ComServe IT-Services Think IT, Plan IT, Do IT!


Watcher (engl.)

... the real-time intrusion detection system and superordinate firewall manager

Why wait until attackers get through to your services?

What is Watcher? ... and what is it NOT?

Watcher is a security tool-set for networked Linux server systems. It provides real-time intrusion detection and efficiently locks malicious attackers out of the server by putting DROP entries into the firewall, also in real time.

Watcher is not a network analysis tool-set that analyses the Ethernet packets going in and out of the server system in every detail, as this is not needed for the purpose. Much analysis costs much processing time, and when facing attacks like 'brute-force attacks', where attackers flood a service on a server within milliseconds, processing time is a precious resource if a proactive reaction in real time is the demand.

"Do one thing and do it well"  ... is the secret for performance and reliability.
 
Documentation for revision 1.2 [Draft] is available in the public download area:

Watcher fills your firewall lightning-fast at machine start-up or after reboot from:
  • Static lists (individual blacklists and a whitelist; manually maintained)
  • DynLoaders (from common public resources like 'SpamHaus' & 'NixSpam'; included with the master)
  • Optional Watcher modules (Login, Mail transport [MTA] & Mailbox access [POP, IMAP])
    Modules work fully dynamically and provide intrusion detection in real-time. The attack events are tracked and stored in databases that are exclusive to each module.

Dynloaders for SpamHaus & NixSpam are included with the master-package at no charge.

The modules are 'packages' that can be bought separately.
Modules are dynamically fed by the system logger (rsyslog or syslog-ng). The modules analyse logging messages in real-time, keep track of attackers in databases and feed the firewall autonomously with DROPs once 'bandits' reach configurable limits of attacks on your server system.


(Start-up screen if manually [re]started)


On start-up Watcher can flush-load your firewall at rates of 10,000 DROPs per second or far more, depending on the power and/or load state of your server. I have seen rates of over 22,000 DROPs per second on a VPS (i7, 2 cores) in phases of low system load.
  • Watcher does not need any special runtime environments for fancy 3rd-party programming languages like PERL, JAVA, PYTHON, LUA, RUBY, etc. So there is no need to install and maintain development tools or runtime environments on a server system.

  • Watcher is fully based on 'onboard tools' (bash, awk, grep, etc.) that are common to every Unix-like operating system and are present out-of-the-box after system installation on a server system.

  • All programs & tools are 'self-aware'; i.e. every component always 'knows' where it was started in relation to the install path. So the entire program-system can be installed wherever you like and can even be moved around to your taste and needs.

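The bulk-load rates described above are only reachable when the addresses are handed to the kernel as one set rather than as one iptables rule each. The following script is an added example (my own code, not part of Watcher) of that approach: it validates a plain-text blacklist the way 'ipcalc' does for Watcher, emits an 'ipset restore' batch, and prints the single iptables rule that references the set. The set name, the sample blacklist and the function names are all made up for the example.

```shell
#!/bin/sh
# Added example, not Watcher's own code: turn a plain-text blacklist into an
# `ipset restore` batch plus the one iptables rule that references the set.
# Loading a whole set in one `ipset restore` call is what makes bulk loads of
# thousands of DROPs per second feasible; one `iptables -I` per address would
# have to rewrite the complete table on every call.

# Constructed sample blacklist ('#' comments, blank lines, two bad entries and
# one duplicate included on purpose)
SAMPLE_BLACKLIST='# constructed sample, not a real feed
203.0.113.7
198.51.100.0/24

not-an-address
203.0.113.7        # duplicate
192.0.2.250
256.1.1.1          # octet out of range
'

# is_ipv4_entry ENTRY: true for a.b.c.d or a.b.c.d/nn with sane octets and
# prefix length (the validation job 'ipcalc' does for Watcher)
is_ipv4_entry() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5                       { exit 1 }
        NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32) { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# build_ipset_restore SETNAME < blacklist: ipset restore batch on stdout.
# Comments are stripped, invalid entries are reported on stderr and skipped,
# duplicates are collapsed so the restore does not stop on a repeated member.
build_ipset_restore() {
    setname="$1"
    echo "create $setname hash:net family inet"
    sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' |
    grep -v '^$' | sort -u |
    while IFS= read -r entry; do
        if is_ipv4_entry "$entry"; then
            echo "add $setname $entry"
        else
            echo "skipping invalid entry: $entry" >&2
        fi
    done
}

# iptables_rule SETNAME: the single rule that drops every member of the set
iptables_rule() {
    echo "iptables -I INPUT -m set --match-set $1 src -j DROP"
}

# Stand-alone run:  sh this.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s' "$SAMPLE_BLACKLIST" | build_ipset_restore watcher_blacklist
    iptables_rule watcher_blacklist
fi
```

To apply the result for real, feed the batch to 'ipset -exist restore' (so re-running after a reboot or a refreshed download does not abort on members that already exist) and then install the printed iptables rule once; refreshing the list afterwards only touches the set, never the rule table.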

What's the audience for Watcher?

Everyone who has to operate a Linux-based 'root server' (physical or VPS) in a data center with 'rental servers' from a provider. These are usually running as 'exposed hosts' and are not protected by any external firewalling appliance. The provider leaves the protection up to you, since the provider cannot know which type and range of protection is needed for the purpose that you operate your server for.

Servers that run in the DMZ of a usual data center setup can also benefit from Watcher; e.g. mail servers, which are the primary targets for attackers, SPAM spreaders and hijackers.


What does Watcher do for you?

  • Watcher cuts down the attack rate on certain services of your server by a factor of 100 or even more. So it protects your server (and the services in particular) from DDoS (Distributed Denial-of-Service) attacks very efficiently.
  • Frequently downloading the DROP & EDROP lists from 'SpamHaus' and integrating them into your firewall protects your server from 'hijacking attacks' and cases of 'IP spoofing'.
  • The module WatchLG automatically tracks break-in attempts at login level in real-time in a database and prevents your system from being brought under the control of attackers.
  • Using the module WatchMX for a mail server tracks your mail server log in real-time and prevents the mail server from dealing with SPAM spreaders, so that the mail server (e.g. Postfix) and mailbox services (DBmail, Dovecot, ...) can do their job undisturbed.


What else?

  • "Watcher-Report" provides you with frequent reports on the firewall state, the dynloader provisioning and the database state of the fully dynamic modules that are installed.
  • For long-term reporting, separate 'statistics reports' from the 'Stat tools' of the module databases give you an overview of the efficiency of all the measures that you have taken. The statistics data is provided in CSV format, so you can simply load it into a spreadsheet of your choice.
  • Frequent database expiration (configurable) in the modules keeps the firewall entries at a reasonable level, since a firewall that is flooded with pointless and hypothetical IP addresses can slow down your network traffic badly.
  • The modules store firewall DROPs only for IP addresses that are really attacking your system.


Starting with Watcher release 1.0 the system was modularized; i.e. broken up into:

  • Watcher master (framework & library for dynloaders & modules)
  • WatchLG (login tracker module)
  • WatchMX (mail services tracking module with a companion process WatchMB
    that takes care of break-in affairs on mailbox accounts [POP & IMAP] and mail transport requests
    that are protected with credentials; e.g. by SASL)
  • The DynLoaders (CRON controlled) are from the early days of the Watcher project and were reworked
    for better integration with the modularized concept. They are included in the master package at no charge
    as they are really handy for basic mail server protection and hijacking prevention.


(Overall architecture diagram)


What makes the modules so different?

  • Each module runs autonomously once started by the master.
  • Modules are directly (synchronously) fed by the system logger and track attacks in real-time.
    So detection & measure happen within milliseconds at the moment of the attack.
  • Modules store the attack event and the measure taken in a database to fully restore the firewall within seconds after start-up & reboot.
    Due to the enormous load speed it makes sense to restart 'watcher' from crontab on a regular basis; e.g. once a day or even every hour.
    This keeps the 'in memory' firewall clean and compact for best performance.
  • Each module provides an open 'inject interface' in the form of a FIFO (named pipe) in /tmp/WatchXX (where XX is the module token 'LG' or 'MX' respectively)


IP addresses are not just IP addresses ...

In the Watcher concept IP addresses get 'classified' by how they relate to DNS resolution and reverse DNS resolution. An IP address that does not resolve to a DNS name on a DNS request (with 'nslookup', 'host', or 'dig') is a so-called NXDOMAIN (Non-eXistent domain); i.e. the IP address is not registered in any DNS, which makes the address suspicious.

If a DNS name could be resolved but the reverse resolution does not resolve to the requesting IP address, this is a case of a FAKEHOST, which is even more suspicious and in all probability a case of 'IP spoofing'.

Only if an IP address can be resolved to a DNS name and the reverse resolution of that name resolves to the IP address of the request is the IP address classified as TRUEHOST, which is still not a sign of trust, since a TRUEHOST might have been hacked and brought under the control of an attacker ...

Requests from NXDOMAINs & FAKEHOSTs get their event counters preset to MAXAFFAIRS-1; i.e. they are shot by a firewall DROP on the 2nd affair. NXDOMAINs don't have any legitimate business on mail servers (MTAs) anyway, since MTAs are not 'open relays' for anyone to send in email messages. And FAKEHOSTs are suspicious all over the place and get the same treatment as NXDOMAINs: dead on the 2nd attempt ...
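The classification just described is what DNS people call forward-confirmed reverse DNS. The script below is an added example of it in the same on-board-tools spirit (my own code, not Watcher's): it looks up the PTR name of the connecting address, checks whether that name resolves back to the same address, and derives the counter preset from the resulting class. 'dig' as the resolver, the value of MAXAFFAIRS and the function names are assumptions of the example; the real module's limit is configurable.

```shell
#!/bin/sh
# Added example, not Watcher's own code: classify a connecting IP address the
# way the text describes (forward-confirmed reverse DNS) and derive the preset
# of its event counter. MAXAFFAIRS is a constructed limit; Watcher's is configurable.

MAXAFFAIRS=${MAXAFFAIRS:-5}

# reverse_lookup IP: PTR name for the address on stdout, empty if there is none.
# `dig` is the only external dependency; swap in `host` if you prefer.
reverse_lookup() {
    dig +short -x "$1" 2>/dev/null | sed 's/\.$//' | head -n 1
}

# forward_lookup NAME: A records for the name, one per line
forward_lookup() {
    dig +short A "$1" 2>/dev/null
}

# classify_ip IP: prints NXDOMAIN, FAKEHOST or TRUEHOST
classify_ip() {
    ip="$1"
    name=$(reverse_lookup "$ip")
    if [ -z "$name" ]; then
        echo NXDOMAIN            # no name registered for this address at all
        return 0
    fi
    # TRUEHOST only if the name resolves back to the very address that connected;
    # -F keeps the dots in the address from acting as regex wildcards
    if forward_lookup "$name" | grep -qxF "$ip"; then
        echo TRUEHOST
    else
        echo FAKEHOST            # a name exists, but it points elsewhere
    fi
}

# initial_count CLASS: starting value of the event counter for that class.
# NXDOMAIN and FAKEHOST start at MAXAFFAIRS-1, so the second affair triggers the DROP.
initial_count() {
    case "$1" in
        NXDOMAIN|FAKEHOST) echo $((MAXAFFAIRS - 1)) ;;
        *)                 echo 0 ;;
    esac
}

# Stand-alone use:  sh this.sh --classify 203.0.113.10 198.51.100.7
if [ "${1:-}" = "--classify" ]; then
    shift
    for ip; do
        class=$(classify_ip "$ip")
        printf '%s %s start=%s\n' "$ip" "$class" "$(initial_count "$class")"
    done
fi
```

Keeping the two lookups in their own small functions is what makes the logic testable without a network: replace them with table lookups and the classification can be exercised on constructed data.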

(Log excerpt from a module log; here WatchLG)


With Watcher version 1.2 the 'dynamic rule system' was introduced.

The rules are no longer 'hard coded' in the module's code but live in a sub-directory named 'rules' in separate "*.rule" files. These files are 'assembled' into a 'filter block' every time the module is started. This way the modules, and in particular the MX module, can be adapted to any MTA (postfix, exim, qmail, etc.) and mailbox service (DBmail, dovecot, etc.) of choice.

The supplied rule-sets in the distribution are ready-made for:

  • sshd                    (LG module)
  • postfix & DBmail (MX/MB module)

For other services the rules can easily be changed by just modifying the 'Pattern' variable in the rule's heading:

RULE="NXdomain"
Pattern=': connect from unknown\['
#--------- Don't change below --------------------------------
# $REPLY holds the log line currently being examined (bash's default
# variable for 'read'); the pattern is an extended regular expression
result=$(echo "$REPLY" | grep -E "($Pattern)")
if [ -n "$result" ]
then : echo "------- Matched rule $RULE --------"   # debug line, disabled by the leading ':'
inject
return $?
fi
#-------------------------------------------------------------


What is needed to run Watcher?

As said in the introduction, Watcher works based on 'on-board tools' and is targeted at Linux flavours of UNIX systems. So the GNU renditions of the system tools must be available. Namely: bash, awk, grep, sort & sed are essential to operate Watcher.

Also, the firewall management is based on 'iptables', and since V1.2 'ipset' is involved.

Watcher does not work with 'firewalld' (as of revision 1.2).

In addition, 'ipcalc' is used for IP address validation to prevent junk from being stored for an attacker. If 'ipcalc' is not available for your particular system, there is a substitute supplied in the download area.

To run any of the modules 'sqlite3' is needed, as modules count attack events in a database and store event type, event date, IP address and other information there for fast retrieval during processing.


How can you get Watcher?

Watcher does not have a price - it is given away for a small 'protection fee' as a sign of your appreciation.

  1. In the first step register as a user on the main page https://comserve-it-services.de
  2. Watch your mailbox and reply to the confirmation email to finish the registration process
  3. Log in to the site and then simply order your Watcher products straight through the online shop, following the usual order process. After payment of the 'protection fee' you will receive a usual invoice with the download link(s) for the chosen products in the invoice. Just click on these to accomplish the download ...
  4. We recommend to use PayPal, since this will speed-up the processing so that it just takes seconds and is fully automatic.
    (If you have chosen 'bank transfer' it takes the time that we need to recognize and manually confirm the payment)

With payment of the 'protection fee' you will also get access to the support area at https://watcher.comserve-it-services.de 

In the support area you can find:

  • a Forum to discuss your experience with other users and you may ask questions to get help.
  • an Issue tracking system where you can drop a ticket that describes any problems you have got.

Updates of Watcher will be available in the download area as they are released, under "Support ⇒ Downloads" on the main page, for registered users that have ordered the product and have paid the protection fee.


Have any questions?

If anything is unclear to you just use the contact form in the menu  (under "Info ==> Anfrage" in the German section or "Contact form" in the English section) and provide us with your request. We will answer your request as soon as possible.
