Description
https://github.com/jullrich/ISC-Bugs
DEBUG ID (please copy/paste these lines to the bug report):
68.50.128.179
Tue, 25 Jan 2022 17:32:17 +0000
63295f019d0058f07e4e4147de20fc12d3bc3a8a
This is my 1st try to submit a bug-report/help-request (br/hr).
Since updating dshield to ver 91, my dshield has some 'files not found'.
Tried to find guidelines for submitting br/hr (glfs/br/hr).
All I found were:
1/ BUG ID
2/ "Don't submit any PII"
Today, please point me to glfs/br/hr re: dshield.
Hopefully, glfs/br/hr will explain "full URL" as used in following phrase:
"To report a bug, please include the full URL, ..."
Ah, just discovered and reviewed https://docs.github.com/en/github/site-policy/github-community-guidelines
Good stuff, but nothing specific to dshield.
regards,
=-=-=-=-=-=-
localhost:~ # /root/dshield/bin/status.sh
#########
DShield Sensor Configuration and Status Summary
#########
Current Time/Date: 2022-01-26 11:26:12
API Key configuration ok
Your software is up to date.
Honeypot Version: 91
Configuration Summary
E-mail :
API Key:
User-ID:
My Internal IP:
My External IP:
Are My Reports Received?
Last 404/Web Logs Received: 2022-01-26 15:00:25
Last SSH/Telnet Log Received: 2022-01-26 15:48:00
Last Firewall Log Received: 2022-01-26 16:00:26
Are the submit scripts running?
Last Firewall Log Processed: 2022-01-26 10:37:39
All Logs are processed. You are not sending too many logs
Checking various files
OK: /var/log/dshield.log
OK: /etc/cron.d/dshield
OK: /etc/dshield.ini
OK: /srv/cowrie/cowrie.cfg
OK: /etc/rsyslog.d/dshield.conf
OK: ip-firewall rules
OK: webserver exposed
also check https://isc.sans.edu/myreports.html (after logging in)
to see that your reports arrive.
It may take an hour for new reports to show up.
localhost:~ # uname -a
Linux localhost 5.3.18-lp152.106-default #1 SMP Mon Nov 22 08:38:17 UTC 2021 (52078fe) x86_64 x86_64 x86_64 GNU/Linux
localhost:~ #
regards,
=-=-=-=-=-=-
2022-01-27
localhost:~ # ls -l /var/log/mail
-rw-r----- 1 root root 931554 Jan 27 03:00 /var/log/mail
localhost:~ # ls -l /var/spool/mail
total 1144
-rw-rw---- 1 cowrie mail 0 Jul 25 2021 cowrie
-rw------- 1 root root 1167392 Jan 27 03:00 root
localhost:~ # cd /var/spool/mail/
localhost:/var/spool/mail # grep -i subject root
Subject: Cron root@localhost /srv/dshield/fwlogparser.py
Subject: Cron root@localhost cd /srv/dshield; ./weblogsubmit.py ; ./webpy.sh
Subject: Cron root@localhost cd /srv/dshield; ./weblogsubmit.py ; ./webpy.sh
. . .
Subject: Cron root@localhost cd /srv/dshield; ./weblogsubmit.py ; sleep 10; ./webpy.sh
Subject: Cron root@localhost cd /srv/dshield; ./weblogsubmit.py ; sleep 10; ./webpy.sh
Subject: Cron root@localhost cd /root/iptables; ./iptables.pl > /root/iptables/debug.txt
localhost:/var/spool/mail # grep -i subject root | wc -l
1363
localhost:/var/spool/mail # grep -i subject root | sort | uniq
Subject: Cron root@localhost /srv/dshield/fwlogparser.py
Subject: Cron root@localhost cd /etc/network; iptables-restore < iptables-restore
Subject: Cron root@localhost cd /root/dshield/bin; ./update.sh --cron >/dev/null
Subject: Cron root@localhost cd /root/iptables; ./iptables.pl > /root/iptables/debug.txt
Subject: Cron root@localhost cd /srv/dshield; ./status.sh >/dev/null
Subject: Cron root@localhost cd /srv/dshield; ./weblogsubmit.py ; ./webpy.sh
Subject: Cron root@localhost cd /srv/dshield; ./weblogsubmit.py ; sleep 10; ./webpy.sh
Subject: cronjob@localhost - hourly - FAILURE
localhost:/var/spool/mail # more /etc/cron.d/dshield
28,58 * * * * root cd /srv/dshield; ./weblogsubmit.py ; sleep 10; ./webpy.sh
28,58 * * * * root /srv/dshield/fwlogparser.py
37 17 * * * root cd /root/dshield/bin; ./update.sh --cron >/dev/null
38 9 * * * root /sbin/reboot
33 9 * * * root cd /srv/dshield; ./status.sh >/dev/null
localhost:/var/spool/mail #
localhost:/var/spool/mail # /root/dshield/bin/status.sh
#########
DShield Sensor Configuration and Status Summary
#########
Current Time/Date: 2022-01-27 06:39:05
API Key configuration ok
Your software is up to date.
Honeypot Version: 91
Configuration Summary
E-mail :
API Key:
User-ID:
My Internal IP:
My External IP:
Are My Reports Received?
Last 404/Web Logs Received: 2022-01-27 01:30:35
Last SSH/Telnet Log Received: 2022-01-27 10:48:19
Last Firewall Log Received: 2022-01-27 11:30:34
Are the submit scripts running?
Last Firewall Log Processed: 2022-01-27 06:27:59
All Logs are processed. You are not sending too many logs
Checking various files
OK: /var/log/dshield.log
OK: /etc/cron.d/dshield
OK: /etc/dshield.ini
OK: /srv/cowrie/cowrie.cfg
OK: /etc/rsyslog.d/dshield.conf
OK: ip-firewall rules
OK: webserver exposed
also check https://isc.sans.edu/myreports.html (after logging in)
to see that your reports arrive.
It may take an hour for new reports to show up.
localhost:/var/spool/mail #
localhost:~ # ls -l /var/log/dshield.log
-rw-r----- 1 root root 2913771 Jan 27 08:06 /var/log/dshield.log
localhost:~ # head /var/log/dshield.log
1643259605 localhost kernel:[51684.741906] DSHIELDINPUT IN=eth0 OUT= MAC=ec:9a:74:4e:eb:45:8c:5a:25:be:f5:36:08:00 SRC=185.227.152.166 DST=192.168.0.99 LEN=52 TOS=0x10 PREC=0x00 TTL=38 ID=23003 DF PROTO=TCP SPT=44194 DPT=22 WINDOW=63443 RES=0x00 SYN URGP=0
1643259607 localhost kernel:[51686.925353] DSHIELDINPUT IN=eth0 OUT= MAC=ec:9a:74:4e:eb:45:8c:5a:25:be:f5:36:08:00 SRC=89.248.162.161 DST=192.168.0.99 LEN=40 TOS=0x00 PREC=0x20 TTL=236 ID=58754 PROTO=TCP SPT=56585 DPT=6966 WINDOW=1024 RES=0x00 SYN URGP=0
1643259611 localhost kernel:[51690.976063] DSHIELDINPUT IN=eth0 OUT= MAC=ec:9a:74:4e:eb:45:8c:5a:25:be:f5:36:08:00 SRC=94.232.45.4 DST=192.168.0.99 LEN=40 TOS=0x00 PREC=0x20 TTL=234 ID=31346 PROTO=TCP SPT=49765 DPT=8365 WINDOW=1024 RES=0x00 SYN URGP=0
1643259612 localhost kernel:[51691.443116] DSHIELDINPUT IN=eth0 OUT= MAC=ec:9a:74:4e:eb:45:8c:5a:25:be:f5:36:08:00 SRC=193.27.228.179 DST=192.168.0.99 LEN=40 TOS=0x00 PREC=0x20 TTL=236 ID=43957 PROTO=TCP SPT=51735 DPT=5664 WINDOW=1024 RES=0x00 SYN URGP=0
1643259615 localhost kernel:[51694.925546] DSHIELDINPUT IN=eth0 OUT= MAC=ec:9a:74:4e:eb:45:8c:5a:25:be:f5:36:08:00 SRC=180.76.124.150 DST=192.168.0.99 LEN=60 TOS=0x10 PREC=0x00 TTL=32 ID=11718 DF PROTO=TCP SPT=58678 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
1643259615 localhost kernel:[51695.352622] DSHIELDINPUT IN=eth0 OUT= MAC=ec:9a:74:4e:eb:45:8c:5a:25:be:f5:36:08:00 SRC=190.15.222.52 DST=192.168.0.99 LEN=60 TOS=0x00 PREC=0x20 TTL=53 ID=17611 DF PROTO=TCP SPT=59234 DPT=2222 WINDOW=5840 RES=0x00 SYN URGP=0
1643259617 localhost kernel:[51697.109074] DSHIELDINPUT IN=eth0 OUT= MAC=ec:9a:74:4e:eb:45:8c:5a:25:be:f5:36:08:00 SRC=193.27.228.179 DST=192.168.0.99 LEN=40 TOS=0x00 PREC=0x20 TTL=235 ID=47339 PROTO=TCP SPT=51735 DPT=5361 WINDOW=1024 RES=0x00 SYN URGP=0
1643259619 localhost kernel:[51698.419296] DSHIELDINPUT IN=eth0 OUT= MAC=ec:9a:74:4e:eb:45:8c:5a:25:be:f5:36:08:00 SRC=45.155.205.218 DST=192.168.0.99 LEN=40 TOS=0x00 PREC=0x20 TTL=235 ID=48746 PROTO=TCP SPT=51703 DPT=8099 WINDOW=1024 RES=0x00 SYN URGP=0
1643259627 localhost kernel:[51707.230659] DSHIELDINPUT IN=eth0 OUT= MAC=ec:9a:74:4e:eb:45:8c:5a:25:be:f5:36:08:00 SRC=161.35.58.169 DST=192.168.0.99 LEN=60 TOS=0x00 PREC=0x20 TTL=53 ID=7573 DF PROTO=TCP SPT=33468 DPT=2222 WINDOW=64240 RES=0x00 SYN URGP=0
1643259630 localhost kernel:[51709.989210] DSHIELDINPUT IN=eth0 OUT= MAC=ec:9a:74:4e:eb:45:8c:5a:25:be:f5:36:08:00 SRC=193.27.228.179 DST=192.168.0.99 LEN=40 TOS=0x00 PREC=0x20 TTL=235 ID=15987 PROTO=TCP SPT=51735 DPT=6522 WINDOW=1024 RES=0x00 SYN URGP=0
localhost:~ # tail /var/log/dshield.log
1643288812 localhost kernel:[80891.596213] DSHIELDINPUT IN=eth0 OUT= MAC=ec:9a:74:4e:eb:45:8c:5a:25:be:f5:36:08:00 SRC=181.30.28.198 DST=192.168.0.99 LEN=60 TOS=0x00 PREC=0x20 TTL=38 ID=34783 DF PROTO=TCP SPT=46840 DPT=2222 WINDOW=42340 RES=0x00 SYN URGP=0
1643288820 localhost kernel:[80899.568373] DSHIELDINPUT IN=eth0 OUT= MAC=ec:9a:74:4e:eb:45:8c:5a:25:be:f5:36:08:00 SRC=1.116.200.77 DST=192.168.0.99 LEN=60 TOS=0x10 PREC=0x00 TTL=36 ID=7888 DF PROTO=TCP SPT=57866 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
1643288836 localhost kernel:[80915.880332] DSHIELDINPUT IN=eth0 OUT= MAC=ec:9a:74:4e:eb:45:8c:5a:25:be:f5:36:08:00 SRC=35.228.169.211 DST=192.168.0.99 LEN=60 TOS=0x10 PREC=0x00 TTL=50 ID=4294 DF PROTO=TCP SPT=45538 DPT=22 WINDOW=28400 RES=0x00 SYN URGP=0
1643288839 localhost kernel:[80919.102877] DSHIELDINPUT IN=eth0 OUT= MAC=ec:9a:74:4e:eb:45:8c:5a:25:be:f5:36:08:00 SRC=139.59.169.103 DST=192.168.0.99 LEN=60 TOS=0x10 PREC=0x00 TTL=41 ID=31021 DF PROTO=TCP SPT=48636 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
1643288845 localhost kernel:[80925.067937] DSHIELDINPUT IN=eth0 OUT= MAC=ec:9a:74:4e:eb:45:8c:5a:25:be:f5:36:08:00 SRC=139.162.145.250 DST=192.168.0.99 LEN=40 TOS=0x08 PREC=0x00 TTL=239 ID=54321 PROTO=TCP SPT=55979 DPT=20 WINDOW=65535 RES=0x00 SYN URGP=0
1643288846 localhost kernel:[80925.485934] DSHIELDINPUT IN=eth0 OUT= MAC=ec:9a:74:4e:eb:45:8c:5a:25:be:f5:36:08:00 SRC=146.56.235.195 DST=192.168.0.99 LEN=60 TOS=0x10 PREC=0x00 TTL=35 ID=2248 DF PROTO=TCP SPT=58846 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
1643288848 localhost kernel:[80927.977352] DSHIELDINPUT IN=eth0 OUT= MAC=ec:9a:74:4e:eb:45:8c:5a:25:be:f5:36:08:00 SRC=93.148.246.51 DST=192.168.0.99 LEN=60 TOS=0x10 PREC=0x00 TTL=42 ID=2775 DF PROTO=TCP SPT=33320 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
1643288859 localhost kernel:[80938.779097] DSHIELDINPUT IN=eth0 OUT= MAC=ec:9a:74:4e:eb:45:8c:5a:25:be:f5:36:08:00 SRC=181.169.41.5 DST=192.168.0.99 LEN=60 TOS=0x00 PREC=0x20 TTL=37 ID=52082 DF PROTO=TCP SPT=36730 DPT=2222 WINDOW=29200 RES=0x00 SYN URGP=0
1643288864 localhost kernel:[80943.253936] DSHIELDINPUT IN=eth0 OUT= MAC=ec:9a:74:4e:eb:45:8c:5a:25:be:f5:36:08:00 SRC=1.116.200.77 DST=192.168.0.99 LEN=60 TOS=0x10 PREC=0x00 TTL=34 ID=33724 DF PROTO=TCP SPT=38052 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
1643288866 localhost kernel:[80945.820443] DSHIELDINPUT IN=eth0 OUT= MAC=ec:9a:74:4e:eb:45:8c:5a:25:be:f5:36:08:00 SRC=185.191.34.87 DST=192.168.0.99 LEN=40 TOS=0x00 PREC=0x20 TTL=236 ID=11138 PROTO=TCP SPT=51470 DPT=40604 WINDOW=1024 RES=0x00 SYN URGP=0
localhost:~ # ls -l /etc/dshield.ini
-rw------- 1 root root 527 Jan 8 11:13 /etc/dshield.ini
localhost:~ # more /etc/dshield.ini
[DShield]
interface=eth0
version=91
email=
userid=
apikey=
piid=
# the following lines will be used by a new feature of the submit code:
# replace IP with other value and / or anonymize parts of the IP
honeypotip=
replacehoneypotip=
anonymizeip=
anonymizemask=
fwlogfile=/var/log/dshield.log
nofwlogging=
localips=
adminports=
nohoneyips=
nohoneports=''
manualupdates=0
telnet=true
localhost:~ #
How much should I redact of the following three files before submitting to this website?
OK: /srv/cowrie/cowrie.cfg
OK: /etc/rsyslog.d/dshield.conf
OK: ip-firewall rules
Regards,
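The report closes with the question of how much to redact before posting, and the pasted material shows what is at stake: /etc/dshield.ini holds the sensor owner's e-mail, user ID and API key, and every DSHIELDINPUT line in /var/log/dshield.log carries the sensor's internal address and MAC header next to the scanning source. The script below is an added example, not code from the dshield project or from the reporter: it parses the firewall log format seen above into fields, masks the local DST address and the MAC header while keeping the attacker-side SRC (which is what the sensor submits to ISC anyway), blanks the identifying ini keys, and replaces raw log dumps with a per-port count that still shows whether the sensor is logging. The list of sensitive ini keys and the "keep two octets" masking policy are assumptions chosen for this example; the sample ini text and log lines are constructed (documentation ranges, dummy MACs), not the reporter's data.

```python
import re
from collections import Counter
from typing import Optional

# Keys in /etc/dshield.ini whose values identify the sensor or its owner.
# Assumed list for this example, based on the keys visible in the report.
SENSITIVE_INI_KEYS = {"email", "userid", "apikey", "piid", "honeypotip",
                      "localips", "adminports", "nohoneyips"}

# Prefix of a DShield firewall log line: epoch, host, kernel timestamp, tag.
FW_PREFIX_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<host>\S+)\s+kernel:\[\s*[\d.]+\]\s+DSHIELDINPUT\s+(?P<rest>.*)$"
)


def mask_ip(ip: str, keep_octets: int = 2) -> str:
    """Keep the first `keep_octets` octets of a dotted IPv4 address, blank the rest."""
    octets = ip.split(".")
    return ".".join(octets[:keep_octets] + ["x"] * (4 - keep_octets))


def redact_ini(text: str) -> str:
    """Replace the value of every sensitive, non-empty key with <redacted>."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        if "=" in stripped and not stripped.startswith(("#", "[")):
            key, _, value = stripped.partition("=")
            key = key.strip()
            if key in SENSITIVE_INI_KEYS and value.strip().strip("'\"") != "":
                line = f"{key}=<redacted>"
        out.append(line)
    return "\n".join(out)


def parse_fw_line(line: str) -> Optional[dict]:
    """Split one DSHIELDINPUT line into key=value fields plus bare flags (DF, SYN, ...)."""
    m = FW_PREFIX_RE.match(line)
    if not m:
        return None
    rec = {"ts": int(m.group("ts")), "host": m.group("host"), "flags": []}
    for tok in m.group("rest").split():
        if "=" in tok:
            k, _, v = tok.partition("=")
            rec[k] = v
        else:
            rec["flags"].append(tok)
    return rec


def sanitize_fw_line(line: str) -> str:
    """Mask the sensor's own DST address and the MAC header; leave SRC untouched."""
    rec = parse_fw_line(line)
    if rec is None:
        return line
    if "DST" in rec:
        line = line.replace(f"DST={rec['DST']}", f"DST={mask_ip(rec['DST'])}")
    return re.sub(r"MAC=\S+", "MAC=<redacted>", line)


def summarize_ports(lines, top: int = 5):
    """Count (PROTO, DPT) pairs so a report can show activity without raw lines."""
    counts = Counter()
    for line in lines:
        rec = parse_fw_line(line)
        if rec and "DPT" in rec:
            counts[(rec.get("PROTO", "?"), int(rec["DPT"]))] += 1
    return counts.most_common(top)


# Constructed sample input (documentation address ranges, dummy MACs), not real data.
SAMPLE_INI = """[DShield]
interface=eth0
version=91
email=sensor-owner@example.com
userid=1234567
apikey=0123456789abcdef
piid=
honeypotip=
fwlogfile=/var/log/dshield.log
nohoneports=''
telnet=true
"""
_MAC = "MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00"
SAMPLE_LOG = [
    f"1643259605 localhost kernel:[51684.741906] DSHIELDINPUT IN=eth0 OUT= {_MAC} SRC=203.0.113.10 DST=192.168.0.99 LEN=52 TOS=0x10 PREC=0x00 TTL=38 ID=23003 DF PROTO=TCP SPT=44194 DPT=22 WINDOW=63443 RES=0x00 SYN URGP=0",
    f"1643259607 localhost kernel:[51686.925353] DSHIELDINPUT IN=eth0 OUT= {_MAC} SRC=198.51.100.7 DST=192.168.0.99 LEN=40 TOS=0x00 PREC=0x20 TTL=236 ID=58754 PROTO=TCP SPT=56585 DPT=2222 WINDOW=1024 RES=0x00 SYN URGP=0",
    f"1643259611 localhost kernel:[51690.976063] DSHIELDINPUT IN=eth0 OUT= {_MAC} SRC=192.0.2.44 DST=192.168.0.99 LEN=60 TOS=0x10 PREC=0x00 TTL=32 ID=11718 DF PROTO=TCP SPT=58678 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
    f"1643259612 localhost kernel:[51691.443116] DSHIELDINPUT IN=eth0 OUT= {_MAC} SRC=203.0.113.99 DST=192.168.0.99 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=4123 PROTO=UDP SPT=4444 DPT=53 LEN=40",
]

if __name__ == "__main__":
    print(redact_ini(SAMPLE_INI))
    for l in SAMPLE_LOG:
        print(sanitize_fw_line(l))
    print(summarize_ports(SAMPLE_LOG))
```

Run it against the real files with the sample data swapped for `open("/etc/dshield.ini").read()` and `open("/var/log/dshield.log")`; the redacted ini and the port summary are what a report needs, and the status.sh output already prints the e-mail, API key, user ID and IP fields blank.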