nfsinkhole is a Python library and scripts for setting up a Unix server as a sinkhole (monitor, log/capture, and drop all traffic to a secondary interface).
Project description
The default setup arguments monitor/capture all traffic. Setup arguments are provided to configure protocols, ports, rate limiting, logging, source IP/CIDR exclusions from logging, and optional packet capture.
All sinkhole events are written to /var/log/nfsinkhole-events.log. Optionally, you can enable tcpdump to write packet capture text to /var/log/nfsinkhole-pcap.log if your version of tcpdump supports packet printing; otherwise it falls back to writing /var/log/nfsinkhole.pcap.
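A small triage script for the events log, added here as an example and not part of the nfsinkhole project. It assumes the events are standard iptables LOG-target lines relayed by rsyslog (the "[nfsinkhole]" log prefix is a placeholder, not the project's real prefix), that the sample lines below are constructed, and that it runs under Python 3; it applies the same kind of source IP/CIDR exclusion the setup arguments offer, then counts hits per source and per protocol/port.

```python
import ipaddress
import re
from collections import Counter

# key=value fields emitted by the iptables LOG target; only the ones we
# need are captured (OUT= is empty on a sinkhole interface and is ignored).
FIELD_RE = re.compile(r'\b(IN|SRC|DST|PROTO|SPT|DPT)=(\S*)')

# Constructed sample lines in iptables LOG format (not real captures);
# the "[nfsinkhole]" prefix is an assumed placeholder.
SAMPLE_LOG = """\
Aug 29 10:00:01 sinkhole kernel: [nfsinkhole] IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 29 10:00:02 sinkhole kernel: [nfsinkhole] IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40001 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 29 10:00:03 sinkhole kernel: [nfsinkhole] IN=eth1 OUT= SRC=192.0.2.99 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=UDP SPT=5353 DPT=53 LEN=20
Aug 29 10:00:04 sinkhole kernel: [nfsinkhole] IN=eth1 OUT= SRC=10.0.0.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 29 10:00:05 sinkhole sshd[123]: Accepted publickey for admin from 10.0.0.5 port 51000
"""


def parse_event(line):
    """Return the fields of one sinkhole event as a dict, or None for
    lines that are not iptables LOG records (e.g. other syslog traffic)."""
    if 'kernel:' not in line or 'SRC=' not in line:
        return None
    return dict(FIELD_RE.findall(line))


def summarize(lines, exclude_cidrs=()):
    """Count hits per source address and per PROTO/DPT, skipping any
    source that falls inside one of the excluded networks."""
    nets = [ipaddress.ip_network(c) for c in exclude_cidrs]
    sources, services = Counter(), Counter()
    for line in lines:
        ev = parse_event(line)
        if not ev:
            continue
        src = ipaddress.ip_address(ev['SRC'])
        if any(src in n for n in nets):
            continue  # e.g. the management network, like the setup exclusions
        sources[ev['SRC']] += 1
        services['%s/%s' % (ev.get('PROTO', '?'), ev.get('DPT', '-'))] += 1
    return sources, services


if __name__ == '__main__':
    srcs, svcs = summarize(SAMPLE_LOG.splitlines(), exclude_cidrs=('10.0.0.0/8',))
    print('top sources :', srcs.most_common(5))
    print('top services:', svcs.most_common(5))
```

Point it at /var/log/nfsinkhole-events.log instead of SAMPLE_LOG to get a quick view of which sources and ports are hitting the sinkhole interface.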
Features
Simple install script
Installs as an init.d/systemctl service
Service modifies iptables on start/stop, no need to persist iptables
rsyslog and syslog-ng (pending) supported
RedHat/CentOS 6/7 tested
Python 2.6+ and 3.0+ supported
Built-in support for dealing with SELinux/AppArmor
Packet capture of sinkhole traffic (printed output to log for tcpdump v4.5+)
Useful set of utilities
Detailed logging to /var/log/nfsinkhole-*
Syslog forwarding configuration (pending)
BSD license
Planned Improvements
API/class documentation
syslog-ng support (currently partially built; unused)
Tests via travis-ci/docker
Coverage via coverage.io
Exception handling overhaul
Set logging level (currently debug)
BIND/Microsoft/etc DNS server configuration documentation/examples
Monitoring use case examples
Automatic configuration for syslog forwarding
SIEM parsers/apps/plugins
Official support/testing for more OS environments
Support handling exceptions for HIPS and other endpoint security products
Intelligent handling/handshakes (inspired by iptrap - https://github.com/jedisct1/iptrap)
Links
Documentation
Release v0.1.0
GitHub master
GitHub dev
Examples
Pending
Github
Pypi
Changes
Dependencies
OS:
iptables (likely already included in base OS)
tcpdump (optional - likely already included in base OS)
Python 2.6:
argparse
Python 2.7, 3.0+:
None!
Installing
Base OS (pip) – RECOMMENDED
If pip is not installed, you will first need to add the EPEL repo and install it:
sudo yum install epel-release
sudo yum install python-pip
RHEL/CentOS 6/7
Basic:
pip install --user --upgrade nfsinkhole
python ~/.local/bin/nfsinkhole-setup.py --interface <INTERFACE> --install --pcap
virtualenv:
pip install virtualenv
virtualenv nfsinkhole
source nfsinkhole/bin/activate
nfsinkhole/bin/pip install nfsinkhole
nfsinkhole/bin/python nfsinkhole/bin/nfsinkhole-setup.py --interface <INTERFACE> --install --pcap
Base OS (no pip)
RHEL/CentOS 6
GitHub - Stable:
# tar -C needs an existing directory; --strip-components=1 drops the
# top-level directory GitHub puts in its tarballs so setup.py is at the root
mkdir argparse
wget -O argparse.tar.gz https://github.com/ThomasWaldmann/argparse/tarball/master
tar -C argparse --strip-components=1 -zxvf argparse.tar.gz
cd argparse
python setup.py install --user --prefix=
cd ..
rm -Rf argparse
mkdir nfsinkhole
wget -O nfsinkhole.tar.gz https://github.com/secynic/nfsinkhole/tarball/master
tar -C nfsinkhole --strip-components=1 -zxvf nfsinkhole.tar.gz
cd nfsinkhole
python setup.py install --user --prefix=
cd ..
rm -Rf nfsinkhole
python ~/.local/bin/nfsinkhole-setup.py --interface <INTERFACE> --install --pcap
RHEL/CentOS 7
GitHub - Stable:
# tar -C needs an existing directory; --strip-components=1 drops the
# top-level directory GitHub puts in its tarballs so setup.py is at the root
mkdir nfsinkhole
wget -O nfsinkhole.tar.gz https://github.com/secynic/nfsinkhole/tarball/master
tar -C nfsinkhole --strip-components=1 -zxvf nfsinkhole.tar.gz
cd nfsinkhole
python setup.py install --user --prefix=
cd ..
rm -Rf nfsinkhole
python ~/.local/bin/nfsinkhole-setup.py --interface <INTERFACE> --install --pcap
Service
Once installed, you need to start the nfsinkhole service (starting it adds the iptables rules; stopping it removes them).
RHEL/CentOS 6
sudo service nfsinkhole start
RHEL/CentOS 7
sudo systemctl start nfsinkhole.service
API
AppArmor
AppArmor documentation:
iptables
iptables documentation:
rsyslog
rsyslog documentation:
SELinux
SELinux documentation:
Service
Service (systemd/init.d) documentation:
syslog-ng
syslog-ng documentation:
tcpdump
tcpdump documentation:
Utilities
Utilities documentation:
Contributing
https://nfsinkhole.readthedocs.io/en/latest/CONTRIBUTING.html
Special Thanks
Thank you JetBrains for the PyCharm open source support!
Changelog
0.1.0 (2016-08-29)
Initial release