MOAN - Monitor On A Network

This utility reads the IP Filter log file created by ipmon as a tailed file. It will then analyze the incoming data packets, and recognize port scans by making a table of IP addresses and connection attempts to blocked ports. A threshold is set for the number of failed connection attempts. After the threshold is reached, action can be taken, such as email the admin, dynamically enter the ip address into the firewall rules as a block rule, or other functions you may end up writing.

Requirements:

 o File::Tail, available from CPAN.
 o IP Filter and ipmon.
 o ipmon running with hostname resolution disabled.

Instructions using IP Filter:

Edit the source to fit your environment, specifically the constants. You'll need to tell MOAN the locations of your IP Filter rules file, the ipmon log file, the network interface, the ipf binary, and things like that. Also, you'll need to run ipmon with hostname resolution turned off. You can run another ipmon with hostname resolution turned on, logging to a different log file, if you need it.

Edit the line in the script that says 'my @SAFE_IP = qw ()' to include your localhost, local interface IP addresses, DNS servers, and gateway. You can also use prefix strings such as '10.', '172.16.', '192.168.1.' or '127.'; the check simply matches the beginning of the source address against each entry in the list.

You'll need to run IP Filter and ipmon. IP Filter should have block rules with logging enabled. I run it on FreeBSD with the following in /etc/rc.conf:

 ipfilter_enable="YES"
 ipfs_enable="YES"
 ipmon_enable="YES"
 ipmon_flags="-Dvp /var/log/ipmon.log"

Then, run MOAN from the command line or a startup script:

 ./moan.pl

or to run as a daemon:

 ./moan.pl -D

You can include your email address as such:

 ./moan.pl -D -e you@your.domain

If you hard code the email address into the script, don't forget to escape the '@' (Example: you\@your.domain).

Also, you can dump the port scan table by sending SIGUSR1 to the process (kill -USR1 on its process ID).

Port scan function:

MOAN relies on IP Filter and ipmon to log and block. Create block-and-log rules in the IP Filter rules file. Once an IP has been entered in a block rule, logging its further connection attempts serves no purpose, so the block rule MOAN writes does not contain 'log'. After an IP is blocked this way, it no longer matches the logging rules, so it is not seen in the log and not processed again.
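The core of the detection described here and in the @SAFE_IP section above, as an added example written in Python for illustration (it is not the moan.pl code): parse ipmon lines, skip pass rules and safe prefixes, count blocked attempts per source address, and report an address once when it reaches the threshold. The ipmon line layout, the SAFE_IP values, the threshold and the sample log lines are all assumed or constructed.

```python
import re
from collections import defaultdict

# Never flag these; matched against the start of the source address, like @SAFE_IP (assumed values).
SAFE_IP = ("127.", "192.168.1.", "10.0.0.1")
THRESHOLD = 3  # blocked attempts before an address is reported

# ipmon text line: date time iface @group:rule action src,port -> dst,port PR proto ...
# (layout assumed from ipmon's default output with hostname resolution off)
LINE_RE = re.compile(
    r"^\S+ \S+ \S+ @\d+:\d+ (?P<action>[bpBP]) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+),\d+ -> (?P<dst>\d+\.\d+\.\d+\.\d+),(?P<dport>\d+) PR"
)

def is_safe(ip, safe=SAFE_IP):
    return any(ip.startswith(prefix) for prefix in safe)

class ScanTable:
    def __init__(self, threshold=THRESHOLD):
        self.threshold = threshold
        self.attempts = defaultdict(list)  # source ip -> blocked destination ports seen
        self.blocked = set()               # addresses already acted on

    def feed(self, line):
        # Process one log line; return the source ip if it just reached the threshold.
        m = LINE_RE.match(line)
        if m is None or m["action"] not in ("b", "B"):
            return None                    # unparsable, or a pass rule: ignore
        src = m["src"]
        if is_safe(src) or src in self.blocked:
            return None                    # safe hosts are skipped; an ip is processed once
        self.attempts[src].append(int(m["dport"]))
        if len(self.attempts[src]) >= self.threshold:
            self.blocked.add(src)          # here MOAN would mail the admin or write a block rule
            return src
        return None

# Constructed sample log; the last line is a buffering duplicate of the one before it.
SAMPLE_LOG = """\
17/10/2003 10:00:01.000001 fxp0 @0:5 b 203.0.113.7,40001 -> 198.51.100.2,21 PR tcp len 20 60 -S IN
17/10/2003 10:00:01.000002 fxp0 @0:1 p 192.168.1.20,51000 -> 198.51.100.2,80 PR tcp len 20 60 -S IN
17/10/2003 10:00:01.000003 fxp0 @0:5 b 192.168.1.20,51001 -> 198.51.100.2,23 PR tcp len 20 60 -S IN
17/10/2003 10:00:01.000004 fxp0 @0:5 b 203.0.113.7,40002 -> 198.51.100.2,22 PR tcp len 20 60 -S IN
17/10/2003 10:00:01.000005 fxp0 @0:5 b 203.0.113.7,40003 -> 198.51.100.2,23 PR tcp len 20 60 -S IN
17/10/2003 10:00:01.000005 fxp0 @0:5 b 203.0.113.7,40003 -> 198.51.100.2,23 PR tcp len 20 60 -S IN
""".splitlines()

def run(lines=SAMPLE_LOG, threshold=THRESHOLD):
    # Feed every line; return the flagged addresses (in order) and the table.
    table = ScanTable(threshold)
    flagged = [ip for ip in (table.feed(line) for line in lines) if ip]
    return flagged, table
```

Only 203.0.113.7 is reported, exactly once: the pass line and the safe 192.168.1.20 source are ignored, and the duplicated final line is dropped because the address is already in the blocked set.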

Version history:

0.1 - Works with IP Filter and ipmon.

0.2 - Patch to untaint input data; Updated documentation; Added safe IP list.

0.2.1 - Small maintenance; STDERR to MOAN log file.

0.3 - Rewrote some functions; Untainted gethostbyaddr for Email function.

0.4 - Added CleanHostname function; Utilizing @SAFE_IP list to process an IP only once.

0.5 - Fixed main routine to be more modular; Cleaned up output; Added IP string matching.

0.6 - Added routine to dump port scan table to STDOUT after a kill -USR1.

To do:

 o Investigate methods of flushing the buffer.
 o Incorporate a function to tail tcpdump.

Known issues:

 o Because of buffering, an IP may be processed more than once. There is a check when writing a new block rule, though, so the same line won't be written twice to the rules file.