Saturday, May 19, 2007

This piece of code helps me know when dictionary attacks are happening (so I know which machines to fight back against, and when). Of course, there are many better ways to do it; this is just another way... ;-) and a kind of sport, for sure. Or just for fun.


#!/usr/bin/perl
use 5.008008;
use strict;
use warnings;
use constant AUTH_LOG => qw( /var/log/auth.log.0 );

# Dictionary attacks accounting.
# Makes sure that the system admin doesn't need to look for this common attack
# on the logfiles.
#
# Runs weekly under the name "z-report-dictionary-attacks.pl" on
# /etc/cron.weekly. The 'z' in the beginning of the name makes sure that the
# file will run AFTER sysklogd (that is the one that rotates the logfiles).

my $attack_count = 0;    # initialised so an attack-free week reports "0" instead of an empty value
my ( %attacked_services, %attackers, %usernames );
foreach my $logfile ( AUTH_LOG ) {
    next unless -f $logfile;
    open my $fh, '<', $logfile or do { warn "cannot open $logfile: $!"; next; };
    while ( <$fh> ) {
        if ( my ( $month, $day, $time, $service, $user, $ip, $port )
            = m{^
                (\w{3})                 # month
                \s+
                (\d+)                   # day
                \s+
                (\d+:\d+:\d+)           # time
                \s+ivan\s+              # hostname of the monitored machine ("ivan")
                ([^\]]+)                # service
                \[\d+]:\s+Failed\s+password\s+for\s+invalid\s+user\s+
                (\w+)                   # user
                \s+from\s+
                (\S+)                   # IP address
                \s+port\s+
                (\d+)                   # TCP/UDP port
            }xo ) {
            $attack_count++;
            $attacked_services{ $service }++;
            $usernames{ $user }++;
            push @{ $attackers{ $ip }{ $service } }, {
                date    => qq{$month $day, $time},
                user    => $user,
                address => qq{$ip:$port}
            };
        }
    }
    close $fh;
}

print qq{Reporting $attack_count attack(s) against } . (scalar keys %attacked_services) .
qq{ different service(s), using } . (scalar keys %usernames) .
qq{ different username(s) from } . (scalar keys %attackers) .
qq{ different IP address(es).\n};

# This program is Open Source software licensed under the terms and conditions
# of the most recent version of the GPL license.
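As an added example (my code, not the script above), here is a variant of the same idea that goes a bit further: it does not hardcode the hostname, it also counts failures against existing accounts (the script above only matches "invalid user" lines, so password guessing against root or real users is never counted), and it reports the failures per source IP, flagging any source at or above a threshold as a probable dictionary attack. The log lines, the hostname "host1", the addresses and the threshold of 3 are all constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not the original script: parses sshd "Failed password" lines
# from constructed sample syslog text and reports per-source-IP failure counts.
use strict;
use warnings;

# Constructed sample log lines (not from a real system). The hostname "host1",
# the IP addresses and the usernames are made up for the example.
my $sample_log = <<'END_LOG';
May 19 03:12:01 host1 sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
May 19 03:12:03 host1 sshd[1234]: Failed password for invalid user oracle from 192.0.2.10 port 51236 ssh2
May 19 03:12:05 host1 sshd[1234]: Failed password for root from 192.0.2.10 port 51240 ssh2
May 19 03:15:00 host1 sshd[1301]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
May 19 03:20:17 host1 sshd[1350]: Failed password for invalid user test from 203.0.113.5 port 60001 ssh2
May 19 03:21:44 host1 sshd[1399]: Failed password for bob from 198.51.100.7 port 40100 ssh2
END_LOG

# Pattern for an sshd failure line. The hostname is matched with \S+ instead of
# being hardcoded, and the "invalid user " prefix is optional so that failures
# against existing accounts (root, real users) are counted as well.
my $failed_re = qr{^
    (\w{3})\s+(\d+)\s+(\d+:\d+:\d+)   # month, day, time
    \s+\S+\s+                          # hostname (any)
    ([^\[]+)\[\d+\]:\s+                # service, e.g. sshd
    Failed\s+password\s+for\s+
    (invalid\s+user\s+)?               # present only for unknown accounts
    (\S+)                              # username tried
    \s+from\s+(\S+)                    # source IP address
    \s+port\s+(\d+)                    # source port
}x;

# Parse the text and return a per-IP summary:
#   { ip => { count => N, invalid => M, users => { name => count } } }
sub summarize_failures {
    my ($text) = @_;
    my %by_ip;
    for my $line ( split /\n/, $text ) {
        next unless $line =~ $failed_re;
        my ( $invalid, $user, $ip ) = ( $5, $6, $7 );
        $by_ip{$ip}{count}++;
        $by_ip{$ip}{invalid} ||= 0;
        $by_ip{$ip}{invalid}++ if defined $invalid;
        $by_ip{$ip}{users}{$user}++;
    }
    return \%by_ip;
}

# Print the sources ordered by failure count, marking those at or above the
# threshold as probable dictionary attacks.
sub report {
    my ( $summary, $threshold ) = @_;
    for my $ip ( sort { $summary->{$b}{count} <=> $summary->{$a}{count} } keys %$summary ) {
        my $s    = $summary->{$ip};
        my $flag = $s->{count} >= $threshold ? ' <-- probable dictionary attack' : '';
        printf "%-15s %3d failure(s), %d against unknown accounts, users: %s%s\n",
            $ip, $s->{count}, $s->{invalid}, join( ',', sort keys %{ $s->{users} } ), $flag;
    }
}

my $summary = summarize_failures($sample_log);
report( $summary, 3 );
```

With the sample above, 192.0.2.10 is listed first with three failures (two against unknown accounts plus one against root) and gets the flag; the single failure each from 203.0.113.5 and 198.51.100.7 is reported but not flagged. The threshold is a weekly-report knob, not a detection rule: a real brute-force run produces hundreds of lines per source, so start high and lower it only if the report stays quiet.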
