SANS Internet Storm Center - SANS ISC InfoSec Forums
New Feature: "Live" SSH Brute Force Logs and New Kippo Client

We are announcing a new feature that we have been working on for a while: it displays live statistics on the passwords used by SSH brute-forcing bots. In addition, we have updated the script that lets you contribute data to this effort. Right now, we support the kippo honeypot as a data source. The script submits the usernames, passwords and the IP address of the attacker to our system.

To download the script see https://isc.sans.edu/clients/kippo/kippodshield.pl .

The script uses a new REST API to upload logs to our system. To use it, you will need your API key, which you can retrieve from https://isc.sans.edu/myinfo.html (look in the lower half of the page for the "report parameters").

For data we are collecting so far, see https://isc.sans.edu/ssh.html .

If you have systems other than kippo collecting similar information (we want to collect username, password and IP address), then please let me know and I will see if we can add that particular log format to this client.

By contributing your logs, you will help us better understand who performs these attacks and why, and which passwords are "must avoid" choices. Note, for example, that some of the passwords these scripts try are not necessarily trivial, but they may be common enough to be worthwhile brute-forcing targets.

---

Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

I will be teaching next: Intrusion Detection In-Depth - SANS San Antonio 2019

Johannes

3531 Posts
ISC Handler
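The client described above collects three fields per login attempt (username, password, source IP) and, as the error output further down this thread shows, the upload is checked by size, SHA1 and MD5. The following is an added example in Python, not the ISC kippodshield.pl client and not the ISC API's wire format: it parses constructed kippo-style "login attempt" lines (the line shape is assumed from kippo's default logging), produces the top-N username/password/attacker-IP summary that the thread also asks for, and shows the integrity fields a sender attaches and a receiver recomputes. The tab-separated body format and the function names are my own.

```python
import hashlib
import re
from collections import Counter

# Constructed sample log. The line shape follows kippo's default "login attempt"
# logging as assumed here; these are not lines from any real honeypot.
SAMPLE_LOG = """\
2014-02-20 12:00:01+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/123456] failed
2014-02-20 12:00:02+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/password] failed
2014-02-20 12:00:03+0000 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.9] login attempt [admin/admin] failed
2014-02-20 12:00:04+0000 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.9] login attempt [root/123456] failed
2014-02-20 12:00:05+0000 [HoneyPotTransport,3,192.0.2.44] connection lost
2014-02-20 12:00:06+0000 [SSHService ssh-userauth on HoneyPotTransport,3,192.0.2.44] login attempt [root/toor] failed
"""

# Only login-attempt lines carry the three fields the feature collects
# (username, password, source IP); every other line is skipped. The password
# group is greedy because a password may itself contain '/' or ']'.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/]*)/(?P<pw>.*)\] (?P<result>succeeded|failed)$"
)


def parse_kippo(text):
    """Return a list of (timestamp, ip, username, password, result) tuples."""
    records = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            records.append((m["ts"], m["ip"], m["user"], m["pw"], m["result"]))
    return records


def summarize(records, top=10):
    """Top-N usernames, passwords and attacking IPs seen in the records."""
    users, passwords, attackers = Counter(), Counter(), Counter()
    for _ts, ip, user, pw, _result in records:
        users[user] += 1
        passwords[pw] += 1
        attackers[ip] += 1
    return {
        "usernames": users.most_common(top),
        "passwords": passwords.most_common(top),
        "attackers": attackers.most_common(top),
    }


def build_submission(records):
    """Serialize records as tab-separated lines and attach the integrity fields
    (line count, byte size, SHA1, MD5) that the client output in this thread
    reports. The body format is hypothetical, not the ISC API's."""
    lines = ["\t".join((ts, ip, user, pw)) for ts, ip, user, pw, _result in records]
    body = "".join(line + "\n" for line in lines)
    raw = body.encode("utf-8")
    return {
        "lines": len(lines),
        "bytes": len(raw),
        "sha1": hashlib.sha1(raw).hexdigest(),
        "md5": hashlib.md5(raw).hexdigest(),
        "body": body,
    }


def verify_submission(sub):
    """Receiver-side check: recompute size and digests over the body as received
    and compare with the declared values (mirrors "Size OK SHA1 OK MD5 OK")."""
    raw = sub["body"].encode("utf-8")
    return {
        "size_ok": len(raw) == sub["bytes"],
        "sha1_ok": hashlib.sha1(raw).hexdigest() == sub["sha1"],
        "md5_ok": hashlib.md5(raw).hexdigest() == sub["md5"],
    }


if __name__ == "__main__":
    recs = parse_kippo(SAMPLE_LOG)
    print(summarize(recs, top=3))
    sub = build_submission(recs)
    print("Lines:", sub["lines"], "Bytes:", sub["bytes"])
    print(verify_submission(sub))
```

The size check alone is weak: a body altered in transit with one byte swapped for another keeps its length and still passes "Size OK", which is why the client output reports all three checks. A one-character change to a password in the body flips the SHA1 and MD5 results to mismatch while the size result stays fine.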
How about adding a top ten ssh brute forcing attackers by IP listing? (Or is that tacky?)
jbmoore

11 Posts
sure. I think it makes sense to add this.
Johannes

3531 Posts
ISC Handler
Cool. From the logs, we know which standard usernames were used. We just do not know what passwords were used.



Possible to create a similar tool for WordPress?
We had a few WordPress sites that are subject to brute force login attempts daily.
Mike7

42 Posts
I've been using a bash script to generate reports based off hosts that are denied by denyhosts.

http://denyhosts.sourceforge.net/

https://github.com/jtdub/ssh_attack_report
Mike7
1 Posts
This is cool. I am using my honeypots to capture these data and sometimes there are very interesting results. I am using my own database and export mechanisms, but I think I should be able to use your API and contribute to your project.

Apart from SSH, I have successfully captured brute-force attacks against Telnet, POP3, and FTP using scripts for the honeyd low-interaction honeypot. POP3 sometimes faced as many brute-force attacks as SSH. It is interesting to compare the dictionaries used against different services.
husakm

1 Posts
Hi,
I am trying to use the script on my server and I am seeing the following message when I submit the kippo log (./kippodshield.pl < kippo.log):

Submitting Log
Lines: 1 Bytes: 48

ERROR: Size Mismatch

ERROR: SHA1 Mismatch 32ba1ded0aedb64b48e87c779655a26c2ab7fa56

ERROR: MD5 Mismatch a149c7af6e75bf2f347b525ada2f3950
---

OS is Sci Linux 6.x
Anonymous
Sorry, it's taken care of. Didn't remove the square brackets for userid and key. Was able to submit fine after modification.

Submitting Log
Lines: 1 Bytes: 48
Size OK SHA1 OK MD5 OK

Thanks.
Anonymous
I'm getting the hash mismatch errors too. I'm using Ubuntu Server 14.04.
KPryor

9 Posts
Removing the brackets fixed it for me too.
KPryor

9 Posts
Is this project still active?

I cannot see the https://isc.sans.edu/ssh.html page once I am logged on.
AndreaConsadori

2 Posts
Quoting AndreaConsadori: Is this project still active?

I cannot see the https://isc.sans.edu/ssh.html page once I am logged on.


Yes, indeed it is still active. If you reach an error page, it simply means that our database is too busy at that moment. However, thank you for bringing this to our attention, I am going to work on increasing the availability of this page.
Alex Stanford

136 Posts
I tried, but 50% of the time it gave me a timeout:

Submitting Log
Lines: 1220 Bytes: 65476
500 read timeout at ./kippodshiled.pl line 130.

and I cannot see the log under my report.
AndreaConsadori

2 Posts
I had to modify the perl script, just a little bit. "my $SSLCAPath='/etc/ssl/certs';" wasn't working for me. I run Fedora, and modified it to point to /etc/pki/tls/certs (as that is where Fedora puts its ca-bundle.crt). Still wouldn't work for me.

Had to modify the code, just a little bit, created a new variable, "my $SSLFilePath", and pointed it at the actual ca-bundle.crt file (/etc/pki/tls/certs/ca-bundle.crt, if you use Fedora). Then lower in the code, changed the line that used the $SSLCAPath to: $ua->ssl_opts(SSL_ca_file=>$SSLCAFile);
MikeDawg

4 Posts
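The post above hits a portability problem any honeypot upload client has: the CA store lives at /etc/ssl/certs on Debian-style systems but at /etc/pki/tls/certs/ca-bundle.crt on Fedora, and a wrong path makes every TLS connection fail verification. The following is an added example in Python (not the Perl client from this thread, and not code from ISC) showing how a client can probe the known locations and fail closed instead of disabling verification. The Debian bundle file path and the helper names are my assumptions; the `isfile`/`isdir`/`listdir` parameters exist only so the lookup can be exercised without touching the real filesystem.

```python
import os
import ssl

# Candidate CA trust sources. The thread names /etc/ssl/certs (hashed
# certificate directory) and Fedora's /etc/pki/tls/certs/ca-bundle.crt; the
# Debian/Ubuntu bundle file is an assumed common default, not from the thread.
DEFAULT_CANDIDATES = (
    "/etc/pki/tls/certs/ca-bundle.crt",     # Fedora / RHEL bundle file
    "/etc/ssl/certs/ca-certificates.crt",   # Debian / Ubuntu bundle file (assumed)
    "/etc/ssl/certs",                       # hashed certificate directory
)


def find_ca_source(candidates=DEFAULT_CANDIDATES, isfile=os.path.isfile,
                   isdir=os.path.isdir, listdir=os.listdir):
    """Return ("file", path) or ("dir", path) for the first usable candidate.

    A directory only counts if it is non-empty: an empty capath loads without
    complaint and every handshake then fails with an unhelpful verification
    error. Raises FileNotFoundError rather than falling back to unverified TLS.
    """
    for path in candidates:
        if isfile(path):
            return "file", path
        if isdir(path) and listdir(path):
            return "dir", path
    raise FileNotFoundError(
        "no CA bundle found in %r; install the ca-certificates package rather "
        "than disabling verification" % (candidates,))


def make_context(candidates=DEFAULT_CANDIDATES):
    """Build a client SSLContext that verifies the server against the located CA store."""
    kind, path = find_ca_source(candidates)
    ctx = ssl.create_default_context(
        cafile=path if kind == "file" else None,
        capath=path if kind == "dir" else None,
    )
    # create_default_context already sets CERT_REQUIRED and check_hostname;
    # leave both on so a wrong CA path surfaces as an error, not a silent downgrade.
    return ctx


if __name__ == "__main__":
    print(find_ca_source())
    print(make_context().verify_mode == ssl.CERT_REQUIRED)
```

A bundle file is preferred over a directory because a single file either parses or it does not, whereas a capath directory that lacks the hash-named symlinks (for example after copying certificates in by hand without running the rehash tool) silently matches nothing.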
Is this still supported? I have just added this script to my cowrie honeypot and executed it. The script didn't tell me if it was successful or not, so I'm waiting to see if the logs pop up in my reports.
Ender

4 Posts
I'm trying to get this running on Debian 8 and I'm getting no feedback from the script at all... it just runs and returns to the shell. If I try to run the script without piping the log file to it, it just hangs. I suspect that I'm missing some Perl modules or some other dependency, but I can't locate any list of dependencies. I also note that the script references base64, so perhaps running on a 32-bit host is the problem?
bblboy54

1 Posts
I do agree, this is work.
darderdor

2 Posts
Same issue, the script just quits immediately without any feedback...

Any idea?

I've also tried modifying the path and file name as reported in a previous post, but it doesn't change anything.

let me know

best

S
PIST

1 Posts