BRO не регистрирует ssh, когда пользователь найден PAM
Выход Hydra с использованием hydra -L ~/Documents/wordlists/Aliases.txt -P ~/Documents/wordlists/shortlist.txt -M servers.txt ssh -t 4 -V
sharp67пользователь в PAM иaaron1не является.
[ATTEMPT] target 172.xx.x.12 - login "sharp67" - pass "aaaaaaaz" - 26 of 390364 [child 1]
[ATTEMPT] target 172.xx.x.34 - login "sharp67" - pass "aaaaaaaz" - 26 of 390364 [child 3]
[ATTEMPT] target 172.xx.x.40 - login "sharp67" - pass "aaaaaaay" - 25 of 390364 [child 12]
[ATTEMPT] target 172.xx.x.12 - login "aaron1" - pass "aaaaaaaa" - 27 of 390364 [child 13]
[ATTEMPT] target 172.xx.x.40 - login "sharp67" - pass "aaaaaaaz" - 26 of 390364 [child 18]
[ATTEMPT] target 172.xx.x.12 - login "aaron1" - pass "aaaaaaab" - 28 of 390364 [child 19]
[ATTEMPT] target 172.xx.x.40 - login "aaron1" - pass "aaaaaaaa" - 27 of 390364 [child 0]
[ATTEMPT] target 172.xx.x.34 - login "aaron1" - pass "aaaaaaaa" - 27 of 390364 [child 15]
[ATTEMPT] target 172.xx.x.33 - login "sharp67" - pass "aaaaaaaz" - 26 of 390364 [child 14]
[ATTEMPT] target 172.xx.x.40 - login "aaron1" - pass "aaaaaaab" - 28 of 390364 [child 6]
[ATTEMPT] target brotest-01.xxxxxx.edu- login "sharp67" - pass "aaaaaaay" - 25 of 390364 [child 16]
[ATTEMPT] target 172.xx.x.33 - login "aaron1" - pass "aaaaaaaa" - 27 of 390364 [child 8]
[ATTEMPT] target 172.xx.x.34 - login "aaron1" - pass "aaaaaaab" - 28 of 390364 [child 9]
[ATTEMPT] target 172.xx.x.33 - login "aaron1" - pass "aaaaaaab" - 28 of 390364 [child 20]
[ATTEMPT] target brotest-01.xxxxx.edu - login "sharp67" - pass "aaaaaaaz" - 26 of 390364 [child 22]
[ATTEMPT] target brotest-01.xxxxx.edu - login "aaron1" - pass "aaaaaaaa" - 27 of 390364 [child 10]
Ниже приведен фрагмент из notice.log Syslog::Password_Guessing была попытка обойти мою текущую проблему. Syslog::Password_Guessing содержит код, скопированный прямо из /usr/local/bro/share/bro/policy/protocols/ssh/detect-bruteforcing.bro и просто регистрирует, если AUTH_PRIV замечен более одного раза в syslog.log, Однако, хотя он работает, он не использует правильный IP-адрес orig_h. Он использует локальный IP, а не мой IP, как видно по умолчанию SSH::Password_Guessing,
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
1533049771.315720 - - - - - - - - - Syslog::Password_Guessing 172.xx.x.34 appears to be guessing SSH passwords (seen in 6 connections). Syslog Sampled servers: 128.xxx.xxx.xx, 128.xxx.xxx.xx, 128.xxx.xxx.xx, 128.xxx.xxx.xx, 128.xxx.xxx.xx 172.xx.x.34 - - - worker-4-13 Notice::ACTION_LOG 3600.000000 F - - - - -
1533050443.932235 - - - - - - - - - SSH::Password_Guessing 10.xxx.xx.81 appears to be guessing SSH passwords (seen in 6 connections). Sampled servers: 172.xx.x.34, 172.xx.x.34, 172.xx.x.34, 172.xx.x.33, 172.xx.x.33 10.xxx.xx.81 -- - worker-0-1 Notice::ACTION_LOG 3600.000000 F - - - - -
В настоящее время по умолчанию SSH::Password_Guessing не работает, если пользователь не получает ошибку PAM user unknown,
/var/logs/secure from brotest-01 while using sharp67
Jul 31 11:20:38 brotest-01 sshd[40996]: Failed password for sharp67 from 10.186.13.81 port 39590 ssh2
Jul 31 11:20:38 brotest-01 sshd[40996]: error: maximum authentication attempts exceeded for sharp67 from 10.xxx.xx.81 port 39590 ssh2 [preauth]
Jul 31 11:20:38 brotest-01 sshd[40996]: Disconnecting: Too many authentication failures [preauth]
Jul 31 11:20:38 brotest-01 sshd[40997]: Failed password for sharp67 from 10.xxx.xx.81 port 39602 ssh2
Jul 31 11:20:38 brotest-01 sshd[40997]: error: maximum authentication attempts exceeded for sharp67 from 10.xxx.xx.81 port 39602 ssh2 [preauth]
Jul 31 11:20:38 brotest-01 sshd[40997]: Disconnecting: Too many authentication failures [preauth]
А вот и
/var/log/secure on brotest-01 for aaron1
Jul 31 11:21:06 brotest-01 sshd[41008]: pam_unix(sshd:auth): check pass; user unknown
Jul 31 11:21:08 brotest-01 sshd[41007]: Failed password for invalid user aaron1 from 10.xxx.xx.81 port 39664 ssh2
Jul 31 11:21:08 brotest-01 sshd[41007]: error: maximum authentication attempts exceeded for invalid user aaron1 from 10.xxx.xx.81 port 39664 ssh2 [preauth]
Jul 31 11:21:08 brotest-01 sshd[41007]: Disconnecting: Too many authentication failures [preauth]
в ssh.log если пользователь не существует в PAM, auth_success поле почти мгновенно изменится с - в F в то время как если пользователь существует, auth_success поле останется как - гораздо дольше, что я считаю, поэтому он не может генерировать SSH::Password_Guessing,
Я действительно в растерянности относительно того, почему это происходит. Это проблема с PAM? PAM сбрасывает соединение, которое затем не позволяет Bro регистрировать его как неудачную попытку SSH? Нужно ли мне останавливать PAM-соединение для разрыва соединения или мне нужно найти способ использовать IP-адрес SSH-соединения вместо IP-адреса, который генерирует системный журнал? Любая помощь или вклад будет принята с благодарностью, спасибо.
[РЕДАКТИРОВАТЬ]: Ниже приведены изменения, которые я сделал в `/usr/local/bro/share/bro/base/protocols/syslog/main.bro
##! Core script support for logging syslog messages. This script represents
##! one syslog message as one logged record.
@load ./consts
@load base/protocols/ssh
module Syslog;
export {
redef enum Log::ID += { LOG };
## The record type which contains the fields of the syslog log.
type Info: record {
## Timestamp when the syslog message was seen.
ts: time &log;
## Unique ID for the connection.
uid: string &log;
## The connection's 4-tuple of endpoint addresses/ports.
id: conn_id &log;
## Protocol over which the message was seen.
proto: transport_proto &log;
## Syslog facility for the message.
facility: string &log;
## Syslog severity for the message.
severity: string &log;
## The plain text message.
message: string &log;
};
}
redef record connection += {
syslog: Info &optional;
};
const ports = { 514/udp };
redef likely_server_ports += { ports };
event bro_init() &priority=5
{
Log::create_stream(Syslog::LOG, [$columns=Info, $path="syslog"]);
Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG, ports);
}
# Added
module SSH;
event ssh_fail()
{
local c: SSH::Info;
local t: record {
ts: time &log;
uid: string &log;
id: conn_id &log;
version: count &log;
auth_success: bool &log &optional;
auth_attempts: count &log &optional;
direction: Direction &log &optional;
client: string &log &optional;
server: string &log &optional;
cipher_alg: string &log &optional;
mac_alg: string &log &optional;
compression_alg: string &log &optional;
kex_alg: string &log &optional;
host_key_alg: string &log &optional;
host_key: string &log &optional;
};
local p: connection;
#event log_ssh(c);
event ssh_auth_failed(p);
return;
}
module Syslog;
event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=5
{
local info: Info;
info$ts=network_time();
info$uid=c$uid;
info$id=c$id;
info$proto=get_port_transport_proto(c$id$resp_p);
info$facility=facility_codes[facility];
info$severity=severity_codes[severity];
info$message=msg;
#if (info$facility=="AUTHPRIV" && info$severity=="ERR"){
# event ssh_fail();
#}
c$syslog = info;
}
# Added
const logCount= 0&redef;
function logUp(i: count): count
{
local Up = i+1;
return Up;
}
event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=-5
{
local info: Info;
#local logCount = 0;
Log::write(Syslog::LOG, c$syslog);
# More Changes below
if (info$facility=="AUTHPRIV" && info$severity=="ERR"){
event ssh_fail();
}
#Log::write(Syslog::LOG, c$syslog);
}