LMF 0.5
LMF 0.5 Ranking & Summary
File size: 0.016 MB
Platform: Any Platform
License: GPL (GNU General Public License)
Price:
Downloads: 1099
Date added: 2006-10-27
Publisher: Max Schubert
LMF 0.5 description
LMF is a flexible log monitoring framework that lets the user match text from log files using Perl regular expressions with capturing parentheses (pattern).
An optional external command (trigger) is executed when a user-specified number of matches (threshold) is found within a user-specified period (within). In addition to the trigger, a rule can also have a message associated with it (message); when the rule is triggered, that message is logged to the LMF log file.
Each rule can also have a duration (duration); after a rule has been triggered and the duration has expired, an optional external command (release) is run.
Example Rule
[SSH - Too many login failures]
file = /var/log/secure
pattern = Failed password for (\S+) from (\S+)
threshold = 4
within = 1m
duration = 10m
trigger = /usr/local/lmf/actions/fw drop %2
release = /usr/local/lmf/actions/fw allow %2
message = %name for %1 from %2 - %count in %time secs (%threshold/h %within/s)
The above rule will dynamically block, for 10 minutes, the IP address associated with a user who fails to log in to the server over SSH with a single username more than 4 times in one minute.
For example, let's imagine user harry tries to log in 5 times from IP address 192.168.3.220 in 45 seconds using an invalid password.
The following message would be logged to LMF's system log file:
SSH - too many login failures for harry from 192.168.3.220 - 5 in 45 secs (4/h 60/s)
After the message is logged, the command specified in trigger will be run, which in this case expands to:
/usr/local/lmf/actions/fw drop 192.168.3.220
After 10 minutes, the following release command would be run:
/usr/local/lmf/actions/fw allow 192.168.3.220
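To make the threshold/within/duration semantics above concrete, here is an added Python sketch of the rule evaluation (my own illustration, not LMF's Perl code): it matches each log line against the rule's regex, keeps a per-capture sliding window of match times, fires on the match that exceeds the threshold, and expands the %-placeholders into the message, trigger and release strings without executing anything. The duration syntax, the use of all captures as the counting key, and the "more than threshold" firing point are assumptions taken from the page's worked example.

```python
import re
from collections import defaultdict, deque
# Constructed rule mirroring the page's example; the fw paths are assumed and are never run here.
RULE = {
    "name": "SSH - Too many login failures",
    "pattern": r"Failed password for (\S+) from (\S+)",
    "threshold": 4, "within": "1m", "duration": "10m",
    "trigger": "/usr/local/lmf/actions/fw drop %2",
    "release": "/usr/local/lmf/actions/fw allow %2",
    "message": "%name for %1 from %2 - %count in %time secs (%threshold/h %within/s)",
}
def seconds(spec):
    # '45s' / '1m' / '10m' style durations in seconds (assumed LMF syntax; bare numbers are seconds)
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    return int(spec[:-1]) * units[spec[-1]] if spec[-1] in units else int(spec)
class Rule:
    def __init__(self, cfg):
        self.cfg, self.regex = cfg, re.compile(cfg["pattern"])
        self.window = seconds(cfg["within"])
        self.hits = defaultdict(deque)  # capture tuple -> timestamps of recent matches
        self.blocked = {}               # capture tuple -> time at which the release is due

    def expand(self, template, caps, count, elapsed):
        """Fill %name/%count/%time/%threshold/%within and %1..%n from the live match."""
        fields = {"%name": self.cfg["name"], "%count": str(count), "%time": str(elapsed),
                  "%threshold": str(self.cfg["threshold"]), "%within": str(self.window)}
        fields.update({f"%{i}": c for i, c in enumerate(caps, 1)})
        for key, val in fields.items():
            template = template.replace(key, val)
        return template

    def feed(self, ts, line):
        """Return (log message, trigger command) on the match that exceeds the threshold, else None."""
        m = self.regex.search(line)
        if m is None:
            return None
        caps = m.groups(); q = self.hits[caps]
        q.append(ts)
        while ts - q[0] > self.window:  # discard matches that fell outside 'within'
            q.popleft()
        if len(q) <= self.cfg["threshold"] or caps in self.blocked:
            return None
        self.blocked[caps] = ts + seconds(self.cfg["duration"])
        return (self.expand(self.cfg["message"], caps, len(q), ts - q[0]),
                self.expand(self.cfg["trigger"], caps, len(q), ts - q[0]))

    def releases_due(self, now):
        """Return release commands for blocked entries whose 'duration' has expired."""
        due = [c for c, t in self.blocked.items() if now >= t]
        for c in due:
            del self.blocked[c]; self.hits.pop(c, None)
        return [self.expand(self.cfg["release"], c, 0, 0) for c in due]
```

Feeding the five constructed "harry" failures at 0, 10, 20, 30 and 45 seconds reproduces the page's message and drop command on the fifth line, and releases_due() yields the allow command once 600 seconds have passed.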
Main features:
- Flexible pattern matching system; uses Perl regular expressions and lets the user identify unique log activity patterns using capturing parentheses.
- Custom trigger and release scripts can be associated with rules; the trigger is called when a rule threshold is met, the release is called after the duration of a rule has expired.
- Triggers, messages, and releases can all contain information taken from the live match.
- Flexible configuration system; all files in the configuration directory that end in .conf will be read by LMF upon startup (like placing configuration files in /etc/httpd/conf.d/ with Apache on Linux).
- The included fw (iptables drop/allow) script contains APF (Advanced Policy Firewall) integration code that lets LMF whitelist any IP addresses / CIDR subnets specified in APF's allow_hosts.rules config file. It also includes a local whitelist if you wish to just allow hosts through LMF without also excluding them from APF.
- Rule configurations can be read from a central server via HTTP/HTTPS with or without Apache authentication.
Enhancements:
Code
Updated fw script with new features
- Looks for a QUIET variable in the environment; setting QUIET to 0 makes the fw script verbose for debugging.
- Integrated APF code; LMF will whitelist any hosts listed as whitelisted in the /etc/apf/allow_hosts.rules file.
- Integrated local whitelist functionality; LMF will whitelist any hosts listed in the LMF whitelist file (configured at the top of the fw script). This allows you to just bypass LMF checks while still keeping APF rules in place.
Rules
- Added iptables.conf rule file with basic port scanning rule that matches output from iptables
- Fixed message variable problem with SSH brute force, variables were out of order for user and IP address.