# HG changeset patch # User Matti Hamalainen # Date 1250175773 -10800 # Node ID b2c7c76b3529544f7cb1b560e2762712791f7c78 # Parent 368182409eacf323b14f781898bf03305a46135f Added scanning feature for SSH root login attempts with failed passwords. diff -r 368182409eac -r b2c7c76b3529 example.conf --- a/example.conf Thu Aug 13 17:44:25 2009 +0300 +++ b/example.conf Thu Aug 13 18:02:53 2009 +0300 @@ -38,6 +38,11 @@ CHK_PROXY_SCAN = 1 CHK_GOOD_HOSTS = "example.org|google.com|74.125.45.100" +# Notice! ONLY enable this setting, if you have disabled password root +# logins from sshd_config (e.g. you have "PermitRootLogin without-password") +# or that alternatively you have defined "safe" hosts in NOBLOCK_HOSTS below. +CHK_ROOT_SSH_PWD = 0 + # Maltfilter logfile path and name (set empty "" if you don't want logging) LOGFILE = "/var/log/maltfilter" diff -r 368182409eac -r b2c7c76b3529 maltfilter --- a/maltfilter Thu Aug 13 17:44:25 2009 +0300 +++ b/maltfilter Thu Aug 13 18:02:53 2009 +0300 @@ -32,6 +32,7 @@ "CHK_KNOWN_CGI" => 1, "CHK_PHP_XSS" => 1, "CHK_PROXY_SCAN" => 1, + "CHK_ROOT_SSH_PWD" => 0, "CHK_GOOD_HOSTS" => "", ); 
@@ -56,9 +57,21 @@ ### Check given logfile line for matches sub check_log_line($) { - # (1) SSH login scan attempts - if (/^(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\S*?: Failed password for invalid user \S+ from (\d+\.\d+\.\d+\.\d+)/) { - check_add_entry($2, $1, "SSHD", $settings{"CHK_SSHD"}); + # (1) SSHD scans + if (/^(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\S*?: (.*)/) { + my $mdate = $1; + my $merr = $2; + + # (1.1) Generic login scan attempts + if ($merr =~ /^Failed password for invalid user \S+ from (\d+\.\d+\.\d+\.\d+)/) { + check_add_entry($1, $mdate, "SSHD", $settings{"CHK_SSHD"}); + } + # (1.2) Root SSH login password bruteforcing attempts + # NOTICE! Do not enable this setting, if you allow SSH root logins via + # password authentication! Mistyping password may get you blocked then. :) + elsif (/^Failed password for root from (\d+\.\d+\.\d+\.\d+)/) { + check_add_entry($1, $mdate, "Root SSH password bruteforce", $settings{"CHK_ROOT_SSH_PWD"}); + } } # (2) Common/known exploitable CGI/PHP software scans (like phpMyAdmin) # NOTICE! This matches ERRORLOG, thus it only works if you DO NOT have @@ -75,13 +88,13 @@ } } } - # Match Apache common logging format GET requests here + # (3) Match Apache common logging format GET requests here elsif (/(\d+\.\d+\.\d+\.\d+)\s+-\s+-\s+\[(.+?)\]\s+\"GET (\S*?) HTTP\//) { my $mdate = $2; my $mip = $1; my $merr = $3; - # (3) Simple match for generic PHP XSS vulnerability scans + # (3.1) Simple match for generic PHP XSS vulnerability scans # NOTICE! If your site genuinely uses (checked) PHP parameters with # URIs, you should set CHK_GOOD_HOSTS to match your hostname(s)/IP(s) # used in the URIs. 
@@ -90,7 +103,7 @@ check_add_entry($mip, $mdate, "PHP XSS: $merr", $settings{"CHK_PHP_XSS"}); } } - # (4) Try to match proxy scanning attempts + # (3.2) Try to match proxy scanning attempts elsif ($merr =~ /^http:\/\/([^\/]+)/) { if (!check_hosts($settings{"CHK_GOOD_HOSTS"}, $1)) { check_add_entry($mip, $mdate, "Proxy scan: $merr", $settings{"CHK_PROXY_SCAN"});
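Review bot: In the @@ -56,9 +57,21 @@ hunk of maltfilter, the new (1.2) branch tests the wrong variable, so the root bruteforce check can never fire. The (1.1) branch correctly matches against the captured remainder with `if ($merr =~ /^Failed password for invalid user \S+ from (...)/)`, but the (1.2) branch reads `elsif (/^Failed password for root from (\d+\.\d+\.\d+\.\d+)/)`, which matches against `$_`, the whole log line. Since that line starts with the timestamp and hostname already consumed by the outer regex, the `^Failed password` anchor never matches. Change it to `elsif ($merr =~ /^Failed password for root from (\d+\.\d+\.\d+\.\d+)/)` so `$1` is the source address as `check_add_entry($1, $mdate, ...)` expects.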
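Review bot: In the example.conf hunk, the notice for CHK_ROOT_SSH_PWD refers to "NOBLOCK_HOSTS below", which does not appear anywhere in this patch; please confirm that the option is really called that in example.conf so the reader is not sent to a setting that does not exist. The sentence also reads awkwardly ("or that alternatively you have defined"); something like "or, alternatively, you have listed your own hosts as safe in NOBLOCK_HOSTS below" would be clearer, and it would help to state that the setting defaults to 0 precisely because a mistyped root password from an unlisted host would otherwise get the administrator blocked, as the comment in maltfilter already warns.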