Gotham Remote Logins Monitoring System
In order to detect abused credentials, CERN is running a remote login monitoring system, called Gotham. This systems compares, for each user, the location of remote logins with the user’s past behaviour, notifying them of any new location. Unfortunately, the design and code used by this system is outdated and requires a complete rewrite.
The requirements of this projects are:
Build a system with the same features as the existing one, but without any dependency on old CERN libraries (e.g. perl-LC), which would include:
◦ Pulling data from a login database (running an hourly cron-job)
◦ Enriching the data with geolocation and domains
◦ Support for whitelisting, in particular for CERN IPs
◦ Maintaining a ‘known location’ database
Build a Command Line Interface (CLI) for administrator to manually list or remove locations for users
Add support for IPv6 (currently unsupported)
Design a new system running in real-time streaming mode (instead of using an hourly cron-job) by running the code in an Apache Spark (http://spark.apache.org/) cluster and pulling data from Apache Kafka (http://kafka.apache.org/). Special care should be taken to ensure that no data is lost in case of crashes.
In addition, extensions of this project can be considered:
A SSO-enabled web front-end, allowing CERN users (and the CERN Computer Security Team) to review their known login locations.
Reviewing the current location definition and evaluate alternatives. For example using ‘ISPs’ instead of ‘Organisations’, using ‘City’ geolocalization, etc
This project aims to completely rewrite the Gotham Remote Logins Monitoring System currently in use at CERN. The existing system has been written in Perl, and it makes use of some really old CERN libraries that make the system difficult to maintain. Python is a modern, widely used, high-level, interpreted programming language and, as a result, was chosen as the programming language for this project. There are a number of well-maintained open source libraries in Python that have been used for the purposes of this project,drastically decreasing the chances of security flaws in the libraries and thus simplifying the project maintenance. Apart from the equivalent functionality that was achieved with respect to the earlier version of Gotham, a number of new features have been added, like real-time processing of input login streams, a web based frontend to be integrated with the central account management page at CERN, a REST API for accessing previous login information by other applications.