SANS ISC Internet Storm Center

New Feature: "Live" SSH Brute Force Logs and New Kippo Client

Published: 2014-07-23
Last Updated: 2014-07-23 12:33:07 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

We are announcing a new feature we have been working on for a while: live statistics on the passwords used by SSH brute forcing bots. In addition, we have updated the script that lets you contribute data to this effort. Right now, we support the kippo honeypot as a data source. The script submits the usernames, passwords and attacker IP addresses seen by your honeypot to our system.

To download the script see https://isc.sans.edu/clients/kippo/kippodshield.pl .

The script uses a new REST API to upload logs to our system. To use it, you will need your API key, which you can retrieve from https://isc.sans.edu/myinfo.html (look in the lower half of the page for the "report parameters").

For data we are collecting so far, see https://isc.sans.edu/ssh.html .

If you have a system other than kippo that collects similar information (we would like to collect username, password and attacker IP address), please let me know and I will see if we can add that log format to this client.

By contributing your logs, you will help us better understand who performs these attacks and why, and which passwords are on the "must avoid" list. Note for example that some of the passwords these bots try are not necessarily trivial, but they may be common enough to be worthwhile brute forcing targets.
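As an added illustration of the parsing side of such a client (this is not the kippodshield.pl script and not the ISC REST API), the following Python sketch extracts the three fields the diary says the client submits, username, password and attacker IP, from kippo login-attempt log lines and summarizes them the way the ssh.html statistics do. The sample log lines are constructed, the line layout is assumed to be kippo's "login attempt [user/pass] failed|succeeded" format, and the upload to the REST API and the API key handling are left out because the endpoint and request format are only documented in the script itself.

```python
import re
from collections import Counter

# Assumed kippo log line layout (not taken from the diary):
#   <date> <time> [SSHService ssh-userauth on HoneyPotTransport,<session>,<ip>] login attempt [<user>/<password>] failed
# The username ends at the first "/", so a password may itself contain "/".
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) "
    r"\[SSHService ssh-userauth on HoneyPotTransport,(?P<session>\d+),(?P<ip>[0-9.]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<password>[^\]]*)\] (?P<result>failed|succeeded)$"
)

# Constructed sample log (TEST-NET addresses); includes one non-login line and one
# password containing a slash to exercise the first-slash split.
SAMPLE_LOG = """\
2014-07-23 10:15:31+0000 [kippo.core.ssh.HoneyPotSSHFactory] New connection: 198.51.100.7:51234 (10.0.0.5:2222) [session: 3]
2014-07-23 10:15:32+0000 [SSHService ssh-userauth on HoneyPotTransport,3,198.51.100.7] login attempt [root/123456] failed
2014-07-23 10:15:34+0000 [SSHService ssh-userauth on HoneyPotTransport,3,198.51.100.7] login attempt [root/password] failed
2014-07-23 10:15:36+0000 [SSHService ssh-userauth on HoneyPotTransport,3,198.51.100.7] login attempt [guest/qwe/rty] failed
2014-07-23 10:17:01+0000 [SSHService ssh-userauth on HoneyPotTransport,4,203.0.113.42] login attempt [admin/admin] failed
2014-07-23 10:17:03+0000 [SSHService ssh-userauth on HoneyPotTransport,4,203.0.113.42] login attempt [root/123456] failed
2014-07-23 10:17:05+0000 [SSHService ssh-userauth on HoneyPotTransport,4,203.0.113.42] login attempt [root/P@ssw0rd!] failed
2014-07-23 10:20:11+0000 [SSHService ssh-userauth on HoneyPotTransport,5,192.0.2.9] login attempt [root/123456] succeeded
"""


def parse_kippo_log(text):
    """Return one record per login attempt: timestamp, attacker IP, user, password, result."""
    records = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue  # connection/command lines carry no credentials
        records.append({
            "timestamp": m.group("ts"),
            "ip": m.group("ip"),
            "user": m.group("user"),
            "password": m.group("password"),
            "result": m.group("result"),
        })
    return records


def summarize(records, top_n=5):
    """Aggregate the records into the kind of statistics the live SSH page shows."""
    passwords = Counter(r["password"] for r in records)
    per_ip = Counter(r["ip"] for r in records)
    return {
        "attempts": len(records),
        "successes": sum(1 for r in records if r["result"] == "succeeded"),
        "unique_ips": len(per_ip),
        "attempts_per_ip": dict(per_ip),
        "top_passwords": passwords.most_common(top_n),
    }


def build_submission(records):
    """Reduce each attempt to the three fields the diary says the client submits.

    The field names and the transport are this example's own choice, not the ISC API.
    """
    return [{"ip": r["ip"], "user": r["user"], "password": r["password"]} for r in records]


if __name__ == "__main__":
    recs = parse_kippo_log(SAMPLE_LOG)
    stats = summarize(recs)
    print(f"{stats['attempts']} attempts from {stats['unique_ips']} IPs, "
          f"{stats['successes']} succeeded")
    for pw, n in stats["top_passwords"]:
        print(f"{n:4d}  {pw}")
```

Run against a real kippo.log the summary shows which passwords a given set of bots cycle through; the "P@ssw0rd!" line is there to show the point the diary makes, that not every candidate is trivial. Anyone wiring this into an upload should treat the password field as untrusted input: it is attacker-controlled text and can contain quotes, slashes or anything else.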

---

Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn
