Skip to main content

Checking auth.log for ssh brute force attacks

As I am letting my personal computer always on, as a homelinux server, I decided to check if someone is trying to breaking in with SSH brute force attacks.

First I did a grep for fail at the /var/log/auth.log. (grep -i /var/log/auth.log)

And I got lots of lines with the string "fail". With [grep -i /var/log/auth.log | wc -l] I figured out that were 1164 fail entries at auth.log

With an [grep -i fail auth.log | cut -d " " -f 6 | sort | uniq] I checked that were two kind of failed attempts:
Failed
pam_unix(sshd:auth):

So I wrote the following line to check with which users they were attempting to log:
grep Failed auth.log | cut -d " " -f 11 | sort | uniq | while read line ; do echo -n $line" "; grep $line auth.log | wc -l; done | sort -n -k 2

Here, the field position (the number 11 at the above command lines [-f 11]) may change in some systems. At my desktop at work, the username came at the position 9.

Here are the "top ten":
root 2922
user 2884
test 30
oracle 26
admin 22
mythtv 12
user1 6
teste 4
silentios 4
setup 4

Iauch! 2922 attempts! Luckily I always change my SSH config to not permit root logons.

At the /etc/ssh/sshd_config, PermitRootLogin no
And a good habit is to add a last AllowUsers line, followed by the usernames enabled to log trough SSH.

As most unixes do log rotation with gzip, the line above can be changed to zgrep all auth logs as follows:
zgrep Failed auth.log* | cut -d " " -f 11 | sort | uniq | while read line ; do echo -n $line" "; zgrep Failed auth.log* | grep $line | wc -l; done | sort -n -k 2

This particular line took me around 4 minutes running. After that, it came with a list with 676 diferent users which attemped to log with ssh in my host.

Here are the top 50:
w 9707
u 9707
t 9707
sshd 9707
ssh 9707
s 9707
r 9707
p 9707
o 9707
m 9707
log 9707
l 9707
k 9707
i 9707
h 9707
g 9707
f 9707
ed 9707
e 9707
desktop 9707
d 9707
am 9707
a 9707
v 9706
user 9706
n 9706
id 9706
z 8419
c 6818
root 2322
y 840
b 677
j 381
test 319
adm 268
admin 253
at 222
x 189
it 167
q 134
ftp 124
mail 113
web 102
postgres 79
mysql 78
mini 74
suporte 71
guest 67
pop 65
oracle 62

Comments

  1. Some useful shell scripts here. Am looking to log and graph the attacks on my box for display.

    thanks

    ReplyDelete

Post a Comment

Popular posts from this blog

uSleep on windows (win32)

I am facing a terrible issue regarding timing on windows.

Googling arround, I've found those infos:
Using QueryPerformanceCounter and QueryPerformanceFrequency APIs in Dev-C++
(http://yeohhs.blogspot.com/2005/08/using-queryperformancecounter-and_13.html)
QueryPerformanceCounter() vs. GetTickCount()
http://www.delphifaq.com/faq/delphi_windows_API/f345.shtml
How to time a block of code
http://www.cryer.co.uk/brian/delphi/howto_time_code.htm
And Results of some quick research on timing in Win32 http://www.geisswerks.com/ryan/FAQS/timing.html
With that I'm trying to write something like a uSleep function for windows:


#include<windows.h>

voiduSleep(int waitTime){
__int64 time1 = 0, time2 = 0, sysFreq = 0;

QueryPerformanceCounter((LARGE_INTEGER *)&time1);
QueryPerformanceFrequency((LARGE_INTEGER *)&freq);
do{
QueryPerformanceCounter((LARGE_INTEGER *)&time2);

// }while((((time2-time1)*1.0)/sysFreq)<waitTime);
}while( (time2-time1) <waitTime);
}

There is also already a nanosleep…

More trickery with gnuplot dumb terminal

In my post "Plotting memory usage on console" the chart doesn't pan the data.
Now, using a named pipe, the effect got a little bit nicer.
First, we have to run the memUsage.sh script to get a file filled with memory usage info:
./memUsage.sh > memUsage.dat &
Then we have to create a named pipe:
mkfifo pipe
Now we have to run another process to tail only the last 64 lines from the memUsage.dat
while [ 1 ]; do tail -64 memUsage.dat> pipe; done &
And now we just have to plot the data from the pipe:
watch -n 1 'gnuplot -e "set terminal dumb;p \"pipe\" with lines"'
And that is it!