Back to the CR-LABS Open Source main page

NoNox Intrusion Detection and Response, version 1.17a of Nov. 12, 2007


New stuff!
We now have a startup/shutdown script courtesy of Matt Mankins... and the whole set of source, scripts and docs has been packed into a tar file to simplify download and distribution. To distinguish this from the previous release, it's been labeled version 1.17a.
Summary
NoNox watches log files for events such as "failed password". When such a pattern is seen several times within a specified time period (for example, 4 failed login attempts within 10 minutes) from the same source, NoNox can execute a command to mitigate the behavior, notify someone, or make a record of the event (or all these things). The patterns, time limits, files to monitor, and commands that can be triggered are all user-specified, so NoNox can be used to detect many kinds of events and to respond in a variety of ways. I use NoNox to monitor for password-scanning attacks, and to block attacking hosts at the firewall in real-time. The supplied configuration file shows how to detect repeated failed logins and (if iptables is installed and running) how to add a new rule that instantly blocks a malicious host that's trying to break in.
Software
GZipped Tar file: nonox-1.17a.tgz v1.17a 2007-11-12 (28 KB)
Release notes
 Documentation
NoNox Documentation
Pattern/Action library
License
CC-GNU GPL
This software is licensed under the CC-GNU GPL.
No warranty
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

Background
During the past year I've seen dictionary attacks targeted against specific usernames (root, tomcat, other usernames used by daemons) growing in boldness. A few years ago, attackers would hit a server with a couple of passwords in the middle of the night, and then go away... in 2005 that all changed as attackers began trying several thousand username/password combinations in a single attack run, basically showing that they didn't care if their activities were discovered. I attribute this to the rise of botnets because the hosts running the attacks aren't owned by the attackers, and the Internet's lack of a reporting hierarchy makes it nearly impossible to find out who's really at the controls of a compromised computer.

Similar Projects / Why do this?
There are more powerful programs available that can all that NoNox can do plus much more that it never will. Check out the Wikipedia's Linux Attack Detection for more info about them. But with power comes complexity. NoNox is supposed to be simple and quick to install and configure, providing a high benefit (stopping a class of attacks) in exchange for a few minutes of work... it runs in user space requiring no kernel doodahs or compiling or anything else, and it's pretty flexible -- the pattern matching just uses Java's regular expressions engine, and the triggered actions are arbitrary user-provided commands (e.g. a one-line command, or a script).

Purpose
NoNox is intended to help automate the real-time defense of Internet servers against dictionary attacks and recurring events that can be discovered by monitoring new entries to log files.

Simply put, NoNox watches log files for events such as "failed password". When such a pattern is seen several times within a specified time period (for example, 4 failed login attempts within 10 minutes) from the same source, NoNox can execute a command to mitigate the behavior, notify someone, or make a record of the event (or all these things). The patterns, time limits, files to monitor, and commands that can be triggered are all user-specified, so NoNox can be used to detect many kinds of events and to respond in a variety of ways.

Example of a failed-login entry from /var/log/secure:
Nov 27 07:31:05 localhost sshd[31585]: Failed password for invalid user adam from ::ffff:211.114.82.252 port 55889 ssh2

A regular expression that matches this log entry and captures the IP address in its second group is:
(^.*?:\d\d:\d\d)\D.*Failed password.*?from\s::ffff:(\d+?\.\d+?\.\d+?\.\d+).*

In practice, NoNox could follow ("tail") new entries to /var/log/secure, looking for a match of the above line. Should too many failed login attempts originate at one IP address within a few minutes, NoNox could execute a command to add the attacking host to a firewall's "drop" list, instantly cutting off the attacker's access to the machine.

Risks of using NoNox

  • NoNox must run as a user with sufficient rights to read the files that it monitors, and to execute the triggered commands. This may introduce new vulnerabilities that are unacceptable for some systems.
  • NoNox could be compromised via exploitation of a bug in the program, through an outside stimulus that causes the program to respond in an unexpected fashion, or through compromise of the NoNox configuration file that causes NoNox to execute commands not intended by the operator.

    Risks of using any real-time automated intrusion detection+response system
    Detection and responses to possible attacks must be carefully thought out when configuring any software that attempts to stop attacks in real time by changing a running system.

  • Denial of service attacks could be facilitated, allowing an outsider to lock out a legitimate user through carefully crafted, forged messages.
  • If the protective software can disable access to a host, and the configuration file's pattern matching is overbroad, or if the triggered commands carry out overbroad actions (e.g. locking out an account) it's possible that configuration errors could lock out legitimate users or otherwise interfere with a properly-running server.

    Requirements

  • NoNox is a Java application packaged as a JAR file.
  • Java 1.4 or later is required (for Java's Regular Expressions engine).
  • NoNox must run as a user with sufficient rights to execute the user-specified commands, and to read the files that are to be monitored (e.g. it may have to run as root to add rules to a software firewall).
  • To let NoNox detect custom patterns or to tweak its patterns to match the log entries written by your system, you will need to know some basics of Regular Expressions. NoNox has a "test" mode that's useful for debugging pattern matches and for simulating actual operation, without actually executing any commands.

    To-do list

  • Don't launch if the config file is group or world-writeable.
  • Make presently hard-coded parameters (e.g. timing of file and internal garbage collection operations) accessible via the config file so they can be set to other than default values by the user.
  • "Timestamp" report when an action is executed, incorrectly calculate H/M/S for the system timestamp. These calculations should be made over the age from "now" of the oldest timestamp, and those converted to H/M/S as appropriate, and displayed alongside the action's time limit.
  • When re-opening files periodically, it should save a marker at the read-position and advance only to that point when reopening, rather than zooming all the way to EOF, as it is possible that some records will not be seen if they're written between the CLOSE and OPEN (granted, this is a very fast process). Will it work to save the current position, and to seek only that far if the file is at least that large when opening. If the file is smaller, then resume monitoring at EOF... will this work? The best solution is of course to not close and re-open the file. This happens now every 1 hour... maybe it could be scaled back.

    Contact Information

    The author of NoNox is Jim Youll, jim@cr-labs.com
    Challenge/Response, LLC creates security and privacy software to support safe, private e-commerce transactions and to detect and reduce online fraud.