Sat, 25 Jan 2003 (PDT)








shwatchr: Documentation

shwatchr: The Shell Watcher
---------------------------

shwatchr is released under the GNU Public License (see license information at the end of this document).

Current version is 0.7

Current security mechanisms on Linux systems include some great pieces of software such as firewalling code (ipchains) and even stateful firewalling code in the 2.4.x kernel series (iptables), Bastille Linux, tcpwrappers, intrusion detection systems, etc. shwatchr is an additional piece of security software for Linux, although it should run on any *NIX that has the finger command. shwatchr is designed to audit the hosts from which remote logins occur via ssh, telnet, etc.

Basic architecture: shwatchr is called from the user's shell rc file (~/.bashrc for bash or ~/.tcshrc for tcsh), which is executed any time a user spawns a shell. Note that if the shell rc file is executed, a successful login has already happened, which indicates that the user who is logging in knows the password (unless root is su'ing to your account, of course). However, before the prompt is displayed shwatchr is executed and compares the host from which the user is logging in against a list of hosts (contained in ~/.shwatchr/allowed_hosts). If the host is listed in allowed_hosts, then shwatchr takes no further action, exits, and allows the login to continue unimpeded. If the host is not in allowed_hosts, then shwatchr will either 1) send an email to an account that is not associated with the local user's account, informing the user that someone logged into their account from a host that is not authorized, or 2) issue a warning message and then kill all user shells. The action taken (1 or 2) is controlled by normal command line arguments that are passed to shwatchr as it is called from the shell rc file.

Note that the action of killing all user shells can be defeated by immediately issuing ^C characters after the password is entered to login (via telnet, ssh, etc.), which will result in shwatchr not being executed. However, if someone has stolen your password (which can happen in various ways, especially if you ever use protocols that do not encrypt your password en route such as ftp or telnet), they will most likely not be expecting a security mechanism such as shwatchr the first time they log into your account, and the warning message issued before the user shells are killed may be enough to discourage them from logging in again. The most useful option, however, is to send an email to an "offshore" account so that at least you will know that someone logged into your account and then you can go change your password at your earliest convenience. The process of sending the email is done transparently to the user who logged into your account from the unauthorized host.

The finger command is used by shwatchr to determine the hosts from which remote logins come (this does not require that fingerd be running on the localhost).
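The check described above (find the current session in finger output, look its host up in allowed_hosts, decide between letting the login proceed and raising an alert), as an added example that is not shwatchr's own code. It runs over constructed finger output and an assumed column layout; the ~/.shwatchr/allowed_hosts format (one host per line) is taken from this page, and treating console logins with no remote host as allowed is this example's assumption.

```shell
#!/bin/sh
# Added example, not shwatchr's own code. Assumed finger columns:
# Login Name Tty Idle "Login Time" Where, with "-" for an empty Idle
# column and no Where field for a console login; real finger output may differ.

# Constructed finger output for user "mbr" (not captured from a real host).
SAMPLE_FINGER='Login    Name     Tty     Idle  Login Time   Where
mbr      Mike     pts/0      -  Jan 25 10:02  shell.example.org
mbr      Mike    *pts/1      3  Jan 25 10:15  10.0.0.25
mbr      Mike     pts/2      -  Jan 25 10:20  203.0.113.9
mbr      Mike     tty1      12  Jan 25 08:30'

# Constructed ~/.shwatchr/allowed_hosts contents; '#' lines are comments.
SAMPLE_ALLOWED='# hosts from which logins to this account are expected
shell.example.org
10.0.0.25'

# remote_host FINGER_OUTPUT USER TTY: print the Where host of that session,
# "LOCAL" for a console login with no host, nothing if the tty is not found.
remote_host() {
    printf '%s\n' "$1" | awk -v u="$2" -v t="$3" '
        NR > 1 && $1 == u {
            tty = $3; sub(/^\*/, "", tty)      # "*" marks a mesg-off tty
            if (tty == t) { h = (NF >= 8) ? $NF : "LOCAL"; print h; exit }
        }'
}

# host_allowed HOST ALLOWED_LIST: succeed only on an exact, non-comment line
# match (-x whole line, -F literal dots, so 10.0.0.25 never matches 10.0.0.250).
host_allowed() {
    printf '%s\n' "$2" | grep -v '^[[:space:]]*#' | grep -qxF -- "$1"
}

# check_login FINGER_OUTPUT USER TTY ALLOWED_LIST: print "ok HOST" (exit 0),
# "alert HOST" (exit 1) or "unknown" (exit 2). Console logins are treated as
# allowed here; that is this example's assumption, not shwatchr's rule.
check_login() {
    host=$(remote_host "$1" "$2" "$3")
    if [ -z "$host" ]; then echo unknown; return 2; fi
    if [ "$host" = LOCAL ] || host_allowed "$host" "$4"; then
        echo "ok $host"; return 0
    fi
    echo "alert $host"; return 1
}

# Stand-alone demo over the constructed sessions; in the real tool the tty
# would come from `tty` and an alert would trigger the -e (mail) or -k action.
for t in pts/0 pts/1 pts/2 tty1; do
    printf '%s -> ' "$t"; check_login "$SAMPLE_FINGER" mbr "$t" "$SAMPLE_ALLOWED" || :
done
```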

NOTE: Of course the shwatchr command can always be defeated by an attacker who knows to look for it in the user's shell rc file, but if only one email is sent out the first time the attacker logs in, then shwatchr will have proved its usefulness. shwatchr will be most useful for users with accounts on machines on which they do not have root and hence cannot modify firewall rules, look at logs to see when people log into their account, modify tcpwrapper's hosts.allow/hosts.deny, etc.

Options:

Note that any/all options may be used together, so "~/.shwatchr/shwatchr -v -l -e -k" will keep a log, execute in verbose mode, send email, and kill all shells. For my own purposes the most useful options to use have been "-l -e" so that a log is kept and any unauthorized logins are emailed to the email address I want the alerts sent to.

-v verbose mode issues messages to the shell that inform the user of shwatchr's execution (messages only appear if the user logs into the account from an allowed host... we don't want an unauthorized user to know that shwatchr has been executed).

-l keep a log of shwatchr activity in ~/.shwatchr/log

-e send an email to an email address specified in the config section of shwatchr.

-k kill all user shells upon discovering a login from an unauthorized host.

-h display help.

Installation:
-------------

After untarring the sources, you MUST edit the configuration section of the shwatchr script to make sure that it contains the email address you want alerts sent to, and that it contains appropriate path names for the various system commands, etc. Once the configuration section looks the way it should, just run the "install" script, which will append the shwatchr command to your shell rc file (.bashrc for bash, .tcshrc for tcsh, etc.). The install script also _removes_ the directory the sources were unpacked into (~/shwatchr) and instead creates the ~/.shwatchr directory. It is this new directory that holds the shwatchr command, the allowed_hosts file, and the log file. By default, the "-e" and "-l" options are passed to the shwatchr script, but if you want to change this (say you want "-k" and "-v", or "-k" only, for example) then either edit the "install" script before running it, or simply edit your shell rc file after running the install script.

##############################################################################
# Copyright (C) 2000, 2001 Michael B. Rash (mbr@cipherdyne.org)
# Licensed under the GNU General Public License
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
#############################################################################
