
[nycphp-talk] [OT] SSH security question

max max at neuropunks.org
Mon May 2 11:00:16 EDT 2005


hello
I get a ton of those every day. Since I use FreeBSD, they get reported to me via email as part of the daily security check.
The format of that email looks like this:
finn login failures:
Apr 30 10:55:42 finn sshd[31415]: Failed password for illegal user nobody from 67.18.130.50 port 49027 ssh2
Apr 30 10:55:43 finn sshd[32022]: Failed password for illegal user patrick from 67.18.130.50 port 49063 ssh2
Apr 30 10:55:48 finn sshd[32404]: Failed password for illegal user patrick from 67.18.130.50 port 49117 ssh2
Apr 30 10:55:48 finn sshd[33059]: Failed password for illegal user root from 67.18.130.50 port 49150 ssh2
Apr 30 10:55:49 finn sshd[33106]: Failed password for illegal user root from 67.18.130.50 port 49186 ssh2
Apr 30 10:55:51 finn sshd[33753]: Failed password for illegal user root from 67.18.130.50 port 49217 ssh2

and so on, for many many pages.
I got really fed up with this, and since I do believe in a bit of vigilantism, I made a little Perl script which gets called from procmail in root's dir on every occurrence of those emails. The script sends one email per attempt to the security/technical contact for the IP address/block.
Now, this will generate quite a bit of traffic on your end, but I found that nothing gets your attention more about a broken machine on your network than 5000 email messages. Call me a bastard : )
You can call it from procmail like so:
---
[root@finn dev]# cat ~system/.procmail/rc.ssh
:0c
* ^Subject:.*security*
| /root/system/bin/parse_ssh.pl
[root@finn dev]# cat ~system/.procmailrc
PROCMAILDIR=$HOME/.procmail
INCLUDERC=$PROCMAILDIR/rc.ssh
---
The script is below, just remember what happens when you use it...
(yeah, it's pretty bad Perl, you'll even find a goto in it)
---
#!/usr/bin/perl
use strict;
use warnings;

# Source addresses never to report: the LAN, our own block and loopback.
my $ignore = qr/192\.168|216\.254\.70\.208|127\.0/;

foreach my $line (<STDIN>) {
        chomp $line;    # a bare "chomp;" only trims $_, not $line
        next if $line =~ $ignore;
        # Capture the address from the line instead of trusting split()[12]:
        # syslog pads single-digit days ("Apr  1"), which shifts every field.
        if ($line =~ /Failed password for (?:illegal|invalid) user \S+ from (\d{1,3}(?:\.\d{1,3}){3}) port \d+/) {
                my $ip    = $1;
                my $email = do_lookup($ip);
                if (defined $email) {
                        do_notify($email, $ip, $line);
                } else {
                        print "No contact found for $ip\n";
                }
        }
}

# Ask ARIN for the contact of an address, following a ReferralServer line to
# the regional registry when ARIN is not authoritative. Returns the e-mail
# address or undef. whois output is read through a pipe instead of a
# predictable /tmp/whois.<ip>.<pid> file that then had to be removed.
sub do_lookup {
        my ($ip) = @_;
        my $email;
        print "ip is $ip\n";

        open(my $arin, '-|', 'whois', '-a', $ip) or die "Error: $!\n";
        LINE: while (my $line = <$arin>) {
                chomp $line;
                if ($line =~ m{ReferralServer:\s*\S+//(\S+)}) {
                        my $server = $1;
                        print "Referral Server found: $server Forking whois..\n";
                        print "IP: $ip\n";
                        open(my $whois, '-|', 'whois', '-h', $server, $ip) or die "Error: $!\n";
                        while (my $rline = <$whois>) {
                                chomp $rline;
                                if ($rline =~ /e-mail:\s*(\S+)/) {
                                        $email = $1;
                                        print "OrgTechEmail: $email\n";
                                        last;
                                }
                        }
                        close($whois);
                        last LINE if defined $email;
                }
                if ($line =~ /(?:OrgTechEmail|TechEmail):\s*(\S+)/) {
                        $email = $1;
                        print "OrgTechEmail: $email\n";
                        last LINE;
                }
        }
        close($arin);
        return $email;
}

# Send the offending log line to the contact, copying root. mail(1) is started
# with a list-form open so the attacker-chosen username inside the line is
# handed over as data and never interpolated into a shell command.
sub do_notify {
        my ($email, $ip, $msg) = @_;
        print "$msg\n";
        open(my $mail, '|-', 'mail', '-c', 'root',
             '-s', "SSH Breakin Attempt detected from your $ip, check your system!", $email)
                or die "Error: $!\n";
        print $mail "$msg\n";
        close($mail);
}




On Sat, Apr 30, 2005 at 01:26:27PM -0400, David Mintz wrote:
> 
> Is it normal to get attacked like this just about every day?
> 
> 
>  --------------------- SSHD Begin ------------------------
> 
> 
> Failed logins from these:
>    bin/password from 210.68.71.220: 17 Time(s)
>    boss/password from 210.68.71.220: 17 Time(s)
>    chris/password from 210.68.71.220: 17 Time(s)
>    cristina/password from 210.68.71.220: 17 Time(s)
>    daemon/password from 210.68.71.220: 17 Time(s)
>    ftp/password from 210.68.71.220: 17 Time(s)
>    ftpuser/password from 210.68.71.220: 17 Time(s)
>    mailtest/password from 210.68.71.220: 17 Time(s)
>    michelle/password from 210.68.71.220: 17 Time(s)
>    mysql/password from 210.68.71.220: 17 Time(s)
>    news/password from 210.68.71.220: 17 Time(s)
>    oracle/password from 210.68.71.220: 17 Time(s)
>    postfix/password from 210.68.71.220: 17 Time(s)
>    postgres/password from 210.68.71.220: 17 Time(s)
>    richard/password from 210.68.71.220: 17 Time(s)
>    service/password from 210.68.71.220: 17 Time(s)
>    testuser/password from 210.68.71.220: 17 Time(s)
> 
> 
> ---
> David Mintz
> http://davidmintz.org/
> 
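The same log-to-abuse-report flow as max's script, written as an added example (not code from the post or the list): it parses the sshd lines quoted above by regex rather than field position, picks a registry contact out of whois text, batches one report per source address, and hands the mail body to mail(1) as data instead of through a shell. The sample log lines, the whois field names preferred, and the ignored networks are assumptions.

```python
import re
import subprocess
from collections import defaultdict

# Anchor on "from <ip> port" instead of split()[12]: syslog pads "Apr  1" with two spaces, shifting every field.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:illegal user |invalid user )?(?P<user>\S+)"
    r" from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+) ssh2$"
)
IGNORE_RE = re.compile(r"^(192\.168\.|127\.)")  # assumed: own LAN and loopback, never reported

def parse_failures(lines):
    """Group failed logins by source IP -> [(username, port), ...]."""
    by_ip = defaultdict(list)
    for line in lines:
        m = FAILED_RE.search(line.rstrip("\n"))
        if m and not IGNORE_RE.match(m.group("ip")):
            by_ip[m.group("ip")].append((m.group("user"), int(m.group("port"))))
    return dict(by_ip)

# ARIN prints OrgAbuseEmail/OrgTechEmail, RIPE-style output prints "e-mail:"; prefer the abuse mailbox.
CONTACT_RE = re.compile(r"^(OrgAbuseEmail|abuse-mailbox|OrgTechEmail|TechEmail|e-mail):\s*(\S+@\S+)", re.M | re.I)
def pick_contact(whois_text):
    found = {key.lower(): addr for key, addr in CONTACT_RE.findall(whois_text)}
    for key in ("orgabuseemail", "abuse-mailbox", "orgtechemail", "techemail", "e-mail"):
        if key in found:
            return found[key]
    return None

def build_report(ip, events, hostname):
    """One summary per source IP instead of one mail per attempt."""
    users = sorted({user for user, _ in events})
    subject = f"SSH brute-force attempts from {ip} against {hostname}"
    body = (f"{len(events)} failed SSH logins from {ip} on {hostname}\n"
            f"Usernames tried (attacker-supplied, treat as data): {', '.join(users)}\n")
    return subject, body

def send_report(contact, subject, body):
    # argv list form: the log text reaches mail(1) on stdin, never through a shell,
    # so a crafted username in the log cannot inject commands (unlike echo "$msg" | mail).
    subprocess.run(["mail", "-s", subject, contact], input=body, text=True, check=True)

SAMPLE_LOG = [  # constructed: first two lines from the post, the rest are edge cases
    "Apr 30 10:55:42 finn sshd[31415]: Failed password for illegal user nobody from 67.18.130.50 port 49027 ssh2",
    "Apr 30 10:55:43 finn sshd[32022]: Failed password for illegal user patrick from 67.18.130.50 port 49063 ssh2",
    "Apr  1 00:00:01 finn sshd[100]: Failed password for root from 67.18.130.50 port 49150 ssh2",
    "Apr 30 10:56:00 finn sshd[101]: Failed password for illegal user test from 192.168.1.9 port 4000 ssh2",
    "Apr 30 10:56:01 finn sshd[102]: Accepted publickey for max from 192.168.1.9 port 4001 ssh2",
]
```

Run the three stages together as `send_report(pick_contact(whois_text), *build_report(ip, events, "finn"))` for each `ip, events` in `parse_failures(SAMPLE_LOG).items()`.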