New port: hunch - Scan httpd log files, find vulnerability probes,

mail admins Scan Apache log files for CodeRed, Nimda, FormMail, proxy scanners and other malicious probes. For each one found, track down the contact email from WHOIS data and send a notice. Built-in rate controls prevent flooding an admin even when his machines are scanning at high rates. Runs as a non-privileged cron job to not interfere with the HTTP daemon's operation. Notes to committer: 1. This port installs a user and a group "hunch". It doesn't meet the conditions listed in the handbook for a "reserved" uid/gid. 2. portlint will complain about the port. A lot. To the best of my judgment all of the warnings can be ignored with the exception of the one about BATCH which I could find no documentation for. Therefore it is setting IS_INTERACTIVE. PR: ports/44836 Submitted by: Dan Pelleg <daniel+hunch@pelleg.org>
svn path=/head/; revision=87873
2024-11-23 00:43:28 +00:00 · 2003-08-28 09:21:14 +00:00 · 2003-08-28 09:21:14 +00:00 · efe705504a · 2021-03-31 03:12:20 +00:00
commit efe705504a
parent 50fb5a0f3d
8 changed files with 378 additions and 0 deletions
--- a/security/Makefile
+++ b/security/Makefile
@ -101,6 +101,7 @@
    SUBDIR += hlfl
    SUBDIR += hostsentry
    SUBDIR += hping
+    SUBDIR += hunch
    SUBDIR += hydra
    SUBDIR += ident2
    SUBDIR += identify
--- a/security/hunch/Makefile
+++ b/security/hunch/Makefile
@ -0,0 +1,33 @@
+# New ports collection makefile for: hunch
+# Date created:		26 October 2002
+# Whom:			Dan Pelleg <daniel+hunch@pelleg.org>
+#
+# $FreeBSD$
+#
+
+PORTNAME=	hunch
+PORTVERSION=	1.0
+CATEGORIES=	security
+MASTER_SITES=	http://web.cs.cmu.edu/~dpelleg/download/
+
+MAINTAINER=	daniel+hunch@pelleg.org
+COMMENT=	Scan httpd log files, find vulnerability probes, mail admins
+
+RUN_DEPENDS=	${SITE_PERL}/Net/SMTP.pm:${PORTSDIR}/net/p5-Net
+
+IS_INTERACTIVE=	yes
+WRKSRC=		${WRKDIR}/${PORTNAME}-${PORTVERSION}
+NO_PACKAGE=	too interactive
+NO_BUILD=	true
+USE_PERL5=	YES
+
+do-install:
+	@${ECHO_MSG} "Installing files"
+	@${INSTALL_DATA} ${WRKSRC}/etc/hunch-special ${PREFIX}/etc
+	@${INSTALL_SCRIPT} ${WRKSRC}/bin/complain-httpd ${PREFIX}/bin
+	@${INSTALL_SCRIPT} ${WRKSRC}/bin/contact ${PREFIX}/bin
+
+post-install:
+	@PREFIX=${PREFIX} ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL
+
+.include <bsd.port.mk>
--- a/security/hunch/distinfo
+++ b/security/hunch/distinfo
@ -0,0 +1 @@
+MD5 (hunch-1.0.tar.gz) = a5abf88c516e341cda723aaddfdc6aa6
--- a/security/hunch/pkg-deinstall
+++ b/security/hunch/pkg-deinstall
@ -0,0 +1,97 @@
+#! /bin/sh
+
+#
+# Adapted from pkg-deinstall in net/cvsup-mirror,
+# presumably by jdp@FreeBSD.org
+#
+
+user=hunch
+group=hunch
+
+ask() {
+    local question default answer
+
+    question=$1
+    default=$2
+    if [ -z "${PACKAGE_BUILDING}" ]; then
+	read -p "${question} [${default}]? " answer
+    fi
+    if [ x${answer} = x ]; then
+	answer=${default}
+    fi
+    echo ${answer}
+}
+
+yesno() {
+    local dflt question answer
+
+    question=$1
+    dflt=$2
+    while :; do
+	answer=$(ask "${question}" "${dflt}")
+	case "${answer}" in
+	[Yy]*)		return 0;;
+	[Nn]*)		return 1;;
+	esac
+	echo "Please answer yes or no."
+    done
+}
+
+delete_account() {
+    local u g home
+
+    u=$1
+    g=$2
+    if yesno "Do you want me to remove group \"${g}\"" y; then
+	pw groupdel -n ${g}
+	echo "Done."
+    fi
+    if yesno "Do you want me to remove user \"${u}\"" y; then
+	eval home=~${u}
+	pw userdel -n ${u}
+	echo "Done."
+	if [ -d "${home}" ]; then
+	    echo "Please remember to remove the home directory \"${home}\" as"
+	    echo "well as the mirrored files."
+	fi
+    fi
+}
+
+if [ x$2 != xDEINSTALL ]; then
+    exit
+fi
+
+export PATH=/bin:/usr/bin:/usr/sbin
+
+if ps -axc | grep -q complain-httpd; then
+    if yesno "There are some complain-httpd processes running.  Shall I kill them" y
+    then
+	killall complain-httpd
+	sleep 2
+    else
+	echo "OK ... I hope you know what you are doing."
+    fi
+fi
+
+tmp="/etc/#hunch$$"
+trap "rm -f ${tmp}" 0 1 2 3 15
+
+rm -f /var/db/hunch-timestamp
+
+if yesno "Do you want me to remove scheduled complaints from \"/etc/crontab\"" y
+then
+    sed "/complain-httpd/d" /etc/crontab >${tmp} || exit
+    chmod 644 ${tmp}
+    mv ${tmp} /etc/crontab || exit
+    echo "Done."
+fi
+
+if yesno "Do you want me to remove the hunch log entry from \
+\"/etc/newsyslog.conf\"" y; then
+    sed "/hunch\.log/d" /etc/newsyslog.conf >${tmp} || exit
+    chmod 644 ${tmp}
+    mv ${tmp} /etc/newsyslog.conf || exit
+    echo "Done."
+fi
+
+delete_account ${user} ${group}
--- a/security/hunch/pkg-descr
+++ b/security/hunch/pkg-descr
@ -0,0 +1,9 @@
+Scan Apache log files for CodeRed, Nimda, FormMail, proxy scanners and
+other malicious probes. For each one found, track down the contact email
+from WHOIS data and send a notice. Built-in rate controls prevent flooding
+an admin even when his machines are scanning at high rates. Runs as a
+non-privileged cron job to not interfere with the HTTP daemon's operation.
+
+-- Dan Pelleg
+
+daniel+hunch@pelleg.org
--- a/security/hunch/pkg-install
+++ b/security/hunch/pkg-install
@ -0,0 +1,229 @@
+#! /bin/sh
+
+#
+# Adapted from pkg-install in net/cvsup-mirror,
+# presumably by jdp@FreeBSD.org
+#
+
+user=hunch
+group=hunch
+
+interval=4
+
+ask() {
+    local question default answer
+
+    question=$1
+    default=$2
+    if [ -z "${PACKAGE_BUILDING}" ]; then
+	read -p "${question} [${default}]? " answer
+    fi
+    if [ x${answer} = x ]; then
+	answer=${default}
+    fi
+    echo ${answer}
+}
+
+yesno() {
+    local dflt question answer
+
+    question=$1
+    dflt=$2
+    while :; do
+	answer=$(ask "${question}" "${dflt}")
+	case "${answer}" in
+	[Yy]*)		return 0;;
+	[Nn]*)		return 1;;
+	esac
+	echo "Please answer yes or no."
+    done
+}
+
+make_account() {
+    local u g gcos homeopt home
+
+    u=$1
+    g=$2
+    gcos=$3
+    homeopt=${4:+"-d $4"}
+
+    if pw group show "${g}" >/dev/null 2>&1; then
+	echo "You already have a group \"${g}\", so I will use it."
+    else
+	echo "You need a group \"${g}\"."
+	if which -s pw && yesno "Would you like me to create it" y; then
+	    pw groupadd ${g} || exit
+	    echo "Done."
+	else
+	    echo "Please create it, and try again."
+	    if ! grep -q "^${u}:" /etc/passwd; then
+		echo "While you're at it, please create a user \"${u}\" too,"
+		echo "with a default group of \"${g}\"."
+	    fi
+	    exit 1
+	fi
+    fi
+    
+    if pw user show "${u}" >/dev/null 2>&1; then
+	echo "You already have a user \"${u}\", so I will use it."
+    else
+	echo "You need a user \"${u}\"."
+	if which -s pw && yesno "Would you like me to create it" y; then
+	    pw useradd ${u} -g ${g} -h - ${homeopt} \
+		-s /nonexistent -c "${gcos}" || exit
+	    echo "Done."
+	else
+	    echo "Please create it, and try again."
+	    exit 1
+	fi
+    fi
+
+    if [ x"$homeopt" = x ]; then
+	eval home=~${u}
+	if [ ! -d "${home}" ]; then
+	    if yesno \
+		"Would you like me to create ${u}'s home directory (${home})" y
+	    then
+		(umask 77 && \
+		    mkdir -p ${home}/) || exit
+		chown -R ${u}:${g} ${home} || exit
+	    else
+		echo "Please create it, and try again."
+		exit 1
+	    fi
+	fi
+    fi
+}
+
+case $2 in
+
+POST-INSTALL)
+    # . ${base}/config.sh || exit
+
+    if which -s pw && which -s lockf; then
+	:
+    else
+	cat <<EOF
+
+This system looks like a pre-2.2 version of FreeBSD.  I see that it
+is missing the "lockf" and/or "pw" utilities.  I need these utilities.
+Please get them and install them, and try again.  You can get the
+sources from:
+
+  ftp://ftp.freebsd.org/pub/FreeBSD/FreeBSD-current/src/usr.bin/lockf.tar.gz
+  ftp://ftp.freebsd.org/pub/FreeBSD/FreeBSD-current/src/usr.sbin/pw.tar.gz
+
+EOF
+	exit 1
+    fi
+
+    echo ""
+    make_account ${user} ${group} "Probe-griping user" "/nonexistent"
+ 
+    echo "Fixing ownerships and modes"
+    chown ${user}:${group} ${PREFIX}/etc/hunch-special
+    misc_files="/var/db/hunch-timestamp /var/log/hunch.log"
+    touch $misc_files
+    chown ${user}:${group} $misc_files
+    chmod 664 ${PREFIX}/etc/hunch-special $misc_files
+
+    echo ""
+    if grep -q "^[^#]*/var/log/hunch.log" /etc/newsyslog.conf; then
+	echo -n "It looks like you already have some logging set up, so I "
+	echo "will use it."
+    else
+	if yesno "Would you like me to set up log rotation" y; then
+	    echo "Adding hunch log entry to \"/etc/newsyslog.conf\"."
+	    cat <<EOF >>/etc/newsyslog.conf
+/var/log/hunch.log	hunch:hunch		644  3    100    *    Z
+EOF
+	    echo "Done."
+	else
+	    cat <<EOF
+OK, please remember to do it yourself.  You should add an entry to
+"/etc/newsyslog.conf".
+EOF
+	fi
+    fi
+
+    echo ""
+    if grep -q "^[^#]*${PREFIX}/bin/complain-httpd" /etc/crontab; then
+	echo "It looks like your crontab is already set up, so I'll use that."
+    else
+	if [ ${interval} -eq 1 ]; then
+	    updstr="hourly complaints"
+	else
+	    updstr="complaints every ${interval} hours"
+	fi
+	if yesno "Would you like me to set up your crontab for ${updstr}" y
+	then
+	    echo "Scheduling ${updstr} in \"/etc/crontab\"."
+	    delay=5
+	    now=$(date "+%s")
+	    start=$((${now} + ${delay}*60))
+	    hh=$(date -r ${start} "+%H")
+	    mm=$(date -r ${start} "+%M")
+	    h=$((${hh}))
+	    m=$((${mm}))
+	    if [ ${interval} -eq 1 ]; then
+		hstr="*"
+	    else
+		h0=$((${h} % ${interval}))
+		if [ ${interval} -eq 24 ]; then
+		    hstr=${h0}
+		else
+		    h1=$((${h0} + 24 - ${interval}))
+		    hstr=${h0}-${h1}/${interval}
+		fi
+	    fi
+	    cat <<EOF >>/etc/crontab
+${m}	${hstr}	*	*	*	${user} ${PREFIX}/bin/complain-httpd /var/log/httpd-access.log >> /var/log/hunch.log 2>&1
+EOF
+	    cat <<EOF
+Done.
+EOF
+	else
+	    cat <<EOF
+OK, please remember to do it yourself.  The crontab entry should run
+"${PREFIX}/bin/complain-httpd /var/log/htppd-access.log" as user ${user}
+EOF
+	fi
+    fi
+
+    echo ""
+	if yesno "Would you like me to set up the sender's address as it appears on outgoing complaints" y; then
+        host=`hostname`
+        sender=$(ask "Enter sender's email address" "root@$host" )
+        tmp="${PREFIX}/bin/#complain-httpd$$"
+        trap "rm -f ${tmp}" 0 1 2 3 15
+        sed "s/sender = ''/sender = '$sender'/" ${PREFIX}/bin/complain-httpd >${tmp} || exit
+        chmod 755 ${tmp}
+        mv ${tmp} ${PREFIX}/bin/complain-httpd || exit
+	    echo "Done."
+	else
+	    cat <<EOF
+OK, please remember to do it yourself.  You should modify the "my \$sender=''"
+line in "${PREFIX}/bin/complain-httpd".
+EOF
+    fi
+
+    echo ""
+    echo "I can enable hunch right now, or leave it in parse-only mode"
+    echo "which will scan the logs and determine the contacts, but"
+    echo "will not actually send any mail."
+	if yesno "Would you like me enable hunch in mail-sending mode" y; then
+        nomail=0
+    else
+        nomail=1
+    fi
+    tmp="${PREFIX}/bin/#complain-httpd$$"
+    trap "rm -f ${tmp}" 0 1 2 3 15
+    sed "s/no_mailing = .*;/no_mailing = $nomail;/" ${PREFIX}/bin/complain-httpd >${tmp} || exit
+    chmod 755 ${tmp}
+    mv ${tmp} ${PREFIX}/bin/complain-httpd || exit
+	echo "OK."
+
+    echo ""
+    echo "You are now hunch-enabled"
+    ;;
+esac
--- a/security/hunch/pkg-message
+++ b/security/hunch/pkg-message
@ -0,0 +1,5 @@
+Note that some WHOIS servers have specific
+terms of use, which they assume you to have
+accepted by issuing a query. Do not use
+this package if you do not agree to those
+licenses.
--- a/security/hunch/pkg-plist
+++ b/security/hunch/pkg-plist
@ -0,0 +1,3 @@
+bin/complain-httpd
+bin/contact
+etc/hunch-special
				`@ -0,0 +1 @@`
				`MD5 (hunch-1.0.tar.gz) = a5abf88c516e341cda723aaddfdc6aa6`