In this article I give the theory about Why and How use Twitter as a real-time alert system for your systems monitoring.
by Emeric Nasi
Also the author suppose the reader have a good base about GNU Linux and security.
English is not my first language, do not hesitate to point our any "bad writing".
License : Copyright Emeric Nasi, some rights reserved
This work is licensed under a Creative Commons Attribution 4.0 International License.
I really like Twitter. I opened my own account a few days ago. I was looking at the Twitter features. I just tough that Twitter could be used for more than public communications. A problem you may face when dealing with monitoring is the reaction time. And having real-time alerts is the big issue.
I found out Twitter’s API could be used for that, in a more secure way than classic emails.
I implemented this solution and I will present it to you using two articles.
This first article deals with the "theory" about a Twitter system alert application.
In this article I present why Twitter can be a good real-time alert system.
Next you can read how-to implement that solution on a GNU Linux computer.
I.1 Real-time alert.
Watching the daily logwatch results of your syslogs is important.
However there are some alerts that require immediate reactions. For example, if someone is playing with dnsspoof inside your network,
if one of your server is suddenly victim of a DDOS attack or if an important service like Apache crashed because of a segfault;
that is something you need to know right away.
In order to do that you have to setup a real-time alert system.
There are a few ways of doing so, you can :
- Send an email
- Display a message on a screen
- Send an sms
- Use Instant messaging
Twitter is very interesting because you can send private messages, update the public status (but you can keep your public status private).
You can set your account to receive an email for each direct message you receive (this email will contain the message text as well).
If you activate the mobile features your will also receive your private messages by sms.
So just sending an alert via Twitter direct message means :
- Send an email via Twitter
- Send an sms via Twitter
- Have the alert on your Twitter private messages page
I.2 Circumvent firewall restrictions
I have a friend who is admin system for an international company. He often complains about the company firewall in Japan.
This firewall blocks most of the traffic (including smtp) and he has to log himself by ssh each time he has to monitor the Japanese servers.
This case shows that using emails or other standards to monitor the system logs is not always possible.
Twitter API is based on HTTP and uses ports usually accepted in the OUTPUT rules of port-based firewalls.
If you have a webmail associate with your Twitter account, you can consult your alerts as emails without using the smtp protocol on your network.
Easy monitoring of a bunch of servers means you do not want to connect by ssh to every servers. You can use
remote syslogs, emails or other solutions that will send any log/alert into only one machine and accessible using one account.
This implies that the data are transmitted securely. They should be encrypted using a TLS (SSL) or a SSH tunnel.
A more secure solution is to encrypt and use a public key authentication so that the passwords are never transmitted over the network.
The access to twitter API uses the secure protocol OAuth. Moreover all calls to the API are wrapped by SSL tunneling.
Citation from the OAuth beginner’s guide :
OAuth allows you to share your private resources (photos, videos, contact list, bank accounts)
stored on one site with another site without having to hand out your username and password.
OAuth has become an Internet security standard (RFC 5849) and has a very interesting approach of
secured services and resource sharing.
We will talk more about OAuth in the next section.
II How ?
In fact we can identify two distinct entities.
1 - A real-time alert system
2 - A program that can authenticate trough Twitter over OAuth and use the Twitter API.
II.1 A real-time alert system.
We need a tool that can watch logs and other files and call the Twitter capable program.
This tool must only be a log watcher and not the tool that generates the logs.
It is better to have a finest modularity on our system.
You want to use the Twitter alert system to get real-time notice of critical hacking attempt.
The tool generating the logs could be an IDS like snort or it could be iptables log.
The real-time alert tool could be swatch, configured to watch /var/log/messages and action
an alert each time it finds the string "Priority: 1" (snort maximum alert level).
II.2 A Twitter capable program
Because this program doesn’t exit yet, I am going to write one.
Let’s call this program "The bird sentinel" !
What language can we choose?
Twitter API can be manipulated using most programing language (java, python, perl, ruby, php, .Net, etc.).
Because we are on Linux we can forget DotNET!
We want to write a security application with minimum features, so it should be a console application
and it shouldn’t require a server to run (so exit php and other web languages).
What features ?
The program "The bird sentinel" doesn’t need a lot of features, he must :
- Be able to follow the Twitter/OAuth workflow
- Be able to send direct messages using Twitter API
II.3 About the OAuth workflow
OAuth is a secure way to access the Twitter API. There is also a basic authentication system but it is insecure and deprecated (it will be removed from the API in june 2010).
You should really read The beginner’s guide to OAuth to understand OAuth.
Here is an adaptation of the OAuth workflow to Twitter (I use OAuth terms) :
The Twitter account’s owner is the "User", in our case it is also "The bird sentinel" programmer.
Twitter is the "Service provider"
"The bird sentinel" application is the "Consumer"
1 - The User/programmer logs on his Twitter account and register "The bird sentinel"
2 - Twitter generates a consumer key and a consumer secret for "The bird sentinel". The programmer will use them in his program.
3 - The bird sentinel asks Twitter for an "Access token" using his consumer key.
4 - The User has to log on his Twitter account and accept to share his account with "The bird sentinel"
5 - Twitter sends an Access Token and an Access Token secret to "The bird sentinel"
6 - "The bird sentinel" can now use the Twitter API using his Access Token.
Monitor real-time alerts over Twitter is possible. It implies a real-time alert system and a Twitter capable program.
We have everything setup, we can now implement this solution!