[Intrusions] SSH brute forcers

Joel Esler eslerj at gmail.com
Wed Jun 1 20:22:56 GMT 2005


Also.. what's your sshbfmsg say?

J


On Jun 1, 2005, at 3:26 PM, Smith, Donald wrote:

> CJ good work.
> I would add a specific PATH statement to prevent tainting and maybe some
> vars for the log location.
>
>
> donald.smith at qwest.com giac
>
>> -----Original Message-----
>> From: intrusions-bounces at lists.sans.org
>> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of C.J. Steele
>> Sent: Tuesday, May 31, 2005 8:24 PM
>> To: Intrusions List (GCIA Practicals)
>> Subject: RE: [Intrusions] SSH brute forcers
>>
>>
>> Spot-on Donald!  Inspired by your admonishment, I've hacked together a
>> quick shell script to automatically do this for me... see below.  If
>> anyone has any questions, do feel free to e-mail me.
>>
>> Please bear in mind that this isn't going to be comprehensive, but it
>> is a fair start.  If anyone would like to collaborate on a more
>> comprehensive solution, again, do feel free to e-mail me.
>>
>> Cheers!
>> -C
>>
>>
>> #!/bin/sh
>> # rptbdgys by C.J. Steele, CISSP <coreyjsteele at yahoo.com>
>> #
>> # this quick script goes through /var/log/messages and pulls out hosts
>> # that have been trying to brute-force attack my box and automatically
>> # e-mails the persons responsible for their whois zones.
>> #
>> # your mileage may vary, depending on your log configuration and
>> # execution environment...make sure you have standard tools like grep,
>> # awk, sed, whois, and mail in the $PATH of whatever is executing this.
>> #
>> # NOTE: populate /tmp/sshbfmsg with whatever nasty-gram you want to
>> # send to the responsible parties...
>> #
> # I would add a path statement to address trojaned path/binaries local
> # exploit issues
> # perhaps a few variables for things like log directory
> LOGDIR=/var/log
> LOGNAME=messages
> PATH=/sbin:/bin:/usr/sbin:/usr/bin
>> # pull the rhost= field out of sshd's failed-auth lines (field 13 in this
>> # log format), strip the "rhost=" prefix and de-duplicate the sources
>> offenders=`grep sshd $LOGDIR/$LOGNAME | grep rhost | awk '{print $13}' | sed -e 's/rhost=//' | sort | uniq`
>>
>> for host in $offenders; do
>>
>>   # resolve the logged name to an address for the whois lookup
>>   offip=`host $host | awk '{print $4}'`
>>   if [ "$offip" != "" ]; then
>>     for email in `whois $offip | grep "e-mail" | awk '{print $2}'`; do
>>       if [ "$email" != "" ]; then
>>         mail -s "sshd brute-force attack" $email < /tmp/sshbfmsg
>>       else
>>         echo "no e-mail available for $offip ($host)"
>>       fi
>>     done
>>   else
>>     echo "no dns for $host"
>>   fi
>>
>> done
>>
>>
>>
>> --- "Smith, Donald" <Donald.Smith at qwest.com> wrote:
>>> I must echo Scott's question and make a comment.
>>> How many of the bruteforce ssh IPs do you report to the ISPs?
>>>
>>> My comment is we as a community are FAILING!
>>> Every bruteforce password guessing sshd attempt I have tracked/seen went
>>> to a host that was compromised via bruteforce password guessing. I think
>>> this continues to grow because we don't report them soon enough. If you
>>> get a host attempting brute force sshd you should report it asap. It is
>>> not spoofed. If we report enough of them eventually we should run into
>>> the first hop system. From that system the actual hacker could be
>>> traced.
>>>
>>> We as a community should be able to quickly report and respond to these;
>>> if we did we would be winning rather than losing this battle.
>>>
>>> I know there are lots of ways to automatically turn these away with
>>> syslog to ipfilters and other similar "ips" like tools. Perhaps a good
>>> autoreporting tool could assist us in this effort.
>>>
>>>
>>> donald.smith at qwest.com giac
>>>
>>>> -----Original Message-----
>>>> From: intrusions-bounces at lists.sans.org
>>>> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Scott Mcintyre
>>>> Sent: Monday, May 30, 2005 2:11 PM
>>>> To: Intrusions List (GCIA Practicals)
>>>> Subject: Re: [Intrusions] SSH brute forcers
>>>>
>>>>
>>>> How many of the ips do you actually report to the isps?
>>>>
>>>> BruteForcing in general should not be much of a problem, install brute
>>>> force detectors, there's lots out there.  Even if someone does brute
>>>> force you for a reason, you should not have anything to worry about
>>>> providing you use strong passwords.
>>>>
>>>>> WOOOHOOO.  It's getting to the point that the SSH brute force attempts
>>>>> on the 2 servers I am working on atm are coming at 4 to 8 times a day,
>>>>> no reasoning behind the number of attempts yet either.
>>>>>
>>>>> Jim McCullough
>>>>>
>>>>> On 5/28/05, DHoelzer at cyber-defense.org <DHoelzer at cyber-defense.org> wrote:
>>>>>> I've been automatically shunning SSH brute forcers for several months now
>>>>>> but I've recently decided to become a bit more aggressive.  I am now
>>>>>> publishing a blacklist populated by known SSH bruteforcing sources on my
>>>>>> site that is updated every minute based on my own detects from several
>>>>>> sites.  If you have any addresses to contribute please send them my way.
>>>>>> Feel free to grab a copy of the list if you want to populate your ACLs
>>>>>> which is what I'm doing for my customers.
>>>>>>
>>>>>> Best regards
>>>>>> -----------------------------------------------------
>>>>>> David Hoelzer
>>>>>> Cyber-Defense.org
>>>>>> http://www.cyber-defense.org/CV.html
>>>>>> _______________________________________________
>>>>>> Intrusions mailing list
>>>>>> Intrusions at lists.sans.org
>>>>>> http://www.dshield.org/mailman/listinfo/intrusions
>>>>>>
>>>>>
>>>>>
>>>>> -- 
>>>>> Jim McCullough
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>> --
>> C.J. Steele, CISSP <coreyjsteele at yahoo.com>
>>
>
>
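A hardened version of the log-mining step from C.J.'s script, with Donald's PATH and log-location suggestions applied; this is an added example, not code from anyone in the thread. The function name, the attempt threshold and the sample log lines are assumptions, and the whois/mail reporting loop is left to the original script.

```shell
#!/bin/sh
# Added example: the log-mining step of the thread's script, hardened.
# Applies Donald's advice (fixed PATH, variables for the log location) and
# finds rhost= anywhere on the line instead of relying on awk field 13.
# Function name, threshold and sample log lines are assumptions.
PATH=/sbin:/bin:/usr/sbin:/usr/bin
export PATH

LOGDIR=${LOGDIR:-/var/log}
LOGNAME=${LOGNAME:-messages}
THRESHOLD=${THRESHOLD:-5}   # failed attempts before a source is reported

# Constructed sample of the sshd/PAM lines the original script greps for
# (documentation addresses, not real attackers).
SAMPLE_LOG='May 31 20:01:02 box sshd(pam_unix)[1234]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10  user=root
May 31 20:01:05 box sshd(pam_unix)[1235]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10  user=admin
May 31 20:02:11 box sshd(pam_unix)[1240]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=198.51.100.7  user=test
May 31 20:03:00 box sshd[1250]: Accepted publickey for alice from 203.0.113.5 port 4444 ssh2'

# list_offenders [min]: read syslog lines on stdin, print "count source" for
# every rhost= value seen at least min times (default $THRESHOLD).
# Taking rhost= wherever it appears survives log formats that shift the
# field position; an empty rhost= is skipped rather than reported.
list_offenders() {
  min=${1:-$THRESHOLD}
  grep 'sshd' | grep 'rhost=' \
    | sed -n 's/.*rhost=\([^ ][^ ]*\).*/\1/p' \
    | sort | uniq -c \
    | awk -v min="$min" '$1 >= min { print $1, $2 }'
}

# On a real host: list_offenders < "$LOGDIR/$LOGNAME"
# The whois/mail loop from the original script can then consume the second
# column. Demonstrate on the constructed sample with a threshold of 2:
printf '%s\n' "$SAMPLE_LOG" | list_offenders 2
```

Sources below the threshold (the single attempt from 198.51.100.7 here) stay out of the report, so a one-off typo from a legitimate user does not generate an abuse complaint.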