changeset 4:b2c7c76b3529 maltfilter-0.7

Added scanning feature for SSH root login attempts with failed passwords.
author Matti Hamalainen <ccr@tnsp.org>
date Thu, 13 Aug 2009 18:02:53 +0300
parents 368182409eac
children 17fb3745f040
files example.conf maltfilter
diffstat 2 files changed, 24 insertions(+), 6 deletions(-) [+]
--- a/example.conf	Thu Aug 13 17:44:25 2009 +0300
+++ b/example.conf	Thu Aug 13 18:02:53 2009 +0300
@@ -38,6 +38,11 @@
 CHK_PROXY_SCAN      = 1
 CHK_GOOD_HOSTS      = "example.org|google.com|74.125.45.100"
 
+# Notice! ONLY enable this setting, if you have disabled password root
+# logins from sshd_config (e.g. you have "PermitRootLogin without-password")
+# or that alternatively you have defined "safe" hosts in NOBLOCK_HOSTS below.
+CHK_ROOT_SSH_PWD    = 0
+
 # Maltfilter logfile path and name (set empty "" if you don't want logging)
 LOGFILE = "/var/log/maltfilter"
   
--- a/maltfilter	Thu Aug 13 17:44:25 2009 +0300
+++ b/maltfilter	Thu Aug 13 18:02:53 2009 +0300
@@ -32,6 +32,7 @@
   "CHK_KNOWN_CGI"       => 1,
   "CHK_PHP_XSS"         => 1,
   "CHK_PROXY_SCAN"      => 1,
+  "CHK_ROOT_SSH_PWD"    => 0,
   "CHK_GOOD_HOSTS"      => "",
 );
 
@@ -56,9 +57,21 @@
 ### Check given logfile line for matches
 sub check_log_line($)
 {
-  # (1) SSH login scan attempts
-  if (/^(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\S*?: Failed password for invalid user \S+ from (\d+\.\d+\.\d+\.\d+)/) {
-    check_add_entry($2, $1, "SSHD", $settings{"CHK_SSHD"});
+  # (1) SSHD scans
+  if (/^(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\S*?: (.*)/) {
+    my $mdate = $1;
+    my $merr = $2;
+    
+    # (1.1) Generic login scan attempts
+    if ($merr =~ /^Failed password for invalid user \S+ from (\d+\.\d+\.\d+\.\d+)/) {
+      check_add_entry($1, $mdate, "SSHD", $settings{"CHK_SSHD"});
+    }
+    # (1.2) Root SSH login password bruteforcing attempts
+    # NOTICE! Do not enable this setting, if you allow SSH root logins via
+    # password authentication! Mistyping password may get you blocked then. :)
+    elsif (/^Failed password for root from (\d+\.\d+\.\d+\.\d+)/) {
+      check_add_entry($1, $mdate, "Root SSH password bruteforce", $settings{"CHK_ROOT_SSH_PWD"});
+    }
   }
   # (2) Common/known exploitable CGI/PHP software scans (like phpMyAdmin)
   # NOTICE! This matches ERRORLOG, thus it only works if you DO NOT have
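Review bot: The new root-login branch (the `elsif` under "(1.2)") matches against `$_`, the whole log line, instead of `$merr`, so its `^Failed password for root` anchor can never succeed — `$_` starts with the timestamp the outer regex captured — and `CHK_ROOT_SSH_PWD` is effectively dead. The "(1.1)" branch just above tests `$merr =~` correctly, so the fix is the one line `elsif ($merr =~ /^Failed password for root from (\d+\.\d+\.\d+\.\d+)/) {`. With that change `$1` inside the branch is the captured address, as the `check_add_entry` call already expects. check_log_line continues outside the hunk.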
@@ -75,13 +88,13 @@
       }
     }
   }
-  # Match Apache common logging format GET requests here
+  # (3) Match Apache common logging format GET requests here
   elsif (/(\d+\.\d+\.\d+\.\d+)\s+-\s+-\s+\[(.+?)\]\s+\"GET (\S*?) HTTP\//) {
     my $mdate = $2;
     my $mip = $1;
     my $merr = $3;
     
-    # (3) Simple match for generic PHP XSS vulnerability scans
+    # (3.1) Simple match for generic PHP XSS vulnerability scans
     # NOTICE! If your site genuinely uses (checked) PHP parameters with
     # URIs, you should set CHK_GOOD_HOSTS to match your hostname(s)/IP(s)
     # used in the URIs.
@@ -90,7 +103,7 @@
         check_add_entry($mip, $mdate, "PHP XSS: $merr", $settings{"CHK_PHP_XSS"});
       }
     }
-    # (4) Try to match proxy scanning attempts
+    # (3.2) Try to match proxy scanning attempts
     elsif ($merr =~ /^http:\/\/([^\/]+)/) {
       if (!check_hosts($settings{"CHK_GOOD_HOSTS"}, $1)) {
         check_add_entry($mip, $mdate, "Proxy scan: $merr", $settings{"CHK_PROXY_SCAN"});