Poor Man's IDS
==============

### (Yes Women can use it too)

The goal of this project is to keep an eye on the requests going in
and out of my network onto the Internet (iNet). This is made
necessary for two reasons:

1. By looking for unusual activity I can get a heads up about
unwanted software or even "spy hardware" on my systems, i.e.
"Detect Intrusions".

2. Almost all software nowadays, especially that created by gigabuck
giants, makes requests out onto the iNet that I did not ask for
and don't want happening. Even Mozilla makes network traffic I
didn't ask for and don't want.

So this tool is my way of "watching the watchers". This is not a
plug-n-play tool that _magically_ grants the user a "suit of
invulnerability". But it is a tool for those looking for more insight
into their iNet traffic, either due to security concerns or curiosity.

This software is in the very early stages. Right now it just combines
data from the logs of a couple of different software packages. I've
already set up many blocks for traffic I don't want happening, like
g00gle Analytics, some ad servers, ...

For the curious I'll post my current block lists in this repository
from time to time. But be **WARNED** that they are likely to break your
iNet experience if you use them. I'm a cyber-rebel at heart and tend
to take an "if it's doing something I don't want, I have no use for
it" approach. Meaning I'd rather not use a site / program if it
violates my concerns, rather than just "go with the flow". And I will
likely discover I'm breaking stuff I actually want. For example, I realized
I've broken my ability to post comments on
[HaD](https://hackaday.com/), but I was curious about what "Server X"
did.

So! If you're not "faint of heart" come join me on my adventure in
iNet security exploration.


Phase 1 - General Setup & Operation
-----------------------------------

In general I feel it's necessary to have a **real-world** idea of what
you're dealing with before diving in and writing software to deal
with what you _think_ you're dealing with. So the basic plan is simple:

1. Set up my network routing devices, which are running Linux, to log
DNS queries and network connections. Specifically, any packet that
starts a _new_, unrelated connection gets logged.

2. Collect the logs on a machine, with backups on alternate machines.

3. Run the logs through a filter to combine the DNS query data with
the packet data.

4. Analyze results to determine phase 2 needs.

In this phase I'm jumping the gun a bit, but cyber-thugs are actively
beating on all of our doors, even as I'm getting my stuff together,
and there are certain kinds of traffic I know I want to put an end
to. In that light I've already spotted interesting servers I'm
blocking. And I've beefed up the firewall on my mail server with more
permanent blocks for obvious MTA bashers.

In this phase I'm using the most excellent
"[dnsmasq](https://thekelleys.org.uk/dnsmasq/doc.html)" to log the
queries **and** block host names I don't want being accessed. I do
this by assigning the bogus address "127.0.0.255" to the names in my
server's "hosts" file, which "dnsmasq" uses to answer DNS
queries. That address is a **valid** "localhost" address, so requests
to those names will **immediately** fail unless you put an http(s)
server there. And I'm sure you can imagine those possibilities.

The other source of information and block capabilities is "iptables"
/ "ip6tables". I added rules to log "new" packets. The parsing
software is what this repository is about right now.


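As an added illustration of step 3 above (combining the DNS query data with the packet data), here is a small C++98 program that is not code from the iptraffic repository. It reads the standard dnsmasq `log-queries` lines and netfilter `LOG` target lines, builds an address-to-names map from the `reply`/`cached` entries, and annotates each logged NEW connection with the host names that resolved to its destination. A flow with no matching lookup is the interesting case: well-behaved software normally resolves a name first, so a bare IP destination deserves a second look. The log lines, the `NEW:` log prefix, and all function names are constructed for this example.

```cpp
// Added example for this README, not code from the iptraffic repository:
// correlate netfilter LOG lines for NEW packets with dnsmasq query-log
// lines so each logged connection is annotated with the host name(s) that
// resolved to its destination. Line formats follow dnsmasq "log-queries"
// and the kernel LOG target; the sample lines below are constructed.
#include <iostream>
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <vector>

typedef std::map<std::string, std::set<std::string> > AddrNames;

// Value of " KEY=" in a netfilter LOG line, or "" when the key is absent.
std::string logField(const std::string& line, const std::string& key)
{
    const std::string needle = " " + key + "=";
    std::string::size_type pos = line.find(needle);
    if (pos == std::string::npos) return "";
    pos += needle.size();
    std::string::size_type end = line.find(' ', pos);
    return line.substr(pos, end == std::string::npos ? std::string::npos : end - pos);
}

// Build address -> names from "reply NAME is ADDR" / "cached NAME is ADDR".
// One address often serves many names (CDNs), so a set is kept per address.
AddrNames parseDnsReplies(const std::vector<std::string>& lines)
{
    AddrNames names;
    for (size_t i = 0; i < lines.size(); ++i) {
        std::string::size_type pos = lines[i].find("]: ");  // end of "dnsmasq[pid]"
        if (pos == std::string::npos) continue;
        std::istringstream in(lines[i].substr(pos + 3));
        std::string verb, name, is, addr;
        if (!(in >> verb >> name >> is >> addr)) continue;
        if ((verb != "reply" && verb != "cached") || is != "is") continue;
        if (addr[0] == '<') continue;   // <CNAME>, <NXDOMAIN>: no address to map
        names[addr].insert(name);
    }
    return names;
}

struct Connection {
    std::string src, dst, proto, dport;
    std::set<std::string> names;      // host names seen resolving to dst
};

// Pair each LOG line with the names previously resolved to its DST.
std::vector<Connection> correlate(const std::vector<std::string>& ipt,
                                  const AddrNames& names)
{
    std::vector<Connection> out;
    for (size_t i = 0; i < ipt.size(); ++i) {
        Connection c;
        c.src = logField(ipt[i], "SRC");
        c.dst = logField(ipt[i], "DST");
        if (c.src.empty() || c.dst.empty()) continue;   // not a LOG line
        c.proto = logField(ipt[i], "PROTO");
        c.dport = logField(ipt[i], "DPT");
        AddrNames::const_iterator it = names.find(c.dst);
        if (it != names.end()) c.names = it->second;
        out.push_back(c);
    }
    return out;
}

// Constructed sample input standing in for the router's syslog.
std::vector<std::string> sampleDns()
{
    const char* raw[] = {
        "Mar  3 10:00:01 gw dnsmasq[812]: query[A] example.com from 192.168.1.10",
        "Mar  3 10:00:01 gw dnsmasq[812]: reply example.com is 93.184.216.34",
        "Mar  3 10:00:05 gw dnsmasq[812]: reply www.example.com is <CNAME>",
        "Mar  3 10:00:05 gw dnsmasq[812]: cached example.com is 93.184.216.34"
    };
    return std::vector<std::string>(raw, raw + sizeof(raw) / sizeof(raw[0]));
}

std::vector<std::string> sampleIpt()
{
    const char* raw[] = {
        "Mar  3 10:00:02 gw kernel: NEW: IN=br0 OUT=vlan2 SRC=192.168.1.10 "
        "DST=93.184.216.34 LEN=60 TTL=63 DF PROTO=TCP SPT=51000 DPT=443 SYN URGP=0",
        "Mar  3 10:00:09 gw kernel: NEW: IN=br0 OUT=vlan2 SRC=192.168.1.10 "
        "DST=203.0.113.7 LEN=48 TTL=63 PROTO=UDP SPT=40000 DPT=8443 LEN=28"
    };
    return std::vector<std::string>(raw, raw + sizeof(raw) / sizeof(raw[0]));
}

std::vector<Connection> demo()
{
    return correlate(sampleIpt(), parseDnsReplies(sampleDns()));
}

int main()
{
    std::vector<Connection> conns = demo();
    for (size_t i = 0; i < conns.size(); ++i) {
        std::cout << conns[i].src << " -> " << conns[i].dst << ' '
                  << conns[i].proto << '/' << conns[i].dport;
        if (conns[i].names.empty()) std::cout << "  [no DNS lookup seen]";
        for (std::set<std::string>::const_iterator n = conns[i].names.begin();
             n != conns[i].names.end(); ++n) std::cout << ' ' << *n;
        std::cout << '\n';
    }
    return 0;
}
```

The map is keyed by address rather than by name because that is the direction the packet log forces: the LOG line only knows the destination IP. Replies that carry `<CNAME>` are skipped since the A record that follows them is what actually maps to an address.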
Note on routers
---------------

I'm using Netgear appliances for WiFi and the first tier firewall
connected to my iNet connection. Since a lot of modern ISP connection
devices provide their own idea of security I have to turn off their
firewall stuff and configure them in a transparent bridging
configuration.

I use Netgear because they actively provide tool chains for select
models of their equipment and encourage people to load their own
software mods on them. Have a look at
[My Open Router](https://www.myopenrouter.com/). On my devices I
have settled on [Shibby's Tomato](https://tomato.groov.pl/). It's very
compact, extremely flexible and seems to have everything I've needed
when I've needed it. As an example, my dnsmasq & iptables setup for my
gateway router required no changes to the firmware. I just put some
of the lesser used config pages to use.


The future
----------

The goal is an active alert system. This system should provide
immediate feedback on unknown connections allowing the user to either
grant or deny access and maintain the appropriate block lists.

But as "reality" exposes itself things are likely to change.


The CODE
--------

I'm using C++ to write this. I'm targeting C++98 at this time.
Although I think C++11 defines the minimum viable version of C++,
there are places where it's still not available, which is most likely
to happen with oddball tool chains like those provided by Netgear.
But even my RaspberryPI 2B doesn't support it. Well... maybe with an
OS upgrade... I'm hoping to support a very wide Linux platform
coverage.

I'm doing all of my development with Linux. It may be possible to do
something similar, maybe with very little modification, on BSD based
platforms. I don't have them and therefore won't be personally working
on it. But, unless it makes things really ugly, I'm not opposed to
contributions on that front.


Installation & use
------------------

This is still **VERY** crude and incomplete.

1. Configure the source: the basic setup is hardcoded in the source.
I'm just testing right now. ;-) There are three lines near the
bottom of "iptraffic.cpp" to be concerned with:

* `#define PATH "/srv/backups/iptraffic"`: this is the base path
to the work directory. It's prepended to the other paths, read on.

* `ifstream log(PATH "/test.log");`: defines the log file to
process.

* `ofstream out(PATH "/processed.log");`: the file with the
combined data that's written out.

* `config.load(PATH "/iptraffic.conf");`: path to a configuration
file that lists networks to consider as "us" and connections to
ignore, basically the set that is considered "OK".

2. Type "make" to compile. Hopefully it compiles for you.

3. Run "iptraffic".

4. Check the output.
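The README says "iptraffic.conf" lists the networks that count as "us" and the connections to ignore, but does not give its format. The following C++98 program is an added example, not the repository's own `config.load`, showing one way such a file could be read and applied: `us <cidr>` lines mark local networks, `ignore <dst> <port>` lines (port `*` for any) mark known-good destinations, and a logged flow is flagged for review when it leaves a "us" address for a destination that is neither local nor on the ignore list. The line format, the `Config` type and every function name are assumptions of this example.

```cpp
// Added example, not the repository's own config parser. Assumed format:
//   us      192.168.1.0/24        # a network that is "us"
//   ignore  93.184.216.34 443     # a known-good destination and port
//   ignore  203.0.113.53 *        # any port on this destination
// A flow from "us" to a non-local destination not on the ignore list is
// what needs a human look.
#include <cstdio>
#include <cstdlib>
#include <sstream>
#include <string>
#include <vector>

struct Cidr { unsigned long net; unsigned long mask; };
struct Ignore { std::string dst; std::string port; };

// Dotted quad -> host-order 32-bit value; false on malformed input.
bool parseIp(const std::string& s, unsigned long& out)
{
    unsigned a, b, c, d; char extra;
    if (std::sscanf(s.c_str(), "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4) return false;
    if (a > 255 || b > 255 || c > 255 || d > 255) return false;
    out = ((unsigned long)a << 24) | (b << 16) | (c << 8) | d;
    return true;
}

// "a.b.c.d/bits" (or a bare address, meaning /32) -> network and mask.
bool parseCidr(const std::string& s, Cidr& out)
{
    std::string::size_type slash = s.find('/');
    int bits = 32;
    if (slash != std::string::npos) bits = std::atoi(s.substr(slash + 1).c_str());
    if (bits < 0 || bits > 32) return false;
    if (!parseIp(s.substr(0, slash), out.net)) return false;
    out.mask = bits == 0 ? 0 : (0xFFFFFFFFul << (32 - bits)) & 0xFFFFFFFFul;
    out.net &= out.mask;
    return true;
}

struct Config {
    std::vector<Cidr> us;
    std::vector<Ignore> ignore;
    bool load(std::istream& in);   // false on the first line it cannot parse
    bool isUs(const std::string& ip) const;
    bool isOk(const std::string& dst, const std::string& port) const;
};

bool Config::load(std::istream& in)
{
    std::string line;
    while (std::getline(in, line)) {
        std::string::size_type hash = line.find('#');
        if (hash != std::string::npos) line.erase(hash);   // strip comments
        std::istringstream fields(line);
        std::string key, a, b;
        if (!(fields >> key)) continue;                     // blank line
        if (key == "us" && (fields >> a)) {
            Cidr c;
            if (!parseCidr(a, c)) return false;
            us.push_back(c);
        } else if (key == "ignore" && (fields >> a >> b)) {
            Ignore ig; ig.dst = a; ig.port = b;
            ignore.push_back(ig);
        } else {
            return false;                                   // unknown or short line
        }
    }
    return true;
}

bool Config::isUs(const std::string& ip) const
{
    unsigned long v;
    if (!parseIp(ip, v)) return false;
    for (size_t i = 0; i < us.size(); ++i)
        if ((v & us[i].mask) == us[i].net) return true;
    return false;
}

bool Config::isOk(const std::string& dst, const std::string& port) const
{
    for (size_t i = 0; i < ignore.size(); ++i)
        if (ignore[i].dst == dst && (ignore[i].port == "*" || ignore[i].port == port))
            return true;
    return false;
}

// A flow needs review when it is outbound from "us" and not on the OK list.
bool needsReview(const Config& cfg, const std::string& src,
                 const std::string& dst, const std::string& dport)
{
    return cfg.isUs(src) && !cfg.isUs(dst) && !cfg.isOk(dst, dport);
}

// Constructed config text standing in for iptraffic.conf.
Config sampleConfig()
{
    std::istringstream text(
        "# networks that are \"us\"\n"
        "us 192.168.1.0/24\n"
        "us 10.0.0.0/8\n"
        "ignore 93.184.216.34 443   # the site I actually use\n"
        "ignore 203.0.113.53 *\n");
    Config cfg;
    cfg.load(text);
    return cfg;
}
```

`load` refuses the whole file on the first malformed line rather than silently skipping it; with a block list, a typo that drops a rule is worse than a startup failure. Matching on the destination address rather than the name keeps the check consistent with what the packet log actually records.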