Fellow monks:

Recently, this node got considered, on the pretext of being a cracking tool. (Which it may well be, although there are better portscanners out there.) I voted to keep it around, because tools like this aren't necessarily evil; white-hat crackers (samurai, tiger teams, whatever you want to call them) can use them for penetration testing, and cautious sysadmins can use them for automated network security audits.

This got me thinking: what modules do you use to keep your site secure? Most of the Security section on CPAN is crypto related, which is nice if you're a cryppie, but not so nice if you just want to keep track of the number of portscans you've had this week. Clearly, we'll have to go elsewhere to find more practical security tools.

What modules do you throw together to keep the black hats away?

--
:wq


Re: How do *you* secure your network with Perl?
by zengargoyle (Deacon) on Mar 26, 2002 at 23:37 UTC

    Using the SNMP module from the UCD SNMPv3 Library. I have a process that receives traps from routers (actually forwarded traps from yet another processor). *ANY* non-management machine that causes an Authentication Failure (SNMP/Telnet/rsh/ssh) gets its port disabled. (evil grin)

    Using Cisco NetFlow/OSU Flow Tools and the Cflow module, we search for scanners/DoSers/misconfigured hosts and (you guessed it...) disable them.
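The trap-driven port shutdown zengargoyle describes, as an added example that is not his code. It is written as an snmptrapd "traphandle" script for the Net-SNMP `SNMP` module (the descendant of the UCD-SNMP binding): snmptrapd hands the trap to the script on STDIN, the script decides whether it is an authenticationFailure from a non-management client, and if so sets `ifAdminStatus` to down on the client's access port. The management whitelist, the client-to-port map, the write community and the `$CLIENT_OID` varbind that carries the offending client's address are all assumptions; the last one is vendor specific and the value used here is a placeholder.

```perl
#!/usr/bin/perl
# Added example, not zengargoyle's code: an snmptrapd "traphandle" script.
# snmptrapd writes the trap to STDIN as: hostname, transport address, then one
# "OID VALUE" line per varbind. If it is an authenticationFailure trap and the
# offending client is not a management host, the client's switch port is set
# administratively down with an SNMP SET on IF-MIB::ifAdminStatus.
use strict;
use warnings;
use SNMP;   # Net-SNMP Perl binding

# Assumed: hosts allowed to trip authentication failures without penalty.
my %MGMT = map { $_ => 1 } qw(192.0.2.10 192.0.2.11);

# Assumed: client IP -> access switch and ifIndex, in practice built from
# ARP and CAM table dumps of the access layer.
my %PORT_OF = (
    '198.51.100.7' => { switch => '192.0.2.50', ifindex => 17 },
);

# Assumed: the device's trap carries the client address in this varbind.
# The real OID is vendor specific; this value is only a placeholder.
my $CLIENT_OID = '.1.3.6.1.4.1.99999.1.1';

my $AUTHFAIL_OID    = '.1.3.6.1.6.3.1.1.5.5';                       # SNMPv2-MIB::authenticationFailure
my $WRITE_COMMUNITY = $ENV{SNMP_WRITE_COMMUNITY} // 'private';      # assumed

sub parse_trap {
    my ($text) = @_;
    my ($host, $transport, @varbinds) = split /\n/, $text;
    # transport line is "UDP: [a.b.c.d]:port->[...]" on newer snmptrapd, a bare IP on older ones
    my ($agent_ip) = ($transport // '') =~ /(\d+\.\d+\.\d+\.\d+)/;
    my %vb;
    for my $line (@varbinds) {
        my ($oid, $value) = split ' ', $line, 2;
        $vb{$oid} = $value // '' if defined $oid;
    }
    return { host => $host, agent => $agent_ip, vars => \%vb };
}

sub is_authfail {
    my ($trap) = @_;
    my $v = $trap->{vars};
    # snmpTrapOID.0, numeric or symbolic depending on snmptrapd's output options
    my $trap_oid = $v->{'.1.3.6.1.6.3.1.1.4.1.0'} // $v->{'SNMPv2-MIB::snmpTrapOID.0'} // '';
    return $trap_oid eq $AUTHFAIL_OID || $trap_oid =~ /authenticationFailure$/;
}

# Returns the client IP to cut off, or undef when the trap must be ignored.
sub offender {
    my ($trap) = @_;
    return unless is_authfail($trap);
    my ($client) = ($trap->{vars}{$CLIENT_OID} // '') =~ /(\d+\.\d+\.\d+\.\d+)/;
    return unless defined $client;
    return if $MGMT{$client};          # whitelist check: never shut a management host
    return $client;
}

sub disable_port {
    my ($switch, $ifindex) = @_;
    my $sess = SNMP::Session->new(DestHost => $switch, Community => $WRITE_COMMUNITY, Version => 2);
    die "no session to $switch\n" unless $sess;
    $sess->set(SNMP::Varbind->new(['ifAdminStatus', $ifindex, 2, 'INTEGER']));   # 2 = down
    die "set on $switch failed: $sess->{ErrorStr}\n" if $sess->{ErrorNum};
}

unless (caller) {
    my $trap   = parse_trap(do { local $/; <STDIN> // '' });
    my $client = offender($trap);
    exit 0 unless defined $client;
    my $port = $PORT_OF{$client}
        or do { warn "authfail from $client via $trap->{agent}: no port mapping\n"; exit 0 };
    disable_port($port->{switch}, $port->{ifindex});
    warn "authfail from $client via $trap->{agent}: disabled $port->{switch} ifIndex $port->{ifindex}\n";
}
```

Hook it up with a `traphandle default /usr/local/sbin/authfail-handler.pl` line in snmptrapd.conf (the script path is an assumption). The whitelist is the important part: anything that disables ports on evidence an attacker can influence is also a denial-of-service lever, and if the client address in the trap can be spoofed, so is this. Log the decision before acting, and keep the write community (or better, an SNMPv3 user) off the box that receives the traps from untrusted networks.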

Re: How do *you* secure your network with Perl?
by dws (Chancellor) on Mar 27, 2002 at 06:33 UTC
    For a while I had a Perl script that would scan various logs, and send a text message to my cell phone if it saw anything interesting. That lasted two days. "Interesting" quickly became uninteresting, given the number of script kiddies who were probing my home Linux box.

Re: How do *you* secure your network with Perl?
by fuzzyping (Chaplain) on Mar 27, 2002 at 06:11 UTC
    It's a relatively minor use of Perl, but I constructed a script using Digest::MD5 to track and ensure integrity of my chkrootkit binaries. I'm using this as a double-layer of trust to make sure that nobody modifies the existing chkrootkit binaries (which, in turn, monitor my system binaries for rootkit activity).

    One obvious use for Perl in a network security setting would be an IDS (or NIDS), where Perl's excellent pattern matching capabilities would help to match packet fingerprints, but this is already handled capably by the likes of Snort. Unfortunately, I just don't see Perl scaling to the same performance levels as Snort.

    -fuzzyping
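A baseline-and-verify script along the lines fuzzyping describes, as an added example that is not his code. It records a digest plus size, mode and owner for each file and reports anything that differs later. The post uses Digest::MD5 and it stays selectable here, but MD5 is no longer collision resistant, so SHA-256 from Digest::SHA is the default; the `INTEGRITY_ALGO` environment variable and the baseline file layout are assumptions.

```perl
#!/usr/bin/perl
# Added example, not fuzzyping's script: record a baseline of digest, size,
# mode and owner for a set of binaries (e.g. the chkrootkit tools) and later
# verify them against it.
use strict;
use warnings;
use Digest::MD5;
use Digest::SHA;
use Fcntl qw(:mode);

my $ALGO = $ENV{INTEGRITY_ALGO} // 'sha256';   # 'md5' reproduces the post's choice (assumed knob)

sub file_digest {
    my ($path) = @_;
    open my $fh, '<:raw', $path or die "$path: $!\n";
    my $d = $ALGO eq 'md5' ? Digest::MD5->new : Digest::SHA->new(256);
    $d->addfile($fh);
    return $d->hexdigest;
}

# One record per file. Mode and owner are recorded too: a replaced binary with
# the right digest but the wrong owner or setuid bit is still a finding.
sub snapshot_one {
    my ($path) = @_;
    my @st = lstat $path or die "$path: $!\n";
    die "$path: not a regular file\n" unless S_ISREG($st[2]);
    return { digest => file_digest($path), size => $st[7],
             mode   => sprintf('%04o', $st[2] & 07777), uid => $st[4] };
}

# Baseline file: one tab-separated line per file (assumed layout).
sub write_baseline {
    my ($file, @paths) = @_;
    open my $out, '>', $file or die "$file: $!\n";
    for my $p (sort @paths) {
        my $r = snapshot_one($p);
        print {$out} join("\t", $p, $ALGO, @{$r}{qw(digest size mode uid)}), "\n";
    }
    close $out or die "$file: $!\n";
}

sub read_baseline {
    my ($file) = @_;
    open my $in, '<', $file or die "$file: $!\n";
    my %base;
    while (my $line = <$in>) {
        chomp $line;
        my ($p, $algo, @f) = split /\t/, $line;
        die "baseline uses $algo, running with $ALGO\n" if $algo ne $ALGO;
        @{ $base{$p} }{qw(digest size mode uid)} = @f;
    }
    return \%base;
}

# Returns a list of findings; an empty list means everything matched.
sub verify {
    my ($base) = @_;
    my @findings;
    for my $p (sort keys %$base) {
        my $cur = eval { snapshot_one($p) };
        if (!$cur) { push @findings, "$p: missing or unreadable"; next }
        for my $k (qw(digest size mode uid)) {
            push @findings, "$p: $k changed $base->{$p}{$k} -> $cur->{$k}"
                if "$base->{$p}{$k}" ne "$cur->{$k}";
        }
    }
    return @findings;
}

unless (caller) {
    my ($cmd, $file, @paths) = @ARGV;
    if (($cmd // '') eq 'baseline' && @paths) { write_baseline($file, @paths) }
    elsif (($cmd // '') eq 'verify' && $file) {
        my @f = verify(read_baseline($file));
        print "$_\n" for @f;
        exit(@f ? 1 : 0);
    }
    else { die "usage: $0 baseline FILE PATH... | verify FILE\n" }
}
```

Two caveats a practitioner would add. The baseline has to live where the attacker cannot rewrite it (read-only media, or a copy on another host); a baseline sitting next to the binaries it describes protects nothing. And a user-space checker runs on the same kernel as the rootkit it is looking for, so a kernel-level rootkit that hides file changes will hide them from this script and from chkrootkit alike; the verification you can trust is the one run from a known-clean boot medium against the mounted disk.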
      While you *could* write an IDS in perl, I am pretty sure any link with much activity would cause the PerlIDS(tm) to drop packets.

      However, a better use for perl in your IDS implementation is in the role of analysis scripts. Your IDS implementation should probably consist of one or more "quick and dirty" systems -- snort (or your IDS of choice) with fewer rules, and one or more analysis machines. Perl excels in the analysis role -- processing "historical" data.

        On the subject of analysis (and somewhat removed from "modules"), I've had great success with Psionic's PortSentry, HostSentry and LogSentry.

        If things get any worse, I'll have to ask you to stop helping me.
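An analysis script of the kind the two replies above describe (dws's log scanner that paged on anything "interesting", and the suggestion to put Perl on the historical-analysis side of an IDS rather than in the packet path), as an added example that is not either poster's code. It parses Snort "fast"-format alert lines, aggregates by source, and only flags a source for paging when it has hit several distinct ports or raised a priority-1 signature, which is the filtering dws found he needed. The sample alert lines are constructed, including their signature IDs; the threshold is an assumption.

```perl
#!/usr/bin/perl
# Added example, not dws's pager script: aggregate Snort -A fast alert lines
# and decide which sources are worth a page. Sample data is constructed.
use strict;
use warnings;

# Constructed sample alerts: one host sweeping five ports, another host with
# a harmless ping probe and then a priority-1 web attack.
my @SAMPLE = (
  '03/27-06:11:02.123456  [**] [1:100001:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:40001 -> 192.0.2.5:21',
  '03/27-06:11:02.125000  [**] [1:100001:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:40001 -> 192.0.2.5:22',
  '03/27-06:11:02.127000  [**] [1:100001:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:40001 -> 192.0.2.5:23',
  '03/27-06:11:02.129000  [**] [1:100001:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:40001 -> 192.0.2.5:25',
  '03/27-06:11:02.131000  [**] [1:100001:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:40001 -> 192.0.2.5:80',
  '03/27-06:12:30.004000  [**] [1:100002:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 3] {ICMP} 198.51.100.4 -> 192.0.2.5',
  '03/27-06:14:07.771000  [**] [1:100003:1] WEB-MISC /etc/passwd [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.4:51234 -> 192.0.2.5:80',
);

# Parse one fast-format line into a hash, or return nothing for lines that
# do not match (Snort writes nothing else into the alert file, but be safe).
sub parse_alert {
    my ($line) = @_;
    my ($ts, $sid, $msg, $prio, $proto, $src, $sport, $dst, $dport) = $line =~ m{
        ^(\S+)\s+\[\*\*\]\s+\[(\d+:\d+:\d+)\]\s+(.*?)\s+\[\*\*\]
        (?:.*?\[Priority:\s*(\d+)\])?\s*\{(\w+)\}\s+
        ([\d.]+)(?::(\d+))?\s+->\s+([\d.]+)(?::(\d+))?
    }x or return;
    return { ts => $ts, sid => $sid, msg => $msg, prio => $prio // 3, proto => $proto,
             src => $src, sport => $sport, dst => $dst, dport => $dport };
}

# Per-source rollup: alert count, distinct destination ports, signatures, best priority.
sub summarize {
    my (@alerts) = @_;
    my %by_src;
    for my $a (@alerts) {
        my $s = $by_src{ $a->{src} } //= { count => 0, ports => {}, sigs => {}, top_prio => 9 };
        $s->{count}++;
        $s->{ports}{ $a->{dport} }++ if defined $a->{dport};
        $s->{sigs}{ $a->{msg} }++;
        $s->{top_prio} = $a->{prio} if $a->{prio} < $s->{top_prio};
    }
    return \%by_src;
}

# Page on a priority-1 signature, or on a source that touched at least
# $port_threshold distinct ports (a sweep). Everything else is just counted.
sub pageable {
    my ($summary, $port_threshold) = @_;
    my @page;
    for my $src (sort keys %$summary) {
        my $s      = $summary->{$src};
        my $nports = scalar keys %{ $s->{ports} };
        if ($s->{top_prio} == 1) {
            push @page, "$src: priority-1 alert (" . join(', ', sort keys %{ $s->{sigs} }) . ")";
        }
        elsif ($nports >= $port_threshold) {
            push @page, "$src: port sweep, $nports ports, $s->{count} alerts";
        }
    }
    return @page;
}

unless (caller) {
    my @lines = @ARGV ? do { local @ARGV = @ARGV; <> } : @SAMPLE;   # alert files, or the sample
    chomp @lines;
    my @alerts  = map { parse_alert($_) // () } @lines;
    my $summary = summarize(@alerts);
    printf "%-16s %4d alerts %3d ports  best prio %d\n",
        $_, $summary->{$_}{count}, scalar keys %{ $summary->{$_}{ports} }, $summary->{$_}{top_prio}
        for sort keys %$summary;
    print "PAGE: $_\n" for pageable($summary, 4);   # threshold of 4 ports is assumed
}
```

Run over a week of alert files (`perl alerts.pl /var/log/snort/alert.*`, path assumed) and the per-source summary gives the "how many portscans this week" figure the original question asks for, while the `PAGE:` lines are the short list that survives the noise. Tune the threshold against your own traffic: the point of dws's experience is that the interesting set has to be defined by aggregation, not by single log lines.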

Re: How do *you* secure your network with Perl?
by moebius (Novice) on Mar 27, 2002 at 18:14 UTC
    Along these lines I use spong (spong.sourceforge.net) to do network monitoring and some security things. It has a tripwire-like "plugin" that uses some of the crypto modules to watch for incursions.

    Nice, fairly featureful tool with plenty of expandability and a robust usage history.
Re: How do *you* secure your network with Perl?
by BlueLines (Hermit) on Mar 28, 2002 at 06:25 UTC
    The method of portscanning referred to is super basic (TCP connect), and will set off IDS's everywhere. I like nmap a lot, and have used it for years to scan machines (both my own and others). nmap is written in C. Last summer (during a 2 month span of unemployment), I implemented some of the scans nmap does in perl (using Net::RawIP, which is a perl binding for libpcap). I fully implemented syn, fin, xmas, and null scans in perl. I started implementing remote OS detection via TCP (what nmap is _really_ famous for), but then stopped and got interested in Xprobe, which was remote OS detection via ICMP. Then I got a job, and stopped on both projects. I still have the portscanning code sitting around; I may get around to CPAN'ing it, although it's incredibly slow in comparison to similar code written in C.

    BlueLines

    Disclaimer: This post may contain inaccurate information, be habit forming, cause atomic warfare between peaceful countries, speed up male pattern baldness, interfere with your cable reception, exile you from certain third world countries, ruin your marriage, and generally spoil your day. No batteries included, no strings attached, your mileage may vary.
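The SYN, FIN, Xmas and Null scans BlueLines mentions, as an added example that is not his Net::RawIP code. To avoid depending on that module's API it uses a raw `IPPROTO_TCP` socket from the core `Socket` module and packs the TCP header by hand, so the flag bits and the checksum over the pseudo-header are visible, and it carries the decision table that turns a reply (or silence) into open/closed/filtered. It is Linux-specific, needs root, and only scans hosts you are authorised to test; the 3-second timeout and the ephemeral source-port range are assumptions.

```perl
#!/usr/bin/perl
# Added example (not BlueLines' code): SYN, FIN, Xmas and Null scans with a
# raw socket and a hand-packed TCP header. Linux, root required.
use strict;
use warnings;
use Socket qw(AF_INET SOCK_RAW SOCK_DGRAM IPPROTO_TCP inet_aton inet_ntoa
              pack_sockaddr_in unpack_sockaddr_in);
use IO::Select;

my %FLAG = (FIN => 0x01, SYN => 0x02, RST => 0x04, PSH => 0x08, ACK => 0x10, URG => 0x20);
my %SCAN = (
    syn  => $FLAG{SYN},
    fin  => $FLAG{FIN},
    xmas => $FLAG{FIN} | $FLAG{PSH} | $FLAG{URG},   # "lit up like a Christmas tree"
    null => 0,
);

# RFC 1071 one's-complement sum over 16-bit words.
sub checksum {
    my ($data) = @_;
    $data .= "\0" if length($data) % 2;
    my $sum = 0;
    $sum += $_ for unpack 'n*', $data;
    $sum = ($sum >> 16) + ($sum & 0xffff) while $sum >> 16;
    return ~$sum & 0xffff;
}

# 20-byte TCP header, no options; the checksum covers the IPv4 pseudo-header.
sub build_tcp {
    my ($src_ip, $dst_ip, $sport, $dport, $flags, $seq) = @_;
    my $hdr = pack 'n n N N C C n n n',
        $sport, $dport, $seq, 0, 5 << 4, $flags, 1024, 0, 0;
    my $pseudo = pack 'a4 a4 C C n',
        inet_aton($src_ip), inet_aton($dst_ip), 0, IPPROTO_TCP, length $hdr;
    substr($hdr, 16, 2) = pack 'n', checksum($pseudo . $hdr);
    return $hdr;
}

# Source IP, ports and flags from an IPv4+TCP packet as the raw socket delivers it.
sub parse_reply {
    my ($pkt) = @_;
    return unless length $pkt >= 40;
    my $ihl = (unpack('C', $pkt) & 0x0f) * 4;
    my ($sport, $dport, undef, undef, undef, $flags) = unpack "x$ihl n n N N C C", $pkt;
    return { src => inet_ntoa(substr $pkt, 12, 4), sport => $sport, dport => $dport, flags => $flags };
}

# Decision table. $flags is undef when nothing came back before the timeout.
sub classify {
    my ($type, $flags) = @_;
    if ($type eq 'syn') {
        return 'filtered' unless defined $flags;
        my $synack = $FLAG{SYN} | $FLAG{ACK};
        return 'open'   if ($flags & $synack) == $synack;
        return 'closed' if $flags & $FLAG{RST};
        return 'unknown';
    }
    # FIN/Xmas/Null: an RFC 793 stack answers a closed port with RST and
    # says nothing for an open one, so silence is ambiguous.
    return 'open|filtered' unless defined $flags;
    return $flags & $FLAG{RST} ? 'closed' : 'unknown';
}

# The source address the kernel would use for this destination.
sub local_ip_for {
    my ($dst) = @_;
    socket(my $u, AF_INET, SOCK_DGRAM, 0) or die "socket: $!";
    connect($u, pack_sockaddr_in(9, inet_aton($dst))) or die "connect: $!";
    my (undef, $addr) = unpack_sockaddr_in(getsockname $u);
    return inet_ntoa($addr);
}

sub scan {
    my ($target, $ports, $type, $timeout) = @_;
    my $flags = $SCAN{$type} // die "unknown scan type $type\n";
    socket(my $raw, AF_INET, SOCK_RAW, IPPROTO_TCP) or die "raw socket (root needed): $!";
    my $src   = local_ip_for($target);
    my $sport = 40000 + int rand 20000;          # assumed ephemeral range
    for my $p (@$ports) {
        my $seg = build_tcp($src, $target, $sport, $p, $flags, int rand 2**31);
        send($raw, $seg, 0, pack_sockaddr_in(0, inet_aton($target))) or die "send: $!";
    }
    my %reply;                                    # scanned port => flags of first reply
    my $sel      = IO::Select->new($raw);
    my $deadline = time + $timeout;
    while ((my $left = $deadline - time) > 0 && $sel->can_read($left)) {
        defined recv($raw, my $pkt, 1500, 0) or next;
        my $r = parse_reply($pkt) or next;
        next unless $r->{src} eq $target && $r->{dport} == $sport;
        $reply{ $r->{sport} } //= $r->{flags};
    }
    return { map { $_ => classify($type, $reply{$_}) } @$ports };
}

unless (caller) {
    my ($target, $type, @ports) = @ARGV;
    die "usage: $0 host syn|fin|xmas|null port...\n" unless @ports;
    my $result = scan($target, \@ports, $type, 3);
    printf "%5d/tcp %s\n", $_, $result->{$_} for sort { $a <=> $b } @ports;
}
```

Two limits worth knowing before trusting the output. A raw `IPPROTO_TCP` socket sees incoming TCP but not ICMP port-unreachable, so a port a firewall rejects with ICMP looks the same as one that is silently dropped; reading `IPPROTO_ICMP` as well is what separates "filtered" from "closed by ICMP". And the FIN/Xmas/Null trick relies on RFC 793 behaviour; stacks that send RST for every unsolicited segment regardless of port state (Windows and a number of network appliances) make every port look closed, which is why nmap reports those results as "open|filtered" rather than "open".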