Some reporting and monitoring tools are easy enough to use that I can run them as I drink my first cup of coffee. These tell me at the start of my day if there is anything to worry about on my systems. The newest tool in my first coffee arsenal is a Ruby script called where-are-they-now.rb, which monitors remote connections to the CloudPassage Halo Portal and helps me understand which are legitimate logins and which need more attention.
Systems that allow remote login present an ongoing problem: how can we tell if the user logging in is actually the person we expected? If the only required authentication is a password, couldn’t that password be captured with a keylogger on that person’s laptop and used by an attacker at a different IP address?
One of the ways to detect that this may have happened is to look at the IP addresses from which the logins originated. If I look at a particular user and see that they’ve logged in 30 times from IP address 22.214.171.124 and once from 126.96.36.199, that would raise a small flag for me. If 188.8.131.52 was at one ISP and 184.108.40.206 was at a different ISP, the flag would go up a little higher. If all but one of the attempts from 220.127.116.11 failed, it would move up even more. And if they were in different countries – and I’m pretty sure that user hasn’t been recently traveling – I’d get on the phone with them right away.
Where Are They Now? (watn)
where-are-they-now.rb is a Ruby program that summarizes the logins and attempts the Halo Portal has seen from each user. Here’s a sample report:
You can quickly see your users’ Portal login addresses. Anne Smith has only logged in from 18.104.22.168, which is in dsl1.net according to DNS. She’s logged in twice successfully in this time period, with no login failures. Once I’ve confirmed that that is her address, I’ll add it to /etc/verified-client-ips and future reports will move this to the “Verified login IPs” column.
Jeremy Parker has done most of his logins (10 out of 11) from 22.214.171.124, also from dsl1.net, and I’ve already confirmed with him that this is his home dsl address. He does have a login from the country of Wadiya, though, and I don’t remember him traveling anytime since the beginning of February. When I hover my mouse over the 126.96.36.199 address, a hover box shows that the address was used on Feb 21st, 18:11 UCT. That helps me narrow down my search to see why the account was used from an unexpected location.
The next line (jparker-yubikey) shows a secondary account for Jeremy with Yubikey authentication. Since Jeremy has confirmed that 188.8.131.52 is one of his legitimate addresses, I’ve added it to /etc/verified-client-ips and now it shows up in the “Verified Login IPs” column. Since I know that address changes frequently, I’ve added “184.108.40.206/24” to /etc/verified-client-ips as well; that brings 4 more addresses over to the “Verified CIDR blocks” column. They should be individually checked at some point, but that’s sufficient verification for now.
The “Don the daemon” icon next to 220.127.116.11 means that’s a machine that’s currently managed by Halo, as you can see down at the bottom of the report. Jeremy probably started a Remote Desktop Protocol (RDP) session to that machine to run a web browser as part of installing the daemon. The icon gives me one more clue that this is probably a legitimate source address.
Using it yourself
The program and install instructions can be found at both https://github.com/cloudpassage/cloudpassage_tools and http://www.stearns.org/watn/. Once installed it can be run on demand or nightly from cron. You can specify a starting date on the command line to only look at logins and attempts since that date, or leave that option off to see all login events.
I hope that this is useful to you too, and that each report can be reviewed long before you finish your first cup.