• how to get the IP and the host name on the same log line

    From mark lewis@VERT to all on Thursday, June 20, 2019 23:01:18
    a domain hosted in the cloud somewhere has been scanning my system... pretty aggressively at times... they're a known infosec related domain but no one that knows anything can/will confirm who the domain is and what their scans are for... supposedly they are good but we can't really tell by the available information...

    so, what i've done, since i don't care to play their game, was to whip up a little script that grabbed all the log lines with that questionable domain in them... because we want to block them in the perimeter firewall, we need to know the IP of the scanner instances... apparently these scanner instances spin up and down as necessary so grabbing the domain names and looking them up later returns NXDOMAIN which means that idea won't work...

    i noted that in the logs there were lines like

    term Node 1 Telnet c87-118-38-247.dataguard.no [87.118.38.247]

    so the idea now is to search out

    .*badactor.invalid \[.*\]

    and then cut the IP out of the [] so they can be sorted and run through uniq and then added to my firewall rules...

    to do this i've modified my sbbs source code for the files containing "Hostname:" since that seems to be consistent and it makes the searching easier...

    these files and lines were easily adjusted like so


    ftpsrvr.c:3099: lprintf(LOG_INFO,"%04d Hostname: %s [%s]", sock, host_name, host_ip);

    mailsrvr.c:1005: lprintf(LOG_INFO,"%04d %s Hostname: %s [%s]", socket, client.protocol, host_name, host_ip);

    mailsrvr.c:2922: lprintf(LOG_INFO,"%04d %s Hostname: %s [%s]", socket, client.protocol, host_name, host_ip);

    main.cpp:5697: lprintf(LOG_INFO,"%04d %s Hostname: %s [%s]", client_socket, client.protocol, host_name, host_ip);


    but these ones are not so easily adjusted in the same manner...


    services.c:1010: lprintf(LOG_INFO,"%04d %s Hostname: %s"

    services.c:1391: lprintf(LOG_INFO,"%04d %s Hostname: %s"

    userdat.c:2800: fprintf(fp,"; Hostname: %s\n",host);

    websrvr.c:6299: lprintf(LOG_INFO,"%04d Hostname: %s", session.socket, host_name[0] ? host_name : STR_NO_HOSTNAME);


    i'm not worried about userdat but would like to get services.c and websrvr.c to use the "Hostname: domain [IP]" format... i tried adding " [%s]" and "host_ip" as i did in the ftpsrvr.c, mailsrvr.c, and main.cpp files listed above but of course the compiler complains that host_ip is not valid...

    so my question is how can i get the IP output in "Hostname: badactor.invalid [www.xxx.yyy.zzz]" format in the three log lines in services.c and websrvr.c?

    )\/(ark

    Always Mount a Scratch Monkey
    Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
    ... Better to live with one spider than many bugs.
    ---
    * Origin: (1:3634/12.73)
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From Digital Man@VERT to mark lewis on Thursday, June 20, 2019 20:55:12
    Re: how to get the IP and the host name on the same log line
    By: mark lewis to all on Thu Jun 20 2019 04:01 pm

    > i'm not worried about userdat but would like to get services.c and websrvr.c to use the "Hostname: domain [IP]" format... i tried adding " [%s]" and "host_ip" as i did in the ftpsrvr.c, mailsrvr.c, and main.cpp files listed above but of course the compiler complains that host_ip is not valid...
    >
    > so my question is how can i get the IP output in "Hostname: badactor.invalid [www.xxx.yyy.zzz]" format in the three log lines in services.c and websrvr.c?

    The variable 'host_ip' was just not valid in those contexts.

    The key is to look for where the IP address is actually used/logged (in text form) before or after the code where you want to use it. In websrvr.c, I saw the use of 'session.host_ip' (in a SAFECOPY operation, so I know it's a string) - so I just used that variable instead of 'host_ip'.

    In services.c, it was a little more complicated because we used a function (inet_addrtop) to convert the IP address from binary to text and store the result in 'client.addr', but that was done *after* the line you wanted to modify. So I just moved that initialization of client.addr to *before* the block of code you wanted to modify and then use 'client.addr' where you were wanting to use 'host_ip'.

    digital man

    Synchronet/BBS Terminology Definition #56:
    REP = QWK Reply
    Norco, CA WX: 68.7F, 75.0% humidity, 10 mph E wind, 0.00 inches rain/24hrs

    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From mark lewis@VERT to Digital Man on Friday, June 21, 2019 01:05:54
    On 2019 Jun 20 13:55:12, you wrote to me:

    >> so my question is how can i get the IP output in "Hostname:
    >> badactor.invalid [www.xxx.yyy.zzz]" format in the three log lines in
    >> services.c and websrvr.c?

    > The variable 'host_ip' was just not valid in those contexts.

    yeah, that's what the compiler told me :)

    > The key is to look for where the IP address is actually used/logged
    > (in text form) before or after the code where you want to use it.

    that's how i found host_ip where i did use it...

    > In websrvr.c, I saw the use of 'session.host_ip' (in a SAFECOPY
    > operation, so I know it's a string) - so I just used that variable
    > instead of 'host_ip'.

    ahhh... i don't remember if i saw that or not...

    > In services.c, it was a little more complicated because we used a
    > function (inet_addrtop) to convert the IP address from binary to text
    > and store the result in 'client.addr', but that was done *after* the
    > line you wanted to modify.

    ahhhh...

    > So I just moved that initialization of client.addr to *before* the
    > block of code you wanted to modify and then use 'client.addr' where
    > you were wanting to use 'host_ip'.

    excellent! thanks for the update, too... this'll enable me to cut out some ugly LOC in the scripts i've been using... it should now enable me to grab all of their IPs when they visit... i've caught over 100 of them but they still sneak in with others since my script couldn't easily root them out for the blocklist...

    thanks!

    )\/(ark

    Always Mount a Scratch Monkey
    Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
    ... Life is the variety of spice.
    ---
    * Origin: (1:3634/12.73)
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From Digital Man@VERT to mark lewis on Thursday, June 20, 2019 22:16:37
    Re: how to get the IP and the host name on the same log line
    By: mark lewis to Digital Man on Thu Jun 20 2019 06:05 pm

    > excellent! thanks for the update, too... this'll enable me to cut out some

    No problem.

    digital man

    This Is Spinal Tap quote #1:
    Nigel Tufnel: These go to eleven.
    Norco, CA WX: 68.8F, 75.0% humidity, 4 mph E wind, 0.00 inches rain/24hrs

    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From Va7aqd@VERT/VA7AQDS to mark lewis on Friday, June 21, 2019 00:01:51
    Re: how to get the IP and the host name on the same log line
    By: mark lewis to all on Thu Jun 20 2019 04:01 pm

    > a domain hosted in the cloud somewhere has been scanning my system... pretty aggressively at times... they're a known infosec
    > term Node 1 Telnet c87-118-38-247.dataguard.no [87.118.38.247]

    You may be looking for a broader solution, but why not just block the network in question?

    iptables -I INPUT -s 87.118.32.0/19 -j DROP

    Are they doing this from multiple networks?

    ---
    Synchronet VA7AQD's Tavern - bbs.isurf.ca
  • From mark lewis@VERT to Va7aqd on Friday, June 21, 2019 05:32:20
    On 2019 Jun 20 17:01:50, you wrote to me:

    >> a domain hosted in the cloud somewhere has been scanning my system...
    >> pretty aggressively at times... they're a known infosec [...]
    >> term Node 1 Telnet c87-118-38-247.dataguard.no [87.118.38.247]

    > You may be looking for a broader solution, but why not just block the network in question?

    the line given above is not the "bad actor"... it is an example only... plus the "bad actor" is hosted on a cloud network that provides VMs... i don't want to block the whole thing because i know that some other BBS operators are on the same network... that's why i've chosen to grab the IPs and add them to my block list...

    > Are they doing this from multiple networks?

    not that i know of... all of the IPs they are using resolve to the bad actor's domain at the time the IP is in use...

    )\/(ark

    Always Mount a Scratch Monkey
    Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
    ... A garden is the purest of human pleasures. (F. Bacon)
    ---
    * Origin: (1:3634/12.73)
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From Va7aqd@VERT/VA7AQDS to mark lewis on Friday, June 21, 2019 16:38:07
    Re: how to get the IP and the host name on the same log line
    By: mark lewis to Va7aqd on Thu Jun 20 2019 10:32 pm

    > the line given above is not the "bad actor"... it is an example only... plus the "bad actor" is hosted on a cloud network that
    > provides VMs... i don't want to block the whole thing because i know that some other BBS operators are on the same network...
    > that's why i've chosen to grab the IPs and add them to my block list...

    Ah, fair enough... most of the blocking I do tends to be "Oh, Russia? China? buh-bye..."

    Were you able to get the log management sorted to your liking?

    ---
    Synchronet VA7AQD's Tavern - bbs.isurf.ca
  • From mark lewis@VERT to Va7aqd on Saturday, June 22, 2019 16:41:52
    On 2019 Jun 21 09:38:06, you wrote to me:

    >> the line given above is not the "bad actor"... it is an example only...
    >> plus the "bad actor" is hosted on a cloud network that provides VMs...
    >> i don't want to block the whole thing because i know that some other
    >> BBS operators are on the same network... that's why i've chosen to
    >> grab the IPs and add them to my block list...

    > Ah, fair enough... most of the blocking I do tends to be "Oh, Russia? China? buh-bye..."

    yeah, i do that in smaller blocks as needed depending on the attack/probe being seen...

    > Were you able to get the log management sorted to your liking?

    yup! it is a lot easier now to grab the domain and IP together and split them out...

    sudo zgrep -E -e "^.* sestar sbbs: .*Hostname: .*BADACTORDOMAINHERE.* \
    \[([0-9]{1,3}[\.]){3}[0-9]{1,3}\]" /var/log/syslog* | \
    cut -d "[" -f 2 | cut -d "]" -f 1 | sort -V | uniq

    that'll walk through all your syslogs, live and archived, find the BADACTORDOMAIN matches and then cut out everything except the IPs which come out in a nice sorted list...

    before i was having to use -B1 on the grep line to get the line before the match and then cross my fingers that it was the line with the IP but that was a crapshoot since the logging may have lines from other sbbs services mixed and interleaved... this new format means i won't miss any anymore :)

    )\/(ark

    Always Mount a Scratch Monkey
    Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
    ... Happy Holidays and a Wonderful 2009 to you and yours!
    ---
    * Origin: (1:3634/12.73)
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
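
The extraction step from the last message, as an added example that is not part of the thread or of Synchronet: it reads "Hostname: name [ip]" lines, matches the logged hostname against the domain as a literal suffix on a label boundary (so the dots are not regex wildcards and lookalike names are skipped), and keeps only well-formed IPv4 addresses. The function names, the `badactor.invalid` placeholder and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): pull blocklist candidates out of
# "Hostname: name [ip]" log lines. Sample lines and names are constructed.

# Print unique, numerically sorted IPv4 addresses whose logged hostname is
# exactly DOMAIN or a subdomain of it. Log lines are read from stdin.
extract_ips() {
    awk -v dom="$1" '
    {
        i = index($0, "Hostname: ")
        if (i == 0) next
        # After the marker the line reads: <hostname> [<ip>]
        if (split(substr($0, i + 10), f, " ") < 2) next
        host = tolower(f[1]); ip = f[2]; d = tolower(dom)
        # Literal suffix compare on a label boundary: the dots in DOMAIN are
        # not regex wildcards and "notbadactor.invalid" does not match.
        hl = length(host); dl = length(d)
        if (host != d && !(hl > dl && substr(host, hl - dl) == ("." d))) next
        # Require a bracketed dotted quad with every octet in 0..255.
        if (substr(ip, 1, 1) != "[" || substr(ip, length(ip)) != "]") next
        ip = substr(ip, 2, length(ip) - 2)
        if (split(ip, o, ".") != 4) next
        for (k = 1; k <= 4; k++)
            if (o[k] !~ /^[0-9]+$/ || length(o[k]) > 3 || o[k] + 0 > 255) next
        print ip
    }' | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n -u
}

# Constructed syslog lines in the modified format (documentation addresses).
sample_log() {
    cat <<'EOF'
Jun 21 10:00:01 sestar sbbs: term 0012 Telnet Hostname: scan1.badactor.invalid [192.0.2.10]
Jun 21 10:00:02 sestar sbbs: ftp  0013 Hostname: host7.example.net [198.51.100.20]
Jun 21 10:00:03 sestar sbbs: web  0014 Hostname: scan2.badactor.invalid [192.0.2.9]
Jun 21 10:00:04 sestar sbbs: mail 0015 SMTP Hostname: scan1.badactor.invalid [192.0.2.10]
Jun 21 10:00:05 sestar sbbs: web  0016 Hostname: notbadactor.invalid [198.51.100.7]
Jun 21 10:00:06 sestar sbbs: web  0017 Hostname: x.badactor.invalid [999.1.1.1]
Jun 21 10:00:07 sestar sbbs: web  0018 Hostname: badactorxinvalid.example [203.0.113.5]
EOF
}

sample_log | extract_ips badactor.invalid
```

Against real logs the input would come from something like `zcat -f /var/log/syslog*`; the numeric per-octet sort keys stand in for `sort -V`, which is a GNU extension.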