This is the type of investigation you might do to determine how a server had been compromised or to see whether a system is a particular target.
messages.1file from here
ssh application is used to communicate securely between
remote computer systems. It's often used as a remote access tool for
routers, web servers, mail servers, etc.
There are thousands of robots out there looking for systems running
ssh daemon (sshd). When they find an ssh daemon, they
try simple password guessing attacks using common userids (like admin)
and simple passwords (like admin again).
These attacks aren't a serious threat if you've used good passwords.
In Cuckoo's Egg Clifford Stoll described tracking down the Hanover Gang who infiltrated many computer's because the administrators never changed the default login/password from admin/admin.
This lab will look at ways we can extract information from this mass of data. solution
cdcommand to change to the folder with the
You can select only the ssh messages with a command like:
grep sshd messages.1
It's usually safer to avoid finding the match string within another word, by adding a space to the beginning and end of the word and putting quotes around the string like this:
grep ' sshd ' messages.1
Enter this to see what happens.
Rework the previous
grep command so that it has a leading
space and a trailing open-square-bracket.
Note that the
grep command will accept a pattern to match,
as well as exact characters.
This causes some punctuation characters including "*", "[" and "]" to
be special characters. When looking for these characters, they will need to be escaped
to keep the
command from trying to interpret them as something other than the character
that they are.
wccommand will tell you how many lines, words or characters are in a file or in stdin.
wc commands to count number
of ssh Failed logins from the command line.
Notice that there are multiple lines reported for each
You can pipe the results of one
grep to another to remove extra lines.
wcto generate a human readable report like:
There were 12345 Attackssolution
The examples in the lesson used the
echo command to create a file with
certain text in it.
It's easier to work with a file using an editor.
If you are familiar with a general-purpose editor like vi, vim, emacs, pico, nano, kwrite, etc. Feel free to use that. Otherwise, download the free Komodo Edit package from ActiveState
KomodoEdit will run on Windows, Mac, or Linux. We'll use it for the Tcl part of the class.
%> dailyReport.sh 22 613 Attacks on Dec 22
3294 Attacks on Dec 20 2 Attacks on Dec 21 613 Attacks on Dec 22 176 Attacks on Dec 23 0 Attacks on Dec 24 0 Attacks on Dec 25 0 Attacks on Dec 26 0 Attacks on Dec 27
The message.1 file contains messages from these daemons:
for x in 1 2 3 4 do for y in a b c d do echo "$x$y" done done
dhcpd last named ntpd sshd syslogd
Modify the previous code so that it uses two nested loops, one for the daemons and one for the days to report how many times each type of message was generated on each day.
The results should look like this:
183 messages from dhcpd on Dec 20 3 messages from last on Dec 20 2350 messages from named on Dec 20 0 messages from ntpd on Dec 20 8391 messages from sshd on Dec 20 1 messages from syslogd on Dec 20 271 messages from dhcpd on Dec 21 9 messages from last on Dec 21 3198 messages from named on Dec 21 ...
Dec 20 05:26:00 bastion sshd: Invalid user admin from 22.214.171.124 Dec 20 05:26:00 bastion sshd: error: Could not get shadow information for NOUSER Dec 20 05:26:00 bastion sshd: Failed password for invalid user admin from 126.96.36.199 port 55272 ssh2
This means that the previous report reflects the number of lines, not the number of reportable events.
sort command to the
reduce the number of reported messages to the number of unique
forcommand can be the results of another command.
For example, we can extract the IP addresses of sites that have tried to login with an invalid user with a line like this
This could be used with a
grep ssh mess*1 | grep invalid | cut -d ' ' -f 13 | sort -u
forloop to find the number of attacks from each site like this:
This will produce output like this:
for ip in ` grep ssh mess*1 | grep invalid | cut -d ' ' -f 13 | sort -u` do echo "`grep $ip mess*1 | grep invalid | wc -l` invalid logins From $ip" done
Add another loop to iterate through the days of the month and report how many attacks from each IP address occurred on each day. The output should resemble this:
1302 invalid logins From 188.8.131.52 8 invalid logins From 184.108.40.206 94 invalid logins From 220.127.116.11 1 invalid logins From 18.104.22.168
1302 20832 143327 invalid logins From 22.214.171.124 on Dec 20 0 0 0 invalid logins From 126.96.36.199 on Dec 21 0 0 0 invalid logins From 188.8.131.52 on Dec 22 0 0 0 invalid logins From 184.108.40.206 on Dec 23