Hydra 的输出使用hydra -L ~/Documents/wordlists/Aliases.txt -P ~/Documents/wordlists/shortlist.txt -M servers.txt ssh -t 4 -V
sharp67是 PAM 中的用户,aaron1但不是。
[ATTEMPT] target 172.xx.x.12 - login "sharp67" - pass "aaaaaaaz" - 26 of 390364 [child 1]
[ATTEMPT] target 172.xx.x.34 - login "sharp67" - pass "aaaaaaaz" - 26 of 390364 [child 3]
[ATTEMPT] target 172.xx.x.40 - login "sharp67" - pass "aaaaaaay" - 25 of 390364 [child 12]
[ATTEMPT] target 172.xx.x.12 - login "aaron1" - pass "aaaaaaaa" - 27 of 390364 [child 13]
[ATTEMPT] target 172.xx.x.40 - login "sharp67" - pass "aaaaaaaz" - 26 of 390364 [child 18]
[ATTEMPT] target 172.xx.x.12 - login "aaron1" - pass "aaaaaaab" - 28 of 390364 [child 19]
[ATTEMPT] target 172.xx.x.40 - login "aaron1" - pass "aaaaaaaa" - 27 of 390364 [child 0]
[ATTEMPT] target 172.xx.x.34 - login "aaron1" - pass "aaaaaaaa" - 27 of 390364 [child 15]
[ATTEMPT] target 172.xx.x.33 - login "sharp67" - pass "aaaaaaaz" - 26 of 390364 [child 14]
[ATTEMPT] target 172.xx.x.40 - login "aaron1" - pass "aaaaaaab" - 28 of 390364 [child 6]
[ATTEMPT] target brotest-01.xxxxxx.edu- login "sharp67" - pass "aaaaaaay" - 25 of 390364 [child 16]
[ATTEMPT] target 172.xx.x.33 - login "aaron1" - pass "aaaaaaaa" - 27 of 390364 [child 8]
[ATTEMPT] target 172.xx.x.34 - login "aaron1" - pass "aaaaaaab" - 28 of 390364 [child 9]
[ATTEMPT] target 172.xx.x.33 - login "aaron1" - pass "aaaaaaab" - 28 of 390364 [child 20]
[ATTEMPT] target brotest-01.xxxxx.edu - login "sharp67" - pass "aaaaaaaz" - 26 of 390364 [child 22]
[ATTEMPT] target brotest-01.xxxxx.edu - login "aaron1" - pass "aaaaaaaa" - 27 of 390364 [child 10]
以下是试图规避我当前问题notice.log的片段。如果AUTH_PRIV在. 但是,虽然它可以工作,但它没有使用正确的 orig_h IP。它使用本地 ip 而不是我在默认中看到的 IP 。Syslog::Password_GuessingSyslog::Password_Guessing/usr/local/bro/share/bro/policy/protocols/ssh/detect-bruteforcing.brosyslog.logSSH::Password_Guessing
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
1533049771.315720 - - - - - - - - - Syslog::Password_Guessing 172.xx.x.34 appears to be guessing SSH passwords (seen in 6 connections). Syslog Sampled servers: 128.xxx.xxx.xx, 128.xxx.xxx.xx, 128.xxx.xxx.xx, 128.xxx.xxx.xx, 128.xxx.xxx.xx 172.xx.x.34 - - - worker-4-13 Notice::ACTION_LOG 3600.000000 F - - - - -
1533050443.932235 - - - - - - - - - SSH::Password_Guessing 10.xxx.xx.81 appears to be guessing SSH passwords (seen in 6 connections). Sampled servers: 172.xx.x.34, 172.xx.x.34, 172.xx.x.34, 172.xx.x.33, 172.xx.x.33 10.xxx.xx.81 -- - worker-0-1 Notice::ACTION_LOG 3600.000000 F - - - - -
目前,SSH::Password_Guessing除非用户收到 PAM 错误,否则默认值不起作用user unknown。
/var/logs/secure from brotest-01 while using sharp67
Jul 31 11:20:38 brotest-01 sshd[40996]: Failed password for sharp67 from 10.186.13.81 port 39590 ssh2
Jul 31 11:20:38 brotest-01 sshd[40996]: error: maximum authentication attempts exceeded for sharp67 from 10.xxx.xx.81 port 39590 ssh2 [preauth]
Jul 31 11:20:38 brotest-01 sshd[40996]: Disconnecting: Too many authentication failures [preauth]
Jul 31 11:20:38 brotest-01 sshd[40997]: Failed password for sharp67 from 10.xxx.xx.81 port 39602 ssh2
Jul 31 11:20:38 brotest-01 sshd[40997]: error: maximum authentication attempts exceeded for sharp67 from 10.xxx.xx.81 port 39602 ssh2 [preauth]
Jul 31 11:20:38 brotest-01 sshd[40997]: Disconnecting: Too many authentication failures [preauth]
这是
/var/log/secure on brotest-01 for aaron1
Jul 31 11:21:06 brotest-01 sshd[41008]: pam_unix(sshd:auth): check pass; user unknown
Jul 31 11:21:08 brotest-01 sshd[41007]: Failed password for invalid user aaron1 from 10.xxx.xx.81 port 39664 ssh2
Jul 31 11:21:08 brotest-01 sshd[41007]: error: maximum authentication attempts exceeded for invalid user aaron1 from 10.xxx.xx.81 port 39664 ssh2 [preauth]
Jul 31 11:21:08 brotest-01 sshd[41007]: Disconnecting: Too many authentication failures [preauth]
如果用户在ssh.logPAM 中不存在,该auth_success字段几乎会立即从-变为 ,F而如果用户存在,该auth_success字段将保持-更长的时间,我相信这就是它无法生成SSH::Password_Guessing.
我真的不知道为什么会发生这种情况。PAM 有问题吗?PAM 是否会断开连接,然后不允许 Bro 将其记录为失败的 SSH 尝试?我是否需要阻止 PAM 断开连接,或者我是否应该找到一种方法来使用 SSH 连接的 IP 而不是生成系统日志的 IP?任何帮助或输入将不胜感激,谢谢。
[编辑]:以下是我对 `/usr/local/bro/share/bro/base/protocols/syslog/main.bro 所做的更改
##! Core script support for logging syslog messages. This script represents
##! one syslog message as one logged record.
@load ./consts
@load base/protocols/ssh
module Syslog;
export {
redef enum Log::ID += { LOG };
## The record type which contains the fields of the syslog log.
type Info: record {
## Timestamp when the syslog message was seen.
ts: time &log;
## Unique ID for the connection.
uid: string &log;
## The connection's 4-tuple of endpoint addresses/ports.
id: conn_id &log;
## Protocol over which the message was seen.
proto: transport_proto &log;
## Syslog facility for the message.
facility: string &log;
## Syslog severity for the message.
severity: string &log;
## The plain text message.
message: string &log;
};
}
redef record connection += {
syslog: Info &optional;
};
const ports = { 514/udp };
redef likely_server_ports += { ports };
event bro_init() &priority=5
{
Log::create_stream(Syslog::LOG, [$columns=Info, $path="syslog"]);
Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG, ports);
}
# Added
module SSH;
event ssh_fail()
{
local c: SSH::Info;
local t: record {
ts: time &log;
uid: string &log;
id: conn_id &log;
version: count &log;
auth_success: bool &log &optional;
auth_attempts: count &log &optional;
direction: Direction &log &optional;
client: string &log &optional;
server: string &log &optional;
cipher_alg: string &log &optional;
mac_alg: string &log &optional;
compression_alg: string &log &optional;
kex_alg: string &log &optional;
host_key_alg: string &log &optional;
host_key: string &log &optional;
};
local p: connection;
#event log_ssh(c);
event ssh_auth_failed(p);
return;
}
module Syslog;
event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=5
{
local info: Info;
info$ts=network_time();
info$uid=c$uid;
info$id=c$id;
info$proto=get_port_transport_proto(c$id$resp_p);
info$facility=facility_codes[facility];
info$severity=severity_codes[severity];
info$message=msg;
#if (info$facility=="AUTHPRIV" && info$severity=="ERR"){
# event ssh_fail();
#}
c$syslog = info;
}
# Added
const logCount= 0&redef;
function logUp(i: count): count
{
local Up = i+1;
return Up;
}
event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=-5
{
local info: Info;
#local logCount = 0;
Log::write(Syslog::LOG, c$syslog);
# More Changes below
if (info$facility=="AUTHPRIV" && info$severity=="ERR"){
event ssh_fail();
}
#Log::write(Syslog::LOG, c$syslog);
}