Message-ID: <20050607113320.GO27668@schlund.de>
Date: Tue, 7 Jun 2005 13:33:20 +0200
From: Anders Henke <anders@...lund.de>
To: "C.J. Steele, CISSP" <coreyjsteele@...oo.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: `tattle` -- automatic reporting of SSH brute-force attacks


On June 4th 2005, C.J. Steele, CISSP wrote:
> Inspired by a post to the SANS Intrusions list, I have written `tattle`
> to automate the reporting of SSH brute-force attacks.  
> 
> `tattle` is a perl script that crawls through your sshd logs
> (/var/log/messages, or wherever you tell it to look) and finds hosts
> who've connected to your SSH server.  All hosts who connect to your
> box, and that are not accounted for in the exception list, are reported
> to the point-of-contact for the domain the host is registered to
> (where available).  Long story short, if you stick `tattle` in your
> cron-tab, you can automate the reporting of ssh brute-force attacks.  

Well meant, but the implementation raises a few important issues:

-"my $whois = `/usr/bin/whois $tld`;"  isn't really secure
 and literally cries for some exploit. There are enough
 perl modules to resolve this issue, e.g. Net::Whois or Net::XWhois.

-the reverse dns isn't verified by a lookup on forward dns.
 So if an attacker has control over his reverse dns (popular 
 problem with hosting companies of dedicated servers), he can easily 
 spoof the reverse dns in order to point to a completely
 unrelated company (who are likely to ignore your reports).

 Whois on the IP address is likely to give you much better information
 on whom to notify about abuse, as that way you'll usually notify the
 abuser's ISP instead of possibly the abusing user himself.

-getemails() literally grabs =any= email address returned from
 the domain's whois records.

 Whois records often list much more than merely the address
 for reporting abuse, e.g. the domain's registrar, an address for the
 billing contact of the domain and sometimes even the list of users
 who changed this record's whois data.

 So from my point of view, the script is simply spewing abuse reports
 to many more than the right people (and probably not even the right
 ones). Some people believe this to be a fair way, but always keep
 in mind that the abuser's ISP is not your enemy; increasing their workload
 by sending them the same complaint multiple times and offending them by
 spamming abuse reports to unrelated staff is not likely to increase the
 chances of well-done LARTs.

The two latter issues can be easily solved by querying the whois
service at whois.cyberabuse.org using the IP address of the offender.
cyberabuse.org does take quite a lot of effort in order to
give you (only) the correct email address to report abuse to,
regardless of the IP-assigning registry and their individual
whois output.


Regards,

Anders
-- 
Schlund + Partner AG              Security
Brauerstrasse 48                  v://49.721.91374.50
D-76135 Karlsruhe                 f://49.721.91374.225
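Added example (not part of Anders's message and not code from `tattle`): the three points above, shown as small Python building blocks a reporter script could use. It assumes a whois client at /usr/bin/whois that accepts `-h HOST`, and that the abuse contact appears under the `abuse-mailbox:` (RIPE/APNIC) or `OrgAbuseEmail:` (ARIN) label; the whois record and the resolver tables below are constructed for the example, and the real output format of whois.cyberabuse.org is not assumed.

```python
"""Safer building blocks for a tattle-style SSH brute-force reporter.

Shows: (1) no shell interpolation of untrusted data (argv list plus an
IP-literal check instead of backticks), (2) forward-confirmed reverse
DNS before trusting a PTR name, (3) extracting only the abuse contact
from a whois record rather than every email address in it.
"""
import ipaddress
import re
import socket
import subprocess
from typing import Any, Callable, Iterable, List, Optional

WHOIS_BIN = "/usr/bin/whois"                 # path assumed for this example
ABUSE_WHOIS_HOST = "whois.cyberabuse.org"    # server named in the message


def validate_ip(text: str) -> Optional[str]:
    """Return a normalized IP literal, or None if text is not an address.

    Anything that is not a bare IP (shell metacharacters, hostnames,
    leading dashes) is rejected before it can reach a subprocess.
    """
    try:
        return str(ipaddress.ip_address(text.strip()))
    except ValueError:
        return None


def whois_argv(ip: str, host: str = ABUSE_WHOIS_HOST) -> List[str]:
    """Build the argv for an IP whois lookup; no shell is involved."""
    addr = validate_ip(ip)
    if addr is None:
        raise ValueError(f"refusing non-IP whois argument: {ip!r}")
    return [WHOIS_BIN, "-h", host, addr]


def run_whois(ip: str, host: str = ABUSE_WHOIS_HOST,
              runner: Callable[..., Any] = subprocess.run) -> str:
    """Run whois with an argument list (never shell=True) and return stdout."""
    proc = runner(whois_argv(ip, host), capture_output=True, text=True, timeout=30)
    return proc.stdout


def _default_reverse(ip: str) -> str:
    return socket.gethostbyaddr(ip)[0]


def _default_forward(name: str) -> List[str]:
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def forward_confirmed_rdns(ip: str,
                           reverse: Callable[[str], str] = _default_reverse,
                           forward: Callable[[str], Iterable[str]] = _default_forward
                           ) -> Optional[str]:
    """Return the PTR name for ip only if that name resolves back to ip.

    Whoever holds the reverse zone controls the PTR record, so on its own
    it proves nothing about the owner; requiring the forward lookup to
    agree is the usual forward-confirmed reverse DNS (FCrDNS) check.
    """
    try:
        name = reverse(ip)
        addrs = set(forward(name))
    except OSError:
        return None
    return name if ip in addrs else None


# Only these labels are treated as the abuse contact; registrar, billing
# and "changed by" addresses elsewhere in the record are ignored.
ABUSE_LINE = re.compile(
    r"^\s*(?:abuse-mailbox|OrgAbuseEmail)\s*:\s*(\S+@\S+)", re.I | re.M)


def abuse_contacts(whois_text: str) -> List[str]:
    """Extract abuse-contact addresses only, deduplicated, in order seen."""
    seen: List[str] = []
    for addr in ABUSE_LINE.findall(whois_text):
        addr = addr.lower()
        if addr not in seen:
            seen.append(addr)
    return seen


# Constructed sample record (not real registry data) mixing one abuse
# contact with the kinds of addresses getemails() would also have grabbed.
SAMPLE_WHOIS = """\
inetnum:        192.0.2.0 - 192.0.2.255
org-name:       Example Hosting (sample)
e-mail:         billing@hosting.example
abuse-mailbox:  abuse@hosting.example
changed:        someone@registrar.example 20050601
OrgAbuseEmail:  abuse@hosting.example
"""

if __name__ == "__main__":
    print(whois_argv("192.0.2.10"))
    print(abuse_contacts(SAMPLE_WHOIS))
```

The resolver and subprocess runner are injectable so the checks can be exercised offline; in a real reporter the defaults (socket lookups and subprocess.run) are used unchanged, and the address handed to whois is always the validated IP literal, never a string pasted into a shell command.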

