Use Slack to show your Systems are constantly Under Siege by Bad Actors like “Steven Seagal”.

This article does not refer to individuals who can’t act. Instead, it refers to someone who attempts to infiltrate a system with malicious intent.

A common attack vector is brute force: systematically guessing an account password until one works. There are various ways to deploy countermeasures, such as Intrusion Detection Systems or fail2ban, both of which are effective.

Their attempts to probe your network can be made highly visible by using TCP wrappers and integrating them with your instant messaging system, in this case Slack. Your stakeholders suddenly become aware that systems are constantly under siege (pun intended) and that your security regime and policies are there for a very good reason.

In this example (figure 1), an incoming ssh connection is intercepted by TCP wrappers. The incoming IP address is geolocated and, based on a whitelist of allowed countries, the connection is either permitted or refused. You could also use fail2ban to filter by geolocation; however, this method using TCP wrappers makes unauthorized sshd connections highly visible.

If an IP address is deemed to be from an unauthorized country, the information is broadcast to a #bad_actors Slack channel in a fun but serious way. The bad actor is named after a random Hollywood actor who may have won a Razzie.

Further action may be warranted: update a network access control list or firewall to drop or throttle packets from known offending IP addresses. You could use this method in conjunction with fail2ban to automatically throttle or ban the bad actor.

Although a bad actor can easily circumvent this countermeasure by using a VPN or entering from another geographic location, it is simply an extra layer of protection.

How to log these “bad actors”

Figure 2 below shows how TCP wrappers, together with a bash (or Python) script that filters connections by geographic location, can be used to log these events and ban repeat offenders:

The following instructions are for Ubuntu.

Before commencing, check that your system, and sshd in particular, supports TCP wrappers:

Install the GeoIP databases:

Test it:

Create a /usr/local/bin/sshfilter.sh file:

If you are using Slack as your instant messaging system, start by setting up an incoming webhook integration in your Slack team. Copy the webhook URL and set the SLACK_WEBHOOK variable to that URL.

Update the COUNTRIES_WHITELIST variable using two-letter country codes. For example, US is the United States of America and AU is Australia.
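As an added example, not the article’s own sshfilter.sh (which is not reproduced here), the following script implements the filter just described. It assumes TCP wrappers runs it through an aclexec rule with the client address as its first argument, so that its exit status grants or refuses the connection, and that geoiplookup, curl and logger are installed; the webhook URL, whitelist and actor names are placeholders.

```shell
#!/bin/sh
# Added example (not the article's sshfilter.sh): geolocation filter for sshd,
# run by TCP wrappers via "aclexec" with the client address (%a) as $1.
# Exit 0 grants the connection, non-zero refuses it.
COUNTRIES_WHITELIST="US AU"
SLACK_WEBHOOK="https://hooks.slack.com/services/REPLACE/ME"   # placeholder, replace
SLACK_CHANNEL="#bad_actors"

# parse_country: pull the two-letter code out of geoiplookup output such as
# "GeoIP Country Edition: AU, Australia"; prints nothing when there is no match.
parse_country() {
    printf '%s\n' "$1" | sed -n 's/^GeoIP Country Edition: \([A-Z][A-Z]\),.*/\1/p'
}

# allowed CODE: status 0 when CODE is whitelisted, 1 otherwise (unknown => deny)
allowed() {
    for c in $COUNTRIES_WHITELIST; do
        [ "$c" = "$1" ] && return 0
    done
    return 1
}

# verdict CODE: prints ALLOW or DENY, the decision TCP wrappers will enforce
verdict() {
    if allowed "$1"; then echo ALLOW; else echo DENY; fi
}

# pick_actor: random name for the Slack message (constructed sample list)
pick_actor() {
    printf '%s\n' "Steven Seagal" "Pauly Shore" "Rob Schneider" \
      | awk 'BEGIN { srand() } { a[NR] = $0 } END { print a[int(rand() * NR) + 1] }'
}

# notify_slack CODE IP: post to the incoming webhook using Slack's JSON payload
notify_slack() {
    msg="Bad actor $(pick_actor) from $1 ($2) tried sshd and was denied"
    curl -s -o /dev/null -X POST -H 'Content-type: application/json' \
      --data "{\"channel\":\"$SLACK_CHANNEL\",\"text\":\"$msg\"}" "$SLACK_WEBHOOK"
}

main() {
    ip="$1"
    code=$(parse_country "$(geoiplookup "$ip" 2>/dev/null)")
    code=${code:-XX}   # lookup failure => XX, which is never whitelisted
    logger -t sshfilter "$(verdict "$code") sshd connection from $ip ($code)"
    if allowed "$code"; then return 0; fi
    notify_slack "$code" "$ip"
    return 1
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Every decision is written to syslog with the `sshfilter` tag, and only refused connections generate a Slack message.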

Make it executable:

Add this line to /etc/hosts.deny:

Add this line to /etc/hosts.allow:

Test it:

The GeoIP database requires regular updates. Set up a weekly cron job to refresh it by creating a /etc/cron.weekly/update-geoip file:

Make it executable too:

In a short time (yes, within minutes), you should start seeing these bad actors in Slack and in /var/log/syslog.

If you want a Slack message like the one in figure 1, with a random bad actor name and the country flag of the IP address location, you will need the Python Slack library; call this send_slack.py script:

Call the script with the channel to send to and the message; the message must contain the two-letter country code in brackets:

And the result in the #bad_actors Slack channel:

This article was originally published on LinkedIn: https://www.linkedin.com/pulse/bad-actors-dennis-mellican/
