[Intrusions] SSH brute forcers

Smith, Donald Donald.Smith at qwest.com
Wed Jun 1 19:26:22 GMT 2005


CJ good work.
I would add a specific PATH statement to prevent tainting and maybe some
vars for the log location.


donald.smith at qwest.com giac 

> -----Original Message-----
> From: intrusions-bounces at lists.sans.org 
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of C.J. Steele
> Sent: Tuesday, May 31, 2005 8:24 PM
> To: Intrusions List (GCIA Practicals)
> Subject: RE: [Intrusions] SSH brute forcers
> 
> 
> Spot-on Donald!  Inspired by your admonishment, I've hacked together a
> quick shell script to automatically do this for me... see below.  If
> anyone has any questions, do feel free to e-mail me.
> 
> Please bear in mind that this isn't going to be comprehensive, but it
> is a fair start.  If anyone would like to collaborate on a more
> comprehensive solution, again, do feel free to e-mail me.
> 
> Cheers!
> -C
> 
> 
> #!/bin/sh
> # rptbdgys by C.J. Steele, CISSP <coreyjsteele at yahoo.com>
> #
> # this quick script goes through /var/log/messages and pulls out hosts
> # that have been trying to brute-force attack my box and automatically
> # e-mails the persons responsible for their whois zones.
> #
> # your mileage may vary, depending on your log configuration and
> # execution environment...make sure you have standard tools like grep,
> # awk, sed, whois, and mail in the $PATH of whatever is executing this.
> #
> # NOTE: populate /tmp/sshbfmsg with whatever nasty-gram you want to
> # send to the responsible parties...
> #
# I would add a path statement to address trojaned path/binaries local
# exploit issues
# perhaps a few variables for things like log directory
LOGDIR=/var/log
LOGNAME=messages
PATH=/sbin:/bin:/usr/sbin:/usr/bin
> # pull the rhost= value out of the pam_unix "authentication failure"
> # lines; the field number depends on your syslog/pam line format
> offenders=`grep sshd $LOGDIR/$LOGNAME | grep rhost | awk '{print $13}' \
>   | sed -e 's/rhost=//' | sort | uniq`
> 
> for host in $offenders; do
> 
>   # resolve the logged name to an address for the whois lookup
>   offip=`host "$host" | awk '{print $4}'`
>   if [ "$offip" != "" ]; then
>     for email in `whois "$offip" | grep "e-mail" | awk '{print $2}'`; do
>       if [ "$email" != "" ]; then
>         mail -s "sshd brute-force attack" "$email" < /tmp/sshbfmsg
>       else
>         echo "no e-mail available for $offip ($host)"
>       fi
>     done
>   else
>     echo "no dns for $host"
>   fi
> 
> done
> 
> 
> 
> --- "Smith, Donald" <Donald.Smith at qwest.com> wrote:
> > I must echo Scott's question and make a comment.
> > How many of the bruteforce ssh IPs do you report to the ISPs?
> > 
> > My comment is we as a community are FAILING!
> > Every bruteforce password guessing sshd attempt I have tracked/seen went
> > to a host that was compromised via bruteforce password guessing. I think
> > this continues to grow because we don't report them soon enough. If you
> > get a host attempting brute force sshd you should report it asap. It is
> > not spoofed. If we report enough of them eventually we should run into
> > the first hop system. From that system the actual hacker could be traced.
> > 
> > We as a community should be able to quickly report and respond to these;
> > if we did we would be winning rather than losing this battle.
> > 
> > I know there are lots of ways to automatically turn these away with
> > syslog to ipfilters and other similar "ips" like tools. Perhaps a good
> > autoreporting tool could assist us in this effort.
> > 
> > 
> > donald.smith at qwest.com giac 
> > 
> > > -----Original Message-----
> > > From: intrusions-bounces at lists.sans.org 
> > > [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Scott
> > Mcintyre
> > > Sent: Monday, May 30, 2005 2:11 PM
> > > To: Intrusions List (GCIA Practicals)
> > > Subject: Re: [Intrusions] SSH brute forcers
> > > 
> > > 
> > > How many of the ips do you actually report to the isps?
> > > 
> > > Brute forcing in general should not be much of a problem; install brute
> > > force detectors, there's lots out there.  Even if someone does brute
> > > force you for a reason, you should not have anything to worry about
> > > providing you use strong passwords.
> > > 
> > > > WOOOHOOO.  It's getting to the point that the SSH brute force attempts
> > > > on the 2 servers I am working on atm are coming at 4 to 8 times a day,
> > > > no reasoning behind the number of attempts yet either.
> > > > 
> > > > Jim McCullough
> > > > 
> > > > On 5/28/05, DHoelzer at cyber-defense.org <DHoelzer at cyber-defense.org> wrote:
> > > > > I've been automatically shunning SSH brute forcers for several months now
> > > > > but I've recently decided to become a bit more aggressive.  I am now
> > > > > publishing a blacklist populated by known SSH bruteforcing sources on my
> > > > > site that is updated every minute based on my own detects from several
> > > > > sites.  If you have any addresses to contribute please send them my way.
> > > > > Feel free to grab a copy of the list if you want to populate your ACLs
> > > > > which is what I'm doing for my customers.
> > > > > 
> > > > > Best regards
> > > > > -----------------------------------------------------
> > > > > David Hoelzer
> > > > > Cyber-Defense.org
> > > > > http://www.cyber-defense.org/CV.html
> > > > > _______________________________________________
> > > > > Intrusions mailing list
> > > > > Intrusions at lists.sans.org
> > > > > http://www.dshield.org/mailman/listinfo/intrusions
> > > > > 
> > > > 
> > > > 
> > > > -- 
> > > > Jim McCullough
> > > > 
> > > > 
> > > > 
> > > 
> > > 
> > > 
> > 
> > 
> 
> --
> C.J. Steele, CISSP <coreyjsteele at yahoo.com>
> 
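The following is an added example, written for this archive page and not part of C.J. Steele's script or Donald Smith's reply. It shows the two changes Donald asks for (a fixed PATH and variables for the log location) and also replaces the fixed-column `awk '{print $13}'` extraction with a key-based match on `rhost=`, so a different syslog prefix or pam_unix wording does not silently shift the column. The function names (`write_sample_log`, `extract_offenders`), the `THRESHOLD` knob and the log lines are all constructed here; the sample is not taken from any real host.

```shell
#!/bin/sh
# Added example: position-independent offender extraction for sshd
# "authentication failure" lines. Function names, threshold and sample
# log lines are constructed for this example, not from the original post.

# Fixed, exported PATH so a look-alike grep/sed/whois placed earlier in
# the invoking user's PATH can never be picked up by this script.
PATH=/usr/bin:/bin:/usr/sbin:/sbin
export PATH

# Log location and report threshold as variables (overridable from the
# environment) instead of literals scattered through the script.
LOGDIR=${LOGDIR:-/var/log}
LOGFILE=${LOGFILE:-messages}
THRESHOLD=${THRESHOLD:-3}   # report a source only after this many failures

# Constructed sample of /var/log/messages (not a real host). It covers a
# repeat offender, a single miss, a "Failed password" line with no rhost=
# field, an empty rhost=, and one corrupted line.
SAMPLE_LOG='May 31 20:01:02 box sshd(pam_unix)[1234]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10 user=root
May 31 20:01:02 box sshd[1234]: Failed password for root from 192.0.2.10 port 4022 ssh2
May 31 20:01:05 box sshd(pam_unix)[1240]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10 user=admin
May 31 20:01:09 box sshd(pam_unix)[1251]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10 user=test
May 31 20:01:12 box sshd(pam_unix)[1263]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10 user=guest
May 31 20:02:40 box sshd(pam_unix)[1301]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=198.51.100.7 user=root
May 31 20:03:01 box sshd(pam_unix)[1333]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost= user=root
May 31 20:04:15 box sshd(pam_unix)[1350]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.5 user=root
May 31 20:04:17 box sshd(pam_unix)[1352]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.5 user=root
May 31 20:04:19 box sshd(pam_unix)[1355]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.5 user=root
May 31 20:05:00 box sshd(pam_unix)[1360]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=garbled$entry user=root'

# Write the constructed sample to a temporary file and print its path.
write_sample_log() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    printf '%s\n' "$f"
}

# Print each rhost seen at least THRESHOLD times in the given log, one per
# line. The value is located by the rhost= key rather than by field number,
# and the character allowlist guarantees that only a plain hostname or
# address is ever passed on to host/whois/mail later in the pipeline.
extract_offenders() {
    logfile=$1
    threshold=${2:-$THRESHOLD}
    sed -n 's/.*sshd[^:]*:.*rhost=\([^ ][^ ]*\).*/\1/p' "$logfile" \
      | grep -x '[A-Za-z0-9.:-]*' \
      | sort | uniq -c \
      | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Stand-alone demonstration on the constructed sample. On a real host the
# call would be: extract_offenders "$LOGDIR/$LOGFILE"
sample=$(write_sample_log)
extract_offenders "$sample"
rm -f "$sample"
```

On the sample above the default threshold of 3 reports only 192.0.2.10 and 203.0.113.5; the single miss from 198.51.100.7, the empty rhost= and the corrupted line are all dropped before anything is looked up or mailed. Raising the threshold is the simplest way to keep a one-off typo from a legitimate user from generating a complaint to their ISP.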