The problem: Only a tiny fraction of hacking attempts are ever reported, only a small number of those are traced, and very few hackers are ever caught. Amateur hackers need to be deterred from following a life of net crime.

The solution: Get more incidents reported and capture the evidence required to pursue action against the hacker.

How hackstop helps: It monitors the entry point (in future, several points) and identifies suspicious activity. When that activity passes certain thresholds it reports the activity via email and takes steps to prevent further hacking attempts.
It is designed for SME organisations, i.e. the ones who have a simple VPN or remote access point but no budget for a full-blown security team.

'You wouldn't let someone come up to your house every night and try 500 keys in the door without reporting it.'

Status:

Alpha level code, but in production use

Current Functionality:

Operating Systems: Fedora Core 4 and 5, but it should work on most Linux distros.
Monitors /var/log/secure
Identifies both long running and short burst attacks.
Distinct reporting and banning thresholds
WARNING: Updates /etc/hosts.deny
Report includes accurate timestamping and attack history data.
Avoids double reporting.
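The following is an added illustration of the detection logic described in the functionality list above; it is not hackstop's own code (hackstop is a Perl script, and its thresholds and internals are not shown on this page). It parses sshd "Failed password" lines in the /var/log/secure format, keeps a sliding per-source history, raises a report on a short burst (many failures within a minute) or a long-running attack (failures spread over at least an hour), bans at a separate, higher threshold, and never reports the same source twice. The threshold values, the log year, the host name and the IP addresses are all assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumed values for this example; hackstop's own defaults are not on the page.
BURST_WINDOW = timedelta(seconds=60)   # "short burst": failures packed into one minute
BURST_REPORT = 5                       # failures inside BURST_WINDOW that trigger a report
LONG_WINDOW = timedelta(hours=6)       # how long a failure stays in a source's history
LONG_MIN_SPAN = timedelta(hours=1)     # "long running": attempts spread over at least this long
LONG_REPORT = 4                        # failures spread over LONG_MIN_SPAN that trigger a report
BAN_THRESHOLD = 8                      # failures inside LONG_WINDOW that earn a hosts.deny entry
LOG_YEAR = 2006                        # syslog lines carry no year; assumed for parsing

# sshd's "Failed password" line as it appears in /var/log/secure (syslog format).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failed_login(line):
    """Return (timestamp, user, source_ip) for a failed sshd login line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


class HackstopMonitor:
    """Per-source failure history with burst / long-running detection and separate report and ban levels."""

    def __init__(self):
        self.history = defaultdict(deque)  # ip -> failure timestamps inside LONG_WINDOW
        self.reported = set()              # sources already reported: avoids double reporting
        self.banned = set()                # sources already added to hosts.deny
        self.reports = []                  # report data: ip, reason, attempt count, first/last seen

    def feed(self, line):
        """Consume one log line; return the list of actions it triggered ("report", "ban")."""
        parsed = parse_failed_login(line)
        if parsed is None:
            return []
        ts, _user, ip = parsed
        hist = self.history[ip]
        hist.append(ts)
        while hist and ts - hist[0] > LONG_WINDOW:   # sliding window: forget old failures
            hist.popleft()
        actions = []
        if ip not in self.reported:
            burst = sum(1 for t in hist if ts - t <= BURST_WINDOW)
            if burst >= BURST_REPORT:
                actions.append(self._report(ip, "short burst", hist))
            elif len(hist) >= LONG_REPORT and hist[-1] - hist[0] >= LONG_MIN_SPAN:
                actions.append(self._report(ip, "long running", hist))
        if ip not in self.banned and len(hist) >= BAN_THRESHOLD:
            self.banned.add(ip)
            actions.append("ban")
        return actions

    def _report(self, ip, reason, hist):
        # This record is what would be filled into the email report template.
        self.reported.add(ip)
        self.reports.append({
            "ip": ip, "reason": reason, "attempts": len(hist),
            "first_seen": hist[0].isoformat(), "last_seen": hist[-1].isoformat(),
        })
        return "report"

    def hosts_deny_lines(self):
        """Lines in /etc/hosts.deny syntax for every banned source."""
        return [f"ALL: {ip}" for ip in sorted(self.banned)]


# Constructed sample of /var/log/secure: one fast burst, one slow attack, one clean login.
SAMPLE_LOG = """\
Mar  3 02:14:01 gw sshd[4011]: Failed password for invalid user admin from 203.0.113.7 port 41122 ssh2
Mar  3 02:14:02 gw sshd[4012]: Failed password for invalid user test from 203.0.113.7 port 41123 ssh2
Mar  3 02:14:03 gw sshd[4013]: Failed password for root from 203.0.113.7 port 41124 ssh2
Mar  3 02:14:04 gw sshd[4014]: Failed password for root from 203.0.113.7 port 41125 ssh2
Mar  3 02:14:05 gw sshd[4015]: Failed password for root from 203.0.113.7 port 41126 ssh2
Mar  3 02:14:06 gw sshd[4016]: Failed password for root from 203.0.113.7 port 41127 ssh2
Mar  3 02:14:07 gw sshd[4017]: Accepted publickey for alice from 198.51.100.20 port 50000 ssh2
Mar  3 03:00:00 gw sshd[4101]: Failed password for root from 198.51.100.99 port 40001 ssh2
Mar  3 03:20:00 gw sshd[4102]: Failed password for root from 198.51.100.99 port 40002 ssh2
Mar  3 03:40:00 gw sshd[4103]: Failed password for root from 198.51.100.99 port 40003 ssh2
Mar  3 04:00:00 gw sshd[4104]: Failed password for root from 198.51.100.99 port 40004 ssh2
Mar  3 04:20:00 gw sshd[4105]: Failed password for root from 198.51.100.99 port 40005 ssh2
Mar  3 04:40:00 gw sshd[4106]: Failed password for root from 198.51.100.99 port 40006 ssh2
Mar  3 05:00:00 gw sshd[4107]: Failed password for root from 198.51.100.99 port 40007 ssh2
Mar  3 05:20:00 gw sshd[4108]: Failed password for root from 198.51.100.99 port 40008 ssh2
"""


def run_monitor(lines):
    """Feed every line to a fresh monitor and return it, as hackstop would while tailing a file."""
    mon = HackstopMonitor()
    for line in lines:
        mon.feed(line)
    return mon


if __name__ == "__main__":
    mon = run_monitor(SAMPLE_LOG.splitlines())
    for r in mon.reports:
        print(f"REPORT {r['ip']}: {r['reason']}, {r['attempts']} failures {r['first_seen']}..{r['last_seen']}")
    print("hosts.deny additions:", mon.hosts_deny_lines())
```

On the sample data the burst source is reported once at its fifth failure and never again, the slow source is reported once it has four failures spread over an hour and banned only at its eighth, and the successful login is ignored. Keeping report and ban thresholds separate is what lets an administrator see the report before any blocking happens.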

Roadmap:

Monitor for other types of hacking
Use of database rather than in-memory recording of events
Addition of post attack followup report with raw log extracts
Proper init.d start/stop scripts
Externalisation (& i18n) of report template
Integration with firewall controls

Installation Instructions (Linux):

1. Download hackstop.pl and put it into your favourite place for security scripts (e.g. /usr/sbin). Make sure it is secure.
2. Check that you have the following Perl modules available on your system: Unix::PID and File::Tail::App; if not, install them (e.g. via 'perl -MCPAN -e shell').
3. Edit the parameters at the top of the script. You will need to set the abuse email address and your admin email address, as well as your contact details and IP address. Feel free to adjust the thresholds.
4. IMPORTANT: You should agree with your ISP, or whoever the abuse email will go to, that they will accept it and do something with it.
5. Add the following line to your /etc/rc.local (or equivalent)
nohup /my/chosen/path/hackstop.pl >> /var/log/hackstop.log &
6. Run the same command from the command line as root to start it.

Testing:

Start with an internal abuse email address until you are happy with the reporting.
You can also change the monitored file to be something like '/root/test.log' and then inject previous logs into that test file ('cat /var/log/secure.2 >> /root/test.log') to see how the script handles them.

hackstop vs. DenyHosts

DenyHosts is a more high-tech solution, with an established history of managing to "proactively thwart attacks". hackstop is orientated towards reporting the problem, and only stops the attack later. The two projects do the same job; hackstop exists because thwarting the hacker is not enough.

Note on reporting abuse:

There is no central location for reporting hacking attempts (yet). You could contact the abuse@ address of the hacking source, but that takes time and effort to track down. The best place to report it is your own ISP's abuse email, as they will usually be aware of attacks against multiple targets from one source and can aggregate information. But you must talk to them first to check that they will accept it.

If you improve on it then please feel free to contribute that back to the community.