Re: [OT] Distributed dictionary attack on an ssh server.
François Boisson wrote:
Mine is fairly basic:
General script
I adapted it to my logs, which look like
Dec 1 03:56:47 h5 sshd[1154]: Failed password for root from 93.62.0.122 port 10058 ssh2
Dec 2 14:22:01 h5 sshd[14234]: Failed password for invalid user nicoara from 80.87.64.115 port 60029 ssh2
grep 'Failed password for ' /var/log/auth.log.0 >/tmp/SSH_douteux
grep 'Failed password for ' /var/log/auth.log>>/tmp/SSH_douteux
# collect the list of IPs (field 13 for "invalid user" lines, field 11 for root)
awk '/Failed password for invalid user/ {print $13} /Failed password for root/ {print $11}' < /tmp/SSH_douteux |sort -u > /tmp/SSH_ips
# and we want the FQDNs (reverse lookup of each IP)
while read ip; do echo "$ip $(host $ip)"; done </tmp/SSH_ips >/tmp/SSH_ips_fqdn
# keep only those that have one
awk '/domain name pointer/ {print $1" "$6}' < /tmp/SSH_ips_fqdn > /tmp/SSH_ips_fqdn_trouves
# Then we want the ISP
# note: -F . splits the whole "IP FQDN" line on dots, so $4 is "lastoctet firstlabel"
awk -F . '{
ip=$1"."$2"."$3"."$4;
if ($NF=="arpa") {next}
if ($NF=="") {itld=NF-1}
else {itld=NF}
if ($(itld - 1)=="com" || $(itld - 1) == "net" || $(itld - 1)"."$itld=="co.uk") {print ip" "$(itld-2)"."$(itld-1)"."$itld}
else {print ip" "$(itld-1)"."$(itld)}
}' < /tmp/SSH_ips_fqdn_trouves |sort -k 2 > /tmp/SSH_ip_FAI
There is still a bug, because I get
$ head /tmp/SSH_ip_FAI
117.18.224.147 ns2 mycitycell.com
121.243.0.153 121 vsnl.net.in
123.220.252.2 p58002-ipbffx02marunouchi ne.jp
125.64.96.186 186 163data.com.cn
140.128.127.224 pc224 edu.tw
143.239.159.63 student ucc.ie
63.159.239.143 in-addr.arpa
150.185.222.163 vibora luz.ve
163.222.185.150 in-addr.arpa
152.104.125.13 static-ip-13-125-104-152 dyxnet.com
Not much time left tonight... we'll see tomorrow maybe (more likely next week).
--
Daniel
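An added example (not part of Daniel's script, and not from the original thread) that does the same two steps the script above does, but separates the IP from the hostname on whitespace before splitting the hostname on dots, strips the trailing dot that `host` puts on PTR answers, and skips in-addr.arpa answers. The sample log lines and the sample PTR names are constructed; the list of second-level labels (com, net, co, ne, edu, ...) is an assumption and would need extending for other countries. `resolve_ptrs` is the only part that touches the network and is not exercised by the demo.

```sh
#!/bin/sh
# Constructed sample auth.log lines (not taken from a real host).
SAMPLE_LOG='Dec 1 03:56:47 h5 sshd[1154]: Failed password for root from 93.62.0.122 port 10058 ssh2
Dec 2 14:22:01 h5 sshd[14234]: Failed password for invalid user nicoara from 80.87.64.115 port 60029 ssh2
Dec 2 14:22:05 h5 sshd[14240]: Failed password for invalid user admin from 80.87.64.115 port 60031 ssh2'

# Step 1: unique source IPs. The IP is always the field after "from",
# so the field index no longer depends on "invalid user" being present.
failed_ips() {
    awk '/Failed password for / {
        for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1)
    }' | sort -u
}

# Step 2 (network, not run in the demo): "IP" -> "IP FQDN" via reverse DNS.
# On a "domain name pointer" line from host(1) the FQDN is field 5.
resolve_ptrs() {
    while read -r ip; do
        fqdn=$(host "$ip" 2>/dev/null | awk '/domain name pointer/ { print $5; exit }')
        [ -n "$fqdn" ] && echo "$ip $fqdn"
    done
}

# Step 3: "IP FQDN" -> "IP provider-domain".
# The IP and the hostname are taken as separate whitespace fields, so the
# dot split only ever applies to the hostname.
provider_domain() {
    awk '{
        ip = $1; fqdn = $2
        sub(/\.$/, "", fqdn)                  # host(1) answers end with a dot
        n = split(fqdn, l, ".")
        if (n < 2) next
        last2 = l[n - 1] "." l[n]
        if (last2 == "in-addr.arpa") next     # no usable PTR name
        domain = last2
        # assumed list of second-level labels under which the real owner sits
        if (n >= 3 && l[n - 1] ~ /^(com|net|org|co|ne|edu|ac)$/)
            domain = l[n - 2] "." domain
        print ip " " domain
    }' | sort -k 2
}

# Demo on constructed data; in real use: failed_ips < /var/log/auth.log | resolve_ptrs | provider_domain
printf '%s\n' "$SAMPLE_LOG" | failed_ips
printf '%s\n' \
    "93.62.0.122 dsl-0-122.customers.example-isp.co.uk." \
    "80.87.64.115 static-115.hosting.example.net." \
    "10.0.0.1 1.0.0.10.in-addr.arpa." | provider_domain
```

The constructed input above yields "93.62.0.122 example-isp.co.uk" and "80.87.64.115 example.net", and the in-addr.arpa line produces nothing, which is the output the original awk was aiming for.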