Difference between revisions of "Countering SSH bruteforce attacks"

From RHS Wiki
Jump to navigation Jump to search
 
(3 intermediate revisions by the same user not shown)
Line 7: Line 7:
  
 
== Python script to scan ports from attackers ==
 
== Python script to scan ports from attackers ==
<source lang=python>import optparse
+
<source lang=python>import os
 +
import optparse
 
from socket import *
 
from socket import *
 +
 +
 +
PATH="/opt/counter_attack_ssh"
 +
 
def main():
 
def main():
 
     parser = optparse.OptionParser('usage %prog -H <target host> -p <target port>')
 
     parser = optparse.OptionParser('usage %prog -H <target host> -p <target port>')
 
     parser.add_option('-H', dest='tgtHost', type='string', help='specify target host')
 
     parser.add_option('-H', dest='tgtHost', type='string', help='specify target host')
 
     (options, args) = parser.parse_args()
 
     (options, args) = parser.parse_args()
   
 
 
     tgtHost = options.tgtHost
 
     tgtHost = options.tgtHost
   
+
     tgtPorts = [20, 21, 22, 23, 25, 53, 67, 68, 69, 80, 110, 123, 137, 138, 139, 143, 161, 162, 179, 389, 443, 445, 636, 989, 990]
     tgtPorts = [20,21,22,23,25,53,67,68,69,80,110,123,137,138,139,143,161,162,179,389,443,636,989,990]
+
     with open(os.path.join(PATH, 'already_scanned.txt'), 'ra') as already_scanned:
   
 
     with open('already_scanned.txt', 'ra') as already_scanned:
 
       
 
 
         already_scanned_list = already_scanned.readlines()
 
         already_scanned_list = already_scanned.readlines()
   
 
 
     already_scanned_list = [x.strip() for x in already_scanned_list]
 
     already_scanned_list = [x.strip() for x in already_scanned_list]
   
 
 
     if (tgtHost == None):
 
     if (tgtHost == None):
 
         print parser.usage
 
         print parser.usage
Line 30: Line 29:
 
         print "IP already scanned"
 
         print "IP already scanned"
 
     else:
 
     else:
         already_scanned = open('already_scanned.txt', 'a')
+
         already_scanned = open(os.path.join(PATH, 'already_scanned.txt'), 'a')
 
         already_scanned.write(str(tgtHost) + "\n" )
 
         already_scanned.write(str(tgtHost) + "\n" )
 
         already_scanned.close()
 
         already_scanned.close()
Line 41: Line 40:
 
         connSkt.connect((tgtHost, tgtPort))
 
         connSkt.connect((tgtHost, tgtPort))
 
         print '[+] %d/tcp open' % tgtPort
 
         print '[+] %d/tcp open' % tgtPort
         f = open('open_ports.txt', 'a')
+
         f = open(os.path.join(PATH, 'open_ports.txt'), 'a')
 
         f.write("HOST: " + str(tgtHost) + " PORT ---> " + str(tgtPort) + "\n")
 
         f.write("HOST: " + str(tgtHost) + " PORT ---> " + str(tgtPort) + "\n")
 
         f.close()
 
         f.close()
Line 63: Line 62:
 
     for tgtPort in tgtPorts:
 
     for tgtPort in tgtPorts:
 
         print 'Scanning port ' + str(tgtPort)
 
         print 'Scanning port ' + str(tgtPort)
         connScan(tgtHost, int(tgtPort))</source>
+
         connScan(tgtHost, int(tgtPort))
 +
if __name__ == '__main__':
 +
    main()
 +
</source>
 +
 
 
== counter_attack.sh ==
 
== counter_attack.sh ==
 
<source lang=bash>#!/bin/bash
 
<source lang=bash>#!/bin/bash
 +
WD=/opt/counter_attack_ssh
 +
newest_log=${WD}/newest_log.txt
 +
old_log=${WD}/old_log.txt
 +
portscan_script=${WD}/portscan.py
 +
 +
function save_old_log{
 +
    cat ${newest_log} >> ${old_log}
 +
}
  
brute > newest_log.txt
+
save_old_log
input="newest_log.txt"
+
/usr/bin/brute > ${newest_log}
 +
input="${newest_log}"
  
  
Line 75: Line 87:
 
   ipaddress=$( echo "$var" | awk -F " -->" '{print $2}' )
 
   ipaddress=$( echo "$var" | awk -F " -->" '{print $2}' )
 
   #echo "$ipaddress"
 
   #echo "$ipaddress"
   python portscan.py -H "$ipaddress"  
+
   python ${portscan_script} -H "$ipaddress"
 
done < "$input"</source>
 
done < "$input"</source>
 
+
== Crontab ==
if __name__ == '__main__':
+
0 20 * * * /opt/counter_attack_ssh/counter_attack_ssh.sh
    main()</source>
 

Latest revision as of 15:52, 13 November 2018

Create Parsing command[edit]

sudo touch /usr/bin/brute
sudo chmod +x /usr/bin/brute
sudo nano /usr/bin/brute

#!/bin/bash
sudo cat /var/log/auth.log | grep -i 'invalid user' | grep -v ']$' | awk '{print $8 " --> " $10}'

Python script to scan ports from attackers[edit]

import os
import optparse
from socket import *


PATH="/opt/counter_attack_ssh"

def main():
    parser = optparse.OptionParser('usage %prog -H <target host> -p <target port>')
    parser.add_option('-H', dest='tgtHost', type='string', help='specify target host')
    (options, args) = parser.parse_args()
    tgtHost = options.tgtHost
    tgtPorts = [20, 21, 22, 23, 25, 53, 67, 68, 69, 80, 110, 123, 137, 138, 139, 143, 161, 162, 179, 389, 443, 445, 636, 989, 990]
    with open(os.path.join(PATH, 'already_scanned.txt'), 'ra') as already_scanned:
        already_scanned_list = already_scanned.readlines()
    already_scanned_list = [x.strip() for x in already_scanned_list]
    if (tgtHost == None):
        print parser.usage
        exit(0)
    if tgtHost in already_scanned_list:
        print "IP already scanned"
    else:
        already_scanned = open(os.path.join(PATH, 'already_scanned.txt'), 'a')
        already_scanned.write(str(tgtHost) + "\n" )
        already_scanned.close()
        portScan(tgtHost, tgtPorts)


def connScan(tgtHost, tgtPort):
    try:
        connSkt = socket(AF_INET, SOCK_STREAM)
        connSkt.connect((tgtHost, tgtPort))
        print '[+] %d/tcp open' % tgtPort
        f = open(os.path.join(PATH, 'open_ports.txt'), 'a')
        f.write("HOST: " + str(tgtHost) + " PORT ---> " + str(tgtPort) + "\n")
        f.close()
        connSkt.close()
    except:
        print '[-] %d/tcp closed'%tgtPort


def portScan(tgtHost, tgtPorts):
    try:
        tgtIP = gethostbyname(tgtHost)
    except:
        print "[-] Cannot resolve '%s': Unkown host"%tgtHost
    try:
        tgtIP = tgtHost
        tgtName = gethostbyaddr(tgtIP)
        print '\n[+] Scan results for: ' + tgtName[0]
    except:
        print '\n[+] Scan results for: ' +  tgtIP
    setdefaulttimeout(1)
    for tgtPort in tgtPorts:
        print 'Scanning port ' + str(tgtPort)
        connScan(tgtHost, int(tgtPort))
if __name__ == '__main__':
    main()

counter_attack.sh[edit]

#!/bin/bash
WD=/opt/counter_attack_ssh
newest_log=${WD}/newest_log.txt
old_log=${WD}/old_log.txt
portscan_script=${WD}/portscan.py

function save_old_log{
    cat ${newest_log} >> ${old_log}
}

save_old_log
/usr/bin/brute > ${newest_log}
input="${newest_log}"


while IFS= read -r var
do
  ipaddress=$( echo "$var" | awk -F " -->" '{print $2}' )
  #echo "$ipaddress"
  python ${portscan_script} -H "$ipaddress"
done < "$input"

Crontab[edit]

0 20 * * * /opt/counter_attack_ssh/counter_attack_ssh.sh

Retrieved from "https://wiki.herrerosolis.com/index.php?title=Countering_SSH_bruteforce_attacks&oldid=1619"