- Apr 25, 2015
By default, the SSH (Secure Shell) protocol uses TCP port 22.
More specifically, an SSH client connects to TCP port 22 on a server running sshd (the SSH daemon), the listener that speaks the protocol.
When someone attempts to log in to your SSH service, sshd records the attempt in the utmp-family files: successful logins go to wtmp, failed ones to btmp.
From https://en.wikipedia.org/wiki/Utmp: "utmp, wtmp, btmp and variants such as utmpx, wtmpx and btmpx are files on Unix-like systems that keep track of all logins and logouts to the system."
Let's go find these logs!
Code:
cd /var/log
ls -la | grep utmp
I am seeing these:
Code:
root@get:/var/log# ls -la | grep utmp
-rw-rw---- 1 root utmp 2193792 Nov 21 15:41 btmp
-rw-rw-r-- 1 root utmp 32412 Nov 21 13:27 lastlog
-rw-rw-r-- 1 root utmp 5760 Nov 21 13:27 wtmp
We can use utmpdump (from util-linux) to decode these binary files. Note the 0660 root:utmp mode on btmp: failed-login records regularly contain passwords that people typed into the username prompt by mistake, so keep it unreadable to ordinary users.
For example:
Code:
utmpdump btmp
On Ubuntu, lastb reads the same /var/log/btmp, so utmpdump btmp and lastb show the same records (lastb prints the newest first, so compare them by reading one backwards). /var/log/lastlog is a different, per-UID format that utmpdump cannot decode; read it with the lastlog program that shares its name:
Code:
utmpdump btmp
lastb -10
Shows me:
Code:
[6] [31011] [ ] [leil ] [ssh:notty ] [106.52.50.225 ] [106.52.50.225 ] [2019-11-21T15:42:33,000000+00:00]
[6] [31011] [ ] [leil ] [ssh:notty ] [106.52.50.225 ] [106.52.50.225 ] [2019-11-21T15:42:35,000000+00:00]
[6] [31019] [ ] [root ] [ssh:notty ] [222.186.52.78 ] [222.186.52.78 ] [2019-11-21T15:43:10,000000+00:00]
[6] [31019] [ ] [root ] [ssh:notty ] [222.186.52.78 ] [222.186.52.78 ] [2019-11-21T15:43:13,000000+00:00]
[6] [31019] [ ] [root ] [ssh:notty ] [222.186.52.78 ] [222.186.52.78 ] [2019-11-21T15:43:17,000000+00:00]
You can pull your statistics out of these files and then truncate them if you want, but you usually don't have to: the default logrotate configuration rotates them. Per-package rules live in /etc/logrotate.d, while on Debian/Ubuntu the wtmp and btmp stanzas sit in /etc/logrotate.conf itself; logrotate -d <config> dry-runs a config and shows what it would do.
To check your logrotate settings, go here and list the files:
Code:
cd /etc/logrotate.d
ls -la
An example config (open it with nano nginx) looks like this:
Code:
/var/log/nginx/*.log {
    daily
    missingok
    rotate 14
    compress
    delaycompress
    notifempty
    create 0640 www-data adm
    sharedscripts
    prerotate
        if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
            run-parts /etc/logrotate.d/httpd-prerotate; \
        fi \
    endscript
    postrotate
        invoke-rc.d nginx rotate >/dev/null 2>&1
    endscript
}
I could go on forever about logrotate (mailing rotated logs, the usual annoyances you hit when you don't read the manual), but let's get back on track: counting the IP addresses with failed logins.
Code:
cd /var/log
utmpdump -f follows the file and prints new records as they are appended, like tail -f:
Code:
utmpdump -f btmp
Now whenever someone fails an SSH login, I see the username they supplied right away.
For analysis we want the decoded records written to a file we can parse:
Code:
root@get:/var/log# utmpdump btmp -o /root/spawnstar
Now let's go look at our new spawnstar dumped log!
Code:
cd /root/
cat spawnstar
Looks pretty good; time to parse this log. We have done other parsing with bash before.
What usernames are being used?
Code:
cat spawnstar | cut -d "[" -f 5 | cut -d "]" -f 1
Sorting gives a tidier view:
Code:
cat spawnstar | cut -d "[" -f 5 | cut -d "]" -f 1 | sort
Lots of repeats; how do we get counts?
Code:
cat spawnstar | cut -d "[" -f 5 | cut -d "]" -f 1 | sort | uniq -c | sort -n
This gives you what you actually wanted:
Code:
10 nagios
10 named
10 oracle
10 support
11 uucp
12 123
12 ching
12 hung
12 lisa
12 web
12 webadmin
12 www
14 apache
14 operator
16 123456
16 gdm
16 http
16 webmaster
16 wwwrun
18 dovecot
18 host
18 rpc
18 squid
20 pcap
22 vcsa
46 backup
66 guest
66 mysql
72 test
90 server
152 admin
1563 root
If you are anything like me, the leading whitespace uniq -c produces bothers you.
Simple fix: reassigning $1 makes awk rebuild the line with single spaces.
Code:
cat spawnstar | cut -d "[" -f 5 | cut -d "]" -f 1 | sort | uniq -c | sort -n | awk '{$1=$1};1'
And here we have the cleanly presented data on which usernames are tried most often (this is about 24h of data; we just launched our new download server):
Code:
6 ts3
7 mail
8 daemon
8 ftpuser
8 info
8 nobody
8 postgres
8 ssh
8 ubuntu
8 user
8 wwwadmin
8 www-data
8 yoyo
10 asterisk
10 bin
10 hadoop
10 home
10 ident
10 nagios
10 named
10 oracle
10 support
11 uucp
12 123
12 ching
12 hung
12 lisa
12 web
12 webadmin
12 www
14 apache
14 operator
16 123456
16 gdm
16 http
16 webmaster
16 wwwrun
18 dovecot
18 host
18 rpc
18 squid
20 pcap
22 vcsa
46 backup
66 guest
66 mysql
72 test
90 server
152 admin
1563 root
Username data is interesting, but we really want to know which hosts are the offenders: give me the IP. Be glad SSH runs over TCP: a client has to complete the three-way handshake before sshd logs anything, so the addresses in btmp are ones the attacker actually controls, not spoofed the way a UDP source address could be to flood your logs. Every so often someone proposes "SSH over UDP"; no thanks.
Let's cat the file again.
Code:
cat spawnstar
Okay, look closely at the [ characters and count them:
Code:
[6] [31151] [ ] [root ] [ssh:notty ] [222.186.52.78 ] [222.186.52.78 ] [2019-11-21T15:57:02,000000+00:00]
Lazy? Fine, have grep highlight them:
Code:
cat spawnstar | grep --color=always "\["
The IP address sits after the sixth [ counting from the left. cut -d "[" numbers the pieces from 1, starting with whatever precedes the first [, so the text after the sixth [ is field 7; that is the -f 7 below (field 8, the next bracket, is utmpdump's addr column and normally holds the same address):
Code:
cat spawnstar | cut -d "[" -f 7 | cut -d "]" -f 1
Now we see something like:
Code:
40.83.184.32
112.217.207.130
112.217.207.130
182.61.136.53
129.226.67.136
222.186.52.78
222.186.52.78
222.186.52.78
This should work; now apply the same counting pipeline as before:
Code:
cat spawnstar | cut -d "[" -f 7 | cut -d "]" -f 1 | sort | uniq -c | sort -n | awk '{$1=$1};1'
We now know our noisiest neighbours in the IPv4 space, i.e. the Internet:
Code:
93 80.211.13.167
93 83.48.89.147
94 104.236.252.162
95 106.12.82.70
97 185.49.86.54
98 103.40.235.233
98 182.75.248.254
99 52.176.110.203
100 157.230.63.232
100 89.222.181.58
101 96.30.160.186
129 94.23.25.77
167 41.77.145.34
277 222.186.52.78
715 49.88.112.113
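The same username and host tallies, as an added example that is not from the original post: a POSIX sh script that splits utmpdump records by bracket field instead of counting [ characters, keeps only the ssh records, handles IPv6 clients, and lists the hosts over a failure threshold ready for a deny list. The count_field, top_offender and hosts_over helpers and the sample records are constructed for this example (the records mirror the utmpdump format shown above).

```sh
#!/bin/sh
# Added example, not code from the original post: tally usernames and source
# hosts from utmpdump output by field name instead of counting '[' by hand,
# and list the hosts that exceed a failure threshold.
#
# utmpdump prints one record per line as eight bracketed fields:
#   [type] [pid] [id] [user] [line] [host] [addr] [time]
# Splitting on both '[' and ']' (awk -F'[][]') puts bracket field N in $(2*N),
# so the user is $8, the line is $10 and the host is $12.

# Constructed sample records in the utmpdump shape (not real log data). The
# last one is an IPv6 client, which needs no special handling because the
# host field holds whatever sshd recorded.
SAMPLE_BTMP='[6] [31011] [    ] [leil    ] [ssh:notty   ] [106.52.50.225   ] [106.52.50.225   ] [2019-11-21T15:42:33,000000+00:00]
[6] [31011] [    ] [leil    ] [ssh:notty   ] [106.52.50.225   ] [106.52.50.225   ] [2019-11-21T15:42:35,000000+00:00]
[6] [31019] [    ] [root    ] [ssh:notty   ] [222.186.52.78   ] [222.186.52.78   ] [2019-11-21T15:43:10,000000+00:00]
[6] [31019] [    ] [root    ] [ssh:notty   ] [222.186.52.78   ] [222.186.52.78   ] [2019-11-21T15:43:13,000000+00:00]
[6] [31019] [    ] [root    ] [ssh:notty   ] [222.186.52.78   ] [222.186.52.78   ] [2019-11-21T15:43:17,000000+00:00]
[6] [31151] [    ] [admin   ] [ssh:notty   ] [2001:db8::5     ] [2001:db8::5     ] [2019-11-21T15:57:02,000000+00:00]'

# count_field user|host: read utmpdump records on stdin and print "count value",
# least frequent first, with the bracket padding stripped.
count_field() {
  case "$1" in
    user) col=8 ;;
    host) col=12 ;;
    *) echo "usage: count_field user|host" >&2; return 1 ;;
  esac
  awk -F'[][]' -v col="$col" '
    $10 ~ /^ssh/ {                 # only ssh records; skip console/tty entries
      v = $col
      gsub(/^ +| +$/, "", v)       # strip the padding utmpdump adds inside the brackets
      if (v != "") print v
    }' | sort | uniq -c | sort -n | awk '{$1=$1};1'
}

# top_offender user|host: the single most frequent value, as "count value".
top_offender() { count_field "$1" | tail -n 1; }

# hosts_over N: hosts with at least N failed attempts, most frequent first,
# one per line, suitable as input for a firewall deny list.
hosts_over() {
  count_field host | sort -rn | awk -v n="$1" '$1 >= n { print $2 }'
}

# Stand-alone run over the constructed sample.
echo "== usernames =="; printf '%s\n' "$SAMPLE_BTMP" | count_field user
echo "== hosts ==";     printf '%s\n' "$SAMPLE_BTMP" | count_field host
echo "== hosts with 2+ failures =="; printf '%s\n' "$SAMPLE_BTMP" | hosts_over 2
```

On a live box replace the sample with `utmpdump /var/log/btmp | count_field host`; the filter on the line field matters because btmp also records failed console logins, which have no remote host.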
Mr. 49.88.112.113, who do you think you are?
49.88.112.113 IP Address Details - IPinfo.io (AS4134 CHINANET-BACKBONE; geolocation, hostname and API details): ipinfo.io
Of course: CHINANET Jiangsu province network. Blocking all of China is tempting, but a country block is a blunt instrument and the next botnet node outside it sidesteps it. Either way, you really should be hardening your sshd config: move it to an alternative port and use a stronger form of authentication than passwords.
Edit your sshd config
Code:
nano /etc/ssh/sshd_config
Change settings like these:
PermitRootLogin yes ---> PermitRootLogin no
#Port 22 ---> Port 9987
#MaxAuthTries 6 ---> MaxAuthTries 1
#LoginGraceTime 2m ---> LoginGraceTime 1m
#MaxSessions 10 ---> MaxSessions 2
One caveat on MaxAuthTries 1: every public key the client offers counts as an attempt, so a user with several keys loaded in ssh-agent can be refused before the right one is tried; 3 is a safer floor. These are just a couple of ways to harden your environment. After changing the config, validate it with sshd -t, then restart sshd (on Ubuntu the service is named ssh, so use service ssh restart; sshd is the name on RHEL-style systems):
service sshd restart
Keep your current session open until a fresh login on the new port has worked, and open that port in your firewall before you restart. You may certainly explore more hardening options, and look into Fail2Ban for protecting SSH.
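One way to make those sshd_config changes repeatably, as an added example rather than the post's own procedure: a POSIX sh script that rewrites directives idempotently, leaves Match blocks and commented defaults intact, adds key-only authentication (PasswordAuthentication no) as the stronger authentication mentioned above, uses MaxAuthTries 3 instead of 1 because each offered key counts as a try, and asks sshd -t to parse the result before anything is restarted. The directive list, the values, the set_directive/active_value/check_config helpers and the sample config are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not code from the original post: apply sshd_config changes
# with a script instead of editing by hand, so the result is idempotent and is
# checked before sshd is restarted. Directives, values and helper names below
# are this example's choices; adjust them to your host.

# set_directive FILE KEY VALUE
# sshd uses the FIRST occurrence of a directive, and directives before the first
# "Match" block apply globally. So: drop every active global occurrence of KEY
# (commented defaults and Match blocks are left alone) and put "KEY VALUE" at
# the top of the file. Running it twice yields the same file.
set_directive() {
  file=$1 key=$2 value=$3
  lkey=$(printf '%s' "$key" | tr 'A-Z' 'a-z')      # sshd keywords are case-insensitive
  { printf '%s %s\n' "$key" "$value"
    awk -v key="$lkey" '
      /^[ \t]*[Mm]atch[ \t]/ { in_match = 1 }
      !in_match && tolower($1) ~ "^" key "(=|$)" { next }   # "Key value" or "Key=value"
      { print }' "$file"
  } > "$file.tmp" && mv "$file.tmp" "$file"          # no sed -i: it differs between GNU and BSD
}

# active_value FILE KEY: the global value sshd will actually use (first
# "Key value" line before any Match block); empty if the built-in default applies.
active_value() {
  lkey=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  awk -v key="$lkey" '
    /^[ \t]*[Mm]atch[ \t]/ { exit }
    tolower($1) == key { print $2; exit }' "$1"
}

# harden_sshd_config FILE: the changes from the post plus key-only authentication.
harden_sshd_config() {
  set_directive "$1" PermitRootLogin no
  set_directive "$1" PasswordAuthentication no    # keys only
  set_directive "$1" PubkeyAuthentication yes
  set_directive "$1" Port 9987
  set_directive "$1" MaxAuthTries 3               # not 1: each key the client offers counts as a try
  set_directive "$1" LoginGraceTime 1m
  set_directive "$1" MaxSessions 2
}

# check_config FILE: have sshd parse FILE; never restart on a config that fails this.
check_config() {
  if command -v sshd >/dev/null 2>&1; then
    sshd -t -f "$1"
  else
    echo "sshd not found; skipping syntax check of $1" >&2
  fi
}

# Constructed sample config (not a real server's file). The Match block keeps
# password logins for the LAN and must survive the rewrite untouched.
SAMPLE_SSHD_CONFIG='#Port 22
PermitRootLogin yes
#MaxAuthTries 6
#LoginGraceTime 2m
#MaxSessions 10
PasswordAuthentication yes
Match Address 10.0.0.0/8
    PasswordAuthentication yes'

# Stand-alone run on a temporary copy of the sample.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$demo"
harden_sshd_config "$demo"
cat "$demo"
echo "effective Port: $(active_value "$demo" Port)"
check_config "$demo" || echo "config rejected; fix it before restarting sshd" >&2
rm -f "$demo"
```

Point it at /etc/ssh/sshd_config (after a backup), run check_config, open the new port in the firewall, then restart the service while your current session stays open.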