[Asterisk-Users] asterisk@home scary log

Rich Adamson radamson at routers.com
Sat Feb 12 00:21:32 MST 2005


> >>The bottom line for those asterisk readers that have actually read this
> >>far is to use complex & lengthy passwords where possible, and some sort of
> >>alerting mechanism when xx number of passwords are guessed incorrectly
> >>(such as an account lockout mechanism with alerts as just one of many
> >>available choices).
> >
> >I tend to disagree with you regarding the exact length.
> >
> >An alerting mechanism is there, in the logs. Most Linux distros have
> >some nice log watchers. However, it still requires that someone actually
> >monitors them, as boring as it is.
> >
> Can anyone recommend a watching tool for this?  I know I can write a
> script myself, but if there is a convenient Linux method that is
> prepackaged, that would be good.  Specifically nice would be a mechanism
> like the one referred to above:
>
> "some sort of
> alerting mechanism when xx number of passwords are guessed incorrectly
> (such as an account lockout mechanism with alerts as just one of many
> available choices)."
>
> Incidentally, I know this thread is somewhat off topic, but it has been very helpful to me and
> since reading it I have checked my /var/log/secure logs and found that our system has been
> scanned for ssh-password guessing several times over the last few months.  So thanks!
>

That scanning has been going on for a long time, and the script kiddies
that are doing it are using pre-staged/pre-written password lists looking
for the very simple passwords (e.g., root/root, root/blank, root/test).
They usually stop after about 30 to 60 different attempts, one right
after the other. A small number of hackers will try other password guessing
methods, as noted in an earlier post.

There are some open source syslog scanning tools, but I don't know of any
offhand that do a nice job at managing thresholds. You might try Google to
see what's available.

If your * box is exposed to the Internet, you might want to take a look
at 'netstat -an' or 'netstat -a' to see what ports/services are actually 
exposed.

For sshd, you will see entries in the /var/log/secure log like:

Feb 10 11:41:16 asterisk sshd[23033]: User root not allowed because not listed in AllowUsers
Feb 10 11:42:36 asterisk last message repeated 2 times
Feb 10 11:41:22 asterisk sshd[23033]: Failed password for illegal user root from 1.2.3.4 port 53262 ssh2
Feb 10 11:40:58 asterisk sshd[22993]: Failed password for myuserid from 1.2.3.5 port 53255 ssh2

Writing a script to scan through the log entries and develop your own
thresholds (based on what your system has exposed) is not that difficult.
In the above, the first three entries are of no real value as root isn't
allowed ssh access. But, the fourth entry was an attempt to guess the
password for 'myuserid'.

If you receive more than four or five failed attempts against a valid
userid, then send a text message to your cell phone, an email to your
mailbox, or whatever action you want to take (considering how serious
this might be to you).

If you are running firewall s/w on the machine, add the source IP of the
attempt to whatever table is used to block that user. If you're running
Cisco routers, execute a tcl script to add the IP to your access list.
Lots of different choices depending on how serious this is to your
environment and the resources available to you.
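The scanning script described in the message above, written out as an added example (it is not code from the original post or from the Asterisk project). It counts "Failed password" entries per valid user and source address from /var/log/secure, skips the "illegal user" entries the post calls worthless, folds syslog's "last message repeated N times" lines into the preceding entry, and reports any pair that meets a threshold. The sample log lines, the 1.2.3.6 address and the threshold of 5 are constructed for the example; the "Failed password" / "illegal user" wording matches the OpenSSH of the post's era (newer versions say "invalid user", which the pattern also accepts).

```python
"""Scan sshd entries in /var/log/secure for repeated failed logins against valid users."""
import re
import sys
from collections import Counter

# Constructed sample in the format shown in the post; 1.2.3.6 and the extra lines are made up.
SAMPLE_LOG = """\
Feb 10 11:41:16 asterisk sshd[23033]: User root not allowed because not listed in AllowUsers
Feb 10 11:42:36 asterisk last message repeated 2 times
Feb 10 11:41:22 asterisk sshd[23033]: Failed password for illegal user root from 1.2.3.4 port 53262 ssh2
Feb 10 11:40:58 asterisk sshd[22993]: Failed password for myuserid from 1.2.3.5 port 53255 ssh2
Feb 10 11:41:03 asterisk sshd[22995]: Failed password for myuserid from 1.2.3.5 port 53256 ssh2
Feb 10 11:41:40 asterisk last message repeated 3 times
Feb 10 11:43:10 asterisk sshd[23040]: Failed password for myuserid from 1.2.3.6 port 53300 ssh2
"""

# "illegal user" is the old OpenSSH wording; "invalid user" is the current one.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<rejected>(?:illegal|invalid) user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")


def count_failures(lines):
    """Return a Counter of (user, ip) -> failed attempts against valid users only.

    Entries for users sshd already rejected ("illegal user") are not counted,
    as the post notes they carry no real value. A "last message repeated N
    times" line adds N to whichever counted entry immediately preceded it.
    """
    counts = Counter()
    last_key = None  # key of the previous counted entry, for repeat folding
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            if m.group("rejected"):
                last_key = None  # a repeat of this line must not count either
                continue
            key = (m.group("user"), m.group("ip"))
            counts[key] += 1
            last_key = key
            continue
        r = REPEAT_RE.search(line)
        if r and last_key is not None:
            counts[last_key] += int(r.group("n"))
            continue
        last_key = None  # any other line breaks the repeat chain
    return counts


def alerts(lines, threshold=5):
    """Return sorted (user, ip, attempts) triples at or above the threshold."""
    return sorted(
        (user, ip, n)
        for (user, ip), n in count_failures(lines).items()
        if n >= threshold
    )


def format_alert(user, ip, n):
    """One-line message suitable for piping to mail or an SMS gateway."""
    return f"sshd: {n} failed logins for valid user {user!r} from {ip}"


if __name__ == "__main__":
    # Usage: python scan_secure.py /var/log/secure   (defaults to the sample above)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            log_lines = fh.read().splitlines()
    else:
        log_lines = SAMPLE_LOG.splitlines()
    for user, ip, n in alerts(log_lines):
        print(format_alert(user, ip, n))
```

Run it against the real file from cron and pipe the output to whatever notification you prefer; the blocking step (adding the source address to your host firewall or router ACL, as the post suggests) is site-specific and deliberately left to the caller rather than executed here. Rotated logs reset the counts, so a persistent watcher would also want to keep state across runs.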

More information about the asterisk-users mailing list