An Experiment in Python Scripting and Log Analysis

I’ve created this simple Python script in an attempt to dive in and learn a little about the language while building a useful tool to help with log analysis. The script performs WHOIS queries on the IP addresses found in a log file, then extracts the registered country from the returned information. Lip2cc.py (Logged IP to Country Code), as I call it, is an extremely simple start to what I have envisioned.

Currently all IP addresses must be pulled out of a log file (say the access or secure log) with some bash fu and stored in a separate text file. Eventually I will work this function into the script so that all that is required is the system's log file. Below is a simple bash one-liner to find all IP addresses attempting to log into the system.

# cat secure* | cut -d" " -f11 | egrep '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | egrep -v '\<Bye\>' | egrep -v '[a-z2!]$' | sort -u > ips.txt

Bonus: list all usernames attempting logins:

# cat /var/log/secure* | cut -d" " -f8,9 | egrep '\<^user\>'|sed s/user/user:/ |sort -u

I’m sure this is not the first IP to country code look-up tool, and it is definitely not the first Python script that queries WHOIS data, but it was an excellent Python learning experience.

Lip2cc.py takes one command line argument, -f (--file). This is required and should be a newline-delimited file of IP addresses. I open the file and read every line into a Python list, which allows me to easily loop through and look up every IP given. I start by querying whois.iana.org to find which regional registry the selected IP resides in. From there I am able to extract the correct server needed to perform the WHOIS lookup. A second WHOIS query is then made against the regional registry. I locate and extract the country field and print it to the screen.
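The two-step lookup described above, written here as an added example rather than the original lip2cc.py: the TCP/43 transport is separated from the parsing so the parsing can be exercised offline, each input line is validated as an IP address before anything is sent to a registry, and the IANA/RIPE replies and the 198.51.100.7 address are constructed samples.

```python
import ipaddress
import re
import socket

IANA_WHOIS = "whois.iana.org"
WHOIS_PORT = 43

def whois_query(server, query, timeout=10.0):
    """Send one query to a WHOIS server on TCP/43 and return the full text reply."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def parse_referral(iana_reply):
    """Return the regional registry named in IANA's 'refer:' line, or None."""
    match = re.search(r"^refer:\s*(\S+)", iana_reply, re.MULTILINE | re.IGNORECASE)
    return match.group(1).lower() if match else None

def parse_country(rir_reply):
    """Return the two-letter code from the first 'country:' field (ARIN writes 'Country:')."""
    match = re.search(r"^country:\s*([A-Za-z]{2})\b", rir_reply, re.MULTILINE | re.IGNORECASE)
    return match.group(1).upper() if match else None

def ip_to_country(ip, query=whois_query):
    """IANA lookup, follow the referral, then extract the country; None on any miss."""
    try:
        ip = str(ipaddress.ip_address(ip.strip()))  # only real addresses go on the wire
    except ValueError:
        return None
    registry = parse_referral(query(IANA_WHOIS, ip))
    if registry is None:
        return None
    return parse_country(query(registry, ip))

def countries_for_file(path, query=whois_query):
    """Read newline-delimited addresses (the -f file) and map each to its country code."""
    with open(path, encoding="utf-8") as handle:
        return {line.strip(): ip_to_country(line, query) for line in handle if line.strip()}

# Constructed sample replies shaped like real IANA and RIPE output (198.51.100.0/24 is
# documentation space), so the parsing can be checked without network access.
SAMPLE_IANA = "% IANA WHOIS server\nrefer:        whois.ripe.net\n\ninetnum:      198.51.100.0 - 198.51.100.255\n"
SAMPLE_RIR = "% RIPE Database query service\ninetnum:        198.51.100.0 - 198.51.100.255\ncountry:        NL\n"

def fake_query(server, ip):
    """Stand-in for whois_query that answers from the constructed samples."""
    return SAMPLE_IANA if server == IANA_WHOIS else SAMPLE_RIR
```

Pass `query=fake_query` to exercise the parsing offline; with the default transport the same functions perform the live IANA and registry lookups.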

The online Python documentation, Beginning Python by Magnus Lie Hetland and inspiration from some previously created whois.py scripts were valuable resources. This was a great way to explore many interesting aspects of Python: functions, network sockets, text parsing, argument passing and regular expression searching. All in all, not too bad for my first jump into Python.

Download lip2cc.py

PHPVirtualBox on Headless Vbox Server

Update: This is an older post that was recreated after a server rebuild. Not all steps have been fully tested with the latest environment, but you should find the information you need to get going in the right direction.

I prefer to run VirtualBox on a headless (no GUI) Linux server, which allows more hardware resources to be dedicated to virtual machines instead of a pretty window manager. Setting up phpVirtualBox to manage a headless VirtualBox 4.2 server is a simple process that lets you easily manage and administer virtual machines from a web browser.

My environment: CentOS 5.5 x64, VirtualBox 4.2, php 5.2.10 and httpd 2.2.8 (apache2)

1) Download and install VirtualBox for Linux hosts: http://www.virtualbox.org/wiki/Linux_Downloads (note: you could also install/configure the VBox repositories for Debian or RHEL-based systems)

2) Download and install VirtualBox 4.0.4 Oracle VM VirtualBox Extension Pack which is needed for USB support and console access.

# VBoxManage extpack install FILE

3) Configure VirtualBox environment

4) Install Apache and PHP using your distro's package manager:

# yum install httpd php

5) Download phpVirtualBox:

# wget 'http://code.google.com/p/phpvirtualbox/downloads/detail?name=phpvirtualbox-4.0-4b.zip&can=2&q='

6) Extract the zip file and copy it to the webserver’s root directory:

# unzip phpvirtualbox-4-2.zip
# cp -r phpvirtualbox-4-2 /var/www/html/phpvirtualbox

7) Set the correct permissions on the phpvirtualbox directory so Apache can read from the web directory:

# chown apache:apache -R /var/www/html/phpvirtualbox

8) Edit phpvirtualbox/config.php. Add your vbox user, password and location, and disable authentication (for now; turn it back on once the interface is working):

var $username = 'vbox';
var $password = 'vboxpass';
var $location = 'http://127.0.0.1:18083/phpvirtualbox';
var $noAuth = true;

9) Run the following command with the IP of your server:

# su vbox -c "/usr/bin/vboxwebsrv -b -H 127.0.0.1 --logfile /dev/null >/dev/null"

Be sure Apache has been started (service httpd start).

10) Add the command above, with your server IP, to /etc/rc.local. This will allow VirtualBox and its web interface to run at startup.

11) Navigate to http://SERVER-IP/phpvirtualbox

Windows 2008 Advanced Firewall with Honeyports

Windows 2008 has a fantastically good firewall, as long as you configure it properly. A honeyport is a listening port with no operational service behind it that logs specific information about any connection made to it. The idea is that only a port scanner will find this port, and an attacker will then investigate it further. As defenders, we can use firewalls and honeyports in combination, as demonstrated by John Strand's (@strandjs) tech segment on Pauldotcom.com Security Weekly episode 203, to block potential attacks.

I've made very slight modifications to Strand's original script, including a "log" output to better track when port scans happen. I've also included a minimal Windows 2008 server firewall policy with web, file sharing and Active Directory ports open. It has been packaged up with nc for Windows and a few scripts to make things easy to run. A couple of caveats: you will need to modify some of the IP addresses within the rules to match your system, which can be done by opening the rule properties and selecting the Scope tab. Next you will need to change the default rule to block all incoming and outgoing connections: open the properties of Windows Firewall with Advanced Security, and in the State section set both Inbound connections and Outbound connections to Block. Lastly, this could be used to create a denial of service condition if an attacker spoofs a legitimate IP; it is for learning purposes only and should not be used on production systems.

Now you may extract the contents of Win2k8-Honeyport.zip to C: and run import_fw.cmd to configure the new firewall rules. Launch run_honeyport.cmd to start monitoring for port scans and blocking potentially malicious connections. Scan your system with nmap (nmap -sS -sV -v -PN -A).
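A minimal honeyport in the same spirit, written here as an added example in Python rather than the post's nc and cmd scripts: it logs each connection and builds the netsh advfirewall rule that blocks the source, and adds an allow-list so the denial-of-service caveat above cannot lock out your own hosts. The port, log path and allow-listed networks are assumptions; with apply_rules left at False the rule is only printed.

```python
import datetime
import ipaddress
import socket
import subprocess

# Networks that must never be blocked, so a scan that spoofs or shares an address
# with legitimate clients cannot lock you out (assumed values; put your admin hosts here).
NEVER_BLOCK = [ipaddress.ip_network("127.0.0.0/8"),
               ipaddress.ip_network("192.0.2.0/24")]  # documentation range as a stand-in

def should_block(remote_ip):
    """True unless the address falls inside an allow-listed network."""
    addr = ipaddress.ip_address(remote_ip)
    return not any(addr in net for net in NEVER_BLOCK)

def build_block_rule(remote_ip):
    """argv for 'netsh advfirewall' that blocks all inbound traffic from remote_ip."""
    return ["netsh", "advfirewall", "firewall", "add", "rule",
            f"name=Honeyport_{remote_ip}", "dir=in", "action=block",
            f"remoteip={remote_ip}"]

def format_log_line(remote_ip, remote_port, honeyport, when=None):
    """One log record per connection: UTC time, the honeyport hit, and the source endpoint."""
    when = when or datetime.datetime.now(datetime.timezone.utc)
    return f"{when.isoformat()} honeyport={honeyport} src={remote_ip}:{remote_port}"

def run_honeyport(port, log_path="honeyport.log", apply_rules=False):
    """Listen on a port no real service uses; log every connection and block its source.
    With apply_rules=False the netsh command is only printed, the safe default for testing."""
    blocked = set()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(5)
        while True:
            conn, (ip, rport) = srv.accept()
            conn.close()  # nothing is served; the connection attempt itself is the signal
            with open(log_path, "a", encoding="utf-8") as log:
                log.write(format_log_line(ip, rport, port) + "\n")
            if ip in blocked or not should_block(ip):
                continue
            blocked.add(ip)
            cmd = build_block_rule(ip)
            if apply_rules:
                subprocess.run(cmd, check=False)  # needs an elevated prompt on Windows
            else:
                print(" ".join(cmd))

if __name__ == "__main__":
    run_honeyport(2222)  # assumed port; pick one that nothing legitimate listens on
```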

A Windows 2003 version using wipfw is in the works. Download the Win2k8-Honeyport.zip.

Ref: (http://pauldotcom.com/wiki/index.php/Episode203#Tech_Segment:__Windows_HoneyPorts)

Ref: (http://www.securityfocus.com/tools/139)