Re: `tattle` -- automatic reporting of SSH brute-force attacks

On June 4th 2005, C.J. Steele, CISSP wrote:
> Inspired by a post to the SANS Intrusions list, I have written `tattle`
> to automate the reporting of SSH brute-force attacks.
>
> `tattle` is a perl script that crawls through your sshd logs
> (/var/log/messages, or wherever you tell it to look) and finds hosts
> who've connected to your SSH server. All hosts who connect to your
> box, and that are not accounted for in the exception list, are reported
> to the point-of-contact for the domain the host is registered to
> (where available). Long story short, if you stick `tattle` in your
> crontab, you can automate the reporting of ssh brute-force attacks.

Well meant, but the implementation raises a few important issues:

- "my $whois = `/usr/bin/whois $tld`;" isn't really secure
  and literally cries for some exploit. There are enough
  perl modules to resolve this issue, e.g. Net::Whois or Net::XWhois.

- The reverse DNS isn't verified by a lookup on forward DNS.
  So if an attacker has control over his reverse DNS (a popular
  problem with hosting companies of dedicated servers), he can easily
  spoof the reverse DNS in order to point to a completely
  unrelated company (who are likely to ignore your reports).
  Whois on the IP address is likely to give you much better information
  on whom to notify about abuse, as that way you'll usually notify the
  abuser's ISP instead of possibly the abusing user himself.

- getemails() literally grabs =any= email address returned from
  the domain's whois records.
  Whois records often list much more than merely the address
  for reporting abuse, e.g. the domain's registrar, an address for
  the billing contact of the domain and sometimes even the list of users
  who changed this record's whois data.

So from my point of view, the script is simply spewing abuse reports
to many more than the right people (and probably not even the right
ones). Some people believe this to be a fair way, but always keep
in mind that the abuser's ISP is not your enemy; increasing their workload
by sending them the same complaint multiple times and offending them by
spamming abuse reports to unrelated staff is not likely to increase the
chances of well-done LARTs.

The two latter issues can be easily solved by querying the whois
service at whois.cyberabuse.org using the IP address of the offender.
cyberabuse.org takes quite a lot of effort in order to
give you (only) the correct email address to report abuse to,
regardless of the IP-assigning registry and their individual
whois output.

Regards,
Anders
--
Schlund + Partner AG Security
Brauerstrasse 48 v://49.721.91374.50
D-76135 Karlsruhe f://49.721.91374.225
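
The first two points of the reply, sketched in Perl as an added example (not tattle's code and not part of the original message): the logged address is validated and handed to whois as a single argv entry so no shell parses it, and a PTR name is kept only when its forward lookup returns the same IP. The sub names, the injectable resolvers and the sample addresses (documentation ranges) are assumptions made for the illustration; the whois path is the one quoted in the message.

```perl
#!/usr/bin/perl
# Added illustration, not tattle's code. All sub names are hypothetical.
use strict;
use warnings;
use Socket qw(inet_aton inet_ntoa AF_INET);

# Accept only a dotted-quad IPv4 address; any other log-derived text is rejected.
sub valid_ipv4 {
    my ($s) = @_;
    my @o = ($s =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/) or return 0;
    my $too_big = grep { $_ > 255 } @o;
    return $too_big ? 0 : 1;
}

# List-form pipe open: whois gets the address as one argv entry, no shell parses it.
sub whois_ip {
    my ($ip, $server) = @_;
    die "refusing non-IP whois argument\n" unless valid_ipv4($ip);
    open(my $fh, '-|', '/usr/bin/whois', '-h', $server, $ip) or die "whois: $!\n";
    local $/;                       # slurp the whole reply
    my $out = <$fh>;
    close $fh;
    return $out;
}

# Forward-confirmed reverse DNS: keep the PTR name only if it maps back to the IP.
# The two resolvers are passed in so the check can be exercised offline.
sub confirmed_name {
    my ($ip, $ptr_of, $a_of) = @_;
    my $name = $ptr_of->($ip) or return;
    my $maps_back = grep { $_ eq $ip } $a_of->($name);
    return $maps_back ? $name : undef;
}

# Live resolvers for real use (not called below, which runs on constructed data).
sub dns_ptr { my $p = inet_aton($_[0]) or return; return scalar gethostbyaddr($p, AF_INET) }
sub dns_a   { my @h = gethostbyname($_[0]) or return; return map { inet_ntoa($_) } @h[4 .. $#h] }

# Constructed sample data: one honest PTR, one PTR naming an unrelated domain.
my %rev = ('192.0.2.10' => 'host10.isp.example', '198.51.100.7' => 'www.unrelated.example');
my %fwd = ('host10.isp.example' => ['192.0.2.10'], 'www.unrelated.example' => ['203.0.113.5']);
my ($ptr_of, $a_of) = (sub { $rev{$_[0]} }, sub { @{ $fwd{$_[0]} || [] } });

for my $logged ('192.0.2.10', '198.51.100.7', '192.0.2.1; echo x') {
    if (!valid_ipv4($logged)) { print "rejected: '$logged'\n"; next }
    my $name = confirmed_name($logged, $ptr_of, $a_of);
    print "$logged: ", (defined $name ? "PTR confirmed ($name)" : 'PTR unconfirmed, use IP whois'), "\n";
}
```

For live use, pass `\&dns_ptr` and `\&dns_a` as the resolvers and call `whois_ip($ip, 'whois.cyberabuse.org')` only for addresses that passed `valid_ipv4`.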