[blog.rayfoo] Infosec, DFIR, tech geekery, thoughts and whatnot

13 Mar 2010

Fun with Splunk: SSHD

Thought I'd share a bit on the tip of the iceberg of what can be done with Splunk. Linux command line tools are still much needed for raw log analysis (since we can't have the luxury of a Splunk installation around and ready whenever we need it), but if set up and running properly, Splunk can be pretty helpful (not to mention faster) for some things.

(This post is pretty unpolished, partly because I can't be bothered to fiddle around with fitting the search strings into the width of the post, etc. Nonetheless, comments/discussions are always welcome heh)

One of my favourite tasks in log analysis is to get information on the people/bots that are brute forcing SSHD, so let's start with SSH attacks as an example.
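The kind of raw-log analysis the post refers to, as an added example (not from the original post): parsing sshd "Failed password" lines from a syslog-format auth log, collecting the usernames tried, and counting failures per source address. The log lines and the threshold of 3 are constructed for the example; the addresses are RFC 5737 documentation ranges.

```python
import re
from collections import Counter

# Matches sshd "Failed password" lines as written to auth.log / secure (syslog format).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log lines; 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24
# are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Mar 13 02:11:45 srv sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 13 02:11:47 srv sshd[1234]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar 13 02:11:49 srv sshd[1234]: Failed password for invalid user oracle from 203.0.113.7 port 51238 ssh2
Mar 13 02:12:01 srv sshd[1240]: Invalid user test from 198.51.100.9
Mar 13 02:12:03 srv sshd[1240]: Failed password for invalid user test from 198.51.100.9 port 40000 ssh2
Mar 13 02:15:00 srv sshd[1250]: Accepted publickey for ray from 192.0.2.5 port 2222 ssh2
"""


def parse_failures(log_text):
    """Yield (user, ip) for every failed-password line; all other lines are skipped."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def summarize(log_text, threshold=3):
    """Return the deduplicated username list (case-insensitively sorted, like the
    namelist in the next post), per-source failure counts, and the sources with
    at least `threshold` failures, i.e. the likely brute forcers."""
    users = set()
    per_ip = Counter()
    for user, ip in parse_failures(log_text):
        users.add(user)
        per_ip[ip] += 1
    suspects = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return sorted(users, key=str.lower), per_ip, suspects


if __name__ == "__main__":
    names, counts, suspects = summarize(SAMPLE_LOG)
    print("usernames tried:", " ".join(names))
    for ip, n in counts.most_common():
        print(f"{n:5d}  {ip}")
    print("sources at/over threshold:", suspects)
```

Against a real auth.log the same script is run as `python3 sshfail.py < /var/log/auth.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; the Splunk equivalent is a search over the same "Failed password" events with `stats count by src_ip`.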

24 Feb 2010

SSH brute force namelist

It's weird, but therapeutic to see what kind of data has been gathered from the public server...

Today's feature: the list of user IDs that have been used in brute force attempts on ssh to date! *drum roll*

From the looks of this list, some of these people/botnet operators think I'm German/Spanish/Japanese. Either that's really weird, or these botnets are just whacking away without using the correct wordlist.

00089 0123456789 a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa Aadolf Aaliyah Aamu Aapeli aaron Aaron aarti abby abcs abel admin administrator adolfo agata alberto alexandre alexis alias amministratore ana andrew angel anthony anti art arthur backuppc bang bb benjie bind bob bond brian caja cameron candie candy carey cargan carina carissa carl carla carlo carrie cgarcia cgi-bin cis42 cisco clement conter coo cristi cristian cristina cristinel cs cvsroot da damian dasusr1 dati dave db2fenc1 db2inst1 desiree director djeli dk dke dl dle dm dmaac dme dmitra documenti domin Doo doris dragon droguri ebony ecampaig echo ed enzo fax fedora felipe fido finance foc francois ftp ftpuser gary ghost goncalo grant gt05 guest haiduc haitac hammer happiness hugo iasiasur ibiza information informix ionita ipbx jay jd jean joan johan joomla joseluis julius julius123 jun jurca kato kidskhan li71-183 li71-183.members.linode library lord ls lschmidt lscsymbiosis lsnoxell lucas lucia m magnos marian mark marketing marta mathis medina mercedes miguel mike miranda mireya mlmb monica montrelle myky mythtv nagios nana natalia natasha nathan nelson nicoara nlopez no nrg nu office offsite operatore oracle owen pamela pgsl plcmspip PlcmSpIp porno pos post postgres power powered prchal prueba pubblico public q1 r00t raimundo ram reboot recepcion recruit rene ricardo roby rocio Root root123 roto ruut sales samba sami scan se sebastian services sims sims2 sistema skbae skin skipe skype skywalker slayer spam sshadmin sshdu sss staff stan std015 stephanie stone stud student student1 sue swadok sybille teamspeak TeamSpeak teapa tech ted telegest temp test test1 theo thomas thx1138 tom tomcat tony trash ts tss upload user user1 utente ven vh vic vicky victor violet vn volume vova webadmin wen william WinD3str0y work xwang xwp yamazaki yes zoro

20 Oct 2009

SSH brute force connection attempts #fail

Collected these over the past few months, reverse chronological order. Seeing different machines attempting to connect hundreds of times a day each is just, wow.

Some might say that an SSH blacklist daemon might help, but it only increases the time taken for a brute force attempt, and is of no use against a botnet trying to brute force the ssh login.

There are plenty of things that can be done to lock down the ssh server, and restricting it to public-key authentication only is by far one of the most effective, given that the resource (the server) you're protecting is pretty important.