Bugtraq: Re: `tattle` -- automatic reporting of SSH brute-force attacks

Re: `tattle` -- automatic reporting of SSH brute-force attacks

From: Anders Henke <anders_at_schlund.de>
Date: Tue, 7 Jun 2005 13:33:20 +0200

On June 4th 2005, C.J. Steele, CISSP wrote:
> Inspired by a post to the SANS Intrusions list, I have written `tattle`
> to automate the reporting of SSH brute-force attacks.
>
> `tattle` is a perl script that crawls through your sshd logs
> (/var/log/messages, or wherever you tell it to look) and finds hosts
> who've connected to your SSH server. All hosts who connect to your
> box, and that are not accounted for in the exception list, are reported
> to the point-of-contact for the domain the host is registered to
> (where available.) Long story-short, if you stick `tattle` in your
> cron-tab, you can automate the reporting of ssh brute-force attacks.

Well meant, but the implementation raises a few important issues:

-"my $whois = `/usr/bin/whois $tld`;" isn't really secure
 and literally cries for some exploit. There are enough
 perl modules to resolve this issue, e.g. Net::Whois or Net::XWhois

-the reverse dns isn't verified by a lookup on forward dns.
 So if an attacker has control over his reverse dns (popular
 problem with hosting companies of dedicated servers), he can easily
 spoof the reverse dns in order to point to a completely
 unrelated company (who are likely to ignore your reports).

 Whois on the IP address is likely to give you much better information
 on whom to notify about abuse, as that way you'll usually notify the
 abuser's ISP instead of possibly the abusing user himself.

-getemails() literally grabs =any= email address returned from
 the domain's whois records.

 Whois records often list much more than merely the address
 for reporting abuse, e.g. the domain's registrar, an address for
 the domain's billing contact and sometimes even the list of users
 who changed this record's whois data.

 So from my point of view, the script is simply spewing abuse reports
 to many more than the right people (and probably not even the right
 ones). Some people believe this to be a fair way, but always keep
 in mind that the abuser's ISP is not your enemy; increasing their workload
 by sending them the same complaint multiple times and offending them by
 spamming abuse reports to unrelated staff is not likely to increase the
 chances of well-done LARTs.

The two latter issues can be easily solved by querying the whois
service at whois.cyberabuse.org using the IP address of the offender.
cyberabuse.org takes quite a lot of effort to
give you (only) the correct email address to report abuse to,
regardless of the IP-assigning registry and their individual
whois output.

Regards,

Anders

-- 
Schlund + Partner AG              Security
Brauerstrasse 48                  v://49.721.91374.50
D-76135 Karlsruhe                 f://49.721.91374.225
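The three fixes Anders asks for, as an added Python example that is not code from `tattle` or from anyone in this thread (the original script is Perl): the whois argument is validated and passed as argv rather than interpolated into a shell command, the reverse DNS name is only trusted if it resolves forward to the same IP, and only the abuse contact is taken from the whois record instead of every address on it. The hostnames, IP addresses and whois record are constructed, the lookup tables stand in for live DNS so the check runs offline, and the field names `abuse-mailbox` (RIPE) and `OrgAbuseEmail` (ARIN) are the ones the code looks for.

```python
"""Fixes for a tattle-style reporter (added example, not tattle's own code):
argv validation instead of shell interpolation, forward-confirmed reverse
DNS, and picking the abuse contact instead of every address on a whois record."""
import ipaddress
import re
import socket
import subprocess

# RFC 1123 hostname labels: no shell metacharacter can pass this check.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def validated_target(target):
    """Return target if it is an IP address or a syntactically valid hostname, else
    raise ValueError. The original `/usr/bin/whois $tld` in backticks hands $tld to sh."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError("refusing to pass %r to whois" % (target,))


def whois_argv(target):
    """argv for whois; run it with shell=False so nothing is interpolated."""
    return ["/usr/bin/whois", validated_target(target)]


def run_whois(target):
    return subprocess.run(whois_argv(target), capture_output=True, text=True, check=False).stdout


def forward_confirmed_ptr(ip, ptr_lookup=None, addr_lookup=None):
    """Return the PTR name only if that name resolves back to ip, else None.
    The lookups are injectable so the check can run against constructed data."""
    ptr_lookup = ptr_lookup or (lambda a: socket.gethostbyaddr(a)[0])
    addr_lookup = addr_lookup or (
        lambda n: [ai[4][0] for ai in socket.getaddrinfo(n, None)])
    try:
        name = ptr_lookup(ip)
        return name if ip in addr_lookup(name) else None
    except OSError:  # no PTR, NXDOMAIN or resolver failure: unconfirmed
        return None


# Constructed lookup tables (documentation ranges and .example names, not real hosts).
SAMPLE_PTR = {"203.0.113.5": "mail.bruteforcer.example",
              "198.51.100.7": "www.innocent-corp.example"}  # attacker-controlled PTR
SAMPLE_A = {"mail.bruteforcer.example": ["203.0.113.5"],
            "www.innocent-corp.example": ["192.0.2.10"]}


def sample_ptr(ip):
    if ip not in SAMPLE_PTR:
        raise OSError("no PTR record")
    return SAMPLE_PTR[ip]


def sample_addr(name):
    if name not in SAMPLE_A:
        raise OSError("NXDOMAIN")
    return SAMPLE_A[name]


# Constructed RIPE-style whois record for the offending IP.
SAMPLE_WHOIS = """\
inetnum:        203.0.113.0 - 203.0.113.255
netname:        ISP-EXAMPLE
abuse-mailbox:  abuse@isp.example
e-mail:         billing@isp.example
changed:        hostmaster@isp.example 20050601
"""


def all_emails(text):
    """What getemails() effectively does: every address on the record."""
    return sorted(set(EMAIL_RE.findall(text)))


def abuse_contact(text):
    """One address: an explicit abuse field (RIPE abuse-mailbox, ARIN OrgAbuseEmail),
    else an abuse@ mailbox, else None rather than mailing billing or 'changed' entries."""
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() in ("abuse-mailbox", "orgabuseemail"):
            m = EMAIL_RE.search(value)
            if m:
                return m.group(0)
    for addr in EMAIL_RE.findall(text):
        if addr.lower().startswith("abuse@"):
            return addr
    return None


if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.7", "192.0.2.99"):
        print(ip, "->", forward_confirmed_ptr(ip, sample_ptr, sample_addr))
    print("everyone:", all_emails(SAMPLE_WHOIS), "abuse only:", abuse_contact(SAMPLE_WHOIS))
    try:
        whois_argv("203.0.113.5; rm -rf /")
    except ValueError as e:
        print(e)
```

With the constructed tables, 198.51.100.7 claims to be www.innocent-corp.example but that name points elsewhere, so the report would be addressed by IP (and to its abuse mailbox) rather than to the spoofed domain; an IP-based whois query also avoids the PTR entirely, which is the point of the whois.cyberabuse.org suggestion above.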
Received on Jun 09 2005