Index of /~bbrazil/code/brmon

$Id: README,v 1.5 2005/12/26 17:53:46 bbrazil Exp $
BrMon 0.1 Copyright Brian Brazil <bbrazil@netsoc.tcd.ie> 2005

This is a set of scripts intended to detect unknown daemons and break-ins via
ssh and Apache. If something is found an email will be sent to root.

Mostly as a side effect, it can also detect runaway Apache requests, daemons
that should be running but aren't, and general leftover processes (lynx seems to
be somewhat common).

Software requirements are standard UNIX tools (sort, cut, sed, ps, pgrep etc.)
and gawk. These scripts were developed on Solaris 8 and ported to also work on
Debian Sarge GNU/Linux. Output format may vary slightly between platforms.

These are released under version 2 of the GNU General Public License.

*************
* Rationale *
*************
Website compromises usually start some processes hanging off PHP. These can be
detected because they will have been running longer than a PHP script should
run (a few seconds). Alternatively the intruder may start a daemon.

For ssh brute force attacks you see a lot of attempts to login from one IP
address. If there's a successful login from that IP, then that account has been
compromised.

********************
* ssh_brute_finder *
********************
This looks at your sshd.log for hosts that exceeded a certain threshold of
failed passwords and/or invalid users. Once that threshold is crossed the host
is deemed to be an attacker, and any successful logins from that IP address are
flagged.

Also, if any user has had more than 10 failed passwords they will be flagged.

Note that this requires a 'LogLevel VERBOSE' in your sshd_config. I suggest
rotating your sshd.log daily and running this on the previous day's log via
logrotate.

Running John the Ripper regularly is also advised as a preventative measure.
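The check described above, written out as an added example (this is not BrMon's own ssh_brute_finder script; its thresholds and exact output format are not given here): one awk program reading an sshd log on stdin that counts failures per host, flags successful logins from hosts over the threshold, and flags users over the per-user failure count. The sample log lines are constructed in OpenSSH's LogLevel VERBOSE format.

```shell
#!/bin/sh
# Added example, not BrMon's own code. Assumes OpenSSH syslog lines; the two
# thresholds are parameters with constructed defaults.
# Usage: ssh_brute_finder [host_threshold] [user_threshold] < sshd.log
ssh_brute_finder() {
    awk -v hthresh="${1:-5}" -v uthresh="${2:-10}" '
        # pull the IP address and the user name out of an OpenSSH log line
        function ipof(s)   { sub(/.* from /, "", s); sub(/ port .*/, "", s); return s }
        function userof(s) { sub(/.* for (invalid user )?/, "", s); sub(/ from .*/, "", s); return s }

        BEGIN { n = 0 }

        # every failed password and every invalid-user attempt counts against the host;
        # failed passwords for real users also count against that user
        /Failed password for invalid user / { fails[ipof($0)]++; next }
        /Failed password for /              { fails[ipof($0)]++; userfails[userof($0)]++; next }
        /Invalid user /                     { fails[ipof($0)]++; next }

        # remember successful logins so they can be checked against attacking hosts
        /Accepted (password|publickey) for / { okuser[n] = userof($0); okip[n] = ipof($0); n++ }

        END {
            for (ip in fails)
                if (fails[ip] >= hthresh) { attacker[ip] = 1; print "ATTACKER " ip " failures=" fails[ip] }
            for (i = 0; i < n; i++)
                if (okip[i] in attacker) print "COMPROMISED " okuser[i] " from " okip[i]
            for (u in userfails)
                if (userfails[u] > uthresh) print "USERFAIL " u " failures=" userfails[u]
        }' | sort
}

# constructed sample log (not real data); 192.0.2.10 fails four times, then gets in as bob
sample_log() {
    cat <<'EOF'
Dec 26 17:10:01 host sshd[1001]: Invalid user admin from 192.0.2.10
Dec 26 17:10:03 host sshd[1001]: Failed password for invalid user admin from 192.0.2.10 port 40101 ssh2
Dec 26 17:10:09 host sshd[1002]: Failed password for root from 192.0.2.10 port 40102 ssh2
Dec 26 17:10:15 host sshd[1003]: Failed password for root from 192.0.2.10 port 40103 ssh2
Dec 26 17:11:40 host sshd[1004]: Accepted password for bob from 192.0.2.10 port 40104 ssh2
Dec 26 18:02:11 host sshd[1100]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Dec 26 18:03:00 host sshd[1101]: Accepted publickey for alice from 198.51.100.7 port 50002 ssh2
EOF
}

# host threshold 3, user threshold 1: flags the host, bob's login from it, and root
sample_log | ssh_brute_finder 3 1
```

With the defaults (5 and 10) the same sample produces no output, which is the point of running it daily over a full day's log rather than a few minutes of it.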

***********************
* long_running_apache *
***********************
This looks for processes spawned by Apache that started (by default) over 10
minutes ago. It then lists these, and their children (if any).

Note that this is different from PHP's max_execution_time, which only counts
user time, not wall time.

An easy way to test this is to run the following one-line PHP script from Apache:
<?php `sleep 3600` ?>

******************
* daemon_monitor *
******************
This looks for all processes with a PPID of 1. First it checks that all your
system daemons are running. Then it looks for non-system processes that aren't
known to it.

This script has two configuration files. One specifies the system daemons, the
other the known daemons. These files must be sorted with sort(1); the format is
the same as the output of daemon_monitor.

*********
* Notes *
*********

All these programs are in some way configurable. In addition you can specify a
filter for long_running_apache and daemon_monitor for it to ignore certain
processes. Examples are included in the source.