[Intrusions] SSH brute forcers

Smith, Donald Donald.Smith at qwest.com
Thu Jun 2 22:22:22 GMT 2005


Thanks!

donald.smith at qwest.com giac 

> -----Original Message-----
> From: intrusions-bounces at lists.sans.org 
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of C.J. Steele
> Sent: Wednesday, June 01, 2005 5:47 PM
> To: Intrusions List (GCIA Practicals)
> Subject: Re: [Intrusions] SSH brute forcers
> 
> 
> I did make one small change to the script to include the offending IP
> address in the subject of the e-mail whereupon in the sshbfmsg file I
> direct the recipient of the e-mail to follow-up based on the ip address
> of the 'attacker'.
> 
> Anywho, I'll probably make a few more additions to the script this
> evening (incorporating Donald's suggestion(s)) and I'll re-post it to
> the list.  
> 
> Ciao,
> -C
> 
> --- Joel Esler <eslerj at gmail.com> wrote:
> 
> > Also..  whats ur sshbfmsg say?
> > 
> > J
> > 
> > 
> > On Jun 1, 2005, at 3:26 PM, Smith, Donald wrote:
> > 
> > > CJ good work.
> > > I would add a specific PATH statement to prevent tainting and maybe
> > > some vars for the log location.
> > >
> > >
> > > donald.smith at qwest.com giac
> > >
> > >> -----Original Message-----
> > >> From: intrusions-bounces at lists.sans.org
> > >> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of C.J.
> > Steele
> > >> Sent: Tuesday, May 31, 2005 8:24 PM
> > >> To: Intrusions List (GCIA Practicals)
> > >> Subject: RE: [Intrusions] SSH brute forcers
> > >>
> > >>
> > >> Spot-on Donald!  Inspired by your admonishment, I've hacked together a
> > >> quick shell script to automatically do this for me... see below.  If
> > >> anyone has any questions, do feel free to e-mail me.
> > >>
> > >> Please bear in mind that this isn't going to be comprehensive, but it
> > >> is a fair start.  If anyone would like to collaborate on a more
> > >> comprehensive solution, again, do feel free to e-mail me.
> > >>
> > >> Cheers!
> > >> -C
> > >>
> > >>
> > >> #!/bin/sh
> > >> # rptbdgys by C.J. Steele, CISSP <coreyjsteele at yahoo.com>
> > >> #
> > >> # this quick script goes through /var/log/messages and pulls out hosts
> > >> # that have been trying to brute-force attack my box and automatically
> > >> # e-mails the persons responsible for their whois zones.
> > >> #
> > >> # your mileage may vary, depending on your log configuration and
> > >> # execution environment...make sure you have standard tools like grep,
> > >> # awk, sed, whois, and mail in the $PATH of whatever is executing this.
> > >> #
> > >> # NOTE: populate /tmp/sshbfmsg with whatever nasty-gram you want to
> > >> # send to the responsible parties...
> > >> #
> > > # I would add a path statement to address trojaned path/binaries local
> > > # exploit issues
> > > # perhaps a few variables for things like log directory
> > > LOGDIR=/var/log
> > > LOGNAME=messages
> > > PATH=/sbin:/bin:/usr/sbin:/usr/bin
> > >> # unique rhost= values from sshd's pam_unix failure lines (field 13
> > >> # assumes the standard "authentication failure; ... rhost=X user=Y" layout)
> > >> offenders=`grep sshd $LOGDIR/$LOGNAME | grep rhost | awk '{print $13}' \
> > >>   | sed -e 's/rhost=//' | sort | uniq`
> > >>
> > >> for host in $offenders; do
> > >>
> > >>   # resolve the logged name (or address) to an IP for the whois lookup
> > >>   offip=`host $host | awk '{print $4}'`
> > >>   if [ "$offip" != "" ]; then
> > >>     for email in `whois $offip | grep "e-mail" | awk '{print $2}'`; do
> > >>       if [ "$email" != "" ]; then
> > >>         mail -s "sshd brute-force attack" $email < /tmp/sshbfmsg
> > >>       else
> > >>         echo "no e-mail available for $offip ($host)"
> > >>       fi
> > >>     done
> > >>   else
> > >>     echo "no dns for $host"
> > >>   fi
> > >>
> > >> done
> > >>
> > >>
> > >>
> > >> --- "Smith, Donald" <Donald.Smith at qwest.com> wrote:
> > >>> I must echo Scott's question and make a comment.
> > >>> How many of the bruteforce ssh IPs do you report to the ISPs?
> > >>>
> > >>> My comment is we as a community are FAILING!
> > >>> Every bruteforce password guessing sshd attempt I have tracked/seen went
> > >>> to a host that was compromised via bruteforce password guessing. I think
> > >>> this continues to grow because we don't report them soon enough. If you
> > >>> get a host attempting brute force sshd you should report it asap. It is
> > >>> not spoofed. If we report enough of them eventually we should run into
> > >>> the first hop system. From that system the actual hacker could be
> > >>> traced.
> > >>>
> > >>> We as a community should be able to quickly report and respond to these;
> > >>> if we did, we would be winning rather than losing this battle.
> > >>>
> > >>> I know there are lots of ways to automatically turn these away with
> > >>> syslog to ipfilters and other similar "ips" like tools. Perhaps a good
> > >>> autoreporting tool could assist us in this effort.
> > >>>
> > >>>
> > >>> donald.smith at qwest.com giac
> > >>>
> > >>>> -----Original Message-----
> > >>>> From: intrusions-bounces at lists.sans.org
> > >>>> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Scott Mcintyre
> > >>>> Sent: Monday, May 30, 2005 2:11 PM
> > >>>> To: Intrusions List (GCIA Practicals)
> > >>>> Subject: Re: [Intrusions] SSH brute forcers
> > >>>>
> > >>>>
> > >>>> How many of the ips do you actually report to the isps?
> > >>>>
> > >>>> BruteForcing in general should not be much of a problem, install brute
> > >>>> force detectors, there's lots out there.  Even if someone does brute
> > >>>> force you for a reason, you should not have anything to worry about
> > >>>> providing you use strong passwords.
> > >>>>
> > >>>>> WOOOHOOO.  It's getting to the point that the SSH brute force attempts
> > >>>>> on the 2 servers I am working on atm are coming at 4 to 8 times a day,
> > >>>>> no reasoning behind the number of attempts yet either.
> > >>>>>
> > >>>>> Jim McCullough
> > >>>>>
> > >>>>> On 5/28/05, DHoelzer at cyber-defense.org <DHoelzer at cyber-defense.org> wrote:
> > >>>>>> I've been automatically shunning SSH brute forcers for several months now
> > >>>>>> but I've recently decided to become a bit more aggressive.  I am now
> > >>>>>> publishing a blacklist populated by known SSH bruteforcing sources on my
> > >>>>>> site that is updated every minute based on my own detects from several
> > >>>>>> sites.  If you have any addresses to contribute please send them my way.
> > >>>>>> Feel free to grab a copy of the list if you want to populate your ACLs
> > >>>>>> which is what I'm doing for my customers.
> > >>>>>>
> > >>>>>> Best regards
> > >>>>>> -----------------------------------------------------
> > >>>>>> David Hoelzer
> > >>>>>> Cyber-Defense.org
> > >>>>>> http://www.cyber-defense.org/CV.html
> > >>>>>> _______________________________________________
> > >>>>>> Intrusions mailing list
> > >>>>>> Intrusions at lists.sans.org
> > >>>>>> http://www.dshield.org/mailman/listinfo/intrusions
> > >>>>>>
> > >>>>>
> > >>>>>
> > >>>>> -- 
> > >>>>> Jim McCullough
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>
> > >>>>
> > >>>>
> > >>>
> > >>>
> > >>
> > >> --
> > >> C.J. Steele, CISSP <coreyjsteele at yahoo.com>
> > >>
> > >
> > >
> > 
> > 
> 
> 
> --
> C.J. Steele, CISSP <coreyjsteele at yahoo.com>
> 
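A hardened version of the log-parsing step this thread is about, added here as an example rather than C.J. Steele's or Donald Smith's code: it pins PATH as Donald suggested, finds the rhost= value by pattern instead of a fixed awk field number, also counts OpenSSH's "Failed password ... from <ip> port" lines, and only reports sources that exceed a threshold. The log lines are constructed, and the function name sshbf_offenders is my own.

```shell
#!/bin/sh
# Added example, not the script posted in the thread. Reads sshd syslog
# lines on stdin and prints "count source" for every source seen at
# least THRESHOLD times, so a single mistyped password is not reported.
PATH=/sbin:/bin:/usr/sbin:/usr/bin   # fixed PATH, as Donald suggested
export PATH

# Usage: sshbf_offenders [threshold] < logfile   (threshold defaults to 3)
# Matches the rhost= field of pam_unix failures by pattern rather than by
# field number, plus OpenSSH's "Failed password ... from <ip> port" lines.
# Lines with an empty rhost= and non-sshd lines are ignored.
sshbf_offenders() {
    min="${1:-3}"
    awk -v min="$min" '
        /sshd/ && match($0, /rhost=[^ ]+/) {
            src = substr($0, RSTART + 6, RLENGTH - 6); n[src]++; next
        }
        /sshd/ && /Failed password/ && match($0, / from [^ ]+ port /) {
            src = substr($0, RSTART + 6, RLENGTH - 12); n[src]++
        }
        END { for (s in n) if (n[s] >= min) print n[s], s }
    ' | sort -rn
}

# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG='Jun  1 14:02:11 gw sshd[2201]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
Jun  1 14:02:13 gw sshd[2201]: Failed password for root from 192.0.2.10 port 40122 ssh2
Jun  1 14:02:15 gw sshd[2203]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=admin
Jun  1 14:02:17 gw sshd[2205]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=test
Jun  1 14:05:40 gw sshd[2210]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=bob
Jun  1 14:06:02 gw sshd[2212]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost= user=bob
Jun  1 14:07:00 gw su[2230]: pam_unix(su:auth): authentication failure; logname=bob uid=1000 euid=0 tty=pts/0 ruser=bob rhost= user=root'

# With the default threshold only 192.0.2.10 (4 failures) is reported;
# the single failure from 198.51.100.7 and the empty rhost= are not.
printf '%s\n' "$SAMPLE_LOG" | sshbf_offenders
```

The output feeds the same whois and mail step as the script earlier in the thread; the field number 13 used there only holds for pam_unix lines, which is why the pattern match is used here.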



