NAME
agentsmith - monitor log file for break-in attempts
SYNOPSIS
agentsmith [ -c configfile ] [ -p pidfile ] [ -d ] [ -h | -t | -L | -V ]
DESCRIPTION
agentsmith is a daemon that continuously monitors a log file for break-in attempts by remote hosts. Upon detection of a break-in attempt, it launches a user-defined script or application.
What is considered a break-in attempt is configured by means of a regular expression. See agentsmith.conf(5) for further information.
OPTIONS
The following options are supported:
-c configfile
File path of the configuration file to use. If not specified, the default /usr/local/etc/agentsmith/agentsmith.conf is used. See also agentsmith.conf(5).
-p pidfile
File path of the file the PID of the daemon is written to. If not specified, the default /usr/local/var/agentsmith/agentsmith.pid is used.
-d
Do not fork to the background but stay in the foreground. Most useful for debugging.
-h
Show a brief help of the supported options.
-t
Check the configuration file and the regular expression, and exit.
-L
Show the license and exit.
-V
Show the version and exit.
USAGE
agentsmith reads the configuration at the default location (see FILES) or at the location provided with the -c option when started. It is recommended to run agentsmith with the -t option after the configuration has been altered, in order to catch configuration errors before the daemon is restarted.
After a successful start agentsmith forks to the background (unless the -d option is given) and monitors the log file specified in the configuration file. It only reads lines appended to the log file after it has started; lines already present in the log file are ignored.
Each new line appended to the log file is matched against the regular expression. If a line matches, agentsmith reads the value of the capturing expression, which has to be a host IP address (hereafter called the ''offending host''). The offending host is then remembered by agentsmith. If the offending host exceeds the configured threshold of occurrences within the configured time span, the action script is called.
The action script is called only once for each offending host that meets the above criteria.
The last-seen time stamp is, however, updated for every further occurrence of the offending host after the action script has been called.
If an IP address remembered by agentsmith is not seen for the configured amount of time, the action script is called again (with the 'remove' argument, see Action Script) and the offending host is purged from memory.
agentsmith uses no persistent storage for offending hosts: the information is kept only for the run-time of the process and is lost upon termination, including a restart after a configuration change.
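The bookkeeping described above, as an added example that is not agentsmith's own code: a small Python model that matches constructed sshd-style log lines against an assumed regular expression, counts occurrences per captured address, calls a stand-in action function once with 'new', keeps updating the last-seen time stamp, and calls it again with 'remove' when a host expires or when everything is purged as a SIGUSR2 requests. Two details the page does not pin down are assumptions here: the threshold is evaluated over a sliding window of the last timespan seconds, and hosts that never reached the threshold are dropped silently on expiry. The real semantics and the real expression come from agentsmith.conf(5).

```python
# Added example, not agentsmith's own code: a model of the offending-host
# bookkeeping described in USAGE, driven by constructed log lines.
import ipaddress
import re
from collections import deque

# Assumed regular expression; the single capturing group must yield the IP.
FAILED_LOGIN = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)


class OffenderTracker:
    """Per-host counters, the one-shot 'new' call and the 'remove' on expiry."""

    def __init__(self, pattern, threshold, timespan, expire, sender="localhost"):
        self.pattern = pattern
        self.threshold = threshold   # occurrences that trigger the action script
        self.timespan = timespan     # ... within this many seconds (assumed sliding window)
        self.expire = expire         # purge after this long without a sighting
        self.sender = sender         # origin reported to the action script
        self.hosts = {}              # ip -> {"hits", "count", "last", "triggered"}
        self.calls = []              # recorded (ip, occurrences, mode, sender) tuples

    def action(self, ip, occurrences, mode, sender):
        """Stand-in for invoking the configured action script."""
        self.calls.append((ip, occurrences, mode, sender))

    def feed(self, now, line):
        """Process one newly appended log line; returns the offending IP or None."""
        m = self.pattern.search(line)
        if not m:
            return None
        try:
            # Normalises IPv4 and IPv6 and rejects anything that is not an
            # address, so the action script never sees arbitrary log text.
            ip = str(ipaddress.ip_address(m.group(1)))
        except ValueError:
            return None
        h = self.hosts.setdefault(
            ip, {"hits": deque(), "count": 0, "last": now, "triggered": False})
        h["count"] += 1
        h["last"] = now                      # updated on every sighting
        h["hits"].append(now)
        while h["hits"] and now - h["hits"][0] > self.timespan:
            h["hits"].popleft()              # keep only hits inside the window
        if not h["triggered"] and len(h["hits"]) >= self.threshold:
            h["triggered"] = True            # action script runs once per host
            self.action(ip, h["count"], "new", self.sender)
        return ip

    def expire_hosts(self, now):
        """Purge hosts not seen for `expire` seconds; 'remove' for triggered ones."""
        for ip, h in list(self.hosts.items()):
            if now - h["last"] >= self.expire:
                if h["triggered"]:
                    self.action(ip, h["count"], "remove", self.sender)
                del self.hosts[ip]       # untriggered hosts are dropped silently (assumed)

    def purge_all(self):
        """What SIGUSR2 requests: drop every host, 'remove' for triggered ones."""
        for ip, h in list(self.hosts.items()):
            if h["triggered"]:
                self.action(ip, h["count"], "remove", self.sender)
        self.hosts.clear()


# Constructed sample input: (seconds since start, log line).
SAMPLE_LOG = [
    (0, "sshd[1]: Failed password for root from 203.0.113.7 port 51234 ssh2"),
    (5, "sshd[1]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2"),
    (9, "sshd[1]: Accepted publickey for alice from 198.51.100.2 port 40000 ssh2"),
    (12, "sshd[1]: Failed password for root from 203.0.113.7 port 51250 ssh2"),
    (20, "sshd[1]: Failed password for root from 203.0.113.7 port 51260 ssh2"),
    (30, "sshd[1]: Failed password for root from 2001:db8::bad port 2222 ssh2"),
    (40, "sshd[1]: Failed password for root from not.an.ip port 1 ssh2"),
]


def run_demo(threshold=3, timespan=60, expire=600):
    """Feed the sample log, then expire everything; returns the action calls."""
    tracker = OffenderTracker(FAILED_LOGIN, threshold, timespan, expire)
    for when, line in SAMPLE_LOG:
        tracker.feed(when, line)
    tracker.expire_hosts(now=700)    # well past the last sighting
    return tracker.calls


if __name__ == "__main__":
    for call in run_demo():
        print(" ".join(str(x) for x in call))
```

With the defaults, 203.0.113.7 gets exactly one 'new' call at its third hit and one 'remove' call on expiry carrying the full count of four; the IPv6 host, seen once, expires without any call, and the line whose capture is not an address is ignored.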
Action Script
The action script is called in two cases:
1) An offending host has triggered the action script as explained above. The script is invoked by agentsmith with the following arguments:
<ipaddress> <occurrences> new <sender>
<ipaddress> is the IP address of the offending host, i.e. the address captured by the regular expression. <occurrences> is the number of occurrences seen so far. The literal word 'new' indicates that the action script is called for a new host. <sender> is the origin of the offending host, i.e. the agentsmith instance that encountered it (see Networking).
2) An offending host entry is purged from memory, either on user request (see SIGNALS) or because it has expired. In either case the script is invoked with the following arguments:
<ipaddress> <occurrences> remove <sender>
<ipaddress>, <occurrences>, and <sender> are the same as in case 1), although <occurrences> may be higher, since sightings after the 'new' call are counted as well. The literal word 'remove' indicates that the offending host is about to be purged from memory.
The action script is the cornerstone of agentsmith. You are completely free to put whatever suits you in this file, e.g. commands for updating firewall rules, for sending mail, and so on. Bear in mind that its arguments originate from the monitored log file (and, in server mode, from remote instances), so the script should validate them rather than interpolate them into a shell command line.
The execution bit must be set (see also chmod(1)) and agentsmith needs read and execute access to the file.
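An action script honouring the contract above, as an added example rather than anything shipped with agentsmith: it validates the four arguments before acting, passes the address to the firewall tool as a separate argv element instead of through a shell, and reports to the daemon syslog facility agentsmith itself uses (see LOGGING). The use of pf's pfctl and the table name 'offenders' are assumptions; replace them with your own firewall command.

```python
#!/usr/bin/env python3
# Added example of an action script; not the script shipped with agentsmith.
# Assumptions: pf is the firewall and "offenders" is a table declared in
# pf.conf (e.g. "table <offenders> persist").
import ipaddress
import subprocess
import sys
import syslog

TABLE = "offenders"   # assumed pf table name


def parse_args(argv):
    """Validate `<ipaddress> <occurrences> new|remove <sender>`.

    The address is whatever the regular expression captured from the log
    line, and in server mode the whole tuple comes from a remote instance,
    so nothing is trusted until it has been checked.
    """
    if len(argv) != 4:
        raise ValueError("expected 4 arguments, got %d" % len(argv))
    raw_ip, raw_count, mode, sender = argv
    addr = ipaddress.ip_address(raw_ip)       # ValueError on anything but an IP
    occurrences = int(raw_count)              # ValueError on non-numeric input
    if occurrences < 1:
        raise ValueError("occurrences must be positive")
    if mode not in ("new", "remove"):
        raise ValueError("unknown mode %r" % mode)
    if addr.is_loopback:                      # broader exclusions belong in agentsmith_exclude(5)
        raise ValueError("refusing to act on a loopback address")
    return addr, occurrences, mode, sender


def firewall_command(addr, mode):
    """Build the argv list; a list (no shell) so log content cannot inject."""
    verb = "add" if mode == "new" else "delete"
    return ["pfctl", "-q", "-t", TABLE, "-T", verb, str(addr)]


def main(argv, run=subprocess.run):
    """Return the exit status; `run` is injectable so the logic can be exercised dry."""
    try:
        addr, occurrences, mode, sender = parse_args(argv)
    except ValueError as exc:
        syslog.syslog(syslog.LOG_ERR, "action script: rejected %r: %s" % (argv, exc))
        return 2
    run(firewall_command(addr, mode), check=True)
    syslog.syslog(syslog.LOG_INFO, "%s %s after %d occurrences (reported by %s)"
                  % (mode, addr, occurrences, sender))
    return 0


if __name__ == "__main__":
    syslog.openlog("agentsmith-action", facility=syslog.LOG_DAEMON)
    sys.exit(main(sys.argv[1:]))
```

Install it with the execution bit set and point the action script setting in agentsmith.conf(5) at it. A rejected argument set leaves the firewall untouched and shows up in the daemon log next to agentsmith's own messages, which is where you would look when a host is reported but never blocked.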
Networking
agentsmith can exchange information on offending hosts with instances running on remote hosts and thus trigger remote action scripts.
To provide authentication and prevent unauthorized access, agentsmith employs OpenSSL. agentsmith only exchanges information with another instance if both sides can verify the certificate of the peer.
Inform Mode
In inform mode agentsmith informs other agentsmith instances running on remote hosts of offending hosts it has detected. It does not, however, inform remote instances when offending hosts are purged from memory. Further, agentsmith informs other instances only when the offending host triggers the action script; further occurrences of the offending host are not passed on to remote instances.
Several agentsmith instances can be specified to be informed about offending hosts.
Server Mode
agentsmith can receive offending hosts to block from remote agentsmith instances. Upon receiving information about an offending host from a remote instance, the action script of the receiving agentsmith is called, with the sending instance reported as <sender>.
agentsmith can be configured to check remotely received offending hosts against the exclusion list (see agentsmith_exclude(5)), or to ignore the local exclusion list for them.
agentsmith can run in both modes simultaneously.
CONFIGURATION
agentsmith relies on a configuration file for proper operation. The default location of the configuration file is /usr/local/etc/agentsmith/agentsmith.conf. Please see agentsmith.conf(5) for further information about how to configure agentsmith.
LOGGING
The logging facility used by agentsmith is daemon. Regular messages are sent with priority info (daemon.info), error messages with priority err (daemon.err). If agentsmith is compiled with debug code, debug messages are sent to daemon.debug.
You may need to adjust the configuration of the system logger in order to catch all messages from agentsmith. Please refer to syslog.conf(5) or your System Manual.
SIGNALS
The following signals are recognized (see also kill(1)):
SIGHUP
If an exclude file has been specified (see also agentsmith_exclude(5)), its content will be re-read.
SIGUSR1
Request the list of offending hosts. It will be printed to the system log (see also LOGGING).
SIGUSR2
Request that all offending hosts are purged from memory. This also calls the action script with the 'remove' argument.
SIGTERM
Terminate agentsmith gracefully.
FILES
/usr/local/var/agentsmith/agentsmith.pid
The default file path of the PID file. Can be overridden with the -p option.
/usr/local/etc/agentsmith/agentsmith.conf
The default location of the configuration file. Can be overridden with the -c option.
CAVEATS
* Although calling agentsmith with the -t option shows no error, it is possible that agentsmith does not start because it cannot write the PID file. Make sure you check the system log after starting agentsmith as a daemon to confirm that it started successfully.
* If started as root, agentsmith does not drop root privileges. The action script is launched by the daemon and therefore runs with the same privileges.
* agentsmith has to be started from a user account with read access to the specified log file; otherwise agentsmith is unable to read the log file and cannot start.
* Support for IPv6 addresses is implemented but not tested.
* If the log file is removed during the operation of agentsmith, it repeatedly suspends for 30 seconds until the file reappears.
SEE ALSO
agentsmith.conf(5), agentsmith_exclude(5)
AUTHOR
Rafael Ostertag <rafi@guengel.ch>