NAME

squidefender - A tool to warn ISPs of proxy abusing hosts.


SYNOPSIS

squidefender


DESCRIPTION

Squidefender is a Perl script which parses a Squid log file in native format for attacks. If it finds an attack, it sends a complaint email to the ISP of the attacker. It can also execute an external command to take other actions; this can for example be used to adapt your firewall automatically when an attack has occurred. The complaint function of squidefender is largely based on the code of wormwarner. The power of squidefender lies in its configuration options, which let you easily add new attacks to scan for. Another interesting option of squidefender is the ability to use different message templates depending on the attack found.


CONFIGURATION FILE

Configuration files are standard ascii(7) text files that may be created or edited using any standard editor. Blank lines and lines that begin with a pound sign ('#') are ignored. Any other line is a configuration line of the form ``Keyword=Value'', where 'Keyword' is one of the configuration keywords defined below and 'Value' is the value to assign to that option. Some keywords (ipignore, pattern, template and blocktime) may appear more than once; for pattern, template and blocktime the value is itself of the form ID=..., and the ID ties a template and a block time to the pattern with the same ID. The file squidefender.conf provided with the distribution contains useful documentation and examples as well. You can change this file to suit your needs. The configuration file must, however, be called squidefender.conf and reside in the same directory as squidefender.pl.

General Configuration Keywords

backup
If set, a backup of backupfile is stored as backupfile.bak before firewallcommand is executed. After the command has run, backupfile is restored from backupfile.bak if and only if the size of backupfile is smaller than the size of backupfile.bak, i.e. when the command appears to have truncated the file.

backupfile
Specifies the file to backup. See backup.

bcc
A comma-separated list of addresses which should receive a blind carbon copy of the warnings sent.

blocktime
The number of days that a given attacker will be blocked when it matches a given template. The format of this option is blocktime=TemplateID=<days>. After blocktime has passed, firewallremove is executed for the given IP.

cc
A comma-separated list of addresses which should receive a carbon copy of the warnings sent.

database
The file in which to store the information about warnings. This file is a GDBM database. If the file does not exist it will be created.

firewallcommand
The command to execute for every host that is infected or has attacked us. $IP$ in the command is substituted with the IP address of that host. Note that you might have to use the full path to the command, and make sure that the user running squidefender has sufficient permissions to execute it. Because the substituted address is taken from the log file and the command runs with the script's privileges, give squidefender no more privilege than the command needs. See the squidefender.conf file for examples.

firewallremove
The command to execute for every host for which blocktime has passed. $IP$ in the command is substituted with the IP address of that host. Note that you might have to use the full path to the command, and make sure that the user running squidefender has sufficient permissions to execute it. See the squidefender.conf file for examples.

from
The email address of the sender of the warning messages.

host
The hostname of the sending host. The default value is the result of (gethostbyname 'localhost')[0].

htmlout
If defined, an HTML version of the logfile is written to the file named by htmlout. This makes it easy to publish the results of your actions on a website.

ipignore
Describes an IP pattern to ignore when sending warnings. The pattern is a Perl regular expression matched against the client address, e.g. ^192\.168\.0\. ignores all addresses from 192.168.0.0 to 192.168.0.255. Anchor the pattern with ^ so that it only matches at the start of the address. This option may be used as often as necessary.

ipinfo
Contains the location of the ipinfo file.

isp_pending
The number of days that have to pass before a new complaint is sent to an ISP about an IP for which a previous warning has already been sent.

logfile
The file in which we store the results of what we do.

mailhost
The host we use to send mail. If not defined, the value of host is used.

pattern
Describes a pattern to look for. A pattern is an ID followed by a Perl regular expression, separated by a =, i.e. pattern=ID=regex. See the squidefender.conf file for examples. This option may be used as often as necessary. The ID of each pattern must be unique, since template and blocktime entries refer to it.

squidlog
The squid logfile we want to parse.

subject
The subject of the warning messages we send.

template
Points to a file with the message template for that ID. A template may contain the strings $HOST$, $COUNT$, $LOCAL$ and $LINE$. $HOST$ is replaced by the IP address of the offending host, $COUNT$ by the number of offences found, $LOCAL$ by your local hostname and $LINE$ by all log lines that prove the offence. See message.txt for an example. The format of a template line is template=ID=path/to/file. For each pattern there must be a template file with the same ID.

timestamp
The location of the timestamp file. This file contains a timestamp in seconds since the epoch. This timestamp is used to determine where we stopped after the last execution, so that log lines already processed are not reported again. When using squidefender for the first time you probably want to set this to a reasonable value, so that old log entries are not reported on the first run. Also make sure that you HAVE WRITE ACCESS to the timestamp file.
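The following script is an added example written in the style of the keywords above; it is not squidefender's own code and not the squidefender.conf shipped with the distribution. It parses a constructed Keyword=Value configuration, scans constructed Squid native-format log lines that are newer than the timestamp, applies the ipignore and pattern regular expressions, fills in a message template per pattern ID, and builds the firewallcommand for each offending host. It assumes that patterns are matched against the whole log line and that the offending host is the client address in the third field of a native log line; the host name proxy.example.net, the template texts and all log lines are made up for the example.

```perl
#!/usr/bin/perl
# Added example in the spirit of squidefender; not the distribution's code.
use strict;
use warnings;

# Constructed configuration text (stands in for squidefender.conf).
my $conf_text = <<'CONF';
# blank lines and lines starting with '#' are ignored
squidlog=/var/log/squid/access.log
timestamp=/var/lib/squidefender/timestamp
firewallcommand=/sbin/iptables -I INPUT -s $IP$ -j DROP
ipignore=^192\.168\.0\.
ipignore=^127\.
pattern=cmdexe=/winnt/system32/cmd\.exe
pattern=traversal=/scripts/\.\.%255c
blocktime=cmdexe=7
CONF

# Keywords that may occur more than once are collected into lists.
my %multi = map { $_ => 1 } qw(ipignore pattern template blocktime);
sub parse_conf {
    my ($text) = @_;
    my %c;
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(?:#|$)/;
        my ($k, $v) = split /=/, $line, 2;
        next unless defined $v;
        if ($multi{$k}) { push @{ $c{$k} }, $v } else { $c{$k} = $v }
    }
    return \%c;
}
# Split an "ID=value" entry (pattern, template, blocktime) into its parts.
sub id_value { return split /=/, $_[0], 2 }

# Scan native-format lines newer than $since. Assumption: each pattern is
# matched against the whole line; the offending host is the client address
# (third field). Returns hits per host and pattern ID plus the newest stamp
# seen, which the real tool would write back to its timestamp file.
sub scan_log {
    my ($conf, $since, @lines) = @_;
    my %pat    = map { my ($id, $re) = id_value($_); ($id => qr/$re/) } @{ $conf->{pattern} || [] };
    my @ignore = map { qr/$_/ } @{ $conf->{ipignore} || [] };
    my %hits;
    my $newest = $since;
    for my $line (@lines) {
        my ($ts, undef, $client) = split ' ', $line;
        next unless defined($client) && $ts =~ /^\d+(?:\.\d+)?$/;   # malformed line
        next if $ts <= $since;                                       # handled on a previous run
        $newest = $ts if $ts > $newest;
        next if grep { $client =~ $_ } @ignore;
        for my $id (sort keys %pat) {
            push @{ $hits{$client}{$id} }, $line if $line =~ $pat{$id};
        }
    }
    return (\%hits, $newest);
}

# Expand the four placeholders a message template may contain.
sub fill_template {
    my ($tmpl, $host, $local, @lines) = @_;
    my %sub = ('$HOST$' => $host, '$COUNT$' => scalar @lines,
               '$LOCAL$' => $local, '$LINE$' => join("\n", @lines));
    $tmpl =~ s/(\$(?:HOST|COUNT|LOCAL|LINE)\$)/$sub{$1}/g;
    return $tmpl;
}

# Substitute $IP$ only with a well-formed dotted quad: the value comes from
# the log file and the command is usually handed to a shell.
sub firewall_command {
    my ($cmd, $ip) = @_;
    return unless $ip =~ /^(?:\d{1,3}\.){3}\d{1,3}$/;
    (my $out = $cmd) =~ s/\$IP\$/$ip/g;
    return $out;
}

my $conf  = parse_conf($conf_text);
my $since = 1046000000;    # stands in for the contents of the timestamp file
# Constructed native-format lines: time elapsed client code/status bytes method URL ident hierarchy type
my @log = (
    "1045999990.001   12 203.0.113.9 TCP_MISS/404 1100 GET http://198.51.100.20/winnt/system32/cmd.exe?/c+dir - DIRECT/198.51.100.20 text/html",
    "1046000010.500   15 203.0.113.9 TCP_MISS/404 1100 GET http://198.51.100.20/scripts/..%255c../winnt/system32/cmd.exe?/c+dir - DIRECT/198.51.100.20 text/html",
    "1046000011.000   11 192.168.0.7 TCP_MISS/404 1100 GET http://198.51.100.21/winnt/system32/cmd.exe?/c+dir - DIRECT/198.51.100.21 text/html",
    "1046000012.250 3021 10.9.8.7 TCP_HIT/200 5120 GET http://www.example.org/index.html - NONE/- text/html",
    "1046000013.750   20 203.0.113.9 TCP_MISS/404 1100 GET http://198.51.100.22/winnt/system32/cmd.exe?/c+dir - DIRECT/198.51.100.22 text/html",
);
my ($hits, $newest) = scan_log($conf, $since, @log);

# Constructed templates keyed by pattern ID (the real tool reads the files named by template=ID=path).
my %template = (
    cmdexe    => "Host \$HOST\$ requested cmd.exe \$COUNT\$ times through the proxy on \$LOCAL\$:\n\$LINE\$\n",
    traversal => "Host \$HOST\$ sent \$COUNT\$ directory traversal requests through \$LOCAL\$:\n\$LINE\$\n",
);
my %blockdays = map { id_value($_) } @{ $conf->{blocktime} || [] };
for my $host (sort keys %$hits) {    # only 203.0.113.9: the first line is too old, 192.168.0.7 is ignored
    for my $id (sort keys %{ $hits->{$host} }) {
        print fill_template($template{$id}, $host, 'proxy.example.net', @{ $hits->{$host}{$id} }), "\n";
        print "block for $blockdays{$id} days\n" if $blockdays{$id};
    }
    my $cmd = firewall_command($conf->{firewallcommand}, $host);
    print "would run: $cmd\n" if defined $cmd;
}
print "new timestamp: $newest\n";
```

Run with perl; the cmdexe template is filled with two proving lines and the traversal template with one, the line older than the timestamp and the request from the ignored 192.168.0.0/24 host produce no report, and the command line is only built once the host address has passed the dotted-quad check. In production, the values of squidlog, timestamp and the template paths would be read from the files the keywords name rather than embedded as here.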


AUTHORS

Written by Jeroen van Nieuwenhuizen and Jasper O Waale.


REPORTING BUGS

Report bugs to <jnieuwen@softhome.net>


COPYRIGHT

Copyright (C) 2003 by Jeroen van Nieuwenhuizen and Jasper O Waale. Distributed under the GNU GPL. See the file ``LICENSE'', supplied with the distribution for additional information.