Monday, 26 September 2016

Pix log analysis

I've been logging all the Pix messages to the system log on a server, and I told that server to keep the Pix messages in a separate file. Today, I had a look at that file.

There were a third of a million messages, and that's just two days' worth. So I wrote a program.

#!/usr/bin/perl
# Analyse pixlog: bucket the common Pix messages, then print whatever is left over.

open(PIXLOG, '<', '/var/log/pixlog') or die "cannot open /var/log/pixlog: $!";
while (<PIXLOG>) {
  if (/exceeds configured limit/) {$bigdns ++; next}
  if (/outside:outside-interface\/23\b/){$outsidetelnet ++; next}
  if (/outside:outside-interface\/2323\b/){$outsidetelnet ++; next}
  if (/outside:outside-interface\//){$outsideother ++; next}
  if (/\/23 by access-group \"outside_access_in\"/){$telnet ++; next}
  if (/\/2323 by access-group \"outside_access_in\"/){$telnet ++; next}
  # Denied traffic from outside to a high port, split by destination interface (oo, od, oi) and protocol
  if (/Deny tcp .*outside.*outside.*\/(\d*)/ and $1 > 1023) {$denyootcpgt1024 ++; next}
  if (/Deny udp .*outside.*outside.*\/(\d*)/ and $1 > 1023) {$denyooudpgt1024 ++; next}
  if (/Deny tcp .*outside.*dmz.*\/(\d*)/ and $1 > 1023) {$denyodtcpgt1024 ++; next}
  if (/Deny udp .*outside.*dmz.*\/(\d*)/ and $1 > 1023) {$denyodudpgt1024 ++; next}
  if (/Deny tcp .*outside.*inside.*\/(\d*)/ and $1 > 1023) {$denyoitcpgt1024 ++; next}
  if (/Deny udp .*outside.*inside.*\/(\d*)/ and $1 > 1023) {$denyoiudpgt1024 ++; next}
  if (/Deny.*outside.*outside:212.58.55.(\d*)/ and $1 > 224) {$nosuchserver ++; next}

  # Well-known low ports; \b stops "/22" also matching "/220", "/221" and so on
  if (/Deny.*outside.*(outside|dmz|inside).*\/445\b/) {$samba ++; next}
  if (/Deny.*outside.*(outside|dmz|inside).*\/111\b/) {$rpc ++; next}
  if (/Deny.*outside.*(outside|dmz|inside).*\/13[789]\b/) {$samba ++; next}
  if (/Deny.*outside.*(outside|dmz|inside).*\/587\b/) {$port587 ++; next}
  if (/Deny.*outside.*(outside|dmz|inside).*\/22\b/) {$ssh ++; next}
  if (/Deny.*outside.*(outside|dmz|inside).*\/(343|433|995|500|444|161|1000|8[123456789]|123|17|19|523|520|456|623|417|135|389|990)\b/) {$ports ++; next}
  if (/Deny.*outside.*(outside|dmz|inside).*\/(21|69)\b/) {$ftp ++; next}
  if (/Deny.*outside.*(outside|dmz|inside).*\/(53)\b/) {$dns ++; next}
  if (/Deny.*outside.*(outside|dmz|inside).*\/(25)\b/) {$email ++; next}
  if (/Deny.*outside.*(outside|dmz|inside).*\/(143|110)\b/) {$imap ++; next}
  if (/Deny.*outside.*(outside|dmz|inside).*\/(80|443)\b/) {$http ++; next}
  if (/Invalid destination for ICMP error message/){$invalidicmpdest ++; next}
  if (/dst outside:global-out/) {$globalout ++; next}

  if (/regular translation creation failed for icmp src dmz:nsint1-2/) {$regnsint1 ++; next}
  if (/regular translation creation failed for icmp src dmz/) {$regdmz ++; next}
  if (/Deny IP due to Land Attack from up-works-out to up-works-out/) {$land ++; next}
  if (/Denied ICMP type=0, from laddr/)  {$icmp0 ++; next}
  if (/Denied ICMP type=3, code=3/)  {$icmp3 ++; next}
  if (/No translation group found for udp src dmz:sadii.*53/) {$notrans ++; next}
  if (/Deny icmp src dmz:\d/) {$icmpfromd ++; next}
  if (/Deny tcp src dmz:\d/) {$tcpfromd ++; next}
  if (/Deny udp src dmz:\d/) {$udpfromd ++; next}
  # The pattern for this test was lost from the post; the counter is kept so the summary line still prints
  # if (/PATTERN LOST FROM POST/) {$accessto192 ++; next}
  if (/reason: MSS exceeded/) {$mssexceeded ++; next}
  $other ++;
  print $_;    # anything that reached here is not bucketed, so show it for a human to look at
}
close PIXLOG;

# Counters that never matched are undefined and print as blank
print "bigdns = $bigdns  telnet = $telnet outsidetelnet = $outsidetelnet  outsideother = $outsideother \n";
print "deny-oo-udpgt1024 = $denyooudpgt1024  deny-oo-tcpgt1024 = $denyootcpgt1024\n";
print "deny-od-udpgt1024 = $denyodudpgt1024  deny-od-tcpgt1024 = $denyodtcpgt1024\n";
print "deny-oi-udpgt1024 = $denyoiudpgt1024  deny-oi-tcpgt1024 = $denyoitcpgt1024\n";
print "nosuchserver = $nosuchserver samba = $samba port587 = $port587 ssh = $ssh ports = $ports ftp = $ftp http = $http dns = $dns rpc = $rpc\n";
print "invalidicmpdest = $invalidicmpdest global-out = $globalout icmp0 = $icmp0  icmp3 = $icmp3 email = $email imap = $imap \n";
print "regular translation nsint1 = $regnsint1  regular translation dmz = $regdmz land = $land\n";
print "notrans = $notrans icmp, tcp, udp from d = $icmpfromd, $tcpfromd, $udpfromd accessto192 = $accessto192  mssexceeded = $mssexceeded \n";
print "other = $other\n";
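The same triage idea, written as an added example in Python rather than the post's Perl (this is not the author's code): parse the fields of a "Deny" message once, then decide on the destination interface and port, so a port like 220 cannot be miscounted as ssh the way an unanchored "/22" regex would count it. The log lines are constructed in the style of Pix 106023 and 305005 messages and are not from the author's firewall; the category names follow the counters in the script above.

```python
import re
from collections import Counter

# Constructed sample lines in the style of Pix "Deny" and "No translation group" messages.
# Addresses come from the documentation ranges; none of this is real log data.
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src outside:203.0.113.5/51234 dst inside:192.0.2.10/23 by access-group "outside_access_in"
%PIX-4-106023: Deny tcp src outside:203.0.113.6/40001 dst inside:192.0.2.10/2323 by access-group "outside_access_in"
%PIX-4-106023: Deny tcp src outside:198.51.100.9/33333 dst dmz:192.0.2.20/445 by access-group "outside_access_in"
%PIX-4-106023: Deny tcp src outside:198.51.100.9/33334 dst dmz:192.0.2.20/220 by access-group "outside_access_in"
%PIX-4-106023: Deny udp src outside:198.51.100.7/53 dst inside:192.0.2.30/5353 by access-group "outside_access_in"
%PIX-4-106023: Deny tcp src outside:203.0.113.8/44444 dst inside:192.0.2.10/22 by access-group "outside_access_in"
%PIX-3-305005: No translation group found for udp src dmz:192.0.2.40/1024 dst outside:198.51.100.1/53
"""

# Destination port -> bucket, mirroring the counters in the Perl script.
PORT_CATEGORY = {
    23: 'telnet', 2323: 'telnet',
    445: 'samba', 137: 'samba', 138: 'samba', 139: 'samba',
    111: 'rpc', 587: 'port587', 22: 'ssh',
    21: 'ftp', 69: 'ftp', 53: 'dns', 25: 'email',
    143: 'imap', 110: 'imap', 80: 'http', 443: 'http',
}

# One regex that pulls out protocol, interfaces, addresses and ports of a Deny message.
DENY_RE = re.compile(
    r'Deny (?P<proto>tcp|udp) src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dport>\d+)')

# Messages that are not Deny lines but are still routine enough to bucket.
OTHER_PATTERNS = [
    ('bigdns', re.compile(r'exceeds configured limit')),
    ('notrans', re.compile(r'No translation group found')),
    ('mssexceeded', re.compile(r'reason: MSS exceeded')),
]


def classify(line):
    """Return the bucket name for one log line, or 'other' if nothing routine matched."""
    m = DENY_RE.search(line)
    if m and m['src_if'] == 'outside':
        dport = int(m['dport'])            # exact integer compare: 220 is not 22
        if dport in PORT_CATEGORY:
            return PORT_CATEGORY[dport]
        if dport > 1023:
            # e.g. deny-oi-udp-gt1023: outside -> inside, udp, high port
            return f"deny-o{m['dst_if'][0]}-{m['proto']}-gt1023"
    for name, pattern in OTHER_PATTERNS:
        if pattern.search(line):
            return name
    return 'other'


def summarise(log_text):
    """Count lines per bucket and collect the unbucketed ones for a human to read."""
    counts = Counter()
    residue = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        bucket = classify(line)
        counts[bucket] += 1
        if bucket == 'other':
            residue.append(line)
    return counts, residue


if __name__ == '__main__':
    counts, residue = summarise(SAMPLE_LOG)
    for name, n in counts.most_common():
        print(f'{name:>22} = {n}')
    print('\nLines still needing a human:')
    for line in residue:
        print(' ', line)
```

Run against the sample, the two telnet probes, the SMB probe, the high-port UDP line and the ssh probe are all bucketed, and only the connection to port 220 survives to the "still needing a human" list, which is exactly the kind of oddity the post says the script was meant to surface.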

That program eliminated the commonest logs. For example, more than half of the logs are telling me about an attempt to telnet to one of my servers. Which is not going to happen, but they wouldn't be doing it unless it works sometimes, so there must be a lot of unsecured things on the internet that you can telnet to. I'd guess that a lot of them are light bulbs or other stupid things that the vendor likes to claim "you can control it with your smartphone" and hasn't bothered with any silly security stuff. I mean, if your light bulb gets hacked, so what? Well, "so what" is that it can be used as part of a botnet, sending out spam or doing DDoS (distributed denial of service) attacks.


It got the 1/3 million logs down to under 1000, and I could actually check those, and in doing so, I did find some minor misconfigurations of my network.

- some of my servers were using the wrong place to get their daily time check
- some of my servers were being advertised as mail servers, but the firewall wasn't allowing inbound email - that's because it will *all* be spam, I'll explain why later
- one of the rules in my firewall was in the wrong place, after the "deny everything else" rule, and, obviously, there's no point in having a rule after that. So I moved the rule to where it should have been.

So, minor stuff (if there had been anything major, I'd have noticed it before). But it's nice to have everything hunky-dory.

Now, about that spam.

If you do "dig mx" then you'll see in the answer section:

    3600    IN    MX    5
    3600    IN    MX    2

Or you might see:

    3600    IN    MX    2
    3600    IN    MX    5

What a mail sender is supposed to do is choose the lowest-numbered server (in this case, the one with preference 2) and send the mail there. If that server isn't responding, then you go to the next one up, in this case the one with preference 5. And you can have any number of these. Google has five.

But spammers don't care about the ranking, they just send the spam to the first on the list. So, if you have a list of ten mail servers, everything that goes to the ones that aren't the lowest numbered one is spam!

Isn't that handy?

So for most of my email, I run a dozen mail servers. Anything that isn't sent to the first two is 100% spam. It's a nice way to sort it out. And, of course, most of those servers can be fictitious.
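The MX-preference rule above, as an added Python example (not the author's code or setup): sort the records the way a conforming sender must, contrast that with a sender that just takes the first record as returned, and flag deliveries that arrived at any MX outside the lowest two preferences. The domain, host names and delivery list are constructed for the example; the author's real zone is not shown in the post.

```python
# Constructed MX records for an example zone, in the order a resolver might return them.
# (host, preference): lower preference must be tried first.
MX_RECORDS = [
    ("mx5.example.net.", 5),
    ("mx2.example.net.", 2),
    ("decoy-a.example.net.", 10),
    ("decoy-b.example.net.", 20),
]


def mx_order(records):
    """Hosts in the order a conforming sender tries them: ascending preference, name as tie-break."""
    return [host for host, _pref in sorted(records, key=lambda r: (r[1], r[0]))]


def conforming_sender_choice(records, reachable):
    """A sender that follows the rules: the lowest-preference MX that is answering, else None."""
    for host in mx_order(records):
        if host in reachable:
            return host
    return None


def naive_sender_choice(records):
    """The behaviour the post attributes to spammers: first record as listed, ranking ignored."""
    return records[0][0]


def is_suspect_delivery(records, receiving_host, trusted_count=2):
    """True if mail arrived at an MX outside the lowest `trusted_count` preferences."""
    return receiving_host not in mx_order(records)[:trusted_count]


def sort_deliveries(records, deliveries, trusted_count=2):
    """Split (receiving_host, message_id) pairs into (accepted, spam) lists."""
    accepted, spam = [], []
    for host, msg_id in deliveries:
        (spam if is_suspect_delivery(records, host, trusted_count) else accepted).append(msg_id)
    return accepted, spam


if __name__ == "__main__":
    # Constructed delivery log: which MX each message showed up at.
    deliveries = [
        ("mx2.example.net.", "msg-1"),
        ("mx5.example.net.", "msg-2"),
        ("decoy-a.example.net.", "msg-3"),
        ("decoy-b.example.net.", "msg-4"),
    ]
    print("conforming sender picks:", conforming_sender_choice(MX_RECORDS, {"mx2.example.net.", "mx5.example.net."}))
    print("naive sender picks:     ", naive_sender_choice(MX_RECORDS))
    accepted, spam = sort_deliveries(MX_RECORDS, deliveries)
    print("accepted:", accepted)
    print("spam:    ", spam)
```

Note that the decoy hosts need never exist as real mail servers, as the post says; the check only needs to know which MX a message arrived at, so it is the receiving side that applies it, and a sender that honours the preferences will never be caught by it.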
