Keep track of weird logins with Howler

by Konstantin Ryabitsev

Howler is a small utility I wrote to be notified when my users were logging in from unusual locations. I wanted to know if someone who normally logs in from Canada was suddenly logging in from Korea -- and especially if they were suddenly rapidly hopping between two different locations. It's a red flag when someone logs in from Seattle, then from Barcelona, then from Seattle again, all within the same 4 hours, because it's a good indicator that their credentials got stolen (though usually it's because they are using Tor or their corporate VPN).

Either way, Howler will keep a watchful eye on where your users are coming from and alert you when they change locations:

This user logged in from a new location:

      User    : mricon
      IP Addr : x.x.x.x
      Location: Portland, Oregon, US
      Hostname: myhost.kernel.org
      Daemon  : sshd

Previously seen locations for this user:
      2017-04-08: Montréal, Quebec, CA

or when they start hopping:

Hopping detected for user mricon!

Locations seen in the past 12 hours (UTC):

      15:04:09: Montréal, Quebec, CA
      14:58:31: Vancouver, Washington, US
      14:51:42: Montréal, Quebec, CA
      14:44:58: Vancouver, Washington, US

It's best used on your central syslog aggregator with the help of SEC (Simple Event Correlator), a handy tool that polls your logs and triggers actions when lines match regexes. I provide a few sample SEC rules for sshd, OpenVPN, and gitolite.
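To show the two checks described above in working form, here is an added example (my own illustration, not Howler's code): it parses sshd "Accepted" lines, looks up each IP in a small location table, flags a user's first login from a location not seen before, and flags hopping when the locations in a 12-hour window alternate three or more times. The IP-to-location table, the hostnames, the IPs and the log lines are all constructed for the example; the log year and the three-switch threshold are assumptions, and timestamps are taken to be UTC.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IP -> location table standing in for a GeoIP lookup.
GEO = {
    "203.0.113.7": "Montréal, Quebec, CA",
    "198.51.100.9": "Vancouver, Washington, US",
    "192.0.2.44": "Portland, Oregon, US",
}

# sshd "Accepted" line as syslog writes it; the year is missing, so it is assumed.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

HOP_WINDOW = timedelta(hours=12)  # window the post's report uses
HOP_MIN_SWITCHES = 3              # A -> B -> A -> B counts as three switches (assumed threshold)


def parse_line(line, year=2017):
    """Return a dict for a successful sshd login, or None for any other line."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "user": m["user"], "ip": m["ip"],
            "loc": GEO.get(m["ip"], "unknown")}


def analyze(lines):
    """Walk the log once; return (new_location_events, hopping_users, history).

    new_location_events: (user, location, previously seen [(location, first_seen)])
    history: user -> [(timestamp, location)] for every successful login
    """
    seen = defaultdict(dict)      # user -> {location: first time seen}
    history = defaultdict(list)   # user -> [(ts, location)]
    new_events, hoppers = [], set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        u = ev["user"]
        if ev["loc"] not in seen[u]:
            new_events.append((u, ev["loc"], sorted(seen[u].items())))
            seen[u][ev["loc"]] = ev["ts"]
        history[u].append((ev["ts"], ev["loc"]))
        # Hopping: count location changes among logins inside the window.
        recent = [loc for ts, loc in history[u] if ev["ts"] - ts <= HOP_WINDOW]
        switches = sum(1 for a, b in zip(recent, recent[1:]) if a != b)
        if switches >= HOP_MIN_SWITCHES:
            hoppers.add(u)
    return new_events, hoppers, history


def hop_report(history, user, now):
    """Lines for the 'Locations seen in the past 12 hours' block, newest first."""
    recent = [(ts, loc) for ts, loc in history[user] if now - ts <= HOP_WINDOW]
    return [f"{ts:%H:%M:%S}: {loc}" for ts, loc in sorted(recent, reverse=True)]


# Constructed sample log: one old login, four alternating ones, another user,
# and a failed attempt that the parser must ignore.
LOG = """\
Apr  8 09:12:01 myhost sshd[1201]: Accepted publickey for mricon from 203.0.113.7 port 50122 ssh2
Apr  9 14:44:58 myhost sshd[1305]: Accepted publickey for mricon from 198.51.100.9 port 50211 ssh2
Apr  9 14:51:42 myhost sshd[1310]: Accepted publickey for mricon from 203.0.113.7 port 50230 ssh2
Apr  9 14:58:31 myhost sshd[1322]: Accepted publickey for mricon from 198.51.100.9 port 50244 ssh2
Apr  9 15:04:09 myhost sshd[1330]: Accepted publickey for mricon from 203.0.113.7 port 50261 ssh2
Apr  9 16:00:00 myhost sshd[1400]: Accepted password for alice from 192.0.2.44 port 40001 ssh2
Apr  9 16:00:05 myhost sshd[1401]: Failed password for bob from 192.0.2.44 port 40002 ssh2
""".splitlines()

if __name__ == "__main__":
    events, hoppers, history = analyze(LOG)
    for user, loc, previous in events:
        print(f"New location for {user}: {loc}; previously seen: {previous}")
    for user in sorted(hoppers):
        print(f"Hopping detected for user {user}!")
        last_ts = history[user][-1][0]
        print("\n".join("      " + line for line in hop_report(history, user, last_ts)))
```

The first login of a never-seen user is reported as a new location with an empty "previously seen" list; in a deployment the location table would be a real GeoIP lookup, and the state (`seen`, `history`) would be persisted between runs rather than rebuilt from the whole log.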

tags: infosec, security