Date:      Thu, 31 Dec 2009 06:21:44 -0800
From:      Jeremy Chadwick <freebsd@jdc.parodius.com>
To:        freebsd-stable@freebsd.org
Subject:   Re: Hacked - FreeBSD 7.1-Release
Message-ID:  <20091231142144.GA742@icarus.home.lan>
In-Reply-To: <20091230171341.E81420@sola.nimnet.asn.au>
References:  <bd52e0bd614fbaffcf8c9ff9da35286e@mail.isot.com> <4B20B509.4050501@yahoo.it> <600C0C33850FFE49B76BDD81AED4D25801371D8056@IMCMBX3.MITRE.ORG> <ce92ed41260c438977298c2cf9dd1e3f.HRCIM@webmail.1command.com> <600C0C33850FFE49B76BDD81AED4D25801371D8737@IMCMBX3.MITRE.ORG> <8bdcbc5f08e9b762c3d2dcfe2fd00558.HRCIM@webmail.1command.com> <6201873e0912281550w34937b9eg3498547722739aee@mail.gmail.com> <20091229112037.GA34719@icarus.home.lan> <20091229171432.GN470@bunrab.catwhisker.org> <20091230171341.E81420@sola.nimnet.asn.au>

On Thu, Dec 31, 2009 at 04:16:07AM +1100, Ian Smith wrote:
> On Tue, 29 Dec 2009, David Wolfskill wrote:
>  > On Tue, Dec 29, 2009 at 03:20:37AM -0800, Jeremy Chadwick wrote:
>  > > ...
>  > > I've written my own script to do all of this.  It parses periodic
>  > > security mails (on a daily basis), and does WHOIS lookups + parses the
>  > > results to tell me what netblocks/CIDRs I should consider blocking.  For
>  > > example, for a security mail that contains this:
>  > > 
>  > > horus.sc1.parodius.com login failures:
>  > > Dec 28 15:54:49 horus sshd[74684]: Failed password for root from 199.71.214.240 port 51197 ssh2
>  > > Dec 28 15:54:49 horus sshd[74686]: Invalid user test from 199.71.214.240
>  > > Dec 28 18:39:24 horus sshd[84742]: Failed password for root from 208.94.235.248 port 42979 ssh2
>  > > Dec 28 18:39:25 horus sshd[84744]: Failed password for root from 208.94.235.248 port 43056 ssh2
>  > > Dec 28 18:39:25 horus sshd[84746]: Failed password for root from 208.94.235.248 port 43156 ssh2
>  > > Dec 28 18:39:26 horus sshd[84749]: Failed password for root from 208.94.235.248 port 43265 ssh2
>  > > Dec 28 18:39:27 horus sshd[84751]: Failed password for root from 208.94.235.248 port 43356 ssh2
>  > > 
>  > > The script would output the following:
>  > > 
>  > > 199.71.214.240
>  > >         199.71.212.0/22        Psychz Networks, Walnut, CA, US
>  > > 208.94.235.248
>  > >         208.94.232.0/22        WZ Communications Inc., Madison, WI, US
>  > >         208.94.235.0/24        Soft-Com.biz, Inc., Panama, NA, PA
> 
> Jeremy, care to share your whois lookup / parsing script for this?

Sure.  It's a combination of two scripts which I call "parse_ssh_deny"
(sh) and "lookup" (perl).  How I use them: I get "security run output"
mails from periodic every night, and use mutt to save them (one per
server) to a single file, which I pipe to "parse_ssh_deny", resulting in
the above output.

I read the output by hand and decide manually what to put into
pf.conf.ssh-deny.

I'll note that some of the servers are multi-user, so users mistyping
their password is common -- I specifically exclude that error message
from the awk line in "parse_ssh_deny" because I don't want legitimate
users potentially blocked.  People should tune the script based on their
needs though.

The "lookup" perl script uses whois(1) with specific arguments to get
back results from ARIN, and then parses the results.  Sometimes WHOIS
records don't have certain details (country code, city, state, etc.),
and other times they do.  The script tries to handle all of those.

The reason I chose to parse whois(1) output rather than using something
like Net::Whois or Net::Whois::IP is because I prefer self-contained
scripts (unless there's sufficient justification for reliance on such
third-party code); plus I didn't particularly like either of these perl
modules.


parse_ssh_deny
================
#!/bin/sh
# Reads periodic(8) "security run output" mail on stdin, pulls the source
# address out of each sshd failure line and runs "lookup" on each unique
# address.  Plain "Failed password for <user>" lines (an existing user
# mistyping a password) are deliberately not matched.
for i in $(awk '/Failed password for root/ {print $11} /Failed password for invalid user .+ from/ {print $13} /Invalid user/ {print $NF}' | sort -u -n)
do
	lookup "$i"
done


lookup
========
#!/usr/local/bin/perl
use strict;
use warnings;

# Shape of the ARIN output this script parses:
# $ whois -a "+ 67.205.112.200" | egrep '^CustName|OrgName|CIDR'
# OrgName:    iWeb Technologies Inc.
# CIDR:       67.205.64.0/18
# CustName:   iWeb Dedicated CL2
# CIDR:       67.205.112.192/27

my $lookup = shift or die "Usage: $0 ip\n";

my ($name, $city, $state, $cc, $cidr);

print $lookup, "\n";

# List-form pipe open runs whois(1) directly instead of through the shell,
# so the argument is never interpreted as shell syntax.
open(my $fh, '-|', 'whois', '-a', "+ $lookup")
  or die "cannot run whois: $!\n";
while (<$fh>)
{
  # Collect the fields of interest; a later line overwrites an earlier one.
  $name  = $2 if (m#^(CustName|OrgName):\s+(.+)#);
  $city  = $1 if (m#^City:\s+(.+)#);
  $state = $1 if (m#^StateProv:\s+(.+)#);
  $cc    = $1 if (m#^Country:\s+(.+)#);
  $cidr  = $1 if (m#^CIDR:\s+([\d\./]+)#);

  # ARIN prints the org/customer block before its CIDR line, so once both a
  # name and a CIDR have been seen, print one record and start over.
  if ($name and $cidr)
  {
    $city  = $city  || '<?>';   # record did not carry this field
    $state = $state || '<?>';
    $cc    = $cc    || '<?>';

    printf "\t%-23s", $cidr;
    print join(", ", $name, $city, $state, $cc);
    print "\n";
    ($name, $city, $state, $cc, $cidr) = (undef) x 5;
  }
}
close($fh);


-- 
| Jeremy Chadwick                                   jdc@parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
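The pipeline Jeremy describes (extract attacker addresses from the periodic security mail, query ARIN, fold the record into one line per CIDR) as a single added Python example. This is not code from the thread; it reproduces the behaviour of "parse_ssh_deny" and "lookup" in one file. The security-mail sample reuses four lines quoted above plus two constructed lines (an "invalid user" failure and a legitimate user mistyping a password, which is left unblocked just as the awk rules do); the ARIN response is constructed to match the `whois -a '+ ip'` field layout shown in the thread, and the `live_whois` function assumes FreeBSD's whois(1) with the `-a` flag, as used in the post.

```python
import ipaddress
import re
import subprocess

# Constructed sample of a periodic(8) "login failures" block.  The first four
# entries are the ones quoted in the thread; the last two are made up to show
# the "invalid user" form and an existing user ("alice") mistyping a password.
SECURITY_MAIL = """\
horus.sc1.parodius.com login failures:
Dec 28 15:54:49 horus sshd[74684]: Failed password for root from 199.71.214.240 port 51197 ssh2
Dec 28 15:54:49 horus sshd[74686]: Invalid user test from 199.71.214.240
Dec 28 18:39:24 horus sshd[84742]: Failed password for root from 208.94.235.248 port 42979 ssh2
Dec 28 18:39:25 horus sshd[84744]: Failed password for root from 208.94.235.248 port 43056 ssh2
Dec 28 18:40:02 horus sshd[84760]: Failed password for invalid user admin from 203.0.113.7 port 43100 ssh2
Dec 28 18:41:17 horus sshd[84770]: Failed password for alice from 198.51.100.20 port 43200 ssh2
"""

# Constructed ARIN-style response (field names as in the thread's excerpt).
# The customer block deliberately lacks StateProv to exercise the fallback.
ARIN_RESPONSE = """\
OrgName:    WZ Communications Inc.
City:       Madison
StateProv:  WI
Country:    US

NetRange:   208.94.232.0 - 208.94.235.255
CIDR:       208.94.232.0/22

CustName:   Soft-Com.biz, Inc.
City:       Panama
Country:    PA

NetRange:   208.94.235.0 - 208.94.235.255
CIDR:       208.94.235.0/24
"""

_IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Same three cases as the awk program: root, "invalid user" in either form.
# A failed password for an existing user is intentionally not matched.
ATTACKER_PATTERNS = tuple(re.compile(p % _IP) for p in (
    r"Failed password for root from %s",
    r"Failed password for invalid user \S+ from %s",
    r"Invalid user \S+ from %s",
))

FIELD_RE = re.compile(r"^(CustName|OrgName|City|StateProv|Country|CIDR):\s+(.+?)\s*$")


def extract_ips(mail_text):
    """Return the unique source addresses from the mail, sorted numerically."""
    found = set()
    for line in mail_text.splitlines():
        for pat in ATTACKER_PATTERNS:
            m = pat.search(line)
            if m:
                try:
                    found.add(ipaddress.IPv4Address(m.group(1)))
                except ipaddress.AddressValueError:
                    pass  # garbled line; skip it rather than abort the run
                break
    return [str(ip) for ip in sorted(found)]


def parse_arin(whois_text):
    """Fold a whois response into (cidr, name, city, state, cc) records.

    Like the perl script, a record is emitted as soon as both a name and a
    CIDR have been seen, which assumes ARIN prints the org/customer block
    before its CIDR line.  Missing fields become '<?>'.
    """
    records, cur = [], {}
    for line in whois_text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m.groups()
        if key in ("CustName", "OrgName"):
            key = "name"
        elif key == "CIDR":
            first = re.match(r"[\d./]+", val)  # first CIDR of a list only
            if not first:
                continue
            val = first.group(0)
        cur[key] = val
        if "name" in cur and "CIDR" in cur:
            records.append((cur["CIDR"], cur["name"], cur.get("City", "<?>"),
                            cur.get("StateProv", "<?>"), cur.get("Country", "<?>")))
            cur = {}
    return records


def live_whois(ip):
    """Query ARIN the way the post does (FreeBSD whois -a; '+ ' asks for the
    verbose record).  Runs whois directly, not via a shell.  Unused offline."""
    return subprocess.run(["whois", "-a", "+ " + ip], capture_output=True,
                          text=True, check=False).stdout


def report(ips, whois_lookup):
    """Render the same layout as the thread: IP line, then one tab-indented
    line per CIDR with the owner and location."""
    out = []
    for ip in ips:
        out.append(ip)
        for cidr, name, city, state, cc in parse_arin(whois_lookup(ip)):
            out.append("\t%-23s%s" % (cidr, ", ".join((name, city, state, cc))))
    return "\n".join(out)


if __name__ == "__main__":
    canned = {"208.94.235.248": ARIN_RESPONSE}   # offline stand-in for live_whois
    print(report(extract_ips(SECURITY_MAIL), lambda ip: canned.get(ip, "")))
```

Swapping `lambda ip: canned.get(ip, "")` for `live_whois` gives the live behaviour; the output is still only a list to read by hand before deciding what goes into the pf table, as the post describes.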