diff maltfilter @ 4:b2c7c76b3529 maltfilter-0.7
Added scanning feature for SSH root login attempts with failed passwords.
author | Matti Hamalainen <ccr@tnsp.org> |
---|---|
date | Thu, 13 Aug 2009 18:02:53 +0300 |
parents | 368182409eac |
children | ee5f7b8dcdea |
--- a/maltfilter Thu Aug 13 17:44:25 2009 +0300
+++ b/maltfilter Thu Aug 13 18:02:53 2009 +0300
@@ -32,6 +32,7 @@
 "CHK_KNOWN_CGI" => 1,
 "CHK_PHP_XSS" => 1,
 "CHK_PROXY_SCAN" => 1,
+ "CHK_ROOT_SSH_PWD" => 0,
 "CHK_GOOD_HOSTS" => "",
 );
@@ -56,9 +57,21 @@
 ### Check given logfile line for matches
 sub check_log_line($)
 {
- # (1) SSH login scan attempts
- if (/^(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\S*?: Failed password for invalid user \S+ from (\d+\.\d+\.\d+\.\d+)/) {
- check_add_entry($2, $1, "SSHD", $settings{"CHK_SSHD"});
+ # (1) SSHD scans
+ if (/^(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\S*?: (.*)/) {
+ my $mdate = $1;
+ my $merr = $2;
+
+ # (1.1) Generic login scan attempts
+ if ($merr =~ /^Failed password for invalid user \S+ from (\d+\.\d+\.\d+\.\d+)/) {
+ check_add_entry($1, $mdate, "SSHD", $settings{"CHK_SSHD"});
+ }
+ # (1.2) Root SSH login password bruteforcing attempts
+ # NOTICE! Do not enable this setting, if you allow SSH root logins via
+ # password authentication! Mistyping password may get you blocked then. :)
+ elsif (/^Failed password for root from (\d+\.\d+\.\d+\.\d+)/) {
+ check_add_entry($1, $mdate, "Root SSH password bruteforce", $settings{"CHK_ROOT_SSH_PWD"});
+ }
 }
 # (2) Common/known exploitable CGI/PHP software scans (like phpMyAdmin)
 # NOTICE! This matches ERRORLOG, thus it only works if you DO NOT have
@@ -75,13 +88,13 @@
 }
 }
 }
- # Match Apache common logging format GET requests here
+ # (3) Match Apache common logging format GET requests here
 elsif (/(\d+\.\d+\.\d+\.\d+)\s+-\s+-\s+\[(.+?)\]\s+\"GET (\S*?) HTTP\//) {
 my $mdate = $2;
 my $mip = $1;
 my $merr = $3;
- # (3) Simple match for generic PHP XSS vulnerability scans
+ # (3.1) Simple match for generic PHP XSS vulnerability scans
 # NOTICE! If your site genuinely uses (checked) PHP parameters with
 # URIs, you should set CHK_GOOD_HOSTS to match your hostname(s)/IP(s)
 # used in the URIs.
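Review bot: The new root-login branch in check_log_line matches against the whole log line instead of `$merr`: `elsif (/^Failed password for root from (\d+\.\d+\.\d+\.\d+)/)` is anchored with `^`, but `$_` still begins with the syslog timestamp and hostname, so this condition can never be true and the new CHK_ROOT_SSH_PWD setting has no effect. The sibling branch (1.1) binds the sub-match correctly with `$merr =~`; the fix is the one line `elsif ($merr =~ /^Failed password for root from (\d+\.\d+\.\d+\.\d+)/) {`. Running one synthetic "Failed password for root from" line through check_log_line would have exposed this, since the generic branch does not match root lines either and nothing is recorded. check_log_line's body continues past the end of this hunk.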
@@ -90,7 +103,7 @@
 check_add_entry($mip, $mdate, "PHP XSS: $merr", $settings{"CHK_PHP_XSS"});
 }
 }
- # (4) Try to match proxy scanning attempts
+ # (3.2) Try to match proxy scanning attempts
 elsif ($merr =~ /^http:\/\/([^\/]+)/) {
 if (!check_hosts($settings{"CHK_GOOD_HOSTS"}, $1)) {
 check_add_entry($mip, $mdate, "Proxy scan: $merr", $settings{"CHK_PROXY_SCAN"});