Le seguenti 332 parole non sono state trovate nel dizionario di 1275 termini (includendo 1275 LocalSpellingWords) e sono evidenziate qui sotto:
about   absolute   Acceptor   action   active   actual   addon   Addons   address   administrator   again   alarm   alarms   alias   allows   already   always   another   applies   apt   assume   at   attack   attacker   attacks   attempt   attempting   attempts   attention   autofwd   automatically   Ban   ban   ban4   ban6   banned   banning   bans   basename   Basically   be   been   Before   behaviour   belongs   between   bin   break   brute   but   by   called   can   care   carried   case   centralize   cfg   Check   check   checked   checks   Checks   client   Cmd   command   commands   communication   community   compile   computer   conf   configuration   configure   confirming   console   contacts   correct   customize   debian   defined   definition   definitions   derived   description   details   detecting   detection   diagnostic   digitalmages   display   distribution   docs   don   done   download   echo   effective   either   enabled   enhancement   enough   enter   environment   equipped   esac   etc   eventually   every   everything   Example   exaplanation   executable   exit   explain   fact   fake   fi   file   flap   follow   following   For   for   force   freshness   from   further   generally   generic   get   gilgamesh   grant   grep   guessing   haven   host   hostgroup   hostgroups   How   how   if   If   immediately   include   indeed   installation   installed   instructed   integrate   integration   interval   into   introduced   ip   ip6tables   iptables   issue   Issue   just   kind   know   Let   let   like   list   listed   listening   local   log   look   mail   make   manual   max   message   misnotified   Missing   modified   monitor   monitored   monitoring   move   Nagios   nagios   nagios3   name   named   ne   necessary   need   net   network   never   new   nobody   normally   note   notification   notifications   notifies   notify   now   Now   nsca   objectdefinitions   offending   ok   on   only   onto   openwrt   operate   operational   options   or   order   package   page   parameters   part   Passive   passive   password   path   pay   performed   place   please   Please   policy   portable   post   prepared   printf   process   projects   protect   put   Pv4   Pv6   received   reference   regarding   register   reset   Restart   return   running   Rustica   Rustica1   same   sbin   section   sections   see   send   sent   servers   services   setting   shall   short   should   side   simple   so   solution   something   somewhere   source   sourceforge   speaking   ssh   sshd   stale   state   Step   submitting   system   tail   takes   terminal   text   that   then   there   these   This   this   time   to   To   too   tool   Unban   unban   unban4   unban6   unbanned   unbanning   underestimated   unified   Up   up   upon   Usage   use   using   usr   usually   v4   v6   var   very   via   volatile   want   way   we   went   what   when   where   which   will   with   wont   work   working   works   wrapper  

Nascondi questo messaggio

Italiano English
Modifica History Actions

NagiosAutofwd

Le sedi di Ninux sono:

a Roma presso il FusoLab

  • Fusolab

a Pisa all'EigenLab

  • Eingelab

a Cosenza presso la sede dell'Hacklab Cosenza

  • HLCS

a Catanzaro presso la sede dell'Hacklab Catanzaro

  • HLCZ

a Firenze presso l'exfila

  • exfila

a Bologna presso il makerspace di RaspiBO

  • NinuxBO

Ninux.org partecipa al World IPv6 day

  • WorldIpv6Day

How to integrate autofwd with Nagios

The autofwd tool is a very simple, portable and effective solution to protect a server (or a PC) from brute force password attacks, usually attempting to break into the computer via sshd but, generally speaking, to force any local service via password guessing.

Basically autofwd, upon detecting an attack, bans the offending IP (either v4 or v6) and then notifies the administrator with a mail message.

This behaviour is normally enough but, if you have already in place a working Nagios monitoring service, you may want to notify the Nagios console about every ban and unban action carried by autofwd, in order to centralize to the unified Nagios console these kind of alarms, too. In this post I will explain how to do this.

In the following text I will assume that you already have a working installation of autofwd in place and that there is, on your network, a Nagios version 3 server, where a nsca process is listening for passive commands.

Step 1: install the nsca client part on the host where autofwd is running

You can download the source of nsca and compile it or, on a debian-derived linux distribution, you just enter in a terminal: apt-get install nsca and the work is done.

Now you have the send_nsca executable installed somewhere in your file system and that's all we need from the nsca package.

Step 2: configure autofwd

If you haven't introduced any enhancement to your base autofwd installation, the operational part your actual autofwd.conf should look something like this: 

# Ban IPv4 Cmd: Command to execute to ban an IP 
Ban IPv4 Cmd: /sbin/iptables -I INPUT -s __IP__ -j DROP 

# Unban IPv4 Cmd: Command to execute to unban an IP 
Unban IPv4 Cmd: /sbin/iptables -D INPUT -s __IP__ -j DROP

The same applies for IPv6 so I wont copy it again.

In order to let Nagios know that a banning/unbanning action has been performed, we have to operate in the Ban Cmd sections above, which can be modified as follows (pay attention to the absolute path of the commands and customize as necessary for your environment): 

#!/bin/sh 
# ban_check: wrapper to extend autofwd actions, alerting Nagios 
# To be run on the same host where autofwd is 
# 
# Requires: nsca package (for send_nsca) and a working Nagios server 
# 
# Author: Niccolo Avico (niccolo.avico@gmail.com) 
# 
# Usage: ban_check { ban4 | ban6 | unban4 | unban6 } 
# 
#       ban4 (bans as an IPv4 address) 
#       ban6 (bans as an IPv6 address) 
#       unban4 (unbans as an IPv4 address) 
#       unban6 (unbans as an IPv6 address) 
# 

TAG_IP=$2 

USAGE="Usage: `basename $0` { ban4 | ban6 | unban4 | unban6 } " 
return_code=-1 
NSCA_CONFIG=/etc/nagios/send_nsca.cfg 

# LOCAL_HOSTNAME corresponds to the name by which this host is known to Nagios 
LOCAL_HOSTNAME="HS-Rustica1" 

# NAGIOS_SERVER is where the Nagios console is running in your network 
NAGIOS_SERVER=10.1.0.2 

# NAGIOS_SERVICE is the name by which Nagios knows autofwd 
NAGIOS_SERVICE="autofwd" 

if [ $# -ne 2 ]; then 
  echo "${USAGE}" >&2 
  exit 1 
fi 

# Exit if send_nsca package is not installed 
if [ -x /sbin/send_nsca ]; then 
  echo "Missing package send_nsca." >&2 
  exit 4 
fi 

case "$1" in 
  ban4) 
    iptables -I INPUT -s $TAG_IP -j DROP 
    return_code=2 
    action="IPv4 ${TAG_IP} banned." 
  ;; 
  ban6) 
    ip6tables -I INPUT -s $TAG_IP -j DROP 
    return_code=2 
    action="IPv6 ${TAG_IP} banned." 
  ;; 
  unban4) 
    iptables -D INPUT -s $TAG_IP -j DROP 
    return_code=1 
    action="IPv4 ${TAG_IP} unbanned." 
  ;; 
  unban6) 
    ip6tables -D INPUT -s $TAG_IP -j DROP 
    return_code=1 
    action="IPv6 ${TAG_IP} unbanned." 
  ;; 
  *) 
    echo "${USAGE}" >&2 
    exit 3 
  ;; 
esac 

# Now inform Nagios about this action: 
# pipe the service check info into the send_nsca program, which 
# in turn transmits the data to the nsca daemon on the central 
# monitoring server 

/usr/bin/printf "%s\t%s\t%s\t%s\n" "$LOCAL_HOSTNAME" "$NAGIOS_SERVICE" "$return_code" "$action" | /usr/sbin/send_nsca -H $NAGIOS_SERVER -c $NSCA_CONFIG 

exit $?

Please note that we want to send Nagios a CRITICAL (return_code=2) alarm when autofwd will ban an attacker and a WARNING (return_code=1) alarm when autofwd will unban it (if autofwd.conf allows to do so).

Let's put the wrapper in a file called /etc/nagios/ban_check and make it executable.

Before using it, you must customize the wrapper with the correct IP address of your Nagios server ($NAGIOS_SERVER) and put the Nagios short name for the host ($LOCAL_HOSTNAME), as it is defined in your Nagios console.

Step 4: configure Nagios for the autofwd service

Up to now we have prepared the client side of the integration. In order for Nagios to process autofwd actions and display them as alarms for you host, we now move onto the Nagios server and define a new Nagios service, called autofwd (as it is named in the wrapper); for it to work you can copy the following definitions in a new autofwd.cfg file. 

define hostgroup { 
  hostgroup_name        autofwd-servers 
  alias                 Server equipped with autofwd 
} 

define service { 
  hostgroup_name                autofwd-servers 
  service_description           autofwd 
  check_command                 return-ok       ; always return OK 
  use                           generic-service 
  max_check_attempts            1        ; immediately put in HARD state 
  active_checks_enabled         0        ; only passive checks 
  passive_checks_enabled        1 
  is_volatile                   1        ; EVERY check is an alarm 
  check_freshness               0        ; don't check for stale state 
  flap_detection_enabled        0        ; by definition it will flap CRITICAL/WARNING 
  notification_options          c,r 
  notifications_enabled         1 
  notification_interval         0 
}

For a further exaplanation of the parameters, please follow the Nagios reference page.

Step 5: on the Nagios server, include the new service in your host definition

In the define host section of your Nagios configuration regarding the monitored host, add autofwd-servers to the list of hostgroups to which the host belongs. Example: 

define host{ 
  host_name             HS-Rustica1 
  alias                 POP ninux.org at Rustica
  hostgroups            openwrt-servers, http-servers, ssh-servers, autofwd-servers 
  active_checks_enabled 0 
  address               10.1.0.22 
  use                   generic-host 
  contacts              gilgamesh 
  register              1 
}

Step 6: test

Restart the Nagios service and, if everything went ok, you should see in the web Nagios console a new service called autofwd, listed with the other services checked for your host.

To check that the communication between client and server works you can now monitor the Nagios log file for autofwd notifications; log into the Nagios server and just issue on a terminal: 

nagios-server:$ tail -f /var/log/nagios3/nagios.log | grep autofwd

Open another terminal and log into the monitored host. Issue a ban_check command about a fake detection: 

host:$ ban_check ban4 ''fake-ip''

You should see immediately, from the Nagios log, a diagnostic message received from send_nsca, confirming that the command has been sent to the nagios server. In fact the first terminal should now display a PASSIVE CHECK notification about you host and the banning action just performed; at the same time the Nagios console shall put in a CRITICAL state the autofwd service for that host.

If this is your case, CONGRATULATIONS: your integration from autofwd to Nagios is done!

IMPORTANT NOTE: due to the behaviour of no volatile services in Nagios, this CRITICAL state will never be reset automatically by the system (and this is what we want, indeed): if nobody takes care of the alarm, the autofwd process will eventually unban the IP (if instructed to do so) and the service state will move from CRITICAL to WARNING. The only way to reset to OK that state is to issue a manual command to Nagios, submitting a passive service check from the web console.

This policy should grant that no attack attempt to your host shall be underestimated or misnotified.

l'ultima modifica รจ del 2011-09-02 06:54:15, fatta da NiccoloAvico