/*
 * Scandetd is daemon which tries to recognize port scanning. 
 * If it happens daemon sends e-mail to root@localhost  (by default) 
 * with following informations:
 * 
 * time 
 * host  
 * how many connetctions was made
 * port of first connection and port of last connection
 *
 * compile: gcc scandetd.c -o scandetd
 *
 * author: Michal Suszycki	mike@wizard.ae.krakow.pl
 *
 * You can change few define's and variables below this comment to tune
 * scandetd to your needs.
 *
 * If you have some problems with compiling try to  
 * change 2 lines:
 * #include <netinet/ip.h> to #include <linux/ip.h>
 * #include <netinet/tcp.h> to #include <linux/tcp.h>
 *
 * This code was based on IpLogger Package by Mike Edulla (medulla@infosoc.com)
 * 
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 1, or (at your option)
 * any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 */
 
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <syslog.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
//#include <netinet/ip.h>
#include <linux/ip.h>
//#include <netinet/tcp.h>
#include <linux/tcp.h>
#include <time.h>
#include <signal.h>
#include <string.h>

extern int errno;


/* how many hosts should I remember. If your server is heavily loaded it's
   good idea to increase this number a little bit
*/
#define HOW_MANY 6

/* how many connections should I recognize as scanning? */
#define SCAN 25

/* uncomment this to enable printing to log files scan warnings (using syslogd) */
//#define DOSYSLOG

/* uncoment this if you want to log every connection attempt (using syslogd) */
//#defind LOGCON

/* here you can define special port you want to ignore:
   if 'scanning' started and ended on the same port and this port is equal
   to NOPORT then 'scanning'  will be ignored. If you  notice for example that
   your server get a lot of fast connections (from one host) to www port you 
   can define NOPORT to 80 so there will be no false warnings 
*/ 
#define NOPORT 80

/* 
   If next connection arrived right after the previous one we have to count it.
   Default time is 1 second.
*/
#define SEC 1

/* We use this port for sending mail */
#define MAILPORT 25

/* we send mail to <user@host>: */
char *mail_to = "<root@localhost>";

/* IP of the machine which sends our mail */
char *mail_host = "127.0.0.1";

/* mail will be send from host: */
char *from_host = "localhost";


/* ----------- end of user's configuration  ---------------- */

#ifndef NOFILE
#define NOFILE 1024
#endif


char *hostlookup(int i)
{
	static char buff[256];
	struct in_addr ia;
	struct hostent *he;
	ia.s_addr = i;
	
	if (!(he = gethostbyaddr((char *)&ia, sizeof ia, AF_INET)))
		strncpy(buff,inet_ntoa(ia),sizeof buff);
	else
		strncpy(buff,he->h_name,sizeof buff);
	return buff;
}

char *servlookup(unsigned short port)
{
	struct servent *se;
   	static char buff[256];
      
   	se=getservbyport(port, "tcp");
   		if(se == NULL) sprintf(buff, "port %d", ntohs(port));
       		else sprintf(buff, "%s", se->s_name);
	return buff;
}
		  


struct ippkt{
	struct iphdr ip;
	struct tcphdr tcp;
} pkt;

struct host{
	unsigned int from;
	time_t t;
	time_t start;
	unsigned short low_port;
	unsigned short hi_port;
	int count;
} hosts[HOW_MANY];

void demonize()
{
	int fd, f;
	
	if (getppid() != 1){
		signal(SIGTTOU,SIG_IGN);
		signal(SIGTTIN,SIG_IGN);
		signal(SIGTSTP,SIG_IGN);
		f = fork();
		if (f < 0)
			exit(-1);
		
		if (f > 0)
			 exit (0);

	/* child process */		
	setpgrp();
	for (fd = 0 ; fd < NOFILE; fd++) close(fd);
	chdir("/");
	umask(0);
	return;
	}
}	


void init()
{
    int i;
    time_t now;
    now = time(NULL);
    for (i = 0; i < HOW_MANY; i++)
	hosts[i].t = now;
}

int allocate(int *p, unsigned int addr)
{
	int i, v = 0;
	time_t tmp = hosts[0].t;
	for( i = 0; i < HOW_MANY; i++){
		if (hosts[i].t <= tmp) {
			tmp = hosts[i].t;
			v = i;
		}
		if (hosts[i].from == addr){
			*p = 1;
			return i;
		}
	}
	*p = 0;
	return v;
}

// only for debugging 
void show(int a)
{
	int i;
	
	for (i = 0; i < HOW_MANY; i++){
		printf("Host %s, time %ld, count=%d, l=%d,",
			hostlookup(hosts[i].from),hosts[i].t, hosts[i].count,
			ntohs(hosts[i].low_port));
		printf("hi = %d\n",ntohs(hosts[i].hi_port));
	}		
	exit (0);
}

void no_zombie(int i)
{
	wait(NULL);
}

int send_mail(struct host *bad)
{
	static struct sockaddr_in sa;
	int s, i, low, high;
	char buf[1024], combuf[256];
	
	char *comm[] = { "HELO ", 			from_host,
			 "MAIL FROM: SCANDETD@",	from_host,
			 "RCPT TO:"		,	mail_to,
			 "DATA"			,	" "
			};
	
	i = fork();
	
	if (i < 0) return -1;
	if (!i) return 0;
	
	low = ntohs(bad->low_port);
	high = ntohs(bad->hi_port);
	sprintf(buf,"%sPossible port scanning from %s,\n"
		"I counted %d connections.\nFirst connection was made on %d port and the last one on %d port.\r\n.\r\n",
		ctime(&bad->start),hostlookup(bad->from),bad->count, low, high);
					

	sa.sin_port = htons(MAILPORT);
	sa.sin_family = AF_INET;
	if ((sa.sin_addr.s_addr = inet_addr(mail_host)) == -1)
		exit (-1);
	
	bzero(&sa.sin_zero, 8);
	if ((s = socket(AF_INET,SOCK_STREAM,0)) < 0)
		exit (-1);
	
	if (connect(s,(struct sockaddr *) &sa, sizeof (struct sockaddr)) < 0)
		exit (-1);
	
	for (i = 0; i < 8 ; i += 2){
		sprintf(combuf,"%s%s\n",comm[i],comm[i+1]);
		if (write(s,combuf,strlen(combuf)) < 0 ){
			close(s);
			exit(-1);
		}
		sleep(1);
	}
	if (write(s,buf,strlen(buf)) < 0) exit(-1);
	sleep(1);
	if (write(s,"QUIT\n",5) < 0) exit (-1);
	
	close(s);
	exit(0);
}
	

void main(int argc, char **argv)
{
	int s, index, was;
	time_t now;
	
	demonize();

	init();
	s = socket(AF_INET, SOCK_RAW, 6);

#ifdef DOSYSLOG
	openlog("scandetd", 0, LOG_LOCAL2);
	syslog(LOG_NOTICE,"scandetd started and ready");
#endif
//	signal(SIGINT,show);
	
/* to avoid zombies */
	signal(SIGCHLD,no_zombie);

	while(1){
		read(s, (struct ippkt*) &pkt, sizeof(pkt));
		now = time(NULL);
		
		if (pkt.tcp.syn == 1 &&  pkt.tcp.ack == 0){
		
#ifdef LOGCON
			syslog(LOG_NOTICE,"%s connecion attempt from %s",
				servlookup(pkt.tcp.dest),
				hostlookup(pkt.ip.saddr)
				);
#endif	
			index = allocate(&was,pkt.ip.saddr);
			
			if (!was){
				if (hosts[index].count >= SCAN
#ifdef NOPORT				
					&& hosts[index].low_port != htons(NOPORT)
					&& hosts[index].hi_port  != htons(NOPORT)
#endif
					){
					send_mail(&hosts[index]);
#ifdef DOSYSLOG			
				syslog(LOG_NOTICE,"Possible port scanning from %s",
					hostlookup(hosts[index].from));
#endif
				}
				hosts[index].from = pkt.ip.saddr;
				hosts[index].low_port = pkt.tcp.dest; 
				hosts[index].hi_port = pkt.tcp.dest;
				hosts[index].count = 1;
				hosts[index].t = now;
				hosts[index].start = now;
				continue;
			}
		
	/* if this connection was right after previous we must count it */
			else if (now - SEC <= hosts[index].t){
				hosts[index].count++;
				hosts[index].hi_port = pkt.tcp.dest;

			}
		hosts[index].t = now;
		}
	}
}