We are announcing a new feature we have been working on for a while, that will display live statistics on passwords used by SSH brute forcing bots. In addition, we also updated our script that will allow you to contribute data to this effort. Right now, we are supporting the kippo honeypot to collect data. This script will submit usernames, passwords and the IP address of the attacker to our system. To download the script see https://isc.sans.edu/clients/kippo/kippodshield.pl. The script uses a new REST API to upload logs to our system. To use it, you will need your API key, which you can retrieve from https://isc.sans.edu/myinfo.html (look in the lower half of the page for the "report parameters"). For the data we are collecting so far, see https://isc.sans.edu/ssh.html. If you have any other systems than kippo collecting similar information (we like to collect username, password and IP address), then please let me know and I will see if we can add the particular log format to this client. By contributing your logs, you will help us better understand who performs these attacks and why, and what certain "must avoid" passwords are. Note for example that some of the passwords these scripts try out are not necessarily trivial, but they may be common enough to be worthwhile brute forcing targets.

--- Johannes B. Ullrich, Ph.D.

Johannes, ISC Handler, Jul 23rd 2014
jbmoore, Jul 23rd 2014
How about adding a top ten SSH brute forcing attackers by IP listing? (Or is that tacky?)
Johannes (ISC Handler), Jul 23rd 2014
Sure. I think it makes sense to add this.
Mike7, Jul 24th 2014
Cool. From the logs, we know what standard usernames were used. We just do not know what passwords were used.
Is it possible to create a similar tool for WordPress? We have a few WordPress sites that are subject to brute force login attempts daily.
Mike7, Jul 24th 2014
I've been using a bash script to generate reports based on hosts that are denied by denyhosts.
http://denyhosts.sourceforge.net/
https://github.com/jtdub/ssh_attack_report
husakm, Jul 24th 2014
This is cool. I am using my honeypots to capture these data and sometimes there are very interesting results. I am using my own database and export mechanisms, but I think I should be able to use your API and contribute to your project.
Apart from SSH, I have successfully captured brute-force attacks against Telnet, POP3, and FTP using scripts for the honeyd low-interaction honeypot. POP3 sometimes faced as many brute-force attacks as SSH. It is interesting to compare the dictionaries used against different services.
Anonymous, Jul 24th 2014
Hi,
I am trying to use the script on my server and I am seeing the following message when I submit the kippo log (./kippodshield.pl < kippo.log):

Submitting Log Lines: 1 Bytes: 48
ERROR: Size Mismatch
ERROR: SHA1 Mismatch 32ba1ded0aedb64b48e87c779655a26c2ab7fa56
ERROR: MD5 Mismatch a149c7af6e75bf2f347b525ada2f3950

--- OS is Sci Linux 6.x
Anonymous, Jul 24th 2014
Sorry, it's taken care of. I didn't remove the square brackets for userid and key. I was able to submit fine after modification.

Submitting Log Lines: 1 Bytes: 48
Size OK
SHA1 OK
MD5 OK

Thanks.
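As an added example (not the ISC script and not code from anyone in this thread), the following Python mirrors the client-side steps discussed above: it extracts the username, password and attacker IP from kippo login-attempt lines, flags an API key or user id still wrapped in the template's square brackets (the cause of the mismatch reported here), and recomputes the size, SHA1 and MD5 that the script's output reports for the submitted body. The kippo line layout, the tab-separated body format and the digest-over-body check are assumptions, and the log lines are constructed.

```python
import hashlib
import re

# Assumed kippo login-attempt line layout (kippo's default log; not taken from the thread):
#   <date> <time> [SSHService ssh-userauth on HoneyPotTransport,<n>,<ip>] login attempt [<user>/<pw>] <result>
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>succeeded|failed)$"
)

# Constructed sample log; the last line is a non-login event that must be ignored.
SAMPLE_LOG = [
    "2014-07-24 10:15:01+0000 [SSHService ssh-userauth on HoneyPotTransport,3,198.51.100.7] login attempt [root/123456] failed",
    "2014-07-24 10:15:03+0000 [SSHService ssh-userauth on HoneyPotTransport,3,198.51.100.7] login attempt [admin/admin] failed",
    "2014-07-24 10:15:05+0000 [SSHService ssh-userauth on HoneyPotTransport,4,203.0.113.9] login attempt [root/toor] succeeded",
    "2014-07-24 10:15:06+0000 [HoneyPotTransport,4,203.0.113.9] connection lost",
]

def parse_kippo(lines):
    """Return (timestamp, ip, username, password, result) for each login-attempt line."""
    records = []
    for line in lines:
        m = LOGIN_RE.match(line.strip())
        if m:
            records.append((m["ts"], m["ip"], m["user"], m["pw"], m["result"]))
    return records

def placeholder_left(value):
    """True when a config value still carries the template's square brackets, e.g. '[myapikey]'."""
    return value.startswith("[") and value.endswith("]")

def build_body(records):
    """Assumed submission layout: one 'timestamp<TAB>ip<TAB>user<TAB>password' line per attempt."""
    return "".join(f"{ts}\t{ip}\t{user}\t{pw}\n" for ts, ip, user, pw, _ in records)

def digests(body):
    """Byte length, SHA1 and MD5 of the body: the three values the script's output reports."""
    data = body.encode("utf-8")
    return len(data), hashlib.sha1(data).hexdigest(), hashlib.md5(data).hexdigest()

def verify(body, size, sha1, md5):
    """Recompute the digests over the received body and report in the script's own wording."""
    got_size, got_sha1, got_md5 = digests(body)
    return [
        "Size OK" if got_size == size else "ERROR: Size Mismatch",
        "SHA1 OK" if got_sha1 == sha1 else f"ERROR: SHA1 Mismatch {got_sha1}",
        "MD5 OK" if got_md5 == md5 else f"ERROR: MD5 Mismatch {got_md5}",
    ]
```

Running placeholder_left over the configured userid and key before submitting catches the bracket mistake locally, instead of after a round trip that ends in the three mismatch errors.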
KPryor, Jul 24th 2014
I'm getting the hash mismatch errors too. I'm using Ubuntu Server 14.04.
KPryor, Jul 24th 2014
Removing the brackets fixed it for me too.
AndreaConsadori, Jul 24th 2014
Is this project still active?
I cannot see the https://isc.sans.edu/ssh.html page once I have logged on.
Alex Stanford, Jan 22nd 2015
Quoting AndreaConsadori: Is this project still active?
Yes, indeed it is still active. If you reach an error page, it simply means that our database is too busy at that moment. However, thank you for bringing this to our attention; I am going to work on increasing the availability of this page.
AndreaConsadori, Jan 23rd 2015
I tried, but 50% of the time it gives me a timeout:

Submitting Log Lines: 1220 Bytes: 65476
500 read timeout at ./kippodshiled.pl line 130.

And I cannot see the log under my report.
MikeDawg, Apr 27th 2015
I had to modify the perl script, just a little bit. "my $SSLCAPath='/etc/ssl/certs';" wasn't working for me. I run Fedora, and modified it to point to /etc/pki/tls/certs (as that is where Fedora puts its ca-bundle.crt). Still wouldn't work for me.
Had to modify the code, just a little bit: created a new variable, "my $SSLFilePath", and pointed it at the actual ca-bundle.crt file (/etc/pki/tls/certs/ca-bundle.crt, if you use Fedora). Then lower in the code, changed the line that used the $SSLCAPath to: $ua->ssl_opts(SSL_ca_file=>$SSLCAFile);
Ender, Feb 22nd 2016
Is this still supported? I have just added this script to my cowrie honeypot and executed it. The script didn't tell me if it was successful or not, so I'm waiting to see if the logs pop up in my reports.
bblboy54, Mar 13th 2016
I'm trying to get this running on Debian 8 and I'm getting no feedback from the script at all... it just runs and returns to the shell. If I try to run the script without piping the log file to it, it just hangs. I suspect that I'm missing some perl modules or some other dependency, but I can't locate any list of dependencies. I also note that in the script it references base64, so perhaps running on a 32 bit host is the problem?
darderdor, Dec 9th 2016
I do agree, this is work.
PIST, May 2nd 2017
Same issue, the script just quits immediately without any feedback...
Any idea? I've also tried modifying the path and file name as reported in a previous post, but it doesn't change anything. Let me know. Best, S