[Intrusions] SSH brute forcers

C.J. Steele coreyjsteele at yahoo.com
Wed Jun 1 02:23:42 GMT 2005


Spot-on Donald!  Inspired by your admonishment, I've hacked together a
quick shell script to automatically do this for me... see below.  If
anyone has any questions, do feel free to e-mail me.

Please bear in mind that this isn't going to be comprehensive, but it
is a fair start.  If anyone would like to collaborate on a more
comprehensive solution, again, do feel free to e-mail me.

Cheers!
-C


#!/bin/sh
# rptbdgys by C.J. Steele, CISSP <coreyjsteele at yahoo.com>
#
# this quick script goes through /var/log/messages and pulls out hosts 
# that have been trying to brute-force attack my box and automatically 
# e-mails the persons responsible for their whois zones.
#
# your mileage may vary, depending on your log configuration and 
# execution environment...make sure you have standard tools like grep, 
# awk, sed, whois, and mail in the $PATH of whatever is executing this.
#
# NOTE: populate /tmp/sshbfmsg with whatever nasty-gram you want to 
# send to the responsible parties... 
#

# unique rhost= values from the sshd lines (the pipeline has to stay on
# one logical line; a "|" at the start of a new line is a syntax error)
offenders=`grep sshd /var/log/messages | grep rhost | awk '{print $13}' \
  | sed -e 's/rhost=//' | sort | uniq`

for host in $offenders; do

  # rhost is often already an IP address, so only resolve real hostnames,
  # and look for an actual "has address" answer rather than trusting
  # field 4 of host's output (which is "found:" or "pointer" on failures
  # and reverse lookups)
  case "$host" in
    [0-9]*.[0-9]*.[0-9]*.[0-9]*) offip=$host ;;
    *) offip=`host "$host" 2>/dev/null | awk '/has address/ {print $4; exit}'` ;;
  esac

  if [ "$offip" != "" ]; then
    # contacts from the whois record; "e-mail:" is the RIPE/APNIC style
    # field, other registries label it differently
    emails=`whois "$offip" | grep -i "e-mail" | awk '{print $2}' | sort | uniq`
    if [ "$emails" != "" ]; then
      for email in $emails; do
        mail -s "sshd brute-force attack" "$email" < /tmp/sshbfmsg
      done
    else
      # the parentheses must be quoted or sh treats them as syntax
      echo "no e-mail available for $offip ($host)"
    fi
  else
    echo "no dns for $host"
  fi

done



--- "Smith, Donald" <Donald.Smith at qwest.com> wrote:
> I must echo Scott's question and make a comment.
> How many of the bruteforce ssh IPs do you report to the ISPs?
> 
> My comment is we as a community are FAILING!
> Every bruteforce password guessing sshd attempt I have tracked/seen went
> to a host that was compromised via bruteforce password guessing. I think
> this continues to grow because we don't report them soon enough. If you
> get a host attempting brute force sshd you should report it asap. It is
> not spoofed. If we report enough of them eventually we should run into
> the first hop system. From that system the actual hacker could be traced.
> 
> We as a community should be able to quickly report and respond to these;
> if we did we would be winning rather than losing this battle.
> 
> I know there are lots of ways to automatically turn these away with
> syslog to ipfilters and other similar "ips" like tools. Perhaps a good
> autoreporting tool could assist us in this effort.
> 
> 
> donald.smith at qwest.com giac 
> 
> > -----Original Message-----
> > From: intrusions-bounces at lists.sans.org 
> > [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Scott Mcintyre
> > Sent: Monday, May 30, 2005 2:11 PM
> > To: Intrusions List (GCIA Practicals)
> > Subject: Re: [Intrusions] SSH brute forcers
> > 
> > 
> > How many of the ips do you actually report to the isps?
> > 
> > BruteForcing in general should not be much of a problem, install brute
> > force detectors, there's lots out there.  Even if someone does brute
> > force you for a reason, you should not have anything to worry about
> > providing you use strong passwords.
> > 
> > > WOOOHOOO.  It's getting to the point that the SSH brute force attempts
> > > on the 2 servers I am working on atm are coming at 4 to 8 times a day,
> > > no reasoning behind the number of attempts yet either.
> > > 
> > > Jim McCullough
> > > 
> > > On 5/28/05, DHoelzer at cyber-defense.org <DHoelzer at cyber-defense.org> wrote:
> > > > I've been automatically shunning SSH brute forcers for several months now
> > > > but I've recently decided to become a bit more aggressive.  I am now
> > > > publishing a blacklist populated by known SSH bruteforcing sources on my
> > > > site that is updated every minute based on my own detects from several
> > > > sites.  If you have any addresses to contribute please send them my way.
> > > > Feel free to grab a copy of the list if you want to populate your ACLs
> > > > which is what I'm doing for my customers.
> > > > 
> > > > Best regards
> > > > -----------------------------------------------------
> > > > David Hoelzer
> > > > Cyber-Defense.org
> > > > http://www.cyber-defense.org/CV.html
> > > > _______________________________________________
> > > > Intrusions mailing list
> > > > Intrusions at lists.sans.org
> > > > http://www.dshield.org/mailman/listinfo/intrusions
> > > > 
> > > 
> > > 
> > > -- 
> > > Jim McCullough
> > > 
> 

--
C.J. Steele, CISSP <coreyjsteele at yahoo.com>
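As an added example (not from C.J.'s post or anyone on the list), here is the extraction step of the script above done over constructed sample log lines: it pulls the rhost= value by pattern rather than by a fixed awk field, counts attempts per source, and only reports sources at or above a threshold, which keeps a single mistyped login from generating a report. It assumes pam_unix-style sshd lines in syslog; the sample lines and addresses are constructed.

```shell
#!/bin/sh
# Added example, not the script from the post. Counts sshd failures per
# rhost= source in syslog-style text and reports sources above a threshold.

# Constructed sample log: three failures from one source, one from another,
# plus an unrelated cron line to show that non-sshd lines are ignored.
SAMPLE_LOG='Jun  1 02:10:01 box sshd[1201]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root
Jun  1 02:10:03 box sshd[1202]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=admin
Jun  1 02:10:05 box sshd[1203]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=test
Jun  1 02:11:00 box sshd[1210]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Jun  1 02:12:00 box cron[1300]: (root) CMD (run-parts /etc/cron.hourly)'

# brute_sources LOGTEXT MIN: print "count source" for every rhost= value
# seen at least MIN times. The sed pattern finds the token wherever it
# sits on the line, so a different syslog prefix does not shift the field.
brute_sources() {
    printf '%s\n' "$1" |
        grep 'sshd' |
        sed -n 's/.*rhost=\([^ ][^ ]*\).*/\1/p' |
        sort | uniq -c |
        awk -v min="$2" '$1 >= min { print $1, $2 }'
}

# count_sources LOGTEXT MIN: number of sources over the threshold,
# handy for alerting or for a check in a larger script.
count_sources() {
    brute_sources "$1" "$2" | wc -l | tr -d ' '
}

# With a threshold of 3 only 192.0.2.10 is reported.
brute_sources "$SAMPLE_LOG" 3
```

Feed it real data with `brute_sources "$(grep sshd /var/log/messages)" 5` or similar; the threshold is the knob that separates a scanner from a colleague who fat-fingered a password.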


