessary.
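The login/logout dual-mode dispatch described above, as an added example (my own code, not HostSentry's): constructed wtmp records are parsed into the four key fields, a login-only module (first login) and a dual-mode module (login/logout audit) are run, and logouts are matched to their login by TTY. The 384-byte glibc x86_64 record layout and the field names are assumptions of this example.

```python
import struct

# Assumed glibc utmp/wtmp record layout on x86_64 Linux (384 bytes): ut_type, ut_pid,
# ut_line, ut_id, ut_user, ut_host, exit status, ut_session, ut_tv, ut_addr_v6, pad.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
USER_PROCESS, DEAD_PROCESS = 7, 8   # login record / logout record

def pack_record(ut_type, tty, user, host, sec):
    """Build a constructed wtmp record (only used to create sample input here)."""
    return struct.pack(UTMP_FMT, ut_type, 0, tty.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, sec, 0, 0, 0, 0, 0)

def parse_record(raw):
    """Extract the four fields HostSentry keys on: user, TTY, time, location."""
    f = struct.unpack(UTMP_FMT, raw)
    if f[0] not in (USER_PROCESS, DEAD_PROCESS):
        return None  # boot, runlevel and similar records are not login sessions
    text = lambda b: b.split(b"\0", 1)[0].decode("ascii", "replace")
    return {"type": f[0], "tty": text(f[2]), "user": text(f[4]),
            "host": text(f[5]), "time": f[9]}

class Detector:
    def __init__(self):
        self.db = {}        # username -> list of past logins (the permanent database)
        self.active = {}    # tty -> login record, so a logout can be matched to it
        self.alerts = []    # what the modules reported, in order

    def feed(self, raw):
        rec = parse_record(raw)
        if rec is None:
            return
        if rec["type"] == USER_PROCESS:
            self.mod_first_login(rec)               # login-only module
            self.mod_login_logout(rec, "login")     # dual-mode module, login half
            self.db.setdefault(rec["user"], []).append(rec)
            self.active[rec["tty"]] = rec
        else:
            login = self.active.pop(rec["tty"], None)
            if login is None:
                return  # logout for a session that began before monitoring started
            self.mod_login_logout(login, "logout", rec["time"] - login["time"])

    def mod_first_login(self, rec):
        if rec["user"] not in self.db:   # never seen in the database before
            self.alerts.append(f"FirstLogin: {rec['user']} from {rec['host']}")

    def mod_login_logout(self, rec, phase, duration=None):
        extra = f" after {duration}s" if phase == "logout" else ""
        self.alerts.append(f"{phase}: {rec['user']} {rec['tty']} {rec['host']}{extra}")
```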
Here is the list of modules at this time and brief descriptions of their functions (the modules not implemented yet say so in the text):

moduleLoginLogout
Description: This module simply logs whenever any user logs into or out of the system. This is a generic audit trail module designed to supplement existing logging you may already be doing.

moduleFirstLogin
Description: Most users have no idea what a Unix shell is, let alone how to access and use it. As a result, I always recommend that you do not give users shell access to ANY system unless they specifically request it or it is necessary for your particular application to function. Because of the above phenomenon, it is a significant auditable event when a user who has never logged into a shell before suddenly does. This may be normal, it may not be normal. The admin needs to decide whether it is OK for Susie the secretary to be logging in interactively when she can barely type. This module's sole purpose is to alert you to first time logins. This module is especially useful for getting a first alert after a user's password has been sniffed. I'd recommend you pay attention to this module if you have a fairly stagnant user population, as many problems start here.

moduleForeignDomain
Description: Often attackers who compromise a system account with sniffers and such will login from domains that clearly have no business connecting to your site. Therefore I always recommend that you wrap your system services or protect them with filters that only let your local domain interact with your host. This module's purpose is to look at system logins and look up the remote host domain. If this domain is not listed in the file moduleForeignDomain.allow then it is classified as "foreign" and you will get an alert. This is especially useful if you run an ISP in the *.com domain and you find a login from someone in Malaysia (my apologies to the Malaysian users of this tool :) ).
If you wish to add known good domains to this file, simply pull it into an editor and have at it. This file is processed with regex, so be careful about using restricted characters.

moduleRhostCheck
Description: A user who makes dangerous modifications to their .rhosts file may be up to no good or just ignorant of the security implications. This module will look at a user's .rhosts file on logout and, if it contains a wildcard ('+'), it will log the event so an admin can investigate. Of course you should never allow your users to use .rhosts files in any event; they are a horrible risk to security (many daemons allow you to shut this feature off). I recommend never using the r-services (i.e. rsh, rlogin) on any host.

moduleHistoryTruncated
Description: This module will check the user's history file (depending on what shell they are using, from /etc/passwd). This will fire an alarm if one of the following conditions occurs:

1) The history file for the shell being used does not exist (it may have been erased to cover tracks).
2) The history file is 0 bytes long (truncated to cover tracks).
3) The history file is a symbolic link. Commonly linked to /dev/null to prevent logging of commands. This is almost always an indication of a compromise.

Right now, it only checks for history files for bash, csh, and tcsh. I'm not completely familiar with all the shells, so if you have a history file/shell type to contribute please mail me. If you see this module fire you need to check your system for compromise. This is assuming, of course, the intruder didn't break root already and stop HostSentry. :)

moduleOddDirnames
Description: The user's home directory contains one or more suspicious directories. Usually hackers will make a local directory named in an odd way to hide their work. This module will look for a directory name beginning in ".." (exempting of course the real ".."). Common intruder directory names include: ".. " "..." etc.
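The three history-file conditions of moduleHistoryTruncated and the ".."-prefixed directory test of moduleOddDirnames, as an added example of the logout-side checks (my own code, not HostSentry's). The shell-to-history-file mapping covers only the shells named above and assumes default history file names; the sample home directory is constructed by the block itself.

```python
import os
import tempfile

# Assumed default history file per shell; only the shells the page names are covered.
HISTORY_FILES = {"bash": ".bash_history", "csh": ".history", "tcsh": ".history"}

def check_history(home, shell):
    """Return a reason string if the user's history file looks tampered with, else None."""
    name = HISTORY_FILES.get(os.path.basename(shell))
    if name is None:
        return None                      # unknown shell: nothing to check
    path = os.path.join(home, name)
    if os.path.islink(path):             # condition 3, e.g. a link to /dev/null
        return f"{name} is a symbolic link to {os.readlink(path)}"
    if not os.path.lexists(path):        # condition 1: erased to cover tracks
        return f"{name} does not exist"
    if os.path.getsize(path) == 0:       # condition 2: truncated to cover tracks
        return f"{name} is zero bytes"
    return None

def odd_dirnames(home):
    """Directory entries starting with '..' other than the real '..' entry."""
    odd = []
    for entry in os.listdir(home):       # listdir never yields '.' or '..' itself
        if entry.startswith("..") and os.path.isdir(os.path.join(home, entry)):
            odd.append(entry)
    return sorted(odd)

def logout_checks(home, shell):
    """Run both logout modules against one home directory and return the alerts."""
    alerts = []
    reason = check_history(home, shell)
    if reason:
        alerts.append(f"HistoryTruncated: {reason}")
    for d in odd_dirnames(home):
        alerts.append(f"OddDirnames: {d!r}")
    return alerts

def build_sample_home():
    """Construct a throwaway home directory exhibiting both alarm conditions."""
    home = tempfile.mkdtemp(prefix="hs_demo_")
    os.symlink("/dev/null", os.path.join(home, ".bash_history"))
    os.mkdir(os.path.join(home, ".. "))      # trailing space hides it in an ls listing
    os.mkdir(os.path.join(home, "..."))
    os.mkdir(os.path.join(home, "work"))     # ordinary directory, must not fire
    return home
```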
This module is not totally reliable, as it cannot of course check every permutation. It can catch the more common methods that you'll see beginning hackers, or users who are trying to hide something, employ. If this module fires, you need to check the user's directory for the strange entry.

moduleMultipleLogins
Description: A user is logged in from one or more different hosts concurrently. This is a classic sign of an intrusion, as user accounts are shared among hackers. It is not uncommon to see multiple logins from foreign domains, which makes multiple signatures fire off simultaneously. Hosts listed in the file moduleMultipleLogins.allow will never be processed if they are seen in any user login. This is useful for users who keep a login session from, say, a terminal at work and then go home to do work concurrently.

moduleOddLoginTime
Description: The user is logging in at an odd time. Not implemented yet.

moduleInvalidUtmp
Description: The user's utmp entry on logout has been altered or is missing. Not implemented yet.

moduleHistorySuspicious
Description: The user's history file contains suspicious commands. Not implemented yet.

moduleNetworkDaemon
Description: The user left a listening network daemon on logout. Not implemented yet.

moduleFileExists
Description: The user has a file/directory in their home directory that matches a pre-defined list of banned/monitored files. Not implemented yet.

What else does it do?

You can add your own modules to suit your tastes. For example:

* You can have a module write a time sensitive message directly to the user's screen on login.
* You can have a module perform cleanup operations after a user logs out of the host.
* You can have a module e-mail/page you when a particular user logs in.

The fact is that since the tool is written in a high level language like Python, it makes code creation, debugging, and implementation much easier and safer.
While it's still possible to make a module that performs dangerous operations, it is far less likely that this operation will be unintentional on your part (as opposed to using C). There is even a moduleExample wrapper that you can use to base your code on.

The user database stores historical data, and this data can be used to track and derive usage metrics for your users. I plan on releasing a tool to do exactly this; it will even have pretty HTML charts of login activity. I have some other ideas too that I don't want to discuss right now.

------------------------------

All Material Copyright ©1996-99 Craig H. Rowland and Psionic Software Systems
Page last updated: 1999/05/10