badlogins beacon
Gist trebortech/539b2f365eed0f625ea61ac98db29f58, last active January 24, 2017 20:52
Here are all the files necessary to set up a beacon to monitor bad logins on Linux machines.

BEACON SETUP
1. Copy "badlogins.sls" to /srv/pillar
2. Update your pillar top file to include the information from "top.sls"
-- You might need to restart the salt-minion agent for the beacon to start immediately; otherwise it could take a few hours.
-- At this point your minions should generate events when a bad login happens.
---> Example event: see "event example"

REACTOR SETUP
1. Copy "logins.sls" to /srv/reactors
2. Copy "reactors.conf" to /etc/salt/master.d
3. Restart the master service: service salt-master restart
-- At this point (if you have Slack configured) a message will be sent to the "security" Slack channel whenever a bad login happens.
badlogins.sls (pillar data that enables the btmp beacon on the minion):

beacons:
  btmp: {}
event example (one bad-login event as it appears on the master event bus):

salt/beacon/minion1/btmp/ {
    "_stamp": "2017-01-24T18:35:36.975293",
    "data": {
        "PID": 0,
        "addr": 0,
        "exit_status": 0,
        "hostname": "ip-10-5-10-10.ec2.internal",
        "id": "minion1",
        "inittab": "",
        "line": "\u0006\u0000\u0000\u0000^\t\u0000\u0000ssh:notty",
        "session": 0,
        "time": 0,
        "type": 0,
        "user": "badadmin"
    },
    "tag": "salt/beacon/minion1/btmp/"
}
logins.sls (reactor; handles both a Windows event-log style payload and the btmp beacon payload):

# reactor for logins
{% if data['data']['event'] is defined %}
{# Windows-style event payload #}
{% set username = data['data']['event']['Account Name'] %}
{% set fromhost = data['data']['event']['Source Network Address'] %}
{% else %}
{# btmp beacon payload: 'user' and 'hostname' come straight from the btmp record #}
{% set username = data['data']['user'] %}
{% set fromhost = data['data']['hostname'] %}
{% endif %}
{% set minionid = data['data']['id'] %}
{% set message = username + ' failed to log into ' + minionid + ' from machine ' + fromhost %}
# The username is whatever the remote party typed at the login prompt, so it is untrusted
# input rendered into this YAML. Quoting the scalar keeps the rendered file valid for
# ordinary values (e.g. names containing ':'); newer Salt releases also provide the
# yaml_encode Jinja filter for proper escaping.
send_message:
  runner.slack.post_message:
    - channel: security
    - message: "{{ message }}"
    - from_name: 'Network Security Guard'
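As an added example (not part of the gist), this Python script decodes raw btmp records into the same field names the btmp beacon emits and builds the text that the btmp branch of logins.sls sends to Slack. It assumes the x86_64 Linux utmp layout, and the record in build_record is constructed to look like sshd's failed-login entry (type 6, line "ssh:notty").

```python
import socket
import struct

# `struct utmp` as written to /var/log/btmp on x86_64 Linux (little-endian,
# 384 bytes): ut_type, 2 pad bytes, ut_pid, ut_line[32], ut_id[4], ut_user[32],
# ut_host[256], ut_exit.e_termination, ut_exit.e_exit, ut_session,
# ut_tv.tv_sec, ut_tv.tv_usec, ut_addr_v6 (16 bytes), 20 unused bytes.
UTMP_FMT = "<h2xi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
LOGIN_PROCESS = 6  # ut_type sshd uses for failed-login records in btmp


def _cstr(field: bytes) -> str:
    """Decode a NUL-padded fixed-width char array."""
    return field.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_btmp_record(raw: bytes) -> dict:
    """Decode one 384-byte record into the keys the btmp beacon event carries."""
    (ut_type, pid, line, ut_id, user, host, e_term, e_exit,
     session, tv_sec, _tv_usec, addr) = struct.unpack(UTMP_FMT, raw)
    return {
        "type": ut_type,
        "PID": pid,
        "line": _cstr(line),
        "inittab": _cstr(ut_id),
        "user": _cstr(user),          # attacker-chosen: whatever was typed at the prompt
        "hostname": _cstr(host),      # remote host of the attempt (ut_host)
        "exit_status": (e_term, e_exit),
        "session": session,
        "time": tv_sec,
        # ut_addr_v6[0] holds an IPv4 address in network byte order
        "addr": socket.inet_ntoa(addr[:4]) if any(addr[:4]) else "",
    }


def iter_btmp_records(data: bytes):
    """Yield every complete record in a btmp file image, ignoring a trailing partial one."""
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        yield parse_btmp_record(data[off:off + UTMP_SIZE])


def reactor_message(event_data: dict, minion_id: str) -> str:
    """Build the Slack text exactly as the btmp branch of logins.sls does."""
    return "{} failed to log into {} from machine {}".format(
        event_data["user"], minion_id, event_data["hostname"])


def build_record(user: str, host: str, pid: int, when: int) -> bytes:
    """Constructed sample record shaped like sshd's btmp entry (host must be a dotted quad)."""
    return struct.pack(UTMP_FMT, LOGIN_PROCESS, pid, b"ssh:notty", b"",
                       user.encode(), host.encode(), 0, 0, 0, when, 0,
                       socket.inet_aton(host) + bytes(12))
```

Decoded this way, the "line" value in the sample event above (type bytes 06 00 00 00, PID bytes 5e 09 00 00, then "ssh:notty") is the start of a type-6 record with PID 2398, which indicates that the beacon of that era was reading the record at the wrong offset and explains why its "type" and "PID" show as 0.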
reactors.conf (master config mapping the beacon tag to the reactor):

reactor:
  - 'salt/beacon/*/btmp/':
    - /srv/reactors/logins.sls
top.sls (pillar top file entry):

base:
  'G@kernel:Linux':
    # A 'G@...' compound target only works when the match type is set explicitly;
    # without it the top file treats the string as a glob and matches no minion.
    - match: compound
    - badlogins