May 14, 2010

Strangers Knocking at the Door

Posted in Uncategorized at 12:30 pm by dgcombs

Using Cisco's implementation of TACACS to authenticate network engineers and support folks gives us a number of security options. First, we can separate those who need real configuration access from those who only need to see how things are working. Second, within each group, TACACS lets you specify which commands are permitted and which are completely verboten. Third, and most interesting, it lets you see when someone's login is failing.

Most of us with a userid and password have accidentally typed in the wrong password once in a while. And occasionally, the cryptic character combination that the IT folks divined to uniquely identify me gets some dyslexic treatment. But when the number of failed logins reaches into the hundreds an hour, there's something wrong.

To figure out what, I pressed a couple of old friends into service. I configured my TACACS servers to forward any log messages about failed login attempts to my firewall log server. Then I installed Tenshi. Tenshi watches log files and collects matching lines into little groups. Based on the configuration, it can send out a regular email with the collected logs or, if it's important, it can send an email out immediately. I watched with amusement for a few days as I could tell which of the engineers were missing characters from their userid or had their caps lock turned on by mistake.

Then late on a Sunday, I started seeing a lot of errors. They were from userids I didn't recognize. And they were coming from Langfang University in Hebei, China. Oh, to be a college student again! This is when I hoisted out the big guns, SWATCH.

SWATCH started life as a simple watchdog. It watches the same syslog entries that Tenshi does, but when it finds something defined in the configuration file, it can fire off another script. I used this feature to execute a Python script that parses the information in the log message and inserts it into a MongoDB database. Now I could both keep my eye on what was happening with Tenshi and measure what was going on with Swatch!

Swatch, unlike Tenshi, doesn't come with a default configuration. You are on your own! I opted for a relatively simple configuration file for my needs. I only wanted it to do something when a failed login happened, and I wanted the whole message to be sent to my Python program.

watchfor /CisACS_02_FailedAuth/
        exec "/usr/local/metrics/swatch.py $_"

The "$_" portion sends the whole log line. According to the Swatch manual page, you can send just certain sections of the message to your script, but that didn't seem to work.

In Python, I parsed the message looking for three things: where the login attempt was coming from (this would be our bored college student looking for something to fill his day), what system he was trying to access, and the userid he was trying to use. Of course, having used Perl before, my first instinct was to use a regular expression to extract these bits of information. I was warned against this by some older, wiser Python programmers. They suggested I simply use the string methods. What do you know! That worked quite well.

import sys

# Swatch hands the whole log line to this script through "$_"; the shell
# splits it on whitespace, so each word is inspected for the fields we want.
args = sys.argv[1:]

# Default to None so a missing field is visible instead of raising NameError.
thisUser = thisCaller = thisNAS = None

for a in args:
    if a.find('User-Name=') != -1:
        thisUser = a.replace('User-Name=', '')
        # don't break but keep looking for the caller and the NAS
    if a.find('Caller-ID=') != -1:
        thisCaller = a.replace('Caller-ID=', '')
    if a.find('NAS-IP-Address=') != -1:
        thisNAS = a.replace('NAS-IP-Address=', '')
# No early break: all three fields are collected whatever order ACS emits them in.

After inserting this information in the MongoDB database, I started running a few reports and came up with a cross connection. One of our engineers had been working on the network-attached system on Saturday. I gave him a call. "Not me! Nope. I had nothing to do with it." was his response. When I printed out the reports and showed him the evidence, he took another look. "Oh, that IP address!" Turns out he'd been troubleshooting the system on Saturday and had forgotten to reload the access control list that would have properly blocked access, leaving our bored college student with nothing to do over the weekend but study.
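As an added example (not the post's own script, and not anything from Swatch or Cisco ACS), here is a small, self-contained version of the parse-and-report step described above: it pulls the userid, the source (Caller-ID) and the target device (NAS-IP-Address) out of a CisACS_02_FailedAuth line, builds the document one would hand to MongoDB, and then runs the kind of report that surfaced the cross connection, counting failures per source and flagging any source that either fails too often or cycles through too many userids. The log lines are constructed for the example and only imitate the comma-separated key=value layout the post's script walks; the field names, the thresholds and the idea of splitting on commas rather than whitespace are assumptions, and the pymongo insert is left as a comment so the code runs offline.

```python
from collections import Counter, defaultdict

# Constructed sample syslog lines (not real ACS output). One engineer typo from
# the inside network, then one outside address working through several userids,
# and one successful login that the parser must ignore.
SAMPLE_LOGS = [
    "May  9 23:10:01 acs1 CisACS_02_FailedAuth 0001 1 0 Message-Type=Authen failed,"
    "User-Name=engineer1,NAS-IP-Address=10.1.1.1,Caller-ID=10.20.30.40,"
    "Authen-Failure-Code=Invalid password",
    "May  9 23:11:07 acs1 CisACS_02_FailedAuth 0002 1 0 Message-Type=Authen failed,"
    "User-Name=admin,NAS-IP-Address=10.1.1.1,Caller-ID=203.0.113.5,"
    "Authen-Failure-Code=Unknown user",
    "May  9 23:11:09 acs1 CisACS_02_FailedAuth 0003 1 0 Message-Type=Authen failed,"
    "User-Name=root,NAS-IP-Address=10.1.1.1,Caller-ID=203.0.113.5,"
    "Authen-Failure-Code=Unknown user",
    "May  9 23:11:12 acs1 CisACS_02_FailedAuth 0004 1 0 Message-Type=Authen failed,"
    "User-Name=cisco,NAS-IP-Address=10.1.1.1,Caller-ID=203.0.113.5,"
    "Authen-Failure-Code=Unknown user",
    "May  9 23:11:15 acs1 CisACS_02_FailedAuth 0005 1 0 Message-Type=Authen failed,"
    "User-Name=test,NAS-IP-Address=10.1.1.1,Caller-ID=203.0.113.5,"
    "Authen-Failure-Code=Unknown user",
    "May  9 23:12:00 acs1 CisACS_01_PassedAuth 0006 1 0 Message-Type=Authen OK,"
    "User-Name=engineer1,NAS-IP-Address=10.1.1.1,Caller-ID=10.20.30.40",
]

# The fields the post's script cares about, plus the failure reason.
FIELDS = ("User-Name", "NAS-IP-Address", "Caller-ID", "Authen-Failure-Code")


def parse_failed_auth(line):
    """Return a dict of the interesting fields, or None for non-failure lines.

    Splits on commas (assumed layout) so values containing spaces survive;
    anything before the first comma is the syslog header and is skipped
    because its 'key' is not one of FIELDS.
    """
    if "CisACS_02_FailedAuth" not in line:
        return None
    record = {}
    for chunk in line.split(","):
        key, sep, value = chunk.partition("=")
        key = key.strip()
        if sep and key in FIELDS:
            record[key] = value.strip()
    return record


def mongo_document(line):
    """Shape the record the way it would be inserted into the collection."""
    rec = parse_failed_auth(line)
    if rec is None:
        return None
    return {
        "user": rec.get("User-Name"),
        "nas": rec.get("NAS-IP-Address"),
        "source": rec.get("Caller-ID"),
        "reason": rec.get("Authen-Failure-Code"),
        "raw": line,
    }
    # With pymongo this would be: collection.insert_one(doc)  (not run here)


def failures_by_source(lines):
    """Count failed logins per Caller-ID and collect the userids tried."""
    counts = Counter()
    users = defaultdict(set)
    for line in lines:
        rec = parse_failed_auth(line)
        if rec is None:
            continue
        src = rec.get("Caller-ID", "unknown")
        counts[src] += 1
        users[src].add(rec.get("User-Name", ""))
    return counts, users


def suspicious_sources(lines, max_failures=10, max_users=3):
    """Sources that fail too often, or try too many different userids.

    A typo-prone engineer keeps retrying one userid; guessing from outside
    tends to walk through many. Thresholds are assumptions, tune to taste.
    """
    counts, users = failures_by_source(lines)
    return sorted(
        src for src, n in counts.items()
        if n >= max_failures or len(users[src]) >= max_users
    )


if __name__ == "__main__":
    counts, users = failures_by_source(SAMPLE_LOGS)
    for src, n in counts.most_common():
        print(f"{src:15} {n:3} failures, userids tried: {sorted(users[src])}")
    print("flagged:", suspicious_sources(SAMPLE_LOGS))
```

Run as-is it reports one failure for the inside address and four for 203.0.113.5, and flags only the latter because it cycled through four userids. The same per-source and per-NAS counts are what a MongoDB report over the inserted documents would give, and joining the flagged source to the NAS it was hitting is exactly the cross connection that pointed at the device whose access list had not been reloaded.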

Posted via web from Meyeview
