iam1980/ossec-email-abuse
ossec-email-abuse

An active response script for OSSEC that sends an email to the abuse contact of the offending IP.

Requirements:

  • host, dig, whois and mailx *nix programs
  • Perl Net::DNS CPAN module

Notes:

The script uses abuseEmail.pl, which was originally coded by Guillaume Filion (guillaueme@filion.org, http://logidac.com/abuseEmail/). I have updated abuseEmail.pl to remove some old reserved IP address ranges.

I have tested the script over my list of offending IPs (3000 over the last 2 months) and it has a success ratio of about 70% in finding the abuse email contact.

Installation:

  1. Download the two scripts:

     ```sh
     su root
     cd /var/ossec/active-response/bin
     wget https://github.com/iam1980/ossec-email-abuse/raw/master/abuseEmail-1.1.3.pl --no-check-certificate
     wget https://github.com/iam1980/ossec-email-abuse/raw/master/email-abuse.sh --no-check-certificate
     # Lock down the files under the names wget saved them as; email-abuse.sh
     # must invoke the Perl script by this same name.
     chmod 500 abuseEmail-1.1.3.pl
     chmod 500 email-abuse.sh
     chown root:ossec abuseEmail-1.1.3.pl email-abuse.sh
     ```

  2. Test that the Perl script is working:

     ```sh
     ./abuseEmail-1.1.3.pl 207.97.209.147
     ```

     The output should be "abuse@rackspace.com 1". If you get any errors, install any Perl modules that are reported missing.

  3. Edit email-abuse.sh and change the variables at the top to match your setup:

     ```sh
     ### CHANGE THESE VARIABLES TO YOUR SETUP
     EFROM="abuse@mydomain.com"
     ESUBJECT="Unauthorized access attempt from $IP"   # $IP is filled in at run time
     ENAME="Your Name"
     EDOMAIN="mydomain.com"
     ECONTACT="myemail@mydomain.com"
     ###
     ```

  4. Edit /var/ossec/etc/ossec.conf and add:

     ```xml
     <command>
       <name>email-abuse</name>
       <executable>email-abuse.sh</executable>
       <timeout_allowed>no</timeout_allowed>
       <expect>srcip</expect>
     </command>

     <active-response>
       <!-- send an email to the abuse contact of the offending IP -->
       <command>email-abuse</command>
       <location>local</location>
       <level>6</level>
     </active-response>
     ```

  5. Restart OSSEC:

     ```sh
     service ossec restart
     ```
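The two things a defender has to get right before wiring a level-6 active response to outbound mail are the ones the notes above touch on: only public addresses have a whois abuse contact, and a noisy source must not turn the sensor into a mail flood. The following is an added example of that logic, not code from this repository; it parses constructed whois text in ARIN and RIPE styles for an abuse mailbox, skips non-global addresses, and rate-limits repeat reports per IP. The `(email, flag)` return shape only loosely mirrors the "abuse@rackspace.com 1" output shown above; the meaning of that trailing number in abuseEmail.pl is not documented here.

```python
import ipaddress
import re

# Constructed, abridged whois replies (ARIN-style and RIPE-style field names).
WHOIS_ARIN = """\
NetRange:       203.0.113.0 - 203.0.113.255
OrgName:        Example Hosting
OrgAbuseHandle: ABUSE1-ARIN
OrgAbuseEmail:  abuse@example-hosting.test
OrgTechEmail:   noc@example-hosting.test
"""
WHOIS_RIPE = """\
inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-NET
abuse-mailbox:  abuse@example-net.test
e-mail:         admin@example-net.test
"""

# Explicit abuse fields first; any other e-mail only as a low-confidence fallback.
ABUSE_FIELD = re.compile(r"^(?:OrgAbuseEmail|abuse-mailbox|Abuse Contact)\s*:\s*(\S+@\S+)", re.I | re.M)
ANY_EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def is_reportable(ip):
    """Only globally routable addresses can have a registry abuse contact.
    Private, loopback, link-local, reserved and documentation ranges are skipped."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def extract_abuse_email(whois_text):
    """Return (email, flag): flag 1 = taken from an explicit abuse field,
    flag 0 = best-effort fallback to the first e-mail seen, or ("", 0) if none."""
    m = ABUSE_FIELD.search(whois_text)
    if m:
        return m.group(1).lower(), 1
    found = ANY_EMAIL.findall(whois_text)
    return (found[0].lower(), 0) if found else ("", 0)


def should_notify(ip, sent, now, window=86400):
    """Suppress a repeat report for the same IP inside `window` seconds.
    `sent` maps ip -> timestamp of the last report (persist it on disk in practice)."""
    last = sent.get(ip)
    if last is not None and now - last < window:
        return False
    sent[ip] = now
    return True
```

In the real active response, run the whois lookup only when `is_reportable()` and `should_notify()` both pass, and send the fallback (flag 0) addresses to your own contact for review rather than straight to the third party.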
