New Feature: "Live" SSH Brute Force Logs and New Kippo Client

Published: 2014-07-23
Last Updated: 2014-07-23 12:33:07 UTC
by Johannes Ullrich (Version: 1)
19 comment(s)

We are announcing a new feature we have been working on for a while, that will display live statistics on passwords used by SSH brute forcing bots. In addition, we also updated our script that will allow you to contribute data to this effort. Right now, we are supporting the kippo honeypot to collect data. This script will submit usernames, passwords and the IP address of the attacker to our system.

To download the script see https://isc.sans.edu/clients/kippo/kippodshield.pl .

The script uses a new REST API to upload logs to our system. To use it, you will need your API key, which you can retrieve from https://isc.sans.edu/myinfo.html (look in the lower half of the page for the "report parameters").

For data we are collecting so far, see https://isc.sans.edu/ssh.html .

If you have any other systems then kippo collecting similar information (we like to collect username, password and IP address), then please let me know and I will see if we can add the particular log format to this client.

By contributing your logs, you will help us better understand who and why these attacks are performed, and what certain "must avoid" passwords are. Note for example that some of the passwords these scripts try out are not necessarily trivial, but they may be common enough to be worth while brute forcing targets.

---

Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

19 comment(s)

Comments

How about adding a top ten ssh brute forcing attackers by IP listing? (Or is that tacky?)
sure. I think it makes sense to add this.
Cool. From the logs, we know what standard username were used. We just do not know what passwords were used.



Possible to create a similar tool for WordPress?
We had a few WordPress sites that are subject to brute force login attempts daily.
I've been using a bash script to generate reports based off hosts that are denied by denyhosts.

http://denyhosts.sourceforge.net/

https://github.com/jtdub/ssh_attack_report
This is cool. I am using my honeypots to capture these data and sometimes there are very interesting results. I am using my own database and export mechanisms, but I think I should be able to use your API and contribute to your project.

Apart from SSH, I have succesfully captured brute-force attacks against Telnet, POP3, and FTP using scripts for honeyd low-interaction honeypot. POP3 sometimes faced as many brute-force attacks as SSH. It is interesting to compare dictionaries used against different services.
Hi,
I am trying to use the script on my server and I am seeing following message when I submit the kippo log (./kippodshield.pl < kippo.log)

Submitting Log
Lines: 1 Bytes: 48

ERROR: Size Mismatch

ERROR: SHA1 Mismatch 32ba1ded0aedb64b48e87c779655a26c2ab7fa56

ERROR: MD5 Mismatch a149c7af6e75bf2f347b525ada2f3950
---

OS is Sci Linux 6.x
Sorry, it's taken care of. Didn't remove the square brackets for userid and key. Was able to submit fine after modification.

Submitting Log
Lines: 1 Bytes: 48
Size OK SHA1 OK MD5 OK

Thanks.
I'm getting the hash mismatch errors too. I'm using Ubuntu Server 14.04.
Removing the brackets fixed it for me too.
is still active this project?

i cannot see https://isc.sans.edu/ssh.html page once i logged on

Diary Archives