[FreeNX-kNX] Logging user traffic I've done my Homework

mir mir at ogrody.gda.pl
Mon Feb 19 18:25:31 UTC 2007 

Hi
For my network I solved connection login for all users. This code works
on debian Etch with installed package ulog-acct and inserted module 
ipt_owner. I install freenx 0.6.0 and I have to do a litle patch to
nxsever file mention below.
Logs looks like:
 
1171908733      6       193.108.228.1   22      83.18.158.51    39202
5       548     "mrk"
1171908733      6       83.18.158.51    39202   193.108.228.1   22
9       596     "mrk"
1171908726      6       83.18.158.51    20168   217.17.45.143   8074
1       60      "mirek"
1171908742      6       217.17.41.88    8074    83.18.158.51    37799
1       52      "input"
1171908742      6       217.17.41.88    8074    83.18.158.51    37799
1       52      "aba"
1171908726      6       217.17.45.143   8074    83.18.158.51    20168
1       52      "input"

Mirek

Code
#!/usr/bin/perl -w
# Program generates IPTABLES rules, which are input for ulog-acct.
# With this rules ulog can make logs connection per user  on host 
# running nxserver. 
# To execute it on host, where eth0 is connected to internet do:
# nx-ulog.pl eth0 
# as a root or user allwed execute iptables and netstat -p
# Program every $nr second execute netstat -entup.  From netstat 
# output it builds up list of opened tcp/udp ports and its owners. 
# From this list program automatically modify (add or remove) 
# IPTABLES rules for INPUT and OUTPUT chain with IPTABLES filter 
# by local port.
# Login this way has delay. First outgoing packets are not logged. 
# If someone wants to log all outgoing traffic for some users there
# is possibility to make list @users0. 
# For this users  IPTABLES Outgoing chain is applied static with 
# IPTABLES filter by owner 
# For connection to nxserver port (default 22) program  assigns user 
# by examinig wtmp database on host greping remote IP:port. And next it 
# add/remove IPTABLES rules for INPUT an OUTPUT chain with IPTABLES 
# filter by remote address and port. 
# For this part of traffic log, you need do a litle patch to nxserver
# to add remote TCP port into wtmp database

# |-$COMMAND_SESSREG -l ":$SESS_DISPLAY" -h $USERIP -a $USER 2>&1 |
log_error
# |+REMOTE_ADR=`echo $SSH_CLIENT $SSH2_CLIENT|cut -d" " -f1,2|sed s/"
"/:/`
# |+$COMMAND_SESSREG -l ":$SESS_DISPLAY" -h "REMOTE_ADR -a $USER 2>&1 |
log_error
   
#              nx-ulog.pl ver 0.0 copyright Mirek Lawniczek Gdansk
02.2007
#	                                    mrk at ogrody.gda.pl


#START
`/etc/init.d/iptables`; #path to host iptables file. Flush and refersh
to beging state all IPTABLES rules
$ENV{PATH} = "/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin";
@users0 = ('mirek', 'michal', 'lugin', 'aba', 'jurek', 'darmor',
'pawszt', 'browarek', 'rysiek');
$nr = 2;              # how many second wait beetween running netstat  
$rep = 5;             # how many times check ssh conection by who if not
succed get  user
$nxport = 22;         # port freenx server listen
$nic = pop(@ARGV);
if (not $nic) {$nic = "eth0"}
$IP_NIC = `ifconfig $nic`;
$IP_NIC =~ s/.*inet addr:(.*)  Bcast:/1/;
$IP_NIC = $1;
%otcphash =();   #hash for data of ports and owners for tcp previous
scan
%oudphash =();   #for udp
%ntcphash =();   #temp hash collects records of ports and owners for tcp
%ntcphash =();   #for udp
%nrmthash =();   #tmp hash collects records al remote ip and port
connected to ssh port 
%ormthash =();   #for pevious scan
%tmphash =();    #tmphash records remote connection and ports for which
who not succeded yet.
# before start endless loop write static rules
foreach (@users0) {
 $n_user = getpwnam $_;
 `iptables -A OUTPUT -o $nic  -m owner --uid-owner $n_user -j ULOG
--ulog-nlgroup 1 --ulog-cprange 72 --ulog-qthreshold 50 --ulog-prefix
$_`
}


while (1) { 
@netstat = split ("\n" , `netstat -epntu`); 

foreach (@netstat) {
 if (/$IP_NIC/s) {
  $tcpudp = substr($_,0,3);   
  @loc_adr = split(":" , substr($_,20,21)); #
  $loc_adr[1] =~ tr/ //sd;                  #remove space at tail
  $n_port = $loc_adr[1];
  $n_user = substr($_,79,4);

  if ($n_user >=1000) {
     $n_user = getpwuid $n_user;  
     $MK = grep /$n_user/, @users0; #1 if n_user is member of static
rules list
       $nref = "n" . $tcpudp . "hash";
       $oref = "o" . $tcpudp . "hash";
       $$nref{$n_port} = $n_user;
        if(not exists $$oref{$n_port}) {
          `iptables -A INPUT -i $nic -p $tcpudp --dport $n_port -j ULOG
--ulog-nlgroup 1 --ulog-prefix $n_user`;
          if (not $MK) {
          `iptables -A OUTPUT -o $nic -p $tcpudp --sport $n_port -j ULOG
--ulog-nlgroup 1 --ulog-prefix $n_user`;        
          }
        }
        else { #delete records in otcphash to detect records of closed
connection next
         delete $$oref{$n_port}; 
        }
  }
 ##################
 ################# this part if for generation statistic per user for
ssh port
  if ($n_port == $nxport) {
       @nxstring = split("/", substr ($_,101,14));  
    if ($nxstring[1] eq "sshd: nx") {   #check netstat output if this is
nx connection
       $n_rmtadr = substr($_,44,21);
       $n_rmtadr =~ tr/ //sd;             #remove space at tail    
       @rmt_adr = split(":" , $n_rmtadr); #cut remote addr from netstat
output
       $rmt_ip = $rmt_adr[0];
       $rmt_port = $rmt_adr[1];
     if (not exists $ormthash{$n_rmtadr}) {
      @wtmp = split ("\n", `who --ips`); #execute command who to get nx
user
      foreach (@wtmp) {
           if (/$n_rmtadr/s) {
             @line = split;
             $n_user =$line[0];
             $nrmthash{$n_rmtadr} = $n_user;
             `iptables -A INPUT -i $nic -s $rmt_ip -p tcp --sport
$rmt_port -j ULOG --ulog-nlgroup 1 --ulog-prefix $n_user`;
             `iptables -A OUTPUT -o $nic -d $rmt_ip -p tcp --dport
$rmt_port -j ULOG --ulog-nlgroup 1 --ulog-prefix $n_user`;
             goto SKROT; 
           }
       }    
           if (exists $tmphash{$n_rmtadr}) {
              if ($tmphash{$n_rmtadr} < $rep) {$tmphash{$n_rmtadr} += 1}
              else { 
                   $nrmthash{$n_rmtadr} = "unknown";
                   delete $tmphash{$n_rmtadr};
               }
           }   
           else{ $tmphash{$n_rmtadr} = 1 }
         
      
     }
    else { #delete records in ormthash to findnout records of closed
connection  
         $nrmthash{$n_rmtadr} = $ormthash{$n_rmtadr} ;
         delete $ormthash{$n_rmtadr}; 
    }

  }
  }
 } 
SKROT:
} 
# if there is no conection in netstat we can release iptables rules
    foreach $tmpkey(keys %otcphash)  {
    `iptables -D INPUT -i -$nic -p tcp --dport $tmpkey -j ULOG
--ulog-nlgroup 1 --ulog-prefix $otcphash{$tmpkey}`;
    if (not grep /$otcphash{$tmpkey}/, @users0) {
     `iptables -D OUTPUT -o -$nic -p tcp --sport $tmpkey -j ULOG
--ulog-nlgroup 1 --ulog-prefix $otcphash{$tmpkey}`;
    }
     }
         foreach $tmpkey(keys %oudphash)  {
    `iptables -D INPUT -i -$nic -p udp --dport $tmpkey -j ULOG
--ulog-nlgroup 1 --ulog-prefix $oudphash{$tmpkey}`;
    `iptables -D OUTPUT -o -$nic -p udp --sport $tmpkey -j ULOG
--ulog-nlgroup 1 --ulog-prefix $oudphash{$tmpkey}`;
     }
         foreach $tmpkey(keys %ormthash)  {
    @rmtadr = split (":" , $tmpkey);
      if ($ormthash{$tmpkey} ne "unknown") {
      `iptables -D INPUT -i -$nic -s $rmtadr[0] -p tcp --sport
$rmtadr[1] -j ULOG --ulog-nlgroup 1 --ulog-prefix $ormthash{$tmpkey}`;
      `iptables -D OUTPUT -o -$nic -d $rmtadr[0] -p tcp --dport
$rmtadr[1] -j ULOG --ulog-nlgroup 1 --ulog-prefix $ormthash{$tmpkey}`;
      }
        }     
     %otcphash=%ntcphash;
     %oudphash=%nudphash;
     %ormthash=%nrmthash;     
     %ntcphash=();
     %nudphash=();
     %nrmthash=();
  sleep $nr;
}





On Fri, 2007-02-09 at 17:12 +0100, mir wrote:
> I can log traffic without Mark (Mark probably do not work for OUTPUT
> chain) for example:
> iptables -A OUTPUT -o eth0 -syn -m owner --uid-owner 1000 -j LOG
> --log-prefix -mirek-
> Logs all ACK packets for user id 1000. 
> Similar probably I can log packets with SYN flag. 
> But quality of this tool is not good enough. 
> Maybe someone  has good tools to decode this type of logs to get for
> example number of transfered bytes instead of many logged ack packets.
> 
> Till now I prefer to hack kernel. Host with hacked kernel do not need
> any log. If someone from outside claim, that there was any abuse from my
> host, and He can give me a port on my host  and I can easy decode user
> who made abuse. 
> 
> Mirek
> 
> On Thu, 2007-02-08 at 23:00 +0100, Revellion wrote:
> > Why not use -m owner on the iptables of the freenx host to mark the
> > packages?
> > 
> > like iptables -A OUTPUT -m owner --uid-owner <uid-of-a-user> -j MARK
> > --set-mark 0xblahnumber ?
> > 
> 
> > 
> 
> ________________________________________________________________
>      Were you helped on this list with your FreeNX problem?
>     Then please write up the solution in the FreeNX Wiki/FAQ:
>   http://openfacts.berlios.de/index-en.phtml?title=FreeNX_FAQ
>          Don't forget to check the NX Knowledge Base:
>                  http://www.nomachine.com/kb/ 
> 
> ________________________________________________________________
>        FreeNX-kNX mailing list --- FreeNX-kNX at kde.org
>       https://mail.kde.org/mailman/listinfo/freenx-knx
> ________________________________________________________________
>

More information about the FreeNX-kNX mailing list