Franco Borgo

Q: Log analyzer?

I have a server installed for fun and to learn.

Over the year, it was under attack many times.

The problem is that I don't spend a lot of time checking the logs, so it takes a long time before I realize it.

Is there a log analyzer or something that would alert when there is a problem, like an IP trying passwords for many hours?

Posted on May 7, 2016 7:43 PM


  • by MrHoffman, Helpful

    MrHoffman May 8, 2016 8:43 AM in response to Franco Borgo
    Level 6 (15,627 points)
    Mac OS X

    AFAIK, there are no integrated log reduction and analysis tools within OS X Server. There are add-on tools for log analysis.

    Though OS X Server does have some firewall capabilities in this area via pfctl.

    Botnets easily bypass the usual sorts of reactive processing, however — one single test from each of a zillion hosts works as well as a zillion tests from one host, and is a whole lot harder to block. Which usually means setting up an external firewall and/or VPN services, and reducing the number of ports exposed.

    Switch to certificates where you can, and learn about what can make for effective passwords.
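As an added illustration of the kind of alerting the question asks for (this is example code written for this page, not a tool mentioned in the thread), the script below parses constructed OpenSSH-style syslog lines and applies two rules: the classic "one IP, many failures in a window" rule, and a second rule that catches the distributed case MrHoffman describes, where each host makes only one attempt but one account is hit from many sources. Hostname, timestamps and addresses in the sample are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed OpenSSH/syslog-style lines for the demo; not taken from the thread.
SAMPLE_LOG = """\
May  8 08:40:01 mini sshd[4101]: Failed password for root from 203.0.113.5 port 51234 ssh2
May  8 08:40:03 mini sshd[4102]: Failed password for root from 203.0.113.5 port 51235 ssh2
May  8 08:40:05 mini sshd[4103]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
May  8 08:40:09 mini sshd[4104]: Failed password for root from 203.0.113.5 port 51240 ssh2
May  8 08:41:00 mini sshd[4110]: Failed password for root from 198.51.100.7 port 40000 ssh2
May  8 08:41:02 mini sshd[4111]: Failed password for root from 198.51.100.8 port 40001 ssh2
May  8 08:41:04 mini sshd[4112]: Failed password for root from 198.51.100.9 port 40002 ssh2
May  8 08:42:00 mini sshd[4120]: Accepted publickey for franco from 192.0.2.20 port 50000 ssh2
"""

FAILED = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

def parse_failures(text, year=2016):
    """Return [(timestamp, user, ip), ...] for each failed-password line (syslog carries no year)."""
    events = []
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events

def per_ip_alerts(events, threshold=3, window=timedelta(minutes=10)):
    """Classic rule: a single source IP with >= threshold failures inside one sliding window."""
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    alerts = {}
    for ip, times in by_ip.items():
        times.sort()
        for i, start in enumerate(times):
            hits = sum(1 for t in times[i:] if t - start <= window)
            if hits >= threshold:
                alerts[ip] = hits
                break
    return alerts

def distributed_alerts(events, threshold=3):
    """Botnet rule: one account attacked from >= threshold distinct IPs in the slice passed in,
    even when every IP stays under the per-IP threshold (the case MrHoffman describes)."""
    ips_per_user = defaultdict(set)
    for _ts, user, ip in events:
        ips_per_user[user].add(ip)
    return {u: len(ips) for u, ips in ips_per_user.items() if len(ips) >= threshold}
```

On the sample, the per-IP rule flags only 203.0.113.5, while the distributed rule flags the root account because the three 198.51.100.x hosts each tried once and would otherwise go unnoticed.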

  • by Franco Borgo

    Franco Borgo May 8, 2016 9:08 AM in response to MrHoffman
    Level 1 (65 points)
    Mac OS X

    The problem is that the mini gets overloaded and my internet connection becomes slow, but because I am on a bad DSL line, that happens often. After a few days, I realized it cannot be the line, so only then did I start to check the log.

    You talk about certificates.

    I read that for SSH one should use a public/private key instead of a password, but can it also be done with a certificate?

    Are there add-ons for log analysis at a low price? :-)

    This is another question that I might ask soon in another thread.

    I would like to learn about firewalls where you knock on some ports in a precise sequence to tell the firewall to open a port,

    and

    is there a way to tell the firewall to open a port if the access comes from a particular IP?

  • by MrHoffman, Helpful

    MrHoffman May 8, 2016 9:23 AM in response to Franco Borgo
    Level 6 (15,627 points)
    Mac OS X

    If your DSL link is getting overloaded with inbound traffic into your network, then there's unfortunately nothing you can do about that. That's upstream of anything your Mac can manage, maintain or firewall.

    If you're on a dynamic IP address, as is typical, see if you can re-acquire and change your IP address at your DSL modem. If you're on a static IP address and your DSL is getting flooded, that's problematic, and any firewalling here necessarily involves your ISP.

    It's possible that your Mac is vulnerable or compromised in some way, and the traffic associated with the compromise is the issue here. There are various so-called reflection attacks, where smaller amounts of inbound traffic trigger much larger volumes of outbound traffic from your server. This can drown your bandwidth, as the attackers will flood your inbound and your server will flood your outbound. These reflection attacks can happen with various protocols including NTP and DNS — none of the associated ports should be open to the Internet from your server.

    Servers directly on the internet — if they're not maintained and secured — are a playground for attackers. This means applying software updates, and carefully limiting the open ports on the server or on the local network firewall, either in the DSL modem or a separate device located between the DSL modem and the server.

    If the server is breached, all bets are off. There's no reliable means to decontaminate a compromised server short of wiping and installing from known-good distribution kits. Do not carry over any applications or tools from the existing configuration if the server has been compromised.

  • by Franco Borgo

    Franco Borgo May 8, 2016 9:27 AM in response to MrHoffman
    Level 1 (65 points)
    Mac OS X

    Thank you for an impressively fast response (a lot better than me versus my firewall log :-)

    When I see the attack, I close all ports, and then after a while the attack stops.

    Every few days my IP does change, but forcing an IP change does not always work with my provider, and then I have to wait.

    The problem is always the delay between the beginning of the attack and my reaction :-)

    That is why I was looking for an alert from the firewall.

  • by MrHoffman

    MrHoffman May 8, 2016 9:42 AM in response to Franco Borgo
    Level 6 (15,627 points)
    Mac OS X

    I'd start closing ports, in general. You're not going to succeed with closing ports and then re-opening them later if there's something misconfigured or wrong or vulnerable with the services behind those ports. It's possible for a single server to scan all of the IPv4 address space in a few minutes or less, looking for open ports. The botnets can scan much faster than that.

    Which ports are being targeted?

    Which ports do you absolutely need open?

    Which ports can you re-locate — such as ssh — or otherwise protect — via VPN or outboard firewall — to reduce the log chatter?

  • by Franco Borgo

    Franco Borgo May 8, 2016 10:17 AM in response to MrHoffman
    Level 1 (65 points)
    Mac OS X

    Oops, it seems the important logs don't have more than 7 days' worth of history.

    I don't remember which service was the target of the attack, but I remember it was not screen sharing or ssh.

    I don't use the mail server. Might have been 548.

    I keep open ports to a minimum, and I only open ports when needed, but some are open often.

    I do redirect some of the ports to force a larger scan, but with time every open port will be found.

    That is why I was looking into the knock function of firewalls: knock on ports in a special sequence, and this will indicate to the firewall to open another port,

    which is a little bit better than remotely administering the firewall (from what I understand).

  • by MrHoffman, Solved answer

    MrHoffman May 8, 2016 10:34 AM in response to Franco Borgo
    Level 6 (15,627 points)
    Mac OS X

    If you have AFP TCP port 548 open, close it.

    You're referring to port knocking. That works. You'll have to install and configure that.

    A commercial or open-source firewall running on some old spare box can work as well or better — particularly given that an explicit login on the firewall is then required to change settings, whereas an accidental or unintentional software change or a software bug on the server can open up a port or a vulnerability.

    Various mid-grade firewalls can include an embedded VPN server, which often allows a whole host of "private" ports to be closed, and can include a DMZ capability which allows a breached server to be isolated. The VPN server avoids the need for port knocking and other details, making the remote system appear as if it were connected to the "private" LAN.

    OS X Server does include a VPN server, and any competent network firewall device can be configured for VPN pass-through.

  • by Franco Borgo

    Franco Borgo May 8, 2016 10:43 AM in response to MrHoffman
    Level 1 (65 points)
    Mac OS X

    I did go VPN for a while, but many places I go block all outgoing connections on most ports, so I can't connect directly. I don't want to discuss here the solution that I used, but I am sure you know exactly, and more than me, the kind of problems I have with some of those possible solutions. I know I did not try all of them, but like I said, I am learning :-)

  • by Franco Borgo

    Franco Borgo May 8, 2016 11:38 AM in response to MrHoffman
    Level 1 (65 points)
    Mac OS X

    To access files without 548, how do I do it?

  • by MrHoffman

    MrHoffman May 8, 2016 1:16 PM in response to Franco Borgo
    Level 6 (15,627 points)
    Mac OS X

    Franco Borgo wrote:

    To access files without 548, how do I do it?

    There are a number of services that OS X Server offers that are not services I'm willing to openly expose — that includes AFP (TCP 548), DNS, FTP, telnet, SMB, NTP, DHCP, etc.

    I use certificate-based sftp, or an L2TP/IPsec or SSL VPN for file transfers and related services. To a firewall-based VPN server, most usually.

    Some alternatives for a block-oriented file service include WebDAV via https, though that's a little more complex to set up.

    If the sites that you are attempting to access your server from block all outgoing connections — including outbound VPN access — then that's often an indication of site-specific security policies in place that block the access you're attempting. Check with the site-local IT folks and see what they recommend.

    Based on your comments here, your server is being heavily attacked, which can mean it's misconfigured, or it's exposing "interesting" or potentially vulnerable services — or actually vulnerable services.