mnwclient(1)                                                     mnwclient(1)

NAME
       mnwclient - a Perl client for myNetWatchman

SYNOPSIS
       mnwclient [-c resource_file] [-l kernel_log_file] [-e errors_log_file]
                 [-i interface]

DESCRIPTION
       mnwclient is a client for myNetWatchman.com written entirely in Perl.
       The script captures rejected-packet information from various firewall
       logs and forwards this attack information to
       http://www.mynetwatchman.com, which collects and collates attack data
       from registered "agents" and reports it to the owner of the offending
       IP address.  myNetWatchman also provides various statistics aggregated
       from the pool of agents, e.g. a "top ten" list.

       mnwclient runs as a daemon and is configurable via filter rules.

STARTING MNWCLIENT
       On SysV init systems such as Red Hat:

              /etc/rc.d/init.d/mnwclient [start|stop|restart|status]

       On other UNIX variants, execute install.sh to install the components
       into the necessary directories, and then add the following line to
       your rc.local file:

              /usr/sbin/mnwclient &

OPTIONS
       -c resource_file
              Specifies the configuration file that mnwclient will use.  If
              this parameter is not specified, the default file,
              /etc/mnwclient.rc, is used.

       -l kernel_log_file
              The log file to which the firewall logs rejected-packet data.
              If not specified, the default location is /var/log/messages.

       -e errors_log_file
              The log file to which mnwclient logs error and success
              messages.  If not specified, the default location is
              /var/log/mnwclient.log.

       -i interface
              Interface that is logged.  If not specified, the default is
              ppp0.

CONFIGURATION FILE
       Only a small set of directives is understood; they are as follows.
       The file holds your myNetWatchman login and password in clear text,
       so restrict its permissions to the user mnwclient runs as (e.g.
       chmod 600 /etc/mnwclient.rc).

              log logfile[,logfile,...]
              errors logfile
              server hostname
              port number
              proxy server:port
              login name
              password secret
              interface name
              chain name[,name,...]
              gmt hours
              retry count
              interval seconds
              dqinterval seconds
              backoff factor
              maxbackoff seconds
              fwdb filename
              fwignore address netmask mask
              addfw command
              delfw command
              addfwint seconds
              delfwint seconds
              usesql type [database login password]
              debug [level]
              quiet
              test
              filter { ... }

   Directives:
       log    Full pathname of the system logfile.  You may specify multiple
              log sources by using the comma as a delimiter.
              (default: /var/log/messages)

       errors Full pathname of the file to which client errors are logged.
              (default: /var/log/mnwclient.log)

       server Web server to contact to send HTTP data.
              (default: www.mynetwatchman.com)

       port   TCP port of the web server.  (default: 80)

       proxy  If you are using a proxy server, specify it in the format
              server:port.  (ex: fcs00mia.mia.bellsouth.net:8080)

       login  Your myNetWatchman login (required).

       password
              Your myNetWatchman password (required).  It is used to
              authenticate your uploads to the server, so do not reuse a
              password from elsewhere.

       interface
              Interface on which to capture data and forward attack
              information.  This is normally your Internet-bound (WAN)
              interface: ppp0, eth0, etc.  (default: ppp0)

       chain  Name of the chain (in ipchains and others) that holds your
              input rulesets; this is normally the input chain.  For
              iptables this is the log prefix.  You may specify multiple
              chains by delimiting them with commas, which is useful for the
              IOS format, which may have multiple input rulesets.
              (default: input)

       gmt    Correction offset in hours if GMT is not properly calculated.
              This shouldn't be necessary, but may be needed in some cases.

       retry  Number of attempts to submit a report before giving up.  This
              only applies to HTTP errors reported by the server; socket
              errors are retried until successful.

       interval
              Seconds between scans of the firewall logfile.
              (default: 60 seconds)

       dqinterval
              The dequeue interval: the number of seconds between uploads
              (dequeues) to the server.  (default: 1 second)

       backoff
              Back-off factor.  After a failed upload the dequeue interval
              is multiplied by this value, and again after each further
              failure, until it reaches the maximum back-off value.  Upon a
              successful upload the 'backed off' value resets to the
              dequeue interval.  (default: 3)

       maxbackoff
              Maximum back-off value in seconds; the dequeue interval will
              never exceed this amount when it is 'backed off'.
              (default: 600 seconds)

       fwdb   Location and filename of the firewall database.
              (default: /etc/mnwclient)

       fwignore address netmask mask
              Adds an entry that will never be inserted into the firewall;
              you may specify this directive multiple times.  List your own
              networks and any hosts you administer from here, so that an
              address on a downloaded attacker list can never lock you out.

       addfw  Command to be executed when an entry is to be added to the
              firewall.  Use $SOURCE$ in the command; this variable will be
              replaced by the attacker address that is downloaded.  Because
              the substituted value is data received from the server, use a
              command that takes the address as a single argument rather
              than one that interprets it further.

       delfw  Command to be executed when an entry is to be deleted from the
              firewall.  Use $SOURCE$ in the command.

       addfwint
              Interval in seconds at which to refresh the attacker list.

       delfwint
              Interval in seconds after which old attackers expire.

       usesql Enables the SQL database insert code.  Currently valid
              parameters are pgsql, mysql, msql, and oracle.  Only pgsql and
              mysql have been tested.  Additional parameters may be the name
              of the database, followed by the database login and the
              database password.  Please see the contrib directory for the
              database table definition.

       debug  If present, enables debugging output for the actual web
              transaction.  You may specify different levels of debugging
              information.

       quiet  If present, suppresses warning messages.

       test   Simulates everything, but doesn't actually do any uploading.

       filter Filter rulesets; see 'Filter directive' below.

   Filter directive:
       The filter directive contains a subset of directives that are only
       allowed inside this directive.  It allows you to filter out
       information from the log file: if you did not want to report ICMP
       packets with port 0, this is where you would do it.  You must specify
       the directive as follows:

              filter {
                   .
                   .
                   .
              }

       The directives allowed between the braces are as follows:

              source address netmask mask
              target address netmask mask
              target address netmask mask xchg address
              port number (deprecated, use target port)
              port number proto protocol (deprecated, use target port proto)
              source port number
              source port number proto protocol
              target port number
              target port number proto protocol
              proto protocol

       source/netmask
              Both must be specified, in the given format: a source address
              followed by a netmask, each written as 4 parts separated by
              dots (the normal dotted-quad format).

       target/netmask
              Both must be specified, in the given format: a target address
              followed by a netmask, each written as 4 parts separated by
              dots (the normal dotted-quad format).

       target/netmask/xchg
              All parameters must be specified, in the given format: a
              target address, a netmask, and then an address to exchange it
              with, each written as 4 parts separated by dots.  This allows
              you to report a different target address than the one that was
              actually hit; it should only be used where the firewall
              incorrectly reports the target address.

       port   Still works, but deprecated.  See target port.

       port/proto
              Still works, but deprecated.  See target port/proto.

       source port
              Source port number that is filtered.

       source port/proto
              Source port and protocol that are filtered.

       target port
              Target port number that is filtered.

       target port/proto
              Target port and protocol that are filtered.

       proto  Protocol that is filtered.

SAMPLE CONFIGURATION
       One possible mnwclient.rc:

              log /var/adm/log/syslog
              login bob@null.net
              password sekret
              interface slip0
              filter {
                   source 10.0.0.0 netmask 255.0.0.0
                   source 211.0.0.0 netmask 255.0.0.0
                   source 192.168.0.0 netmask 255.255.0.0
                   target 192.168.0.0 netmask 255.255.0.0
                   target 10.0.0.0 netmask 255.0.0.0
                   source port 25 proto tcp
                   target port 137
                   target port 21 proto tcp
                   target port 113 proto tcp
                   proto icmp
              }

ENVIRONMENT VARIABLES
       TZ     Used to compute times relative to Coordinated Universal Time
              (UTC), formerly known as GMT.
              You may need to set this variable according to your local time
              zone if you find that you are reporting timestamps
              incorrectly.  Alternatively you may use the 'gmt' directive to
              offset the timestamps.

FILES
       /usr/sbin/mnwclient
       /etc/mnwclient.rc
       /etc/rc.d/init.d/mnwclient

SIGNALS
       TERM   Causes the client to exit and save the firewall attack lists.

       HUP    Causes the client to exit and unload the attacker list from the
              firewall.

SUPPORTED FIREWALL LOGS
       ipchains
              Linux 2.2.x kernel firewall.

       iptables
              Linux 2.4.x kernel firewall.

       ipfw   FreeBSD kernel firewall.

       ipfilter
              NetBSD ipfilter firewall.  Requires ipmon to be running; add
              the following lines to your /etc/rc.conf file:

                     ipmon=YES
                     ipmon_flags="-s"

       PortSentry
              Psionic PortSentry port-scan detector, which works in
              conjunction with various UNIX firewalls, such as ipchains and
              ipfw.

       Sonic Wall
              Sonic Wall hardware firewall (and more?).  These are pretty
              much fully supported, but more sample logs with m=32 (attacks)
              are needed.

       Cisco IOS
              Cisco IOS format, reported via syslog.

       Zyxel Prestige 314/Netgear RT314
              Zyxel/Netgear log format, reported via syslog.  The Netgear is
              apparently a Zyxel branded with Netgear's name.  This format
              should also cover the 311-314 series for both brand names.

       Cisco Secure PIX Firewall
              Logging format used by Cisco Secure PIX firewalls via syslog.

       Snort CSV log format
              Supports the Snort IDS by using the CSV logging plugin, with
              the following parameters:

                     # csv: logs packets in csv format
                     # -------------------------------
                     # Arguments are output filename, followed by field names
                     #
                     output csv: /var/log/snort/alert.csv proto,timestamp,src,srcport,dst,dstport,icmptype,icmpcode

       Modified Snort CSV log format
              This format supports a modified CSV logging plugin, which
              requires a patch and recompile of the snort package.  After
              rebuilding and installing the modified snort, use the CSV
              logging plugin with the following parameters:

                     # csv: logs packets in csv format
                     # -------------------------------
                     # Arguments are output filename, followed by field names
                     #
                     output csv: /var/log/snort/alert.csv proto,timestamp,src,srcport,dst,dstport,icmptype,icmpcode,sig_generator,sig_id,sig_rev,ref_system,ref_id

              The patches are available at
              http://glycerine.dyndns.org/linux/snort

SEE ALSO
       ipchains(8), IP firewall administration

BUGS
       Some users may experience a hang in the client where it no longer
       uploads attack data.  This is caused by a buggy IO module for Perl;
       it is recommended that you update your IO module to 1.20 or later.
       You can get the latest version from CPAN: go to
       http://www.cpan.org/modules/by-module/IO and download the latest IO
       package.  It should be named IO-1.20.tar.gz.

       If you happen to discover a bug, please run the client with the
       following command:

              export PERLDB_OPTS="nonstop autotrace frame=2 lineinfo=mnwclient.debug"; perl -d mnwclient &

       and send the client revision, the mnwclient.debug file, and any log
       files it was parsing when the client died to the author.  The above
       command generates a log file named mnwclient.debug in your current
       working directory; periodically monitor the size of this file, as it
       grows very fast.  If the bug has not occurred during the time frame
       captured by the debug log, you may 'cp /dev/null mnwclient.debug' to
       empty it.

NOTES
       If you need more information on firewalls and using ipchains, refer
       to http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html, or various
       on-line references.

       myNetWatchman is designed for those with full-time Internet
       connections, such as cable modem or DSL.  It is also necessary that
       all significant unwanted connection attempts be logged.  See
       http://www.mynetwatchman.com for requirements, registration, and
       other details.
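       The following is an added worked example, not part of mnwclient and
       not the project's own code.  It shows what the 'chain', 'interface'
       and 'filter' directives above amount to in practice: ipchains and
       iptables reject lines are selected by chain name (ipchains) or log
       prefix (iptables) and by interface, and a filter block in the
       SAMPLE CONFIGURATION syntax then drops or rewrites events before they
       would be reported.  The log lines, addresses and the extra 'xchg'
       rule are constructed for the example; the two regular expressions
       are this example's reading of the kernel log formats, not code taken
       from mnwclient.

```python
# Added example (not mnwclient's own code): parse ipchains/iptables reject
# lines the way the 'chain' and 'interface' directives select them, then apply
# a 'filter { ... }' block to decide which events get reported.
import ipaddress
import re

PROTO_NUM = {1: "icmp", 6: "tcp", 17: "udp"}      # ipchains logs PROTO=<number>

# ipchains: "kernel: Packet log: <chain> <verdict> <iface> PROTO=<n> src:sport dst:dport ..."
IPCHAINS_RE = re.compile(
    r"kernel: Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)")
# iptables: "kernel: <log-prefix>IN=<iface> OUT=... SRC=.. DST=.. PROTO=TCP SPT=.. DPT=.."
IPTABLES_RE = re.compile(
    r"kernel: (?P<prefix>.*?)IN=(?P<iface>\S*) OUT=\S* .*?SRC=(?P<src>[\d.]+) "
    r"DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)(?: SPT=(?P<sport>\d+) DPT=(?P<dport>\d+))?")


def parse_log_line(line, chains=("input",), interface="ppp0"):
    """Return {src, dst, sport, dport, proto} for a packet rejected on the
    watched interface by one of the configured chains, else None."""
    m = IPCHAINS_RE.search(line)
    if m:
        chain, proto = m["chain"], PROTO_NUM.get(int(m["proto"]), m["proto"])
    else:
        m = IPTABLES_RE.search(line)
        if not m:
            return None
        chain, proto = m["prefix"].strip(), m["proto"].lower()   # prefix acts as chain
    if chain not in chains or m["iface"] != interface:
        return None
    return {"src": m["src"], "dst": m["dst"], "proto": proto,
            "sport": int(m["sport"] or 0), "dport": int(m["dport"] or 0)}  # icmp: ports 0


def parse_filter(text):
    """Parse the body of a 'filter { ... }' block into a list of rule tuples."""
    rules = []
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[0] in ("source", "target") and len(w) >= 4 and w[2] == "netmask":
            net = ipaddress.ip_network(f"{w[1]}/{w[3]}", strict=False)  # dotted netmask ok
            xchg = w[5] if len(w) == 6 and w[4] == "xchg" else None
            rules.append(("net", w[0], net, xchg))
        elif w[0] == "proto" and len(w) == 2:
            rules.append(("proto", w[1]))
        else:
            # "[source|target] port N [proto P]"; a bare "port" is the deprecated target port
            side = w[0] if w[0] in ("source", "target") else "target"
            rest = w[1:] if w[0] in ("source", "target") else w
            if len(rest) not in (2, 4) or rest[0] != "port" or (len(rest) == 4 and rest[2] != "proto"):
                raise ValueError(f"unrecognised filter rule: {raw.strip()}")
            rules.append(("port", side, int(rest[1]), rest[3] if len(rest) == 4 else None))
    return rules


def apply_filter(rules, ev):
    """Return the event to report (target possibly exchanged), or None if dropped."""
    ev = dict(ev)
    for rule in rules:
        if rule[0] == "net":
            _, side, net, xchg = rule
            if ipaddress.ip_address(ev["src" if side == "source" else "dst"]) in net:
                if xchg is None:
                    return None
                ev["dst"] = xchg                 # report the corrected target instead
        elif rule[0] == "proto":
            if ev["proto"] == rule[1]:
                return None
        else:
            _, side, port, proto = rule
            if ev["sport" if side == "source" else "dport"] == port and proto in (None, ev["proto"]):
                return None
    return ev


def report_events(log_text, filter_text, chains=("input",), interface="ppp0"):
    rules = parse_filter(filter_text)
    out = []
    for line in log_text.splitlines():
        ev = parse_log_line(line, chains, interface)
        if ev is not None:
            ev = apply_filter(rules, ev)
        if ev is not None:
            out.append(ev)
    return out


# The SAMPLE CONFIGURATION filter plus one constructed 'xchg' rule (assumption).
SAMPLE_FILTER = """
    source 10.0.0.0 netmask 255.0.0.0
    source 211.0.0.0 netmask 255.0.0.0
    source 192.168.0.0 netmask 255.255.0.0
    target 192.168.0.0 netmask 255.255.0.0
    target 10.0.0.0 netmask 255.0.0.0
    target 192.0.2.1 netmask 255.255.255.255 xchg 203.0.113.5
    source port 25 proto tcp
    target port 137
    target port 21 proto tcp
    target port 113 proto tcp
    proto icmp
"""

# Constructed sample lines (not real logs): an ipchains host and an iptables host.
SAMPLE_LOG = """\
Dec 22 21:40:01 gw kernel: Packet log: input DENY ppp0 PROTO=6 198.51.100.7:3344 203.0.113.5:22 L=60 S=0x00 I=1 F=0x4000 T=51 SYN (#9)
Dec 22 21:40:02 gw kernel: Packet log: forward DENY ppp0 PROTO=6 198.51.100.7:3345 203.0.113.5:22 L=60 S=0x00 I=2 F=0x4000 T=51 SYN (#3)
Dec 22 21:40:03 gw kernel: Packet log: input DENY ppp0 PROTO=1 198.51.100.8:8 203.0.113.5:0 L=84 S=0x00 I=3 F=0x0000 T=51 (#9)
Dec 22 21:41:10 gw kernel: input IN=ppp0 OUT= MAC= SRC=10.1.2.3 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=TCP SPT=1025 DPT=23 WINDOW=512 RES=0x00 SYN URGP=0
Dec 22 21:41:11 gw kernel: input IN=ppp0 OUT= MAC= SRC=198.51.100.9 DST=203.0.113.5 LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=5 PROTO=UDP SPT=137 DPT=137 LEN=58
Dec 22 21:41:12 gw kernel: input IN=ppp0 OUT= MAC= SRC=198.51.100.11 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=6 PROTO=TCP SPT=4000 DPT=80 WINDOW=512 RES=0x00 SYN URGP=0
Dec 22 21:41:13 gw kernel: fwd IN=ppp0 OUT=eth0 SRC=198.51.100.12 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=7 PROTO=TCP SPT=4001 DPT=80 WINDOW=512 RES=0x00 SYN URGP=0
"""

if __name__ == "__main__":
    for ev in report_events(SAMPLE_LOG, SAMPLE_FILTER):
        print(ev)
```

       Of the seven constructed lines only two are reported: the ipchains
       SYN to port 22, and the iptables SYN to port 80 whose target is
       rewritten by the 'xchg' rule.  The others are dropped by chain name
       or log prefix ('forward', 'fwd'), by 'proto icmp', by the 10/8 source
       rule, or by 'target port 137'.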
AUTHOR
       Chad Wagner

                          $Date: 2001/12/22 21:42:54 $
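       The following is an added worked example, not part of mnwclient and
       not the project's own code.  It shows the check a practitioner would
       put in front of the 'addfw'/'delfw' substitution described under
       CONFIGURATION FILE: each address from a downloaded attacker list is
       accepted only if it is a plain IPv4 address and falls outside every
       'fwignore' network, and $SOURCE$ is substituted per argument so the
       address is always exactly one argv element and is never interpreted
       by a shell.  The ipchains command template, the fwignore networks and
       the downloaded list are constructed for the example.

```python
# Added example (not mnwclient's own code): validate downloaded attacker
# addresses before substituting them for $SOURCE$ in an addfw/delfw command.
import ipaddress
import shlex
import subprocess


def parse_fwignore(config_text):
    """Collect 'fwignore address netmask mask' directives as IPv4 networks."""
    nets = []
    for raw in config_text.splitlines():
        w = raw.split()
        if len(w) == 4 and w[0] == "fwignore" and w[2] == "netmask":
            nets.append(ipaddress.ip_network(f"{w[1]}/{w[3]}", strict=False))
    return nets


def build_fw_command(template, source, ignore_nets):
    """Return argv for 'template' with $SOURCE$ replaced, or None if the
    address must not be inserted into the firewall."""
    try:
        addr = ipaddress.IPv4Address(source)   # rejects "1.2.3.4; reboot", names, IPv6
    except ValueError:
        return None
    if any(addr in net for net in ignore_nets):
        return None                            # protected network or management host
    # Tokenise the template first, then substitute inside each token, so the
    # address can never split into extra arguments or shell syntax.
    return [tok.replace("$SOURCE$", str(addr)) for tok in shlex.split(template)]


def plan_changes(addresses, template, ignore_nets):
    """Turn one downloaded attacker list into (argv_list, rejected); duplicate
    addresses are applied once."""
    seen, argv_list, rejected = set(), [], []
    for a in addresses:
        if a in seen:
            continue
        seen.add(a)
        argv = build_fw_command(template, a, ignore_nets)
        if argv is None:
            rejected.append(a)
        else:
            argv_list.append(argv)
    return argv_list, rejected


def run_changes(argv_list):
    """Execute each argv without a shell; returns the list of exit codes."""
    return [subprocess.run(argv, check=False).returncode for argv in argv_list]


# Constructed configuration fragment (assumption): own LAN and one admin host.
CONFIG = """
fwignore 203.0.113.0 netmask 255.255.255.0
fwignore 192.0.2.44 netmask 255.255.255.255
addfw ipchains -I input -s $SOURCE$ -j DENY
delfw ipchains -D input -s $SOURCE$ -j DENY
"""
ADDFW = "ipchains -I input -s $SOURCE$ -j DENY"   # template assumed for the example

# Constructed "downloaded" list: a duplicate, an own-network address, an
# administrative host, and a value that is not an address at all.
DOWNLOADED = ["198.51.100.7", "203.0.113.9", "198.51.100.7",
              "10.0.0.1; reboot", "192.0.2.44", "198.51.100.8"]

if __name__ == "__main__":
    planned, dropped = plan_changes(DOWNLOADED, ADDFW, parse_fwignore(CONFIG))
    for argv in planned:
        print("would run:", argv)          # replace with run_changes(planned) to apply
    print("rejected:", dropped)
```

       Only 198.51.100.7 and 198.51.100.8 produce firewall commands; the
       own-network address, the administrative host and the malformed
       entry are rejected, and the duplicate is applied once.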