Blocking annoyances
Intruder alert!
Over the years, I've gotten more than my fair share of annoying hits on my server from script kiddies who don't know VMS from Windows or U*X. Fortunately, they've only been annoyances, but rather than take a chance, a couple of years ago I kludged together a way to just say no. This is my super-simple, lightweight intrusion detection and prevention system. Warning: this is a real kludge! But it works.
I use Kronos to run this program every 15 minutes:
$ Set NoOn
$! SHOW INTRUSION returns a success status (1) only when at least one
$! intruder record exists.
$ show intrusion/type=intruder
$ if $status .eq. 1
$ then
$!  Mail the intruder list (minus the header lines) to SYSTEM and queue the
$!  blocking procedure, but only if the previous run did not already do so.
$   if .not. f$trnlnm("Intruder$Alert") then pipe show intrusion/type=intruder | -
      search sys$pipe intrusion,--------/match=nor | -
      mail sys$pipe system/subject="Intruder alert"/NoSig
$   define /system Intruder$Alert True
$   submit/noprint/user=system Kronos_Root:[Misc]BlockIntruder.com
$ else
$   define /system Intruder$Alert False
$ endif
What's this do? It checks to see if there are any intruders listed, and if so, emails a notification and then runs the procedure named BlockIntruder.com. Note that the logical name prevents the system from sending the notification again if the last run of this program already discovered an intruder.
The next procedure does the real work. BlockIntruder.com:
$! Grab the first NETWORK intruder record. The subprocess running the pipe
$! cannot set symbols in this process, so it stashes the line in a job logical.
$ pipe sh intr/type=intruder | search sys$pipe network | -
    ( read sys$pipe intruder ; def/job intruder &intruder )
$ Intruder = f$edit(f$trnlnm("Intruder"),"Trim,Compress")
$! Column layout: type, intrusion, count, expiration date, expiration time, source.
$ Attempts = f$elem(2," ",Intruder)
$! The source looks like SSH_PASSWORD:host::user; keep only the host part.
$ Intruder = f$elem(5," ",Intruder) - "SSH_PASSWORD:"
$ Intruder = f$elem(0,":",Intruder)
$ write sys$output f$fao("Blocking !AS after !AS attempts.",Intruder,Attempts)
$! Route all replies to the intruder through a gateway that does not exist.
$ TCPIP Set route 'Intruder' /Gateway=Bitbucket
This one checks the output of the Show Intrusion command (performing the usual pipe and logical name machinations to get a value out of a pipe subprocess via a job logical), then simply sets the route for the "intruder" host to go through the Bitbucket. What does that host name translate to? A non-existent host on my network.
What's the net effect? Any inbound packet from that host gets responded to, but not to the host in question. All I do is redirect any output from my host via a non-existent path, the remote host never hears back from me, communications fail, and they go away, thinking I've dropped off the net.
There are many ways this could be improved. Theoretically, it should all be done in one program, not two. Additionally, only one intruder is handled at a time (if I get multiple simultaneous intruders, only the first one is processed; the others are ignored). Some intruders use spoofed addresses, so when they hit my system, the intrusion record shows up as a host name that doesn't necessarily correspond to the real host (although statistically, the vast majority are not quite that elegant) -- meaning I block the wrong host. And it sure would be nice if this program would run whenever an intrusion occurred, rather than once every 15 minutes.
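As an added example (not from the original article), here is a variant of BlockIntruder.com that walks every NETWORK intruder record instead of stopping at the first, addressing the one-intruder-at-a-time limitation above. It assumes the same SHOW INTRUSION column layout the original parsing relies on, the same Bitbucket gateway name, and uses a scratch file (assumed name Sys$Scratch:Intruders.tmp) instead of a job logical so the loop can read more than one line.

```dcl
$! Added example: block every network intruder listed by SHOW INTRUSION.
$ Set NoOn
$! Capture all matching records to a scratch file; SEARCH creates the file
$! even when nothing matches, so the loop below simply reads zero lines.
$ pipe show intrusion/type=intruder | -
    search sys$pipe network /output=Sys$Scratch:Intruders.tmp
$ if f$search("Sys$Scratch:Intruders.tmp") .eqs. "" then exit
$ open/read List Sys$Scratch:Intruders.tmp
$ Next:
$   read/end_of_file=Done List Line
$   Line = f$edit(Line,"Trim,Compress")
$!  Columns: type, intrusion, count, expiration date, expiration time, source.
$   Attempts = f$element(2," ",Line)
$!  Source is SSH_PASSWORD:host::user (or node::user); keep the host only.
$   Source   = f$element(5," ",Line) - "SSH_PASSWORD:"
$   Host     = f$element(0,":",Source)
$!  f$element returns the delimiter itself when the field is missing.
$   if Host .eqs. "" .or. Host .eqs. ":" .or. Host .eqs. " " then goto Next
$   write sys$output f$fao("Blocking !AS after !AS attempts.",Host,Attempts)
$!  Blackhole replies to this host; an already-present route is harmless
$!  because SET NOON lets the procedure continue past the error.
$   TCPIP Set route 'Host' /Gateway=Bitbucket
$   goto Next
$ Done:
$ close List
$ delete Sys$Scratch:Intruders.tmp;*
$ exit
```

Remember the spoofed-address caveat above still applies: the host in the record is whatever the intruder presented, so a route added here may blackhole the wrong machine.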
But, it sure is nice to see the system get nailed with hundreds of intrusions, only to have that host never bother me again!
six comments:
You mean: TELNET intrusions mainly, I guess. I have deliberately disabled telnet from the Internet in the router; I use SSH on a non-standard port if I need external access.
I scanned accounting and audit log for intrusions but these are rare.
FTP and HTTP cannot be handled this way, even if checked against SYSUAF.
I must have anonymous FTP enabled and this is often used for abuse attempts; over HTTP, leakages in standard packages are often tried.
The best protection is to be prepared and not to use default locations and settings; keep all locations read-only; use VMS's logical name facility; scan your FTP and HTTP access logs at regular intervals. (My HTTP access logs are cycled and scanned each weekend – I'll publish the script.)
What I would like to have is a check on anonymous FTP checking validity of the email address used as password….
SYSMGR () (URL) - 19-Mar-2008 - 04:32
Actually, I have telnet turned off on my system. This works wonderfully well for both ftp and ssh sessions (if you’ll notice, there’s an explicit handler in the string parsing routine to clean up SSH_PASSWORD.) Just do a “Show intrusion” to see who shows up—this procedure handles the list of those that are available on 7.3-2 (with telnet disabled).
I turned anonymous ftp off years ago. You just can’t be a trusting public service like in the old days… :(
[Aaron] () (URL) - 19-Mar-2008 - 08:13
Hi Aaron,
Sorry to take so long to post this comment – it looks like there might be a typo:
if .not. f$trnlnm(“Intruder$Alert”) then pipe show intrusion/type=intrder | –
Shouldn’t that last word be intruder?
In any case, I modified it slightly to my needs, (TCPware instead of TCP/IP services, JAMS instead of KRONOS) and I’m running it “now”. I’ll give you any feedback as I experience any “hits”.
Thanks!
brad () - 23-Aug-2008 - 20:18
Hi Aaron,
Got my first intruder today – works like a charm! Thanks!
You know, you ought to post the code at dcl.openvms.org – I'm sure the folks over there would be glad to see it.
brad () - 24-Aug-2008 - 14:53
Silly me – of course intrder works…I’m forgetting more VMS as time goes long…
brad () - 24-Aug-2008 - 18:49
Amazing that it works, Brad! I just looked at the source again and see that it wrapped right at the “u” in question. I must’ve fat-fingered the copy/paste to this article and inadvertently blew away that letter.
And I was going to post it to dcl.openvms.org, but wanted to wait until I consolidated it all into one module rather than the 2 it is. Presuming I ever get the free time to do that!
Glad to read it’s working for you!!
Aaron () (URL) - 25-Aug-2008 - 16:56