Merge branch 'master' into warden-server-2.2

packages/build-server.sh

@@ -24,7 +24,7 @@ err()
 #-------------------------------------------------------------------------------
 
 # edit when you build new package
-version="2.1"
+version="2.1-beta5"
 
 package_name="warden-server"
 package="${package_name}-${version}"
@@ -45,7 +45,6 @@ mkdir -p $package 2> $err || err
 cp ../src/${package_name}/sh/install.sh $package 2> $err || err
 cp ../src/${package_name}/sh/update.sh $package 2> $err || err
 cp ../src/${package_name}/sh/uninstall.sh $package 2> $err || err
-cp ../src/${package_name}/sh/uninstall.sh $package 2> $err || err
 cp ../src/${package_name}/doc/AUTHORS $package 2> $err || err
 cp ../src/${package_name}/doc/CHANGELOG $package 2> $err || err
 cp ../src/${package_name}/doc/INSTALL $package 2> $err || err
@@ -69,7 +68,6 @@ echo "OK"
 echo -n "Building '${etc}' directory ... "
 mkdir -p $etc 2> $err || err
 cp ../src/${package_name}/etc/package_version $etc 2> $err || err
-cp ../src/${package_name}/etc/warden-apache.conf $etc 2> $err || err
 echo "OK"
 
 echo -n "Building '${lib}' directory ... "

packages/warden-server-2.1-beta4.tar.gz.sig

+3bf719d1f0887f7feb394aafc8a85b48a66e2498  warden-server-2.1-beta4.tar.gz

packages/warden-server-2.1-beta5.tar.gz.sig

+e4e6cd82c07aa02f4a73aa37f5da13e7d04ab0fe  warden-server-2.1-beta5.tar.gz

packages/warden-server-2.1.tar.gz.sig

-ffa7243c2da0426c97abd5e8830c1efbf2aacef0  warden-server-2.1.tar.gz

src/contrib/networkReporter-client/networkReporter.pl

+#!/usr/bin/perl
+#
+#  networkReporter.pl - Warden client for communication with RT ticketing system
+# 
+#  Copyright (C) 2012 Masaryk University
+#  Author(s): Jakub CEGAN <cegan@ics.muni.cz>
+#
+#  Redistribution and use in source and binary forms, with or without
+#  modification, are permitted provided that the following conditions are met:
+#
+#   * Redistributions of source code must retain the above copyright notice,
+#     this list of conditions and the following disclaimer.
+#   * Redistributions in binary form must reproduce the above copyright notice,
+#     this list of conditions and the following disclaimer in the documentation
+#     and/or other materials provided with the distribution.
+#   * Neither the name of Masaryk University nor the names of its contributors may be
+#     used to endorse or promote products derived from this software without
+#     specific prior written permission.
+#
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+#  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+#  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+#  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+#  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+#  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+#  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+#  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+#  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+#  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+#  POSSIBILITY OF SUCH DAMAGE.
+#
+
+use warnings;
+use strict;
+
+use lib '/opt/warden-client';
+use Email::Simple;
+use Sys::Hostname;
+use Text::Wrap;
+use DateTime;
+
+
+sub sendmailWrapper{
+  my $message = shift;
+
+  if(open(my $sendmail, '|/usr/sbin/sendmail -oi -t')){
+    print $sendmail $message;
+    close $sendmail;
+    return 1;
+  } else {
+    return (0, "Sending email failed: $!");
+  }
+}
+
+sub timeToLocal{
+  my $time = shift;
+
+  my ($y,$m,$d,$h,$mm,$s);
+  if(!($$time =~ m/(\d{4})\-(\d{2})\-(\d{2})\ (\d{2})\:(\d{2})\:(\d{2})/)){
+    return (0, "Bad time format!\n");
+  }
+
+  ($y,$m,$d,$h,$mm,$s) = $$time =~ m/(\d{4})\-(\d{2})\-(\d{2})\ (\d{2})\:(\d{2})\:(\d{2})/;
+  eval{
+  my $dt = DateTime->new(
+        year   => $y,
+        month  => $m,
+        day    => $d,
+        hour   => $h,
+        minute => $mm,
+        second => $s,
+        time_zone =>'gmt');
+  $dt->set_time_zone('local');
+  $$time = $dt->strftime('%d. %m. %Y v %H:%M');};
+  if($@){
+    return (0, "Can't convert time to epoch format!\n");
+  }
+  return 1;
+}
+
+#-------------------------------------------------------------------------------
+# reportToRT - fuction for creating tickets in the RT system
+#
+#  param: hash with gateway address and warden event array
+#
+# return: ok || fail
+#-------------------------------------------------------------------------------
+sub reportToRT{
+
+  my $inputData  = shift;
+  my $toGateway  = $$inputData{'gateway'};
+  my @event      = @{$$inputData{'data'}};
+
+  my $fromHostname;
+  my $message;
+  my ($rc, $err);
+
+  if(!($toGateway)){
+    return (0, "Empty 'To' email header!\n");
+  }
+
+  eval{
+    $fromHostname = hostname();
+    if(!($fromHostname =~ m/\.ics\.muni\.cz/gi)){
+      $fromHostname .= '.ics.muni.cz';
+    }
+  };
+  if($@){
+    return (0, "Can't retrive hostname for 'From' header!\n");
+  }
+
+  ($rc, $err) = timeToLocal(\$event[3]);
+  if(!$rc){
+    return (0, $err);
+  }
+
+  my $text = "Dobrý den,
+  z Vaší IP adresy $event[6] jsme zaznamenali $event[3] celkem $event[9] pokus(y) o připojení k neexistující službě (tzv. honeypotu). V tomto konkrétním případě se jednalo o protokol $event[7] a port číslo $event[8]. Je pravděpodobné, že se jedná o virus, napadený počítač či zneužitý uživatelský účet. Doporučujeme Vám zkontrolovat zabezpečení tohoto počitače.
+
+  S pozdravem
+
+  CSIRT-MU
+  http://www.muni.cz/csirt";
+
+  eval{
+  $message = Email::Simple->create(
+    header => [
+      To                    => $toGateway,
+      From                  => 'tools@'.$fromHostname,
+      Subject               => 'Pristup na honeypot v siti CESNET'],
+      body => fill('','',$text));
+  };
+  if($@){
+    return (0, "Can't create email message\n");
+  }
+
+  ($rc, $err) = sendmailWrapper($message->as_string);
+  if(!$rc){
+    return (0, $err);
+  }
+  return 1;
+}
+
+
+my $warden_path = '/opt/warden-client';
+
+require $warden_path . '/lib/WardenClientReceive.pm';
+
+my $requested_type = "portscan";
+my $ip_reg = '147\.251\.\d+\.\d+';
+my $client = 'CESNET_IDS';
+my $gateway = 'rt@rt-devel.ics.muni.cz';
+
+$Text::Wrap::columns = 90;
+
+
+my $logger;
+my @new_events;
+
+@new_events = WardenClientReceive::getNewEvents($warden_path, $requested_type);
+#@new_events = (["5179620","au1.cesnet.cz","CESNET_IDS","2012-11-08 17:04:56","portscan","IP","147.251.216.8","XXX","666","2","","0","720"]);
+foreach (@new_events) {
+  my @event = @$_;
+
+  if(($event[6] =~ /^$ip_reg$/i) and ($event[2] =~ /^$client$/i)){
+    my %input = (gateway => $gateway, data => \@event);
+    my ($rc,$err) = reportToRT(\%input);
+    if(!$rc){
+      #print "ERR: $err\n";
+      syslog("err|Warden client - networkReporter $err\n");
+    }
+  }
+}
+
+exit 0;

src/warden-server/bin/wardenWatchdog.pl

+#!/usr/bin/perl
+#
+# WardenWatchdog.pl
+#
+# Copyright (C) 2011-2012 Cesnet z.s.p.o
+#
+# Use of this source is governed by a BSD-style license, see LICENSE file.
+
+
+use WardenConf;
+use strict;
+use warnings;
+use DBI;
+use DBD::mysql;
+use DateTime;
+#use Email::Simple;
+use Sys::Hostname;
+use Text::Wrap;
+use Data::Dumper;
+
+sub sendmailWrapper{
+  my $message = shift;
+
+  if(open(my $sendmail, '|/usr/sbin/sendmail -oi -t')){
+    print $sendmail $message;
+    close $sendmail;
+    return 1;
+  } else {
+    return (0, "Sending email failed: $!");
+  }
+}
+
+# Array of hashes
+#{query => ; text => ; contact => }
+
+# Get clients admins
+sub sendReport{
+
+  my $input_data  = shift;
+  my $contact    = $$input_data{'contact'};
+  my $domain     = $$input_data{'domain'};
+  my $text       = $$input_data{'text'};
+
+  my $from_hostname;
+  my $message;
+
+  if(!($contact)){
+    return (0, "Empty 'To' email header!\n");
+  }
+
+  $domain =~ s/\./\./;
+
+  eval{
+    $from_hostname = hostname();
+    if(!($from_hostname =~ m/$domain/gi)){
+      $from_hostname .= $domain;
+    }
+  };
+  if($@){
+    return (0, "Can't retrive hostname for 'From' header!\n");
+  }
+
+  eval{
+  #$message = Email::Simple->create(
+    #header => [
+      #To                    => $contact,
+      #From                  => 'warden_watchdog@'.$from_hostname,
+      #Subject               => 'Kotrola stavu udalosti na Wardenu'],
+      #body => fill('','',$text));
+  };
+  if($@){
+    return (0, "Can't create email message\n");
+  }
+
+  print "== $contact ==\n$text\n";
+  my ($rc, $err) = 1;#sendmailWrapper($message->as_string);
+  if(!$rc){
+    return (0, $err);
+  }
+  return 1;
+}
+
+sub connect_to_DB {
+
+  my $dbPlatform = 'mysql';
+  my $dbName     = 'warden';
+  my $dbHostname = 'localhost';
+  my $dbUser     = 'root';
+  my $dbPasswd   = 'w4rd3n&r00t';
+
+  my $dbhRef = shift;
+  my $dbh;
+
+  if($dbh = DBI->connect( "dbi:$dbPlatform:database=$dbName;host=$dbHostname", $dbUser, $dbPasswd, {RaiseError => 1, mysql_auto_reconnect => 1})){
+    $$dbhRef = $dbh;
+    return 1;
+  }
+  else{
+    return (0,"Cannot connect to database! ".DBI->errstr);
+  }
+}
+
+sub sendQuery{
+
+  my $configRef = shift;
+  my $eventsRef = shift;
+
+  my @config = @{$configRef};
+  my %bad_events;
+  my ($rc,$err);
+  my $dbh;
+
+  my $i = 0;
+  # connect to DB
+  ($rc,$err) = connect_to_DB(\$dbh);
+  if (!$rc){
+    return (0, $err);
+  }
+
+  while ($i < scalar(@config)) {
+    my $contact;
+
+    # run DB query -> requestor, client name
+    my $sth;
+    if (defined($config[$i]{query})){
+      $sth = $dbh->prepare($config[$i]{query});
+    }
+    else{
+      return (0, "No query availble\n");
+    }
+
+    if (!($sth->execute)){
+      return (0, "Couldn't get data from my database: $sth->errstr\n");
+    };
+
+    my @result;
+    while(@result = $sth->fetchrow()){
+      if (defined($config[$i]{contact})){
+        $contact = $config[$i]{contact};
+      }
+      else{
+        $contact = "from_db\@$result[0]";
+      }
+      $bad_events{$contact} .= $config[$i]{text} . "DB INFO: ". join(', ',@result) ."\n";
+    }
+    $sth->finish;
+    $i++;
+  }
+  # disconnect to DB
+  $dbh->disconnect;
+
+  %$eventsRef = %bad_events;
+
+  return 1;
+}
+
+
+sub run{
+
+  my $domain = shift;
+  my $period = shift;
+
+  my $date;
+
+  eval{
+    my $dt = DateTime->now();
+    $dt = DateTime->now()->subtract(days => $period);
+    $date = $dt->date();
+  };
+  if($@){
+    print "Warden watchdog - can't work with date\n";
+    #syslog("err|Warden watchdog - can't work with date\n");
+  }
+
+  my @configuration = (
+  {query => "SELECT hostname, service, MAX(received) FROM events WHERE valid = 't' GROUP BY hostname, service ORDER BY MAX(received) ASC;", text => "Hey, this is test of warning for admin!\n"},
+  {query => "SELECT requestor FROM clients WHERE service IN (SELECT service FROM events WHERE detected > '$date' AND type NOT IN ('portscan', 'bruteforce', 'probe', 'spam', 'phishing', 'botnet_c_c', 'dos', 'malware', 'copyright', 'webattack', 'test', 'other') AND valid = 't' GROUP BY service) GROUP BY requestor;", text => "Hey, this is test of warning!\n", contact => 'warden-administrator@cesnet.cz'});
+
+  $Text::Wrap::columns = 80;
+
+
+  my %bad_events;
+
+  my $i = 0;
+  while ($i < scalar(@configuration)) {
+    my ($rc,$err) = sendQuery(\@configuration,\%bad_events);
+    if (!$rc){
+      print "Warden watchdog - $err\n";
+      #syslog("err|Warden watchdog - $err\n");
+    }
+    $i++;
+  }
+
+  while (my ($contact, $text) = each(%bad_events)){
+    my %input = (contact => $contact, domain => $domain, text => $text);
+    my ($rc,$err) = sendReport(\%input);
+    if (!$rc){
+      # TODO syslog
+      print $err;
+      #syslog("err|Warden client - networkReporter $err\n");
+    }
+    print "\n\n";
+  }
+}
+
+run('warden-dev.cesnet.cz',7);
+1;

src/warden-server/doc/INSTALL

@@ -88,7 +88,7 @@ D. Post-installation steps
 
  b) Create new database structure
 
-	$ mysql -u <user> -h localhost -p <password> < {warden-server_path}/doc/warden.mysql
+	$ mysql -u <user> -h localhost -p < {warden-server_path}/doc/warden.mysql
 
 
 4) Warden server configuration

src/warden-server/doc/UNINSTALL

@@ -24,13 +24,72 @@ You must be root for running this script.
 B. Uninstallation step
 ----------------------
 
-1) Uninstall Warden server package (default installation path)
+1) Uninstall Warden server package (example for default installation path)
 
 	# /opt/warden-server/uninstall.sh -d /opt
 
 
 C. Post-uninstallation steps
---------------------------
+----------------------------
 
-	# a2dismod ssl 
-	# aptitude remove apache2 mysql-server libapache2-mod-perl2 apache2-mpm-prefork              
+1) Stop Apache server
+
+	# /etc/init.d/apache2 stop
+
+
+2) Disable of mod_ssl module
+	
+	# a2dismod ssl
+
+
+3) Remove Apache server configuration
+
+ a) VirtualHost section configuration
+
+  - remove include parameters from the Warden server configuration file (<warden-server_path>/etc/warden-apache.conf)
+
+        # vim /etc/apache2/sites-enables/default(-ssl)
+
+                <VirtualHost *:443>
+                ... 
+
+                Include /opt/warden-server/etc/warden-apache.conf
+                </VirtualHost>
+
+    
+ b) remove Apache server performance configuration
+
+        # vim /etc/apache2/apache2.conf
+
+                  - prefork module settings
+
+                        <IfModule mpm_prefork_module>
+                                StartServers          2   
+                                MinSpareServers       4   
+                                MaxSpareServers       8   
+                                ServerLimit           700 
+                                MaxClients            700 
+                                MaxRequestsPerChild   0   
+                        </IfModule>
+
+                 - connection settings
+    
+                        Timeout 10
+                        KeepAlive Off
+
+
+4) Drop MySQL database
+
+        $ mysql -u <user> -h localhost -p <password>
+	mysql> DROP DATABASE warden;
+	mysql> exit
+
+
+5) Uninstall unnecessary packages (optional)
+ 
+	# aptitude remove apache2 mysql-server libapache2-mod-perl2 apache2-mpm-prefork
+
+
+6) Start Apache server
+
+	# /etc/init.d/apache2 start

src/warden-server/doc/UPDATE

@@ -35,3 +35,8 @@ C. Post-update steps
 1) Update Warden server database
 
 	$ mysql -u <user> -h localhost -p <password> < {warden-server_path}/doc/warden20to21.patch
+
+
+2) Restart Apache server
+
+	# /etc/init.d/apache2 restart

src/warden-server/doc/warden.mysql

@@ -33,7 +33,7 @@ SET character_set_client = utf8;
 CREATE TABLE `clients` (
   `client_id` int(11) NOT NULL auto_increment,
   `hostname` varchar(256) default NULL,
-  `registered` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
+  `registered` timestamp NOT NULL default '0000-00-00 00:00:00',
   `requestor` varchar(256) default NULL,
   `service` varchar(64) default NULL,
   `client_type` varchar(1) default NULL,
@@ -56,7 +56,7 @@ CREATE TABLE `events` (
   `id` int(11) NOT NULL auto_increment,
   `hostname` varchar(256) default NULL,
   `service` varchar(64) default NULL,
-  `detected` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
+  `detected` timestamp NOT NULL default '0000-00-00 00:00:00',
   `received` timestamp NOT NULL default '0000-00-00 00:00:00',
   `type` varchar(64) default NULL,
   `source_type` varchar(64) default NULL,