New port: hunch - Scan httpd log files, find vulnerability probes,

mail admins

	Scan Apache log files for CodeRed, Nimda, FormMail, proxy
	scanners and other malicious probes. For each one found,
	track down the contact email from WHOIS data and send a
	notice. Built-in rate controls prevent flooding an admin
	even when his machines are scanning at high rates. Runs as
	a non-privileged cron job to not interfere with the HTTP
	daemon's operation.

	Notes to committer:
	 1. This port installs a user and a group "hunch". It doesn't
	 meet the conditions listed in the handbook for a "reserved"
	 uid/gid.
	 2. portlint will complain about the port. A lot. To the
	 best of my judgment all of the warnings can be ignored
	 with the exception of the one about BATCH which I could
	 find no documentation for. Therefore it is setting
	 IS_INTERACTIVE.

PR:		ports/44836
Submitted by:	Dan Pelleg <daniel+hunch@pelleg.org>

8 files changed, 378 insertions, 0 deletions

diff --git a/security/Makefile b/security/Makefile
index ef28df72dcaf..fb074cd29fb8 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -101,6 +101,7 @@
     SUBDIR += hlfl
     SUBDIR += hostsentry
     SUBDIR += hping
+    SUBDIR += hunch
     SUBDIR += hydra
     SUBDIR += ident2
     SUBDIR += identify
diff --git a/security/hunch/Makefile b/security/hunch/Makefile
new file mode 100644
index 000000000000..a38d2535da68
--- /dev/null
+++ b/security/hunch/Makefile
@@ -0,0 +1,33 @@
+# New ports collection makefile for: hunch
+# Date created:		26 October 2002
+# Whom:			Dan Pelleg <daniel+hunch@pelleg.org>
+#
+# $FreeBSD$
+#
+
+PORTNAME=	hunch
+PORTVERSION=	1.0
+CATEGORIES=	security
+MASTER_SITES=	http://web.cs.cmu.edu/~dpelleg/download/
+
+MAINTAINER=	daniel+hunch@pelleg.org
+COMMENT=	Scan httpd log files, find vulnerability probes, mail admins
+
+RUN_DEPENDS=	${SITE_PERL}/Net/SMTP.pm:${PORTSDIR}/net/p5-Net
+
+IS_INTERACTIVE=	yes
+WRKSRC=		${WRKDIR}/${PORTNAME}-${PORTVERSION}
+NO_PACKAGE=	too interactive
+NO_BUILD=	true
+USE_PERL5=	YES
+
+do-install:
+	@${ECHO_MSG} "Installing files"
+	@${INSTALL_DATA} ${WRKSRC}/etc/hunch-special ${PREFIX}/etc
+	@${INSTALL_SCRIPT} ${WRKSRC}/bin/complain-httpd ${PREFIX}/bin
+	@${INSTALL_SCRIPT} ${WRKSRC}/bin/contact ${PREFIX}/bin
+
+post-install:
+	@PREFIX=${PREFIX} ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL
+
+.include <bsd.port.mk>
diff --git a/security/hunch/distinfo b/security/hunch/distinfo
new file mode 100644
index 000000000000..512ad4823bc0
--- /dev/null
+++ b/security/hunch/distinfo
@@ -0,0 +1 @@
+MD5 (hunch-1.0.tar.gz) = a5abf88c516e341cda723aaddfdc6aa6
diff --git a/security/hunch/pkg-deinstall b/security/hunch/pkg-deinstall
new file mode 100644
index 000000000000..96e410359c9c
--- /dev/null
+++ b/security/hunch/pkg-deinstall
@@ -0,0 +1,97 @@
+#! /bin/sh
+
+#
+# Adapted from pkg-deinstall in net/cvsup-mirror,
+# presumably by jdp@FreeBSD.org
+#
+
+user=hunch
+group=hunch
+
+ask() {
+    local question default answer
+
+    question=$1
+    default=$2
+    if [ -z "${PACKAGE_BUILDING}" ]; then
+	read -p "${question} [${default}]? " answer
+    fi
+    if [ x${answer} = x ]; then
+	answer=${default}
+    fi
+    echo ${answer}
+}
+
+yesno() {
+    local dflt question answer
+
+    question=$1
+    dflt=$2
+    while :; do
+	answer=$(ask "${question}" "${dflt}")
+	case "${answer}" in
+	[Yy]*)		return 0;;
+	[Nn]*)		return 1;;
+	esac
+	echo "Please answer yes or no."
+    done
+}
+
+delete_account() {
+    local u g home
+
+    u=$1
+    g=$2
+    if yesno "Do you want me to remove group \"${g}\"" y; then
+	pw groupdel -n ${g}
+	echo "Done."
+    fi
+    if yesno "Do you want me to remove user \"${u}\"" y; then
+	eval home=~${u}
+	pw userdel -n ${u}
+	echo "Done."
+	if [ -d "${home}" ]; then
+	    echo "Please remember to remove the home directory \"${home}\" as"
+	    echo "well as the mirrored files."
+	fi
+    fi
+}
+
+if [ x$2 != xDEINSTALL ]; then
+    exit
+fi
+
+export PATH=/bin:/usr/bin:/usr/sbin
+
+if ps -axc | grep -q complain-httpd; then
+    if yesno "There are some complain-httpd processes running.  Shall I kill them" y
+    then
+	killall complain-httpd
+	sleep 2
+    else
+	echo "OK ... I hope you know what you are doing."
+    fi
+fi
+
+tmp="/etc/#hunch$$"
+trap "rm -f ${tmp}" 0 1 2 3 15
+
+rm -f /var/db/hunch-timestamp
+
+if yesno "Do you want me to remove scheduled complaints from \"/etc/crontab\"" y
+then
+    sed "/complain-httpd/d" /etc/crontab >${tmp} || exit
+    chmod 644 ${tmp}
+    mv ${tmp} /etc/crontab || exit
+    echo "Done."
+fi
+
+if yesno "Do you want me to remove the hunch log entry from \
+\"/etc/newsyslog.conf\"" y; then
+    sed "/hunch\.log/d" /etc/newsyslog.conf >${tmp} || exit
+    chmod 644 ${tmp}
+    mv ${tmp} /etc/newsyslog.conf || exit
+    echo "Done."
+fi
+
+delete_account ${user} ${group}
diff --git a/security/hunch/pkg-descr b/security/hunch/pkg-descr
new file mode 100644
index 000000000000..ae7c9b23ca62
--- /dev/null
+++ b/security/hunch/pkg-descr
@@ -0,0 +1,9 @@
+Scan Apache log files for CodeRed, Nimda, FormMail, proxy scanners and
+other malicious probes. For each one found, track down the contact email
+from WHOIS data and send a notice. Built-in rate controls prevent flooding
+an admin even when his machines are scanning at high rates. Runs as a
+non-privileged cron job to not interfere with the HTTP daemon's operation.
+
+-- Dan Pelleg
+
+daniel+hunch@pelleg.org
diff --git a/security/hunch/pkg-install b/security/hunch/pkg-install
new file mode 100644
index 000000000000..4201da498933
--- /dev/null
+++ b/security/hunch/pkg-install
@@ -0,0 +1,229 @@
+#! /bin/sh
+
+#
+# Adapted from pkg-install in net/cvsup-mirror,
+# presumably by jdp@FreeBSD.org
+#
+
+user=hunch
+group=hunch
+
+interval=4
+
+ask() {
+    local question default answer
+
+    question=$1
+    default=$2
+    if [ -z "${PACKAGE_BUILDING}" ]; then
+	read -p "${question} [${default}]? " answer
+    fi
+    if [ x${answer} = x ]; then
+	answer=${default}
+    fi
+    echo ${answer}
+}
+
+yesno() {
+    local dflt question answer
+
+    question=$1
+    dflt=$2
+    while :; do
+	answer=$(ask "${question}" "${dflt}")
+	case "${answer}" in
+	[Yy]*)		return 0;;
+	[Nn]*)		return 1;;
+	esac
+	echo "Please answer yes or no."
+    done
+}
+
+make_account() {
+    local u g gcos homeopt home
+
+    u=$1
+    g=$2
+    gcos=$3
+    homeopt=${4:+"-d $4"}
+
+    if pw group show "${g}" >/dev/null 2>&1; then
+	echo "You already have a group \"${g}\", so I will use it."
+    else
+	echo "You need a group \"${g}\"."
+	if which -s pw && yesno "Would you like me to create it" y; then
+	    pw groupadd ${g} || exit
+	    echo "Done."
+	else
+	    echo "Please create it, and try again."
+	    if ! grep -q "^${u}:" /etc/passwd; then
+		echo "While you're at it, please create a user \"${u}\" too,"
+		echo "with a default group of \"${g}\"."
+	    fi
+	    exit 1
+	fi
+    fi
+    
+    if pw user show "${u}" >/dev/null 2>&1; then
+	echo "You already have a user \"${u}\", so I will use it."
+    else
+	echo "You need a user \"${u}\"."
+	if which -s pw && yesno "Would you like me to create it" y; then
+	    pw useradd ${u} -g ${g} -h - ${homeopt} \
+		-s /nonexistent -c "${gcos}" || exit
+	    echo "Done."
+	else
+	    echo "Please create it, and try again."
+	    exit 1
+	fi
+    fi
+
+    if [ x"$homeopt" = x ]; then
+	eval home=~${u}
+	if [ ! -d "${home}" ]; then
+	    if yesno \
+		"Would you like me to create ${u}'s home directory (${home})" y
+	    then
+		(umask 77 && \
+		    mkdir -p ${home}/) || exit
+		chown -R ${u}:${g} ${home} || exit
+	    else
+		echo "Please create it, and try again."
+		exit 1
+	    fi
+	fi
+    fi
+}
+
+case $2 in
+
+POST-INSTALL)
+    # . ${base}/config.sh || exit
+
+    if which -s pw && which -s lockf; then
+	:
+    else
+	cat <<EOF
+
+This system looks like a pre-2.2 version of FreeBSD.  I see that it
+is missing the "lockf" and/or "pw" utilities.  I need these utilities.
+Please get them and install them, and try again.  You can get the
+sources from:
+
+  ftp://ftp.freebsd.org/pub/FreeBSD/FreeBSD-current/src/usr.bin/lockf.tar.gz
+  ftp://ftp.freebsd.org/pub/FreeBSD/FreeBSD-current/src/usr.sbin/pw.tar.gz
+
+EOF
+	exit 1
+    fi
+
+    echo ""
+    make_account ${user} ${group} "Probe-griping user" "/nonexistent"
+ 
+    echo "Fixing ownerships and modes"
+    chown ${user}:${group} ${PREFIX}/etc/hunch-special
+    misc_files="/var/db/hunch-timestamp /var/log/hunch.log"
+    touch $misc_files
+    chown ${user}:${group} $misc_files
+    chmod 664 ${PREFIX}/etc/hunch-special $misc_files
+
+    echo ""
+    if grep -q "^[^#]*/var/log/hunch.log" /etc/newsyslog.conf; then
+	echo -n "It looks like you already have some logging set up, so I "
+	echo "will use it."
+    else
+	if yesno "Would you like me to set up log rotation" y; then
+	    echo "Adding hunch log entry to \"/etc/newsyslog.conf\"."
+	    cat <<EOF >>/etc/newsyslog.conf
+/var/log/hunch.log	hunch:hunch		644  3    100    *    Z
+EOF
+	    echo "Done."
+	else
+	    cat <<EOF
+OK, please remember to do it yourself.  You should add an entry to
+"/etc/newsyslog.conf".
+EOF
+	fi
+    fi
+
+    echo ""
+    if grep -q "^[^#]*${PREFIX}/bin/complain-httpd" /etc/crontab; then
+	echo "It looks like your crontab is already set up, so I'll use that."
+    else
+	if [ ${interval} -eq 1 ]; then
+	    updstr="hourly complaints"
+	else
+	    updstr="complaints every ${interval} hours"
+	fi
+	if yesno "Would you like me to set up your crontab for ${updstr}" y
+	then
+	    echo "Scheduling ${updstr} in \"/etc/crontab\"."
+	    delay=5
+	    now=$(date "+%s")
+	    start=$((${now} + ${delay}*60))
+	    hh=$(date -r ${start} "+%H")
+	    mm=$(date -r ${start} "+%M")
+	    h=$((${hh}))
+	    m=$((${mm}))
+	    if [ ${interval} -eq 1 ]; then
+		hstr="*"
+	    else
+		h0=$((${h} % ${interval}))
+		if [ ${interval} -eq 24 ]; then
+		    hstr=${h0}
+		else
+		    h1=$((${h0} + 24 - ${interval}))
+		    hstr=${h0}-${h1}/${interval}
+		fi
+	    fi
+	    cat <<EOF >>/etc/crontab
+${m}	${hstr}	*	*	*	${user} ${PREFIX}/bin/complain-httpd /var/log/httpd-access.log >> /var/log/hunch.log 2>&1
+EOF
+	    cat <<EOF
+Done.
+EOF
+	else
+	    cat <<EOF
+OK, please remember to do it yourself.  The crontab entry should run
+"${PREFIX}/bin/complain-httpd /var/log/htppd-access.log" as user ${user}
+EOF
+	fi
+    fi
+
+    echo ""
+	if yesno "Would you like me to set up the sender's address as it appears on outgoing complaints" y; then
+        host=`hostname`
+        sender=$(ask "Enter sender's email address" "root@$host" )
+        tmp="${PREFIX}/bin/#complain-httpd$$"
+        trap "rm -f ${tmp}" 0 1 2 3 15
+        sed "s/sender = ''/sender = '$sender'/" ${PREFIX}/bin/complain-httpd >${tmp} || exit
+        chmod 755 ${tmp}
+        mv ${tmp} ${PREFIX}/bin/complain-httpd || exit
+	    echo "Done."
+	else
+	    cat <<EOF
+OK, please remember to do it yourself.  You should modify the "my \$sender=''"
+line in "${PREFIX}/bin/complain-httpd".
+EOF
+    fi
+
+    echo ""
+    echo "I can enable hunch right now, or leave it in parse-only mode"
+    echo "which will scan the logs and determine the contacts, but"
+    echo "will not actually send any mail."
+	if yesno "Would you like me enable hunch in mail-sending mode" y; then
+        nomail=0
+    else
+        nomail=1
+    fi
+    tmp="${PREFIX}/bin/#complain-httpd$$"
+    trap "rm -f ${tmp}" 0 1 2 3 15
+    sed "s/no_mailing = .*;/no_mailing = $nomail;/" ${PREFIX}/bin/complain-httpd >${tmp} || exit
+    chmod 755 ${tmp}
+    mv ${tmp} ${PREFIX}/bin/complain-httpd || exit
+	echo "OK."
+
+    echo ""
+    echo "You are now hunch-enabled"
+    ;;
+esac
diff --git a/security/hunch/pkg-message b/security/hunch/pkg-message
new file mode 100644
index 000000000000..d2058969cbdb
--- /dev/null
+++ b/security/hunch/pkg-message
@@ -0,0 +1,5 @@
+Note that some WHOIS servers have specific
+terms of use, which they assume you to have
+accepted by issuing a query. Do not use
+this package if you do not agree to those
+licenses.
diff --git a/security/hunch/pkg-plist b/security/hunch/pkg-plist
new file mode 100644
index 000000000000..6d8726cf961c
--- /dev/null
+++ b/security/hunch/pkg-plist
@@ -0,0 +1,3 @@
+bin/complain-httpd
+bin/contact
+etc/hunch-special