[Intrusions] SSH brute forcers

C.J. Steele, CISSP coreyjsteele at yahoo.com
Fri Jun 3 06:28:18 GMT 2005


Okay, so looking over the previous bit of hideousness that I had put
together in a slap-dash fashion, I've taken a considerably more
comprehensive approach, in perl, that I think will actually be useful
(as opposed to the previous script which only worked for non APNIC and
ARIN registrars.)  Anyways, find the attached program quite a bit
better... and available on-line at http://sodaphish.com/files/tattle

Cheers!
Corey



#####begin tattle#####
#!/usr/bin/perl
# tattle by C.J. Steele, CISSP <coreyjsteele at yahoo.com>
#	 (C)opyright 2005, C.J. Steele, all rights reserved.
#
# NOTICE: you're on your own with whatever 'messes' reporting this sort of
# activity may create...you've been warned.
# 
# This script processes log files and attempts to automatically notify domain
# authorities of machines in their domain that are actively performing SSH
# brute-force attacks.  Mangle the variables above the warning to your liking,
# but it would be advisable not to venture past the warning unless you know a
# bit of perl and are comfortable doing so.
#
#
use strict;
use warnings;

use File::MkTemp;
use File::Temp qw(tempfile);
use MIME::Lite;

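my $logfile = "/var/log/messages"; #the place where ssh logs to
my $tmpdir = "/tmp"; #for use when we write out our logs
my @exceptions = ( "192.168.1.", "your.net" );  #domains not to notify of ssh attacks, i.e. your domains
my $smtp_host = "localhost";  #your mail server
my $smtp_sendas = "your\@email.com"; #a VALID e-mail address to send the e-mails out as
my $smtp_message = "An attempt to brute-force account passwords over
SSH has been detected by a machine in your domain.  Attached are logs
indicating the times and dates of the activity.  Please take the
necessary action(s) to stop this activity.  If you have any questions,
please reply to this email or contact me at $smtp_sendas."; #the nasty-gram


########################################################################
# DO NOT MUCK AROUND BELOW THIS POINT UNLESS YOU KNOW WHAT YOU'RE DOING
########################################################################

# Main loop: for every offending host, look up the domain's whois contacts,
# write the matching log lines to a temporary file and mail it to each
# contact.  A failed delivery is reported and skipped rather than aborting
# the run, and the temporary file is removed once the offender is handled.
my @offenders = getoffenders( $logfile );

foreach my $offender ( @offenders )
{
	my $tld = gettld( $offender );
	my @addies = getemails( $tld );
	if( ! scalar( @addies ) )
	{
		print "E: no e-mail addresses found for $tld\n";
		next;
	}
	# one evidence file per offender, shared by every notification for it
	my $logpath = writelogs( getlogs( $offender ) );
	foreach my $addie ( @addies )
	{
		#create the email...
		my $email = MIME::Lite->new(
			From     => $smtp_sendas,
			To       => $addie,
			Cc       => $smtp_sendas,
			Subject  => "SSH Brute-force Attack",
			Type     => "TEXT",
			Data     => $smtp_message
			);
		#attach our log files/evidence...
		$email->attach(
			Type     => 'text/plain',
			Path     => $logpath,
			Filename => "$offender.txt"
			);
		# MIME::Lite's smtp transport croaks on failure (and returns false in
		# other cases); either way one dead contact address must not stop the
		# remaining offenders from being reported
		my $sent = eval { $email->send( 'smtp', $smtp_host ) };
		if( $sent )
		{
			print "I: e-mail sent to $addie ($offender)\n";
		} else {
			my $err = $@ || "send returned false";
			chomp( $err );
			print "E: could not send e-mail to $addie ($offender): $err\n";
		}
	} #end foreach
	# the temp file has done its job; don't leave copies of the log in $tmpdir
	unlink( $logpath ) or warn( "unlink $logpath: $!" );
} #end foreach

exit( 0 );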




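# getlogs( $mark )
# Scans $logfile and returns every line that contains the literal string
# $mark (normally an offending host from getoffenders), one element per
# matching line with its newline stripped.  Dies if $logfile cannot be
# opened.
sub getlogs
{
	my( $mark ) = @_;
	my @logentries;
	open( my $log_fh, '<', $logfile ) or die( "open $logfile: $!" );
	while( my $line = <$log_fh> )
	{
		chomp( $line );
		# \Q..\E: $mark is data lifted from the log, not a pattern; without it
		# every "." in an address matches any character and a host name with
		# regex metacharacters in it would change the meaning of the match
		push( @logentries, $line ) if( $line =~ /\Q$mark\E/ );
	} #end while
	close( $log_fh );
	return @logentries;
} #end getlogs()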




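# writelogs( @logs )
# Writes the given log lines, one per line, to a freshly created temporary
# file under $tmpdir and returns the file's fully-qualified path.  Dies if
# the file cannot be created or written.
sub writelogs
{
	my @logs = @_;
	# File::Temp creates and opens the file in one step (mode 0600), so nothing
	# can be planted at the chosen name between "pick a name" and "open it" the
	# way the old mktemp()-then-open() sequence allowed in a shared /tmp.
	# UNLINK => 0 because the caller attaches the file by path after we return.
	my( $out_fh, $tmpfile ) = tempfile( "rptbdgys.XXXXXX", DIR => $tmpdir, UNLINK => 0 );
	foreach my $entry ( @logs )
	{
		print {$out_fh} $entry, "\n";
	}
	# buffered write errors only surface at close
	close( $out_fh ) or die( "close $tmpfile: $!" );
	return $tmpfile;
} #end writelogs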




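# getoffenders( $log )
# Returns the distinct remote hosts found in the "rhost=" field of sshd
# lines in $log, in order of first appearance, skipping anything listed in
# @exceptions.  Dies if $log cannot be opened.
sub getoffenders
{
	my( $log ) = @_;
	my @offs;
	my %seen;
	open( my $log_fh, '<', $log ) or die( "open $log: $!" );
	while( my $line = <$log_fh> )
	{
		chomp( $line );
		next unless( $line =~ /sshd/ );
		# pull the value straight out of the rhost= field instead of trusting it
		# to be the 13th whitespace-separated token: syslog prefixes, PIDs and
		# the PAM message layout vary between systems, and the old fixed index
		# silently picked up the neighbouring "ruser=" token on some of them
		next unless( $line =~ /rhost=(\S*)/ );
		my $off = $1;
		next if( $off eq "" );
		next if( $seen{$off}++ );
		# NOTE(review): @exceptions entries are compared with eq, so an entry
		# such as "192.168.1." only excludes a host named exactly that -- confirm
		# whether prefix/suffix matching was intended before relying on it
		next if( isin( $off, @exceptions ) );
		push( @offs, $off );
	} #endwhile
	close( $log_fh );
	return( @offs );
} #end getoffenders()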




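# gettld( $in )
# Reduces a host name to the domain that whois should be asked about:
# "host.example.com" -> "example.com", "host.example.co.uk" ->
# "example.co.uk".  A dotted-quad IP address is returned unchanged, as is
# any name with fewer than three labels.  This is a heuristic: a two-letter
# TLD is taken to be a country code, and a label of three characters or
# fewer in front of it ("co", "com", "ac", ...) is taken to be a registry
# second-level domain.  Known not to work for addresses like dom.com.co.
sub gettld
{
	my( $in ) = @_;
	# anchored dotted quad.  The old unanchored /[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*/
	# also fired on any host name containing three dots with only digits (or
	# nothing) between them, so such names were never reduced to their domain.
	if( $in =~ /\A[0-9]{1,3}(?:\.[0-9]{1,3}){3}\z/ )
	{
		# IP address: no reverse lookup is attempted, the address itself is
		# what whois gets asked about
		return $in;
	}
	my @bits = split( /\./, $in );
	my $bitslen = scalar( @bits );
	# nothing to trim from "host" or "example.com"
	return $in if( $bitslen <= 2 );
	my $tld = $bits[-1];
	my $sld = $bits[-2];
	if( length( $tld ) == 2 and length( $sld ) <= 3 )
	{
		# country-code TLD with a short registry label in front (co.uk, com.au)
		return join( ".", @bits[-3, -2, -1] );
	}
	return "$sld.$tld";
} #end gettld()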




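# getemails( $tld )
# Runs whois for $tld and returns the distinct whitespace-separated tokens
# of its output that contain "@", in order of first appearance.  Tokens
# ending in @apnic.net are skipped (presumably so the registry's own contact
# addresses are not mailed -- the original carried no explanation).  Returns
# an empty list when $tld does not look like a host name or address, when
# whois cannot be started, or when its output holds no addresses.
sub getemails
{
	my( $tld ) = @_;
	my @emailaddies;
	my %seen;
	# $tld is ultimately lifted from the rhost= field of a log line, i.e. from
	# data a remote party influenced; accept only host-name/dotted-quad
	# characters before handing it to a child process
	if( $tld !~ /\A[A-Za-z0-9._-]+\z/ )
	{
		print "E: refusing to run whois on odd-looking name '$tld'\n";
		return @emailaddies;
	}
	# list-form open: no shell is involved, so $tld reaches whois as a single
	# argument exactly as-is (the backtick form interpolated it into a shell
	# command line)
	open( my $whois_fh, '-|', '/usr/bin/whois', $tld ) or do {
		print "E: could not run whois for $tld: $!\n";
		return @emailaddies;
	};
	while( my $line = <$whois_fh> )
	{
		chomp( $line );
		next unless( $line =~ /\@/ );
		# the line had an e-mail address in it...
		foreach my $bit ( split( /\s/, $line ) )
		{
			next unless( $bit =~ /\@/ );
			next if( $bit =~ /\@apnic\.net$/ );
			push( @emailaddies, $bit ) unless( $seen{$bit}++ );
		} #end foreach
	} #end while
	close( $whois_fh );
	return @emailaddies;
} #end getemails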




# isin( $e, @a )
# Membership test: returns 1 when $e is string-equal to at least one
# element of @a, and 0 otherwise (including for an empty @a).
sub isin
{
	my( $e, @a ) = @_;
	my @matches = grep { $_ eq $e } @a;
	return scalar( @matches ) ? 1 : 0;
} #end isin()

######end tattle######





--- "C.J. Steele" <coreyjsteele at yahoo.com> wrote:

> I did make one small change to the script to include the offending IP
> address in the subject of the e-mail whereupon in the sshbfmsg file I
> direct the recipient of the e-mail to follow-up based on the ip
> address
> of the 'attacker'.
> 
> Anywho, I'll probably make a few more additions to the script this
> evening (incorporating Donald's suggestion(s)) and I'll re-post it to
> the list.  
> 
> Ciao,
> -C
> 
> --- Joel Esler <eslerj at gmail.com> wrote:
> 
> > Also..  whats ur sshbfmsg say?
> > 
> > J
> > 
> > 
> > On Jun 1, 2005, at 3:26 PM, Smith, Donald wrote:
> > 
> > > CJ good work.
> > > I would add a specific PATH statement to prevent tainting and
> maybe
> > 
> > > some
> > > vars for the log location.
> > >
> > >
> > > donald.smith at qwest.com giac
> > >
> > >> -----Original Message-----
> > >> From: intrusions-bounces at lists.sans.org
> > >> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of C.J.
> > Steele
> > >> Sent: Tuesday, May 31, 2005 8:24 PM
> > >> To: Intrusions List (GCIA Practicals)
> > >> Subject: RE: [Intrusions] SSH brute forcers
> > >>
> > >>
> > >> Spot-on Donald!  Inspired by your admonishment, I've hacked
> > together a
> > >> quick shell script to automatically do this for me... see below.
> 
> > If
> > >> anyone has any questions, do feel free to e-mail me.
> > >>
> > >> Please bear in mind that this isn't going to be comprehensive,
> but
> > it
> > >> is a fair start.  If anyone would like to collaborate on a more
> > >> comprehensive solution, again, do feel free to e-mail me.
> > >>
> > >> Cheers!
> > >> -C
> > >>
> > >>
> > >> #!/bin/sh
> > >> # rptbdgys by C.J. Steele, CISSP <coreyjsteele at yahoo.com>
> > >> #
> > >> # this quick script goes through /var/log/messages and pulls
> > >> out hosts
> > >> # that have been trying to brute-force attack my box and
> > >> automatically
> > >> # e-mails the persons responsible for their whois zones.
> > >> #
> > >> # your mileage may vary, depending on your log configuration and
> > >> # execution environment...make sure you have standard tools
> > >> like grep,
> > >> # awk, sed, whois, and mail in the $PATH of whatever is
> > >> executing this.
> > >> #
> > >> # NOTE: populate /tmp/sshbfmsg with whatever nasty-gram you want
> > to
> > >> # send to the responsible parties...
> > >> #
> > > # I would add a path statement to address trojaned path/binaries
> > local
> > > exploit issues
> > > #perhaps a few variables for things like log directory
> > > LOGDIR=/var/log
> > > LOGNAME=messages
> > > PATH=/sbin:/bin:/usr/sbin:/usr/bin
> > >> offenders=`grep sshd $LOGDIR\$LOGNAME | grep rhost | awk
> > >> {'print $13'}
> > >> | sed -e s/rhost\=// | sort | uniq`
> > >>
> > >> for host in $offenders; do
> > >>
> > >>   offip=`host $host | awk {'print $4'}`
> > >>   if [ "$offip" != "" ]; then
> > >>     for email in `whois $offip | grep "e-mail" | awk {'print
> > $2'}`; do
> > >>       if [ "$email" != "" ]; then
> > >>         mail -s "sshd brute-force attack" $email < /tmp/sshbfmsg
> > >>       else
> > >>         echo no e-mail available for $offip ($host)
> > >>       fi
> > >>     done
> > >>   else
> > >>     echo no dns for $host
> > >>   fi
> > >>
> > >> done
> > >>
> > >>
> > >>
> > >> --- "Smith, Donald" <Donald.Smith at qwest.com> wrote:
> > >>> I must echo Scott's question and make a comment.
> > >>> How many of the bruteforce ssh IPs do you report to the ISPs?
> > >>>
> > >>> My comment is we as a community are FAILING!
> > >>> Every bruteforce password guessing sshd attempt I have
> > tracked/seen
> > >>> went
> > >>> to a host that was compromised via bruteforce password
> guessing.
> > I
> > >>> think
> > >>> this continues to grow because we don't report them soon
> enough.
> > If
> > >>> you
> > >>> get a host attempting brute force sshd you should report it
> asap.
> > It
> > >>> is
> > >>> not spoofed. If we report enough of them eventually we should
> run
> > >>> into
> > >>> the first hop system. From that system the actual hacker could
> be
> > >>> traced.
> > >>>
> > >>> We as a community should be able to quickly report and respond
> to
> > >>> these
> > >>> if we did we would be winning rather than losing this battle.
> > >>>
> > >>> I know there are lots of ways to automatically turn these away
> > with
> > >>> syslog to ipfilters and other similar "ips" like tools. Perhaps
> a
> > >>> good
> > >>> autoreporting tool could assist us in this effort.
> > >>>
> > >>>
> > >>> donald.smith at qwest.com giac
> > >>>
> > >>>> -----Original Message-----
> > >>>> From: intrusions-bounces at lists.sans.org
> > >>>> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Scott
> > >>> Mcintyre
> > >>>> Sent: Monday, May 30, 2005 2:11 PM
> > >>>> To: Intrusions List (GCIA Practicals)
> > >>>> Subject: Re: [Intrusions] SSH brute forcers
> > >>>>
> > >>>>
> > >>>> How many of the ips do you actually report to the isps?
> > >>>>
> > >>>> BruteForcing in general should not be much of a problem,
> > >>>> install brute
> > >>>> force detectors, theres lots out there.  Even if someone
> > >> does brute
> > >>>
> > >>>> force you for a reason, you should not have anything to
> > >> worry about
> > >>>
> > >>>> providing you use strong passwords.
> > >>>>
> > >>>>> WOOOHOOO.  Its getting to the point that the SSH brute
> > >>>> force attmepts
> > >>>>> on the 2 servers I am working on atm are coming at 4 to
> > >> 8 times a
> > >>>
> > >>>> day,
> > >>>>> no reasoning behind the number of attempts yet either.
> > >>>>>
> > >>>>> Jim McCullough
> > >>>>>
> > >>>>> On 5/28/05, DHoelzer at cyber-defense.org
> > >>> <DHoelzer at cyber-defense.org>
> > >>>> wrote:
> > >>>>>> I've been automatically shunning SSH brute forcers
> > >> for several
> > >>>> months now
> > >>>>>> but I've recently decided to become a bit more aggressive. 
> I
> > >>> am
> > >>>> now
> > >>>>>> publishing a blacklist populated by known SSH
> > >>>> bruteforcing sources
> > >>>> on my
> > >>>>>> site that is updated every minute based on my own
> > >> detects from
> > >>>> several
> > >>>>>> sites.  If you have any addresses to contribute please send
> > >>> them
> > >>>> my way.
> > >>>>>> Feel free to grab a copy of the list if you want to populate
> > >>> your
> > >>>> ACLs
> > >>>>>> which is what I'm doing for my customers.
> > >>>>>>
> > >>>>>> Best regards
> > >>>>>> -----------------------------------------------------
> > >>>>>> David Hoelzer
> > >>>>>> Cyber-Defense.org
> > >>>>>> http://www.cyber-defense.org/CV.html
> > >>>>>> _______________________________________________
> > >>>>>> Intrusions mailing list
> > >>>>>> Intrusions at lists.sans.org
> > >>>>>> http://www.dshield.org/mailman/listinfo/intrusions
> > >>>>>>
> > >>>>>
> > >>>>>
> > >>>>> -- 
> > >>>>> Jim McCullough
> > >>>>>
> > >>>>> _______________________________________________
> > >>>>> Intrusions mailing list
> > >>>>> Intrusions at lists.sans.org
> > >>>>> http://www.dshield.org/mailman/listinfo/intrusions
> > >>>>>
> > >>>>>
> > >>>>
> > >>>>
> > >>>> _______________________________________________
> > >>>> Intrusions mailing list
> > >>>> Intrusions at lists.sans.org
> > >>>> http://www.dshield.org/mailman/listinfo/intrusions
> > >>>>
> > >>>
> > >>> _______________________________________________
> > >>> Intrusions mailing list
> > >>> Intrusions at lists.sans.org
> > >>> http://www.dshield.org/mailman/listinfo/intrusions
> > >>>
> > >>
> > >> --
> > >> C.J. Steele, CISSP <coreyjsteele at yahoo.com>
> > >> _______________________________________________
> > >> Intrusions mailing list
> > >> Intrusions at lists.sans.org
> > >> http://www.dshield.org/mailman/listinfo/intrusions
> > >>
> > >
> > > _______________________________________________
> > > Intrusions mailing list
> > > Intrusions at lists.sans.org
> > > http://www.dshield.org/mailman/listinfo/intrusions
> > >
> > 
> > _______________________________________________
> > Intrusions mailing list
> > Intrusions at lists.sans.org
> > http://www.dshield.org/mailman/listinfo/intrusions
> > 
> 
> 
> --
> C.J. Steele, CISSP <coreyjsteele at yahoo.com>
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions
> 


--
C.J. Steele, CISSP <coreyjsteele at yahoo.com>


