My next class:

New Feature: "Live" SSH Brute Force Logs and New Kippo Client

Published: 2014-07-23. Last Updated: 2014-07-23 12:33:07 UTC
by Johannes Ullrich (Version: 1)
19 comment(s)

We are announcing a new feature we have been working on for a while, that will display live statistics on passwords used by SSH brute forcing bots. In addition, we also updated our script that will allow you to contribute data to this effort. Right now, we are supporting the kippo honeypot to collect data. This script will submit usernames, passwords and the IP address of the attacker to our system.

To download the script see https://isc.sans.edu/clients/kippo/kippodshield.pl .

The script uses a new REST API to upload logs to our system. To use it, you will need your API key, which you can retrieve from https://isc.sans.edu/myinfo.html (look in the lower half of the page for the "report parameters").

For data we are collecting so far, see https://isc.sans.edu/ssh.html .

If you have any other systems then kippo collecting similar information (we like to collect username, password and IP address), then please let me know and I will see if we can add the particular log format to this client.

By contributing your logs, you will help us better understand who and why these attacks are performed, and what certain "must avoid" passwords are. Note for example that some of the passwords these scripts try out are not necessarily trivial, but they may be common enough to be worth while brute forcing targets.

---

Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords: brute forcing kippo ssh
19 comment(s)
My next class:

Comments

How about adding a top ten ssh brute forcing attackers by IP listing? (Or is that tacky?)

Anonymous

Jul 23rd 2014
1 decade ago

sure. I think it makes sense to add this.

Anonymous

Jul 24th 2014
1 decade ago

Cool. From the logs, we know what standard username were used. We just do not know what passwords were used.



Possible to create a similar tool for WordPress?
We had a few WordPress sites that are subject to brute force login attempts daily.

Anonymous

Jul 24th 2014
1 decade ago

I've been using a bash script to generate reports based off hosts that are denied by denyhosts.

http://denyhosts.sourceforge.net/

https://github.com/jtdub/ssh_attack_report

Anonymous

Jul 24th 2014
1 decade ago

This is cool. I am using my honeypots to capture these data and sometimes there are very interesting results. I am using my own database and export mechanisms, but I think I should be able to use your API and contribute to your project.

Apart from SSH, I have succesfully captured brute-force attacks against Telnet, POP3, and FTP using scripts for honeyd low-interaction honeypot. POP3 sometimes faced as many brute-force attacks as SSH. It is interesting to compare dictionaries used against different services.

Anonymous

Jul 24th 2014
1 decade ago

Hi,
I am trying to use the script on my server and I am seeing following message when I submit the kippo log (./kippodshield.pl < kippo.log)

Submitting Log
Lines: 1 Bytes: 48

ERROR: Size Mismatch

ERROR: SHA1 Mismatch 32ba1ded0aedb64b48e87c779655a26c2ab7fa56

ERROR: MD5 Mismatch a149c7af6e75bf2f347b525ada2f3950
---

OS is Sci Linux 6.x

Anonymous

Jul 24th 2014
1 decade ago

Sorry, it's taken care of. Didn't remove the square brackets for userid and key. Was able to submit fine after modification.

Submitting Log
Lines: 1 Bytes: 48
Size OK SHA1 OK MD5 OK

Thanks.

Anonymous

Jul 24th 2014
1 decade ago

I'm getting the hash mismatch errors too. I'm using Ubuntu Server 14.04.

Anonymous

Jul 24th 2014
1 decade ago

Removing the brackets fixed it for me too.

Anonymous

Jul 24th 2014
1 decade ago

is still active this project?

i cannot see https://isc.sans.edu/ssh.html page once i logged on

Anonymous

Jan 22nd 2015
9 years ago

Login here to join the discussion.


Top of page
Diary Archives