Pylogsparser: visualizing SSH attacks in video

In this article we will show another possible application of the pylogsparser library. We will also discover a simple way to draw and use world maps with Python. You should read the previous article in this series if you haven't done so, since we will use what we did there as a starting point.

Here at Wallix, we have set up an SSH honeypot for testing and analysis purposes. It always amazes me how often this machine gets randomly attacked on this service, and how brute-force attacks started mere minutes after the SSH server was up. In our previous article, we gained insight into the origins of the attacks and the targeted accounts with a classic pie chart. This time, I would like a visual way to represent and understand a typical day of brute-force attempts. We could picture it as a world map where a country lights up when an attacker from that country tries to gain access to the honeypot. A world map will be drawn for every moment of the day, and the resulting pictures will then be aggregated into a timelapse animation.

Before we get to work, here are the elements we need:

  • obviously, an SSH log file! It should span a full day for accuracy.
  • the pylogsparser library along with the GeoIP library. Since pylogsparser 0.3, GeoIP conversion is included in the library, so countries are already tagged when available, provided the GeoIP library is installed!
  • the matplotlib library, and more specifically the optional Basemap extension, which can be found here: http://matplotlib.sourceforge.net/basemap/doc/html/ Follow the installation instructions there, as unfortunately this extension is not always packaged for easy deployment.
  • the numpy library, although it is optional as we will only use it with matplotlib's color maps. It should be installed along with matplotlib anyway.
  • a shapefile describing country borders (more on that later). For this article, I am using the one freely available at http://thematicmapping.org/downloads/world_borders.php. It is probably neither the most accurate nor the most up-to-date dataset, but it is more than enough for our project.
  • Python libraries for manipulating shapefile datasets. In this article we will use pyshapelib: http://ftp.intevation.de/users/bh/ but there are many other libraries available, as pyshapelib hasn't been maintained for a while. See the comments of this article for details: http://www.geophysique.be/2011/01/27/matplotlib-basemap-tutorial-07-shapefiles-unleached/ (incidentally, that article was the inspiration for this work).
  • ffmpeg, or anything that can make a timelapse animation out of still pictures.

Now that we've got everything, let's get to work!

Posted in log, ssh

Announcing PyLogsParser 0.4

The Wallix LogBox team is happy to announce version 0.4 of PyLogsParser.

Posted in development, log

Automatic installation of Debian Squeeze from a USB flash drive

In this post you are going to learn how to build a USB flash drive that contains a fully automated Debian installation system. At Wallix this installation system is used in addition to our traditional PXE/preseed system to deploy our products, Wallix LogBox and Wallix AdminBastion.

Posted in linux

Announcing PyLogsParser 0.3

The Wallix LogBox team is happy to announce version 0.3 of PyLogsParser.

Version 0.3 is a minor release and brings the following new log format normalizers:

Posted in development, log

Deskolo project: open source Green IT solution

In a previous article we described how we model power consumption in the Deskolo project. In this article we'll see how we use the standard Wake-on-LAN technology to save on the energy bill.

Posted in green computing

Restricting remote commands over ssh

In this post you will see how to restrict the commands a particular user can execute on a remote server accessed via ssh. There are several reasons you might want to do this:

  • you may want some accounts to be able to do some interactive work, but not everything, and to access only certain files and directories.
  • you may want to use an ssh key without a passphrase (see a previous article on setting up ssh keys) to automate tasks such as backups or version control, without exposing other commands.

Posted in linux, ssh

Extending RobotFramework to check emails

In the first two tutorials (How to use RobotFramework With SeleniumLibrary and How to use RobotFramework Part 2), Mathieu Bultel showed us how to use Robot Framework to test your web applications. Unfortunately, Robot Framework doesn't always give you the means to test what you want to. To compensate, Robot Framework lets us create our own test libraries.

Our goal in this tutorial will be to learn how to create those test libraries and how to use them in your test suites. This tutorial will only cover the Python way of creating your libraries; however, they can also be implemented in Java if you run Jython. I'll assume you know at least a bit of Python throughout this tutorial. If you don't, Robot Framework provides a great tutorial on how to get started with Python. I advise you to keep it close at hand so you can follow what is going on throughout this guide.

Finally, if you want more tips on this subject, please read the Robot Framework user guide.

Posted in development, test

PyLogsParser: how to write a normalizer

We saw in a previous article how to use the PyLogsParser library to analyze connection logs from an SSH server. That was a simple, basic usage of the library. In this article, we will go further and see how we can extend the parsing power of PyLogsParser by writing a new normalizer definition file.

For this, we will continue exploring authentication issues and focus on a useful application called Fail2ban.

Posted in development, log, ssh

Pylogsparser: a use case, analysing SSH attacks

In this article we will see how easy it is to use the pylogsparser library through a simple use case. It should help you start working on your own log analysis project.

Posted in development, log, ssh

How to use Linux containers (lxc) under Debian Squeeze

In this article, you will learn what virtualization is, why you would use it, and how to use one kind of virtualization, Linux containers (aka lxc), under Debian Squeeze.

Posted in linux