Hacked - FreeBSD 7.1-Release

Ian Smith smithi at nimnet.asn.au
Sat Jan 2 10:01:43 UTC 2010


On Thu, 31 Dec 2009, Jeremy Chadwick wrote:
 > On Thu, Dec 31, 2009 at 04:16:07AM +1100, Ian Smith wrote:
 > > On Tue, 29 Dec 2009, David Wolfskill wrote:
 > >  > On Tue, Dec 29, 2009 at 03:20:37AM -0800, Jeremy Chadwick wrote:
 > >  > > ...
 > >  > > I've written my own script to do all of this.  It parses periodic
 > >  > > security mails (on a daily basis), and does WHOIS lookups + parses the
 > >  > > results to tell me what netblocks/CIDRs I should consider blocking.  For
 > >  > > example, for a security mail that contains this:
 > >  > > 
 > >  > > horus.sc1.parodius.com login failures:
 > >  > > Dec 28 15:54:49 horus sshd[74684]: Failed password for root from 199.71.214.240 port 51197 ssh2
 > >  > > Dec 28 15:54:49 horus sshd[74686]: Invalid user test from 199.71.214.240
 > >  > > Dec 28 18:39:24 horus sshd[84742]: Failed password for root from 208.94.235.248 port 42979 ssh2
 > >  > > Dec 28 18:39:25 horus sshd[84744]: Failed password for root from 208.94.235.248 port 43056 ssh2
 > >  > > Dec 28 18:39:25 horus sshd[84746]: Failed password for root from 208.94.235.248 port 43156 ssh2
 > >  > > Dec 28 18:39:26 horus sshd[84749]: Failed password for root from 208.94.235.248 port 43265 ssh2
 > >  > > Dec 28 18:39:27 horus sshd[84751]: Failed password for root from 208.94.235.248 port 43356 ssh2
 > >  > > 
 > >  > > The script would output the following:
 > >  > > 
 > >  > > 199.71.214.240
 > >  > >         199.71.212.0/22        Psychz Networks, Walnut, CA, US
 > >  > > 208.94.235.248
 > >  > >         208.94.232.0/22        WZ Communications Inc., Madison, WI, US
 > >  > >         208.94.235.0/24        Soft-Com.biz, Inc., Panama, NA, PA
 > > 
 > > Jeremy, care to share your whois lookup / parsing script for this?
 > 
 > Sure.  It's a combination of two scripts which I call "parse_ssh_deny"
 > (sh) and "lookup" (perl).  How I use them: I get "security run output"
 > mails from periodic every night, and use mutt to save them (one per
 > server) to a single file, which I pipe to "parse_ssh_deny", resulting in
 > the above output.
 > 
 > I read the output by hand and decide manually what to put into
 > pf.conf.ssh-deny.

Thanks for this, very helpful.  Perhaps for others too.

 > I'll note that some of the servers are multi-user, so users mistyping
 > their password is common -- I specifically exclude that error message
 > from the awk line in "parse_ssh_deny" because I don't want legitimate
 > users potentially blocked.  People should tune the script based on their
 > needs though.
 > 
 > The "lookup" perl script uses whois(1) with specific arguments to get
 > back results from ARIN, and then parses the results.  Sometimes WHOIS
 > records don't have certain details (country code, city, state, etc.),
 > and other times they do.  The script tries to handle all of those.

Many of my lookups, often done ad hoc while browsing various logs, are as
likely to be via APNIC and other RIRs, all of which have differences in
format to some extent; I'll have to play with all this when there's a
bit more time.

 > The reason I chose to parse whois(1) output rather than using something
 > like Net::Whois or Net::Whois::IP is because I prefer self-contained
 > scripts (unless there's sufficient justification for reliance on such
 > third-party code); plus I didn't particularly like either of these perl
 > modules.

Yes, I prefer using the base tools too.  I often find lots of perl code
close to unreadable, but yours couldn't be clearer.  David Wolfskill
sent some more useful clues too.  Thanks again, guys.

cheers, Ian


 > parse_ssh_deny
 > ================
 > #!/bin/sh
 > for i in `awk '/Failed password for root/ {print $11} /Failed password for invalid user .+ from/ {print $13} /Invalid user/ {print $NF}' | sort -u -n`
 > do
 > 	lookup "$i"
 > done
 > 
 > 
 > lookup
 > ========
 > #!/usr/local/bin/perl
 > use strict;
 > use warnings;
 > 
 > # $ whois -a "+ 67.205.112.200" | egrep '^CustName|OrgName|CIDR'
 > # OrgName:    iWeb Technologies Inc.
 > # CIDR:       67.205.64.0/18
 > # CustName:   iWeb Dedicated CL2
 > # CIDR:       67.205.112.192/27
 > 
 > my $lookup = shift or die "Usage: $0 ip\n";
 > 
 > my ($name, $city, $state, $cc, $cidr) = undef;
 > 
 > print $lookup, "\n";
 > 
 > open(FH, "whois -a '+ $lookup' |") or die;
 > while(<FH>)
 > {
 >   $name  = $2	if (m#^(CustName|OrgName):\s+(.+)#);
 >   $city  = $1	if (m#^City:\s+(.+)#);
 >   $state = $1	if (m#^StateProv:\s+(.+)#);
 >   $cc    = $1	if (m#^Country:\s+(.+)#);
 >   $cidr  = $1	if (m#^CIDR:\s+([\d\./]+)#);
 > 
 >   if ($name and $cidr)
 >   {
 > 	$city  = $city  || '<?>';
 > 	$state = $state || '<?>';
 > 	$cc    = $cc    || '<?>';
 > 
 > 	printf "\t%-23s", $cidr;
 > 	print join(", ", $name, $city, $state, $cc);
 > 	print "\n";
 > 	($name, $city, $state, $cc, $cidr) = undef;
 > 	next;
 >   }
 > }
 > close(FH);
 > 
 > 
 > -- 
 > | Jeremy Chadwick                                   jdc at parodius.com |
 > | Parodius Networking                       http://www.parodius.com/ |
 > | UNIX Systems Administrator                  Mountain View, CA, USA |
 > | Making life hard for others since 1977.              PGP: 4BD6C0CB |
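The two-stage procedure Jeremy describes above (pull the offending addresses out of the periodic security mail, then run each through an ARIN whois lookup and print CIDR plus organisation, with "<?>" where a record lacks city, state or country) as a single added Python example. This is not Jeremy's "parse_ssh_deny"/"lookup" code nor anything from the FreeBSD project; it is a reimplementation written for this page. The sshd lines are the ones quoted in the thread plus two constructed extras (one "invalid user" failure and one ordinary user mistyping a password, which, like the original awk, is deliberately not matched), and the whois text is a constructed record modelled on the comment in the "lookup" script. The `whois -a '+ ip'` invocation is taken from the page; `run_lookup` is only used when the script is run by hand and needs network access.

```python
import re
import ipaddress
import subprocess
import sys

# Constructed sample input: the lines quoted in the thread, plus one
# "invalid user" failure and one non-root password failure (alice).
SAMPLE_SECURITY_MAIL = """\
horus.sc1.parodius.com login failures:
Dec 28 15:54:49 horus sshd[74684]: Failed password for root from 199.71.214.240 port 51197 ssh2
Dec 28 15:54:49 horus sshd[74686]: Invalid user test from 199.71.214.240
Dec 28 18:39:24 horus sshd[84742]: Failed password for root from 208.94.235.248 port 42979 ssh2
Dec 28 18:39:25 horus sshd[84744]: Failed password for root from 208.94.235.248 port 43056 ssh2
Dec 28 16:02:10 horus sshd[74700]: Failed password for invalid user admin from 10.0.0.5 port 40000 ssh2
Dec 28 16:05:00 horus sshd[74710]: Failed password for alice from 192.0.2.7 port 40001 ssh2
"""

# Constructed sample of ARIN whois output, modelled on the comment in the
# "lookup" script: an OrgName record with location fields, then a CustName
# sub-allocation without them.
SAMPLE_WHOIS = """\
OrgName:    iWeb Technologies Inc.
OrgId:      IWEB-2
City:       Montreal
StateProv:  QC
Country:    CA
NetRange:   67.205.64.0 - 67.205.127.255
CIDR:       67.205.64.0/18

CustName:   iWeb Dedicated CL2
NetRange:   67.205.112.192 - 67.205.112.223
CIDR:       67.205.112.192/27
"""

# Same three cases as the original awk line. A plain "Failed password for
# <user>" (a real account mistyping a password) matches none of them, so
# legitimate users are never proposed for the deny list.
LOG_PATTERNS = (
    re.compile(r"Failed password for root from (\S+)"),
    re.compile(r"Failed password for invalid user \S+ from (\S+)"),
    re.compile(r"Invalid user \S+ from (\S+)$"),
)

WHOIS_FIELD = re.compile(r"^(CustName|OrgName|City|StateProv|Country|CIDR):\s+(.+?)\s*$")


def extract_attacker_ips(text):
    """Unique offending addresses, ordered numerically by octet rather than
    by `sort -n`, which only compares the first octet of a dotted quad."""
    found = set()
    for line in text.splitlines():
        for pat in LOG_PATTERNS:
            m = pat.search(line)
            if m:
                found.add(m.group(1))
                break
    return sorted(found, key=ipaddress.ip_address)


def parse_whois(text):
    """Return (cidr, name, city, state, country) per record.

    A record is complete once both a name (OrgName or CustName) and a CIDR
    have been seen; fields are then reset so a later sub-allocation does not
    inherit the parent's City/StateProv/Country. Missing fields become '<?>'.
    """
    fields, records = {}, []
    for line in text.splitlines():
        m = WHOIS_FIELD.match(line)
        if not m:
            continue
        key, val = m.groups()
        fields["name" if key in ("CustName", "OrgName") else key] = val
        if "name" in fields and "CIDR" in fields:
            records.append((fields["CIDR"], fields["name"],
                            fields.get("City", "<?>"),
                            fields.get("StateProv", "<?>"),
                            fields.get("Country", "<?>")))
            fields = {}
    return records


def format_report(ip, records):
    """Same layout as the thread's output: the IP, then one indented line per netblock."""
    lines = [ip]
    for cidr, name, city, state, cc in records:
        lines.append("\t%-23s%s" % (cidr, ", ".join((name, city, state, cc))))
    return "\n".join(lines)


def run_lookup(ip):
    """Query ARIN the way the page's script does (needs network; FreeBSD whois -a)."""
    out = subprocess.run(["whois", "-a", "+ " + ip], capture_output=True, text=True)
    return parse_whois(out.stdout)


if __name__ == "__main__":
    # Usage: mutt-saved security mails on stdin, as with parse_ssh_deny.
    mail = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SECURITY_MAIL
    for ip in extract_attacker_ips(mail):
        print(format_report(ip, run_lookup(ip)))
```

As with the original, the output is meant to be read by a person before anything goes into pf.conf: a /22 from WHOIS is an allocation boundary, not evidence that the whole block is hostile, and a sub-allocation (the second, narrower CIDR) is usually the more precise candidate.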