Thursday, June 09, 2005

[TOOL] Tattle - Automatic Reporting Of SSH Brute-Force Attacks

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

DETAILS

Tattle is a Perl script that crawls through your sshd logs (usually
/var/log/messages) and finds the hosts that have connected to your SSH server.
Every host that connects to your box and is not accounted for in the
exception list is reported to the point of contact for the domain the
host is registered to (where available).

Code:
#!/usr/bin/perl
# tattle by C.J. Steele, CISSP <coreyjsteele@yahoo.com>
# (C)opyright 2005, C.J. Steele, all rights reserved.
#
# NOTICE: you're on your own with whatever 'messes' reporting this sort of
# activity may create...you've been warned.
#
# This script processes log files and attempts to automatically notify domain
# authorities of machines in their domain that are actively performing SSH
# brute-force attacks. Mangle the variables above the warning to your liking,
# but it would be advisable not to venture past the warning unless you know a
# bit of perl and are comfortable doing so.
#
use strict;
use warnings;
use MIME::Lite;
use File::MkTemp;

my $logfile     = "/var/log/messages";            # the place where ssh logs to
my $tmpdir      = "/tmp";                         # for use when we write out our logs
my @exceptions  = ( "10.10.10.10", "your.net" );  # domains not to notify of ssh attacks, i.e. your domains
my $smtp_host   = "localhost";                    # your mail server
my $smtp_sendas = "your\@email.com";              # a VALID e-mail address to send the e-mails out as
my $smtp_message = "An attempt to brute-force account passwords over SSH "
    . "has been detected by a machine in your domain. Attached are logs "
    . "indicating the times and dates of the activity. Please take the necessary "
    . "action(s) to stop this activity. If you have any questions, please reply "
    . "to this email or contact me at $smtp_sendas.";   # the nasty-gram

########################################################################
# DO NOT MUCK AROUND BELOW THIS POINT UNLESS YOU KNOW WHAT YOU'RE DOING
########################################################################

my @offenders = getoffenders( $logfile );

foreach my $offender ( @offenders )
{
    my $tld    = gettld( $offender );
    my @addies = getemails( $tld );
    if( scalar( @addies ) )
    {
        # write the offender's log lines to a file under $tmpdir and get its path
        my $logpath = writelogs( getlogs( $offender ) );
        foreach my $addie ( @addies )
        {
            # create the email...
            my $email = MIME::Lite->new(
                From    => "$smtp_sendas",
                To      => "$addie",
                Cc      => "$smtp_sendas",
                Subject => "SSH Brute-force Attack",
                Type    => "TEXT",
                Data    => "$smtp_message"
            );
            # attach our log files/evidence...
            $email->attach(
                Type     => 'text/plain',
                Path     => $logpath,
                Filename => "$offender.txt"
            );
            $email->send( 'smtp', "$smtp_host" );
            print "I: e-mail sent to $addie ($offender)\n";
        }
    }
}

# NOTE: the subroutines getoffenders(), gettld(), getemails(), getlogs() and
# writelogs() are called above but were cut off in this posting of the script
# and are not reproduced here.
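As an added illustration of the log-scanning step the script relies on (the getoffenders() and getlogs() calls above), here is a Python version that is not part of Tattle or the author's code: it counts failed-password attempts per source address in sshd syslog lines, drops addresses on the exception list, and collects the evidence lines for each remaining host. The sshd log lines are constructed, and the failure threshold is an assumption of this example (the original description reports every non-excepted host that connects); exceptions are matched as plain addresses, since matching a domain suffix like "your.net" would need a reverse lookup.

```python
import re
from collections import defaultdict

# Constructed sample sshd lines in the syslog format found in /var/log/messages.
SAMPLE_LOG = """\
Jun  9 03:14:01 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 4412 ssh2
Jun  9 03:14:03 host sshd[2203]: Failed password for invalid user test from 203.0.113.7 port 4418 ssh2
Jun  9 03:14:05 host sshd[2205]: Failed password for root from 203.0.113.7 port 4421 ssh2
Jun  9 03:14:07 host sshd[2207]: Failed password for invalid user oracle from 203.0.113.7 port 4430 ssh2
Jun  9 03:20:11 host sshd[2300]: Failed password for alice from 10.10.10.10 port 5000 ssh2
Jun  9 03:20:15 host sshd[2301]: Accepted publickey for alice from 10.10.10.10 port 5001 ssh2
Jun  9 03:25:00 host sshd[2400]: Failed password for bob from 198.51.100.2 port 6000 ssh2
Jun  9 03:25:30 host sshd[2401]: Accepted password for bob from 198.51.100.2 port 6001 ssh2
"""

# One failed authentication; group 1 is the username, group 2 the source address.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
# Any sshd event carrying a source address (used to collect evidence lines).
SOURCE_RE = re.compile(r"sshd\[\d+\]: .* from (\S+) port \d+")


def get_offenders(log_text, exceptions, threshold=3):
    """Source addresses with at least `threshold` failed password attempts,
    excluding anything listed in `exceptions` (an iterable of addresses).
    The threshold is this example's assumption, not part of Tattle."""
    failures = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
    skip = set(exceptions)
    return sorted(ip for ip, n in failures.items() if n >= threshold and ip not in skip)


def get_logs(log_text, ip):
    """Every sshd line whose source address is `ip`: the evidence for the report."""
    evidence = []
    for line in log_text.splitlines():
        m = SOURCE_RE.search(line)
        if m and m.group(1) == ip:
            evidence.append(line)
    return evidence


if __name__ == "__main__":
    for ip in get_offenders(SAMPLE_LOG, exceptions=["10.10.10.10"]):
        print(f"{ip}: {len(get_logs(SAMPLE_LOG, ip))} log lines of evidence")
```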
