               Psionic HostSentry 0.02 ALPHA

               Host based login anomaly detection and response tool

               Important Notice:

               This is ALPHA GRADE software. While I feel the software is
               stable and will not cause problems on any host it is run on,
               you need to be aware of some issues:

                  * Some signature modules are incomplete and may be buggy
                    in that they might miss/false alarm in certain
                    instances.
                  * This software has only been tested on small scale
                    systems by myself. I, therefore, have no idea how large
                    the database will grow on a busy system, although I
                    suspect this won't be a problem.
                  * YOU NEED TO READ THE DOCS, AND I MEAN YOU NEED TO READ
                    ALL OF THE DOCS. Don't install security software of any
                    type before you understand how and how not to use it. I
                    go to great lengths to make informative and detailed
                    documents, so do yourself a big favor and take the time
                    to read them.
                  * If you get a Python traceback or other odd error
                    message please send it in to me for analysis. Please
                    detail what caused the traceback and your system specs.
                    Without this information, getting a fix is much harder.
                  * Realize the program may cause many false alarms the
                    first few days as the database fills with active users.
                    This is normal and you shouldn't panic. It should
                    settle down once user entries have stabilized.

               Requirements

               HostSentry has only been tested on Linux and OpenBSD. The
               only requirement for HostSentry is the installation of the
               Python programming language. Read the install document, as
               you must re-compile Python to activate the syslog extension
               module.


               Download

               Since many of you don't want to read the web page (but you
               should read all the docs), here are the download links:

                  * HostSentry software is here
                  * HostSentry PGP signature is here
                  * My PGP key is here
                  * The disclaimer is here

               Also check out PortSentry and Logcheck as you probably want
               to use them too.

               Lastly, you should probably join one of the mailing lists
               that have been set up to keep up to date on new happenings.

               It's late at night, do you know what your users are doing?

               Location: Anywhere in the world.

               Date: Tuesday Evening 23:30 hours.

               Home Office: Your Unix system is sitting idle when a
               connection request comes in to the telnet port. A login
               prompt is presented to the guest and it waits patiently for
               the account information to be entered. An account for one of
               your remote sales managers is entered and access is granted
               to the system. This user, who has never logged in before,
               would normally have no idea how to use Unix and certainly
               has no business on the system this late at night. Too bad
               nobody is watching.

               Date: Tuesday Morning 09:00 hours.

               Generic Internet Service Provider (ISP): A web server that
               had been compromised three days prior is sitting on a high
               speed datalink that has visibility into the entire ISP
               backbone. On this server a password sniffer has been running
               for almost 48 hours and has grabbed thousands of account
               usernames and passwords of people using normal Internet
               services such as POP, IMAP, FTP, and HTTP. A remote intruder
               connects to a secret port on the machine from across the
               planet and the entire list of snatched accounts is instantly
               downloaded onto their system. The username and password of
               your sales manager is in there too after he used the ISP to
               dial in and check mail earlier that day.

               Date: Tuesday Evening 23:31 hours.

               Home Office: The person logging in is not who you think they
               are. They used a few grep commands to pick out interesting
               accounts from the sniffer logs and your sales manager was on
               the top of the list. Maybe they think it will be fun to own
               your machines, maybe you have something interesting, or
               maybe it's just your bad day. It doesn't matter; whoever it
               is quickly grabs control of the machine and breaks root
               access. Several backdoors are installed as well as another
               password sniffer to further compromise your network. At this
               point your computer systems are doomed.

               Why weren't you watching?

               HostSentry is the newest addition to the Abacus Project.
               HostSentry is a host based intrusion detection tool that
               performs what is called Login Anomaly Detection (LAD).

               Login Anomaly Detection works by monitoring interactive
               login sessions to the computer system and spotting unusual
               behavior or activity that indicates an intrusion. In the
               case of HostSentry, it uses a dynamic database and modular
               signatures to detect misuse and report or react to the
               events in real-time.

               The biggest flaw with Unix is not any particular exploitable
               hole but the fact that it allows interactive access to
               anyone that asks. Even with new encrypted tools such as SSH,
               there is a significant chance that an intruder can still
               compromise a user account password in a variety of other
               ways (unencrypted POP, re-use of passwords across hosts,
               unencrypted sessions sniffed before SSH is used, plain old
               bad passwords, etc.).

               Unix has a rudimentary (albeit not great) method for login
               accounting and HostSentry attempts to make use of this in an
               automated fashion to spot problems before they become big
               headaches for you. A variety of techniques are used, which
               are explained below.

               What HostSentry does.

               HostSentry monitors the Unix login accounting records
               (wtmp/utmp) for user login activity. Each login record
               yields the following key data:

                  * Username
                  * Login TTY
                  * Login Time
                  * Login Location
               This data is entered into a dynamically generated user
               database that stores the entry permanently for future use.
               Some of the data can be used immediately to spot problems,
               other times the data needs to be collected for many
               consecutive logins to derive meaningful information. In
               either case, the data can be used by the signature modules
               to detect problems on the host.
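               The record-to-database step described above, as an added
               example that is not HostSentry's own code. It unpacks
               Linux/glibc struct utmp records (the layout of wtmp on that
               platform; other systems differ) into the four key fields and
               folds each login into a per-user history. The record
               contents, hostnames and timestamps are constructed for the
               demo.

```python
# Added example, not HostSentry's own code: parse Linux/glibc utmp-style
# records (the wtmp format) into the four key fields and fold logins into
# a per-user database. The layout below is the glibc struct utmp;
# other platforms lay the struct out differently.
import struct

UTMP_FORMAT = "<h2xi32s4s32s256s2hi2i4i20x"   # little-endian, 384 bytes
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)
USER_PROCESS = 7   # ut_type of a login record
DEAD_PROCESS = 8   # ut_type of a logout record


def _cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_utmp_records(data):
    """Yield one dict per record: type, user (username), tty (login TTY),
    time (login time, epoch seconds) and host (login location)."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FORMAT, data, off)
        # f[0]=ut_type f[1]=ut_pid f[2]=ut_line f[3]=ut_id f[4]=ut_user
        # f[5]=ut_host f[6:8]=ut_exit f[8]=ut_session f[9]=tv_sec f[10]=tv_usec
        yield {"type": f[0], "user": _cstr(f[4]), "tty": _cstr(f[2]),
               "time": f[9], "host": _cstr(f[5])}


def make_record(ut_type, user, tty, host, when):
    """Build one constructed record (demo input; real data is /var/log/wtmp)."""
    return struct.pack(UTMP_FORMAT, ut_type, 1234, tty.encode(), b"",
                       user.encode(), host.encode(),
                       0, 0, 0, int(when), 0, 0, 0, 0, 0)


def update_database(db, rec):
    """Fold a login record into the per-user history. Returns True when this
    is the user's first recorded login (the event moduleFirstLogin reports),
    False for a repeat login, None for records that are not logins."""
    if rec["type"] != USER_PROCESS:
        return None
    entry = db.setdefault(rec["user"], {"logins": 0, "hosts": {}, "ttys": set(),
                                        "first": rec["time"], "last": rec["time"]})
    first_ever = entry["logins"] == 0
    entry["logins"] += 1
    entry["hosts"][rec["host"]] = entry["hosts"].get(rec["host"], 0) + 1
    entry["ttys"].add(rec["tty"])
    entry["last"] = rec["time"]
    return first_ever


def demo():
    """Constructed wtmp stream: a sales manager's normal login, a logout, a
    later login from an unfamiliar host, and a first-ever login by 'bob'."""
    wtmp = b"".join([
        make_record(USER_PROCESS, "smanager", "pts/1", "ws12.mycompany.example", 926100000),
        make_record(DEAD_PROCESS, "", "pts/1", "", 926103600),
        make_record(USER_PROCESS, "smanager", "pts/2", "dialup7.isp.example", 926152200),
        make_record(USER_PROCESS, "bob", "pts/3", "203.0.113.7", 926152260),
    ])
    db = {}
    first_logins = [r["user"] for r in parse_utmp_records(wtmp) if update_database(db, r)]
    return {"db": db, "first_logins": first_logins}
```

               The logout record (DEAD_PROCESS) is parsed but does not
               touch the database; a real deployment would read
               /var/log/wtmp incrementally and keep the database on disk
               so that "first login" survives restarts.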

               What is a signature module?

               A signature module in HostSentry is a module that performs
               one or both of the following:

                  * Login processing
                  * Logout processing

               During a login, each of the signature modules is run; if a
               module has a useful function to perform for logins, it is
               executed on the login and specific actions are taken if a
               violation is detected. During logout, the same process is
               run again, this time on the logout functions. Again, if a
               useful function is found it is executed and violations are
               reported as well.

               This dual-mode operation has several benefits:

                  * User activity that is suspicious can be spotted
                    immediately on login.
                  * User activity that is suspicious and occurred during
                    the login session can be spotted on logout.
                  * Modules can perform dual-functions providing backup
                    assurance to each other for login and logout tracking.

               An example of a module that is only active during login is
               moduleFirstLogin. This module runs only during the user
               login process and reports only if this is the first time
               this user has logged in.

               An example of a module that is only active during logout is:
               moduleHistoryTruncated. This module checks the user's
               history file on logout to make sure it has not been deleted,
               linked to /dev/null or other device, and is greater than
               zero bytes.

               An example of a module that performs both login and logout
               functions is: moduleLoginLogout. This module simply writes
               to the audit logs that a user has logged in and logged out
               of the host.
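               The three module shapes just described (login-only,
               logout-only, and both) and the dispatcher that drives them,
               as an added example rather than HostSentry's real module
               interface. The event fields, class names and the ordering
               rule that the database is updated only after the login hooks
               have run are assumptions of this example; the scenario uses
               a constructed temporary home directory.

```python
# Added example, not HostSentry's own code: a minimal signature-module
# dispatcher showing the login-only, logout-only and dual-mode module
# shapes. Event fields and the class layout are assumptions.
import os
import tempfile


class SignatureModule:
    """A module implements login(), logout() or both. Each hook returns
    None when it has nothing to report, else a message for the audit log."""
    name = "moduleBase"

    def login(self, event, db):
        return None

    def logout(self, event, db):
        return None


class ModuleLoginLogout(SignatureModule):
    """Dual-mode: plain audit trail of every login and logout."""
    name = "moduleLoginLogout"

    def login(self, event, db):
        return "%s logged in on %s from %s" % (event["user"], event["tty"], event["host"])

    def logout(self, event, db):
        return "%s logged out of %s" % (event["user"], event["tty"])


class ModuleFirstLogin(SignatureModule):
    """Login-only: fires when the user has no entry in the database yet."""
    name = "moduleFirstLogin"

    def login(self, event, db):
        if event["user"] not in db:
            return "first ever login for %s from %s" % (event["user"], event["host"])
        return None


# History file per shell; the page lists bash, csh and tcsh as supported.
HISTORY_FILES = {"bash": ".bash_history", "csh": ".history", "tcsh": ".history"}


class ModuleHistoryTruncated(SignatureModule):
    """Logout-only: history file missing, zero bytes, or a symlink (e.g. to /dev/null)."""
    name = "moduleHistoryTruncated"

    def logout(self, event, db):
        shell = os.path.basename(event["shell"])
        if shell not in HISTORY_FILES:
            return None
        path = os.path.join(event["home"], HISTORY_FILES[shell])
        # Test for a symlink first: os.path.exists() follows links, so a link
        # to /dev/null would otherwise look like a normal existing file.
        if os.path.islink(path):
            return "%s is a symlink to %s" % (path, os.readlink(path))
        if not os.path.exists(path):
            return "%s does not exist" % path
        if os.path.getsize(path) == 0:
            return "%s is zero bytes" % path
        return None


def run_modules(modules, phase, event, db):
    """Run every module's hook for this phase ('login' or 'logout') and
    return [(module name, message), ...]. The database is updated only
    after the login hooks ran; otherwise moduleFirstLogin could never fire."""
    findings = []
    for mod in modules:
        msg = getattr(mod, phase)(event, db)
        if msg:
            findings.append((mod.name, msg))
    if phase == "login":
        db.setdefault(event["user"], []).append(event)
    return findings


def demo():
    """Constructed scenario: a user's first login, a logout whose history
    file has been linked to /dev/null, then a second login."""
    modules = [ModuleLoginLogout(), ModuleFirstLogin(), ModuleHistoryTruncated()]
    db = {}
    home = tempfile.mkdtemp()
    os.symlink("/dev/null", os.path.join(home, ".bash_history"))
    event = {"user": "smanager", "tty": "pts/1", "host": "dialup7.isp.example",
             "shell": "/bin/bash", "home": home}
    names = lambda findings: [name for name, _ in findings]
    return {
        "first_login": names(run_modules(modules, "login", event, db)),
        "logout": names(run_modules(modules, "logout", event, db)),
        "second_login": names(run_modules(modules, "login", event, db)),
    }
```

               Note the symlink test precedes the existence test: a history
               file linked to /dev/null exists as far as os.path.exists()
               is concerned, so checking existence first would miss the
               case the page calls "almost always an indication of a
               compromise".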


               What do all the signature modules do?

               The signature modules perform a variety of functions.
               Because they are modular they can be turned on and off at
               will, and the administrator can add custom modules as
               necessary. Here is the list of modules at this time and
               brief descriptions of their functions (the modules not
               implemented yet state so in the text):

               moduleLoginLogout

               Description:

               This module simply logs whenever any user logs into or out
               of the system. This is a generic audit trail module designed
               to supplement existing logging you may already be doing.

               moduleFirstLogin

               Description:

               Most users have no idea what a Unix shell is let alone how
               to access and use it. As a result, I always recommend that
               you do not give users shell access to ANY system unless they
               specifically request it or it is necessary for your
               particular application to function.

               Because of the above phenomenon, it is a significant
               auditable event when a user who has never logged into a
               shell before suddenly does. This may or may not be normal.
               The admin needs to decide whether it is OK for Susie the
               secretary to be logging in interactively when she can
               barely type.

               This module's sole purpose is to alert you to first time
               logins. This module is especially useful for getting a first
               alert after a user's password has been sniffed. I'd
               recommend you pay attention to this module if you have a
               fairly stagnant user population as many problems start here.



               moduleForeignDomain

               Description:

               Often attackers who compromise a system account with
               sniffers and such will login from domains that clearly have
               no business connecting to your site. Therefore I always
               recommend that you wrap your system services or protect them
               with filters that only let your local domain interact with
               your host.

               This module's purpose is to look at system logins and look
               up the remote host domain. If this domain is not listed in
               the file:

               moduleForeignDomain.allow

               Then it is classified as "foreign" and you will get an
               alert. This is especially useful if you run an ISP in the
               *.com domain and you find a login from someone in Malaysia
               (My apologies to the Malaysian users of this tool :) ).

               If you wish to add known good domains to this file, simply
               pull it into an editor and have at it. This file is
               processed as regular expressions, so be careful about using
               characters that have a special meaning in a regex.


               moduleRhostCheck

               Description:

               A user who makes dangerous modifications to their .rhosts
               file may be up to no good or just ignorant of the security
               implications.

               This module will look at a user's .rhosts file on logout and
               if it contains a wildcard ('+') it will log the event so an
               admin can investigate. Of course you should never allow your
               users to use .rhosts files in any event; they are a horrible
               risk to security (many daemons allow you to shut this
               feature off). I recommend never using the r-services (i.e.
               rsh, rlogin) on any host.

               moduleHistoryTruncated

               Description:

               This module will check the user's history file (which file
               depends on the user's shell, as listed in /etc/passwd). This
               will fire an alarm if one of the following conditions
               occurs:

               1) The history file for the shell being used does not exist
               (it may have been erased to cover tracks).

               2) The history file is 0 bytes long (truncated to cover
               tracks).

               3) The history file is a symbolic link. Commonly linked to
               /dev/null to prevent logging of commands. This is almost
               always an indication of a compromise.

               Right now, it only checks for history files for: bash, csh,
               and tcsh. I'm not completely familiar with all the shells,
               so if you have a history file/shell type to contribute
               please mail me.

               If you see this module fire you need to check your system
               for compromise. This is assuming of course the intruder
               didn't break root already and stop HostSentry. :)


               moduleOddDirnames

               Description:

               The user's home directory contains one or more suspicious
               directories. Usually hackers will make a local directory
               named in an odd way to hide their work. This module will
               look for a directory name beginning in ".." (exempting of
               course the real ".."). Common intruder directory names
               include:

               ".. "
               "..."

               etc.

               This module is not totally reliable, as it cannot of course
               check every permutation. It can catch the more common
               methods employed by beginning hackers or by users who are
               trying to hide something. If this module fires, you need to
               check the user's directory for the strange entry.
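               The two home-directory checks described for moduleRhostCheck
               and moduleOddDirnames, as one added example that is not
               HostSentry's own code. The .rhosts contents and the
               directory names are constructed in a temporary directory;
               the function names are assumptions.

```python
# Added example, not HostSentry's own code: logout-time home directory
# checks for a '+' wildcard in ~/.rhosts and for directory names that
# begin with '..'. The constructed home directory is demo input only.
import os
import tempfile


def rhosts_wildcards(home):
    """Return the lines of ~/.rhosts whose host or user field is the '+'
    wildcard ('+' alone trusts any host; '+ +' trusts any user on any host)."""
    path = os.path.join(home, ".rhosts")
    if not os.path.isfile(path):
        return []
    flagged = []
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            if "+" in line.split():
                flagged.append(line)
    return flagged


def odd_dirnames(home):
    """Directory names starting with '..' at the top level of the home
    directory. os.listdir() never returns '.' or '..' itself, so the real
    parent entry is exempt automatically. Only the top level is scanned,
    which is one reason the check cannot be exhaustive."""
    return sorted(name for name in os.listdir(home)
                  if name.startswith("..") and os.path.isdir(os.path.join(home, name)))


def demo():
    """Constructed home directory: a wide-open .rhosts plus two hidden
    directories named '.. ' (dot dot space) and '...'."""
    home = tempfile.mkdtemp()
    with open(os.path.join(home, ".rhosts"), "w") as fh:
        fh.write("# trusted workstation\n")
        fh.write("ws12.mycompany.example smanager\n")
        fh.write("+ +\n")
    for d in (".. ", "...", "docs", ".ssh"):
        os.mkdir(os.path.join(home, d))
    with open(os.path.join(home, "..notes.txt"), "w") as fh:
        fh.write("a file, not a directory\n")
    return {"rhosts": rhosts_wildcards(home), "odd_dirs": odd_dirnames(home)}
```

               A plain file named "..notes.txt" is deliberately present and
               not reported, matching the page's description of the check
               as applying to directories.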


               moduleMultipleLogins

               Description:

               A user is logged in from more than one host concurrently.
               This is a classic sign of an intrusion, as user accounts
               are shared among hackers. It is not uncommon to see
               multiple logins from foreign domains, which makes multiple
               signatures fire off simultaneously.

               Hosts listed in the file moduleMultipleLogins.allow will
               never be processed if they are seen in any user login. This
               is useful for users who keep a login session from, say, a
               terminal at work and then go home to do work concurrently.
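               The allow-file handling of moduleForeignDomain (a regex per
               line, described earlier) and of moduleMultipleLogins (exempt
               hosts, described just above), as one added example that is
               not HostSentry's own code. Matching each pattern against the
               whole hostname is a choice made here to show why an
               unanchored regex is risky; whether HostSentry anchors its
               patterns is not stated on the page. File contents, hostnames
               and the session snapshot are constructed.

```python
# Added example, not HostSentry's own code: regex allow list for login
# domains and the concurrent-login check with exempt hosts. All file
# contents, hostnames and sessions below are constructed.
import re


def read_allow_lines(text):
    """Allow files: one entry per line, blank lines and '#' comments ignored."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def compile_domain_patterns(text):
    """Compile each allow entry as a case-insensitive regex."""
    return [re.compile(p, re.IGNORECASE) for p in read_allow_lines(text)]


def is_foreign(host, patterns):
    """True when no allow pattern matches the whole hostname. fullmatch()
    is deliberate: with an unanchored search, an entry for mycompany
    would also accept mycompany.example.evil.test."""
    return not any(p.fullmatch(host) for p in patterns)


def is_foreign_unanchored(host, patterns):
    """The weaker substring check, included only to show the difference."""
    return not any(p.search(host) for p in patterns)


def multiple_logins(sessions, user, allowed_hosts):
    """Distinct remote hosts 'user' is logged in from right now, ignoring
    hosts in moduleMultipleLogins.allow and local (empty-host) sessions.
    Returns the sorted list when there is more than one such host, else []."""
    hosts = {s["host"] for s in sessions
             if s["user"] == user and s["host"] and s["host"] not in allowed_hosts}
    return sorted(hosts) if len(hosts) > 1 else []


FOREIGN_ALLOW = r"""
# constructed moduleForeignDomain.allow: one regex per line
(.*\.)?mycompany\.example
localhost
192\.168\.1\.\d+
"""

MULTI_ALLOW = """
# constructed moduleMultipleLogins.allow: literal hostnames
ws12.mycompany.example
"""

# Constructed snapshot of active sessions, as rebuilt from utmp.
SESSIONS = [
    {"user": "smanager", "tty": "pts/1", "host": "ws12.mycompany.example"},
    {"user": "smanager", "tty": "pts/2", "host": "dialup7.isp.example"},
    {"user": "smanager", "tty": "pts/3", "host": "203.0.113.7"},
    {"user": "bob", "tty": "tty1", "host": ""},
]


def demo():
    pats = compile_domain_patterns(FOREIGN_ALLOW)
    allowed = set(read_allow_lines(MULTI_ALLOW))
    return {
        "mail_foreign": is_foreign("mail.mycompany.example", pats),
        "lookalike_foreign": is_foreign("mycompany.example.evil.test", pats),
        "lookalike_unanchored": is_foreign_unanchored("mycompany.example.evil.test", pats),
        "isp_foreign": is_foreign("dialup7.isp.example", pats),
        "smanager_multi": multiple_logins(SESSIONS, "smanager", allowed),
        "bob_multi": multiple_logins(SESSIONS, "bob", allowed),
    }
```

               In the demo the work terminal is exempt, so the sales
               manager's two remaining sessions (the ISP dial-up and the
               bare IP address) are what trigger the multiple-logins
               finding; the look-alike host shows what the page's warning
               about regex characters protects against.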

               moduleOddLoginTime

               Description:

               The user is logging in at an odd time.

               Not implemented yet.


               moduleInvalidUtmp

               Description:

               The user's utmp entry on logout has been altered/missing.

               Not implemented yet.


               moduleHistorySuspicious

               Description:

               The user's history file contains suspicious commands.

               Not implemented yet.


               moduleNetworkDaemon

               Description:

               The user left a listening network daemon on logout.

               Not implemented yet.


               moduleFileExists

               Description:

               The user has a file/directory in their home directory that
               matches a pre-defined list of banned/monitored files.

               Not implemented yet.



               What else does it do?

               You can add your own modules to suit your tastes.  For
               example:

                  * You can have a module write a time-sensitive message
                    directly to the user's screen on login.
                  * You can have a module perform cleanup operations after
                    a user logs out of the host.
                  * You can have a module e-mail/page you when a particular
                    user logs in.

               Because the tool is written in a high level language like
               Python, code creation, debugging, and implementation are
               much easier and safer. While it's still possible to make a
               module that performs dangerous operations, it is far less
               likely that this will be unintentional on your part (as
               opposed to using C). There is even a moduleExample wrapper
               that you can use to base your code on.

               The user database stores historical data, and this data can
               be used to track and derive usage metrics for your users.
               I plan on releasing a tool to do exactly this; it will even
               have pretty HTML charts of login activity.

               I have some other ideas too that I don't want to discuss
               right now.

                              ------------------------------
               All Material Copyright ©1996-99 Craig H. Rowland and Psionic Software Systems
                               Page last updated: 1999/05/10