Re: `tattle` -- automatic reporting of SSH brute-force attacks

To: "C.J. Steele, CISSP" <coreyjsteele@xxxxxxxxx>
Subject: Re: `tattle` -- automatic reporting of SSH brute-force attacks
From: Anders Henke <anders@xxxxxxxxxx>
Date: Tue, 7 Jun 2005 13:33:20 +0200
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <20050605044607.34971.qmail@xxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Schlund + Partner AG
References: <20050605044607.34971.qmail@xxxxxxxxxxxxxxxxxxxxxxx>
User-agent: Mutt/1.5.5.1i

On June 4th 2005, C.J. Steele, CISSP wrote:
> Inspired by a post to the SANS Intrusions list, I have written `tattle`
> to automate the reporting of SSH brute-force attacks.  
> 
> `tattle` is a perl script that crawls through your sshd logs
> (/var/log/messages, or wherever you tell it to look) and finds hosts
> who've connected to your SSH server.  All hosts who connect to your
> box, and that are not accounted for in the exception list, are reported
> to the point-of-contact for the domain the host is registered too
> (where available.)  Long story-short, if you stick `tattle` in your
> cron-tab, you can automate the reporting of ssh brute-force attacks.  

Well meant, but the implementation raises a few important issues:

-"my $whois = `/usr/bin/whois $tld`;"  isn't really secure
 and literally cries for some exploit. There are enough
 perl modules to resolve this issue, e.g. Net::Whois or Net::XWhois

-the reverse dns isn't verified by a lookup on forward dns.
 So if an attacker has control over his reverse dns (popular 
 problem with hosting companies of dedicated servers), he can easily 
 spoof the reverse dns in order to point to a completely
 unrelated company (who are likely to ignore your reports).

 Whois on the IP adress is likely to give you a much better information
 on whom to notify about abuse, as that way you'll usually notify the 
 abuser's ISP instead of possibly the abusing user himself.

-getemails() literally grabs =any= email adress returned from 
 the domains whois-records. 

 Whois records often do list much more than the merely the adress 
 for reporting abuse like e.g. the domain's registrar, an adress for 
 billing contact of the domain and sometimes even the list of users
 who changed this records's whois data.

 So from my point of view, the script is simply spewing abuse reports
 to much more than the right people (and probably even not the right
 ones). Some people believe this to be a fair way, but always keep 
 in mind that the abuser's ISP is not your enemy, increasing their workload
 by sending them the same complaint multiple times and offending them by
 spamming abuse reports to unrelated staff is not likely to increase the 
 chances of well-done LARTs.

The two later issues can be easily solved by querying the whois 
service at whois.cyberabuse.org using the IP adress of the offender.
cyberabuse.org does take quite a lot of efforts in order to 
give you (only) the correct email adress to report abuse to,
regardless of the IP-assigning registry and their individual 
whois output.

Regards,

Anders
-- 
Schlund + Partner AG              Security
Brauerstrasse 48                  v://49.721.91374.50
D-76135 Karlsruhe                 f://49.721.91374.225

References:
- `tattle` -- automatic reporting of SSH brute-force attacks
  - From: C.J. Steele, CISSP

Prev by Date: Re: `tattle` -- automatic reporting of SSH brute-force attacks
Next by Date: drone armies C&C report - May/2005
Previous by thread: Re: `tattle` -- automatic reporting of SSH brute-force attacks
Next by thread: SQL Injection Exploit for Portail PHP < 1.3
Index(es):
- Date
- Thread