# WatchmanFW

Simple scripts for security in computer networks.

## Requirements

- Linux machine
- Mail server (if you want to receive messages by e-mail)

## Installation

```shell
git clone https://github.com/futszak/WatchmanFW.git
cd WatchmanFW
chmod u+x watchmanfw
mv watchmanfw-sample.ini watchmanfw.ini
# edit watchmanfw.ini
./watchmanfw &
```
## How it works

Rsyslog on the Linux machine receives information (in UDP datagrams) about operations on the local machine and on remote machines and writes it to one or more files (see /etc/rsyslog.conf):

```
Apr 2 09:25:42 menel sshd: pam_unix(sshd:auth): check pass; user unknown
Apr 2 09:25:42 menel sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.127.116.11
Apr 2 09:25:44 menel sshd: Failed password for invalid user vf from 18.104.22.168 port 34030 ssh2
Apr 2 09:25:44 menel sshd: Received disconnect from 22.214.171.124 port 34030:11: Bye Bye [preauth]
Apr 2 09:25:44 menel sshd: Disconnected from 126.96.36.199 port 34030 [preauth]
Apr 2 09:25:49 menel sshd: Accepted password for trainee from 188.8.131.52 port 57860 ssh2
```
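The collecting side described above, as an added example that is not part of the project: an rsyslog configuration that accepts syslog over UDP port 514 and writes every received line into one file for watchmanfw to follow, plus the one-line forwarding rule for each monitored machine. The file names, the output path and the collector address are assumptions. Syslog over UDP is neither authenticated nor encrypted, so the host name in a received line is whatever the sender wrote; at minimum, restrict UDP/514 on the collector to the addresses of the monitored machines.

```conf
# /etc/rsyslog.d/10-remote.conf on the collecting machine (assumed path)
module(load="imudp")
input(type="imudp" port="514")
# local and remote messages end up in one file that watchmanfw reads
*.* /var/log/remote.log

# /etc/rsyslog.d/90-forward.conf on each monitored machine (assumed path)
# a single "@" means UDP; 192.0.2.5 is a placeholder for the collector
*.* @192.0.2.5:514
```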
The logs contain a lot of information about failed login attempts; this is noise. If I have a small server (for example a VPS on a QNAP disk storage), the important information for me (in real time) is about successful login attempts.

WatchmanFW reads this information in real time and checks it against configured strings.
```
/firstname.lastname@example.org: menel,Accepted password for trainee
```

If the user trainee logged in on machine menel (strings "menel" and "Accepted password for trainee"), watchmanfw sends an e-mail to email@example.com with information about this.

```
/firstname.lastname@example.org: menel,Accepted password for
```

If any user (including trainee) logged in on machine menel (strings "menel" and "Accepted password for"), watchmanfw sends an e-mail to email@example.com with information about this.
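The real-time check described above, as an added example written for this README and not the project's own follow.py or watchmanfw code: rules in the "machine,string" form shown above are matched against syslog lines, and a `follow()` generator tails the log file the way `tail -F` does, including a reopen when logrotate replaces the file. The sample log lines and recipient addresses are constructed (documentation addresses only). One detail worth having: the host field is compared exactly rather than as a substring of the whole line, so a rule for "menel" does not fire on a host named "menelaos".

```python
import os
import re
import time
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample lines modelled on the excerpt above (host "menel", user
# "trainee"); addresses are RFC 5737 documentation addresses, not real traffic.
SAMPLE_LOG = [
    "Apr 2 09:25:42 menel sshd: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10",
    "Apr 2 09:25:44 menel sshd: Failed password for invalid user vf from 192.0.2.10 port 34030 ssh2",
    "Apr 2 09:25:49 menel sshd: Accepted password for trainee from 198.51.100.7 port 57860 ssh2",
    "Apr 2 09:26:01 menelaos sshd: Accepted password for trainee from 198.51.100.8 port 40000 ssh2",
]

# Rules in the README's "machine,string" form, keyed by recipient address
# (example.com addresses are placeholders).
RULES: Dict[str, str] = {
    "admin@example.com": "menel,Accepted password for trainee",
    "ops@example.com": "menel,Accepted password for",
}

# BSD-style syslog line: "Mon  d HH:MM:SS host message"
SYSLOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<msg>.*)$"
)


def parse_rule(rule: str) -> Tuple[str, str]:
    """Split "machine,string" into (machine, string), ignoring surrounding whitespace."""
    machine, _, needle = rule.partition(",")
    return machine.strip(), needle.strip()


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (host, message) for a syslog line, or None if it does not look like one."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    return (m.group("host"), m.group("msg")) if m else None


def match_line(line: str, rules: Dict[str, str]) -> List[str]:
    """Recipients whose rule matches this line (empty list if none)."""
    parsed = parse_line(line)
    if parsed is None:
        return []
    host, msg = parsed
    hits = []
    for recipient, rule in rules.items():
        machine, needle = parse_rule(rule)
        # Exact host comparison; a substring test on the whole line would let
        # "menel" also match the host "menelaos".
        if host == machine and needle in msg:
            hits.append(recipient)
    return hits


def scan(lines: List[str], rules: Dict[str, str]) -> List[Tuple[str, List[str]]]:
    """Batch form of the check: (line, recipients) for every line that matched a rule."""
    out = []
    for line in lines:
        hits = match_line(line, rules)
        if hits:
            out.append((line, hits))
    return out


def follow(path: str, poll: float = 1.0) -> Iterator[str]:
    """Yield lines appended to `path`, like `tail -F`: start at the end and
    reopen the file when logrotate replaces it (inode change)."""
    fh = open(path)
    fh.seek(0, os.SEEK_END)
    inode = os.fstat(fh.fileno()).st_ino
    while True:
        line = fh.readline()
        if line:
            yield line
            continue
        try:
            if os.stat(path).st_ino != inode:
                fh.close()
                fh = open(path)
                inode = os.fstat(fh.fileno()).st_ino
                continue
        except FileNotFoundError:
            pass  # rotated but not yet recreated; keep polling
        time.sleep(poll)


if __name__ == "__main__":
    for line, recipients in scan(SAMPLE_LOG, RULES):
        print(f"{recipients} <- {line}")
    # Live use (the path is an assumption):
    # for line in follow("/var/log/auth.log"): print(match_line(line, RULES), line)
```

In live use the `follow()` loop replaces `scan()`, and each non-empty result from `match_line()` would be handed to the mail-sending function.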
## Second functionality (for MikroTik)

This functionality is like port knocking, but it is "correct login knocking".

/etc/watchmanfw/watchmanfw.ini:

```ini
[mikrotik]
address = address of your MikroTik
username = username
password = password
whitelist = whitelist
timeout = 1d

[machine]
name = machine_name
user = username
lstring = Accepted password for
```

Section [mikrotik] holds the credentials for the API of the main MikroTik router. Section [machine] holds the correct-login strings. If they appear in the logs, the API adds the source address to the whitelist (the list named by `whitelist` in the [mikrotik] section) for the time given by `timeout` (also in the [mikrotik] section).
Next, add these rules on your MikroTik:

```
/ip firewall address-list
add address=external_address list=my
add address=watchmanfw_address list=whitelist
/ip firewall filter
add action=accept chain=input comment="pass syn packets for whitelist" dst-address-list=my protocol=tcp src-address-list=whitelist
add action=drop chain=input comment="drop all if no whitelist" dst-address-list=my protocol=tcp
```
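The whole second-functionality path, from the [machine] section to the address-list entry, as an added example written for this README (not the project's watchmanfw code): the ini above is parsed with `configparser`, a successful-login line for the configured machine and user yields the client address after "from", and that address is turned into the RouterOS API sentence `/ip/firewall/address-list/add` with `=address=`, `=list=` and `=timeout=` words, encoded with the length prefixes the RouterOS API protocol defines. The ini values and the log line are constructed placeholders. The API login handshake and the socket are deliberately not shown; in practice the encoded sentence goes over the api-ssl service (port 8729), not the plaintext API, since the credentials in [mikrotik] would otherwise travel unencrypted. Because the whitelisted address is taken from a log line, anyone able to inject a forged syslog line into the collector could whitelist an address of their choosing, which is one more reason to lock down the UDP syslog input to known senders.

```python
import configparser
import re
from typing import List, Optional

# Constructed config in the README's watchmanfw.ini layout; all values are placeholders.
SAMPLE_INI = """
[mikrotik]
address = 192.0.2.1
username = apiuser
password = placeholder
whitelist = whitelist
timeout = 1d

[machine]
name = menel
user = trainee
lstring = Accepted password for
"""

# Constructed line modelled on the README excerpt; 198.51.100.7 is a documentation address.
SAMPLE_LINE = "Apr 2 09:25:49 menel sshd: Accepted password for trainee from 198.51.100.7 port 57860 ssh2"

FROM_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3}) port \d+")


def load_config(text: str) -> configparser.ConfigParser:
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg


def login_source(line: str, cfg: configparser.ConfigParser) -> Optional[str]:
    """Client address if `line` is a successful login of the configured user on
    the configured machine, else None."""
    machine = cfg["machine"]
    fields = line.split(maxsplit=4)  # month, day, time, host, message
    if len(fields) < 5 or fields[3] != machine["name"]:
        return None
    msg = fields[4]
    # "... for trainee from" so that a user named "trainee2" does not match
    needle = f"{machine['lstring']} {machine['user']} from"
    if needle not in msg:
        return None
    m = FROM_RE.search(msg)
    return m.group(1) if m else None


def whitelist_sentence(cfg: configparser.ConfigParser, ip: str) -> List[str]:
    """RouterOS API words adding `ip` to the configured list for the configured timeout."""
    mt = cfg["mikrotik"]
    who = f"{cfg['machine']['user']}@{cfg['machine']['name']}"
    return [
        "/ip/firewall/address-list/add",
        f"=address={ip}",
        f"=list={mt['whitelist']}",
        f"=timeout={mt['timeout']}",
        f"=comment=watchmanfw {who}",
    ]


def encode_length(n: int) -> bytes:
    """Length prefix as defined by the RouterOS API protocol."""
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return (n | 0x8000).to_bytes(2, "big")
    if n < 0x200000:
        return (n | 0xC00000).to_bytes(3, "big")
    if n < 0x10000000:
        return (n | 0xE0000000).to_bytes(4, "big")
    return b"\xF0" + n.to_bytes(4, "big")


def encode_sentence(words: List[str]) -> bytes:
    """Length-prefixed words followed by the empty word that ends a sentence."""
    out = b"".join(encode_length(len(w.encode())) + w.encode() for w in words)
    return out + b"\x00"


if __name__ == "__main__":
    cfg = load_config(SAMPLE_INI)
    ip = login_source(SAMPLE_LINE, cfg)
    if ip:
        words = whitelist_sentence(cfg, ip)
        print(words)
        print(encode_sentence(words).hex())
```

With the firewall rules above, the entry this sentence creates is what lets the client's TCP SYN packets through the `input` chain until `timeout` expires; once the entry ages out, the drop rule applies again.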
## Files

- follow.py - function for reading rsyslog files
- sndmail.py - function for sending mails
- watchmanfw - main script
- watchmanfw.ini - config for the main script
- watchmanFW.png - functionality as a diagram