Slack-based Intrusion Detection – the easy Way

While large companies make large investments in intrusion detection, you can also do it for private purposes the easy and low-cost way.

I want to demonstrate that setting up a baseline logging and notification system is easy and comes at no additional cost. It is still highly effective and can help you detect a malicious actor who has obtained your login credentials. The walkthrough below was tested on a standard Kali build but should work on any standard Linux system with openssh-server installed.

Problem Statement

The standard way to log in remotely to a Linux machine is SSH, which unfortunately still has not fully replaced Telnet, most probably due to legacy environments and a lack of risk awareness. SSH provides authentication, confidentiality and integrity, but in a default installation it is still mostly used with plain username/password authentication: public-key login is available out of the box but not enforced, and the various ways to add 2FA to SSH require extra setup, so they are rarely deployed. As is widely known, username and password combinations get lost, forgotten and even stolen.

Therefore, infosec people tend to “assume breach”, meaning: we have to assume that our controls have already been overcome by a threat actor. Living with such a mindset makes some things easier, but you still want to know when the bad guy is accessing your server with your SSH credentials.

Walkthrough

To summarize quickly what we will do: we will set up a free Slack account and enable the incoming-webhook feature.

“Incoming Webhooks are a simple way to post messages from apps into Slack. Creating an Incoming Webhook gives you a unique URL to which you send a JSON payload with the message text and some options. You can use all the usual markup and attachments with Incoming Webhooks to make the messages stand out.”

Afterwards, we will write a few lines of bash script that post a message to Slack each time someone logs into your machine via SSH.

So let’s start:

    1. Get your free Slack account here.
    2. What we need for the simple logging is the incoming-webhook feature, which you should enable as stated here. It is up to you whether you want to send the messages into specific channels (useful if you have a lot of machines reporting into Slack) or directly to your account.
    3. Finally, test that the webhook works properly.
    4. Create the following bash script on the machine you intend to monitor, make it executable, and add your unique Slack webhook URL:
      #!/bin/bash
      # $SSH_CONNECTION is "client_ip client_port server_ip server_port"; keep the client IP only
      ip="${SSH_CONNECTION%% *}"
      # silent and without stdout output: sshrc must not print, or scp/sftp sessions break
      curl -s -o /dev/null -X POST -H 'Content-type: application/json' \
        --data "{\"text\":\"Login on KALI detected from ${ip}\"}" https://hooks.slack.com/services/XXXXXXXX/XXXXXXXXXXXXXXXX
    5. Create the following file in case you have not created it already: /etc/ssh/sshrc
      What does it do (man sshd)?

      /etc/ssh/sshrc
      Similar to ~/.ssh/rc, it can be used to specify machine-specific
      login-time initializations globally. This file should be
      writable only by root, and should be world-readable.

    6. Put a one-line call to the bash script you created earlier into /etc/ssh/sshrc – from now on, sshd runs it on every SSH login (interactive shell, remote command and sftp alike). Note that sshd executes sshrc with /bin/sh as the logging-in user, before that user's shell or command starts, so the script must be readable and executable by that user and must not write anything to stdout.
    7. Test the setup – go to your Slack workspace and check whether the messages arrive after you log into your machine via SSH.
    8. Install the Slack app on your mobile and enable notifications, so you get real-time alerts (as long as Slack is up and running) when needed.
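The following is a more robust version of the notifier from steps 4 to 6, added here as an example and not the script from the original post. It reports user, client address and port, time-boxes the webhook call and runs it in the background so an unreachable Slack endpoint cannot delay the login, escapes the JSON fields, and writes nothing to stdout (which would break scp/sftp sessions). The script path /usr/local/sbin/ssh-login-notify.sh and the SLACK_WEBHOOK_URL environment variable are assumptions for this example; the /etc/ssh/sshrc line would then be `/usr/local/sbin/ssh-login-notify.sh send`.

```shell
#!/bin/bash
# ssh-login-notify.sh (added example, not the original post's script).
# Called from /etc/ssh/sshrc, which sshd runs as the logging-in user before the
# user's shell or command starts. Nothing may be written to stdout here, or
# scp/sftp sessions break, so curl runs silently and in the background.
#
# Assumption: the webhook URL comes from $SLACK_WEBHOOK_URL or the placeholder below.
WEBHOOK_URL="${SLACK_WEBHOOK_URL:-https://hooks.slack.com/services/XXXXXXXX/XXXXXXXXXXXXXXXX}"

# Escape a value for use inside a JSON string literal (backslash and double quote).
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# $SSH_CONNECTION has the form "client_ip client_port server_ip server_port".
# Each helper takes that string as its single argument.
client_ip()   { printf '%s' "${1%% *}"; }
client_port() { set -- $1; printf '%s' "$2"; }
server_ip()   { set -- $1; printf '%s' "$3"; }

# Build the Slack payload for one login.
# Arguments: ssh_connection user host [timestamp]; prints the JSON document.
slack_payload() {
    _conn="$1"; _user="$2"; _host="$3"
    _ts="${4:-$(date -u '+%Y-%m-%dT%H:%M:%SZ')}"
    printf '{"text":"SSH login on %s: user %s from %s:%s (to %s) at %s"}' \
        "$(json_escape "$_host")" "$(json_escape "$_user")" \
        "$(client_ip "$_conn")" "$(client_port "$_conn")" \
        "$(server_ip "$_conn")" "$_ts"
}

# Post the payload. Silent, limited to 5 seconds and backgrounded, so a slow or
# blocked Slack endpoint cannot hold up the login. A failed POST is recorded via
# logger(1) so a missing alert can still be spotted in the system log.
notify() {
    _payload=$(slack_payload "${SSH_CONNECTION:-unknown 0 unknown 0}" \
                             "${USER:-$(id -un)}" "$(hostname)")
    ( curl -sS -o /dev/null --max-time 5 -X POST \
          -H 'Content-type: application/json' \
          --data "$_payload" "$WEBHOOK_URL" \
      || logger -t ssh-login-notify "webhook POST failed: $_payload" ) >/dev/null 2>&1 &
}

# Only send when explicitly asked (sshrc calls this script with "send"), so
# sourcing the file for testing does not post anything.
case "${1:-}" in
    send) notify ;;
esac
```

Install it root-owned with mode 0755. Because sshrc runs as the logging-in user, the script (and therefore the webhook URL in it or in the user's environment) is readable by every local user; treat the URL as a secret that a successful intruder can also read.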

Conclusion

This is easy, and can just as easily be applied to multiple machines, e.g. cloud-based ones. Furthermore, the same principle can be applied not only to SSH logins but also to web-based ones.

Does this prevent someone from breaking into your machine? No, it does not. This is purely a reactive (detective) control: you will at least be able to detect an intruder after they have logged in, and you will know that the account in question is compromised. You should build up multi-layer controls anyway, such as 2FA, hardening etc. Also keep in mind that this does not help at all if your system is compromised through an application-specific vulnerability (e.g. a web-based one), and that an intruder who already has a shell can tamper with the setup: ~/.ssh/rc takes precedence over /etc/ssh/sshrc (see sshd(8)), so a user-writable rc file silences future alerts unless sshd is configured with PermitUserRC no; the webhook URL is readable by anyone who can read the script; and no alert is sent at all if outbound access to Slack is blocked.

Nevertheless, I think this can help you understand your environment better and detect intruders at an early stage. Sometimes the simplest things are the most effective.
