[Intrusions] SSH brute forcers

C.J. Steele coreyjsteele at yahoo.com
Wed Jun 1 23:47:01 GMT 2005


I did make one small change to the script to include the offending IP
address in the subject of the e-mail whereupon in the sshbfmsg file I
direct the recipient of the e-mail to follow-up based on the ip address
of the 'attacker'.

Anywho, I'll probably make a few more additions to the script this
evening (incorporating Donald's suggestion(s)) and I'll re-post it to
the list.  

Ciao,
-C

--- Joel Esler <eslerj at gmail.com> wrote:

> Also..  what's ur sshbfmsg say?
> 
> J
> 
> 
> On Jun 1, 2005, at 3:26 PM, Smith, Donald wrote:
> 
> > CJ good work.
> > I would add a specific PATH statement to prevent tainting and maybe some
> > vars for the log location.
> >
> >
> > donald.smith at qwest.com giac
> >
> >> -----Original Message-----
> >> From: intrusions-bounces at lists.sans.org
> >> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of C.J. Steele
> >> Sent: Tuesday, May 31, 2005 8:24 PM
> >> To: Intrusions List (GCIA Practicals)
> >> Subject: RE: [Intrusions] SSH brute forcers
> >>
> >>
> >> Spot-on Donald!  Inspired by your admonishment, I've hacked together a
> >> quick shell script to automatically do this for me... see below.  If
> >> anyone has any questions, do feel free to e-mail me.
> >>
> >> Please bear in mind that this isn't going to be comprehensive, but it
> >> is a fair start.  If anyone would like to collaborate on a more
> >> comprehensive solution, again, do feel free to e-mail me.
> >>
> >> Cheers!
> >> -C
> >>
> >>
> >> #!/bin/sh
> >> # rptbdgys by C.J. Steele, CISSP <coreyjsteele at yahoo.com>
> >> #
> >> # this quick script goes through /var/log/messages and pulls out hosts
> >> # that have been trying to brute-force attack my box and automatically
> >> # e-mails the persons responsible for their whois zones.
> >> #
> >> # your mileage may vary, depending on your log configuration and
> >> # execution environment...make sure you have standard tools like grep,
> >> # awk, sed, whois, and mail in the $PATH of whatever is executing this.
> >> #
> >> # NOTE: populate /tmp/sshbfmsg with whatever nasty-gram you want to
> >> # send to the responsible parties...
> >> #
> > # I would add a path statement to address trojaned path/binaries local
> > # exploit issues
> > #perhaps a few variables for things like log directory
> > LOGDIR=/var/log
> > LOGNAME=messages
> > PATH=/sbin:/bin:/usr/sbin:/usr/bin
> >> # log path joined with "/" (was "$LOGDIR\$LOGNAME", which never matches a file)
> >> offenders=`grep sshd $LOGDIR/$LOGNAME | grep rhost | awk '{print $13}' | sed -e s/rhost\=// | sort | uniq`
> >>
> >> for host in $offenders; do
> >>
> >>   offip=`host $host | awk '{print $4}'`
> >>   if [ "$offip" != "" ]; then
> >>     for email in `whois $offip | grep "e-mail" | awk '{print $2}'`; do
> >>       if [ "$email" != "" ]; then
> >>         mail -s "sshd brute-force attack" $email < /tmp/sshbfmsg
> >>       else
> >>         # parentheses must be quoted or sh reports a syntax error here
> >>         echo "no e-mail available for $offip ($host)"
> >>       fi
> >>     done
> >>   else
> >>     echo "no dns for $host"
> >>   fi
> >>
> >> done
> >>
> >>
> >>
> >> --- "Smith, Donald" <Donald.Smith at qwest.com> wrote:
> >>> I must echo Scott's question and make a comment.
> >>> How many of the bruteforce ssh IPs do you report to the ISPs?
> >>>
> >>> My comment is we as a community are FAILING!
> >>> Every bruteforce password guessing sshd attempt I have tracked/seen went
> >>> to a host that was compromised via bruteforce password guessing. I think
> >>> this continues to grow because we don't report them soon enough. If you
> >>> get a host attempting brute force sshd you should report it asap. It is
> >>> not spoofed. If we report enough of them eventually we should run into
> >>> the first hop system. From that system the actual hacker could be traced.
> >>>
> >>> We as a community should be able to quickly report and respond to these;
> >>> if we did we would be winning rather than losing this battle.
> >>>
> >>> I know there are lots of ways to automatically turn these away with
> >>> syslog to ipfilters and other similar "ips" like tools. Perhaps a good
> >>> autoreporting tool could assist us in this effort.
> >>>
> >>>
> >>> donald.smith at qwest.com giac
> >>>
> >>>> -----Original Message-----
> >>>> From: intrusions-bounces at lists.sans.org
> >>>> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Scott Mcintyre
> >>>> Sent: Monday, May 30, 2005 2:11 PM
> >>>> To: Intrusions List (GCIA Practicals)
> >>>> Subject: Re: [Intrusions] SSH brute forcers
> >>>>
> >>>>
> >>>> How many of the ips do you actually report to the isps?
> >>>>
> >>>> BruteForcing in general should not be much of a problem, install brute
> >>>> force detectors, there's lots out there.  Even if someone does brute
> >>>> force you for a reason, you should not have anything to worry about
> >>>> providing you use strong passwords.
> >>>>
> >>>>> WOOOHOOO.  It's getting to the point that the SSH brute force attempts
> >>>>> on the 2 servers I am working on atm are coming at 4 to 8 times a day,
> >>>>> no reasoning behind the number of attempts yet either.
> >>>>>
> >>>>> Jim McCullough
> >>>>>
> >>>>> On 5/28/05, DHoelzer at cyber-defense.org <DHoelzer at cyber-defense.org>
> >>>>> wrote:
> >>>>>> I've been automatically shunning SSH brute forcers for several months now
> >>>>>> but I've recently decided to become a bit more aggressive.  I am now
> >>>>>> publishing a blacklist populated by known SSH bruteforcing sources on my
> >>>>>> site that is updated every minute based on my own detects from several
> >>>>>> sites.  If you have any addresses to contribute please send them my way.
> >>>>>> Feel free to grab a copy of the list if you want to populate your ACLs
> >>>>>> which is what I'm doing for my customers.
> >>>>>>
> >>>>>> Best regards
> >>>>>> -----------------------------------------------------
> >>>>>> David Hoelzer
> >>>>>> Cyber-Defense.org
> >>>>>> http://www.cyber-defense.org/CV.html
> >>>>>> _______________________________________________
> >>>>>> Intrusions mailing list
> >>>>>> Intrusions at lists.sans.org
> >>>>>> http://www.dshield.org/mailman/listinfo/intrusions
> >>>>>>
> >>>>>
> >>>>>
> >>>>> -- 
> >>>>> Jim McCullough
> >>>>>
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>>
> >>>
> >>>
> >>
> >> --
> >> C.J. Steele, CISSP <coreyjsteele at yahoo.com>
> >>
> >
> >
> 
> 


--
C.J. Steele, CISSP <coreyjsteele at yahoo.com>
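The offender-extraction step of the script quoted above, reworked with Donald's PATH and log-variable suggestions, as an added example written for this page and not C.J.'s or the list's own code; the sample log lines, the THRESHOLD value and the offenders function name are constructed assumptions.

```shell
#!/bin/sh
# Added example, not the script from the thread: the "offenders" step with
# Donald's suggestions applied. A fixed PATH (no trojaned binaries from a
# tainted PATH), the log location in variables, the LOGDIR/LOGNAME join done
# with "/" (the posted script used "\$", which yields a nonexistent path), and
# rhost= pulled out by pattern instead of by awk field number, which shifts
# between syslog formats. Nothing is mailed; the output feeds a human review.
PATH=/sbin:/bin:/usr/sbin:/usr/bin
export PATH
LOGDIR=/var/log
LOGNAME=messages
THRESHOLD=3   # assumption: one failure is noise, three from one source is not

# Constructed sample sshd/PAM lines standing in for $LOGDIR/$LOGNAME.
SAMPLE_LOG='May 31 20:01:02 box sshd[4123]: Failed password for illegal user admin from 192.0.2.10 port 4551 ssh2
May 31 20:01:03 box sshd(pam_unix)[4123]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10  user=root
May 31 20:01:05 box sshd(pam_unix)[4125]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10  user=admin
May 31 20:01:09 box sshd(pam_unix)[4127]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10  user=test
May 31 20:02:11 box sshd(pam_unix)[4130]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.7  user=root
May 31 20:02:30 box sshd(pam_unix)[4132]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=  user=root
May 31 20:03:00 box sshd[4131]: Accepted publickey for cj from 198.51.100.5 port 52211 ssh2'

# offenders [min]: read sshd log lines on stdin and print "count source" for
# every rhost= value with at least $min authentication failures. A bare
# "rhost=" (local or unknown source) is skipped rather than reported.
offenders() {
    min=${1:-$THRESHOLD}
    grep 'sshd.*authentication failure' \
      | sed -n 's/.*rhost=\([^ ][^ ]*\).*/\1/p' \
      | sort | uniq -c \
      | awk -v min="$min" '$1 >= min { print $1, $2 }'
}

# Dry run against the constructed sample; on a real host replace the
# printf with: offenders < "$LOGDIR/$LOGNAME"
printf '%s\n' "$SAMPLE_LOG" | offenders
```

The count is what a reviewer needs before any whois lookup or abuse mail goes out: a single failure from one source is rarely worth a report, and an empty rhost= must never become a mail target.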


