Home

nazar edited this page Sep 12, 2010 · 14 revisions

What is report-hack-isp?

report-hack-isp is a DenyHosts plugin that looks up the attacker’s ISP details and sends an abuse report containing an excerpt of the SSHD log file relevant to the attack.

What Do I Need?

report-hack-isp requires the following:

  1. DenyHosts.
  2. Ruby
  3. Common utilities on the server: grep, cat, host and whois

How To?

  1. Download, extract and place notify_isp.rb in a convenient place (/etc/denyhosts/notify_isp.rb maybe?)
  2. Edit notify_isp.rb and replace SMTP_SERVER and SMTP_PORT as required. By default these are set to localhost:25.
  3. Edit notify_isp.rb and replace EMAIL_FROM with your own email address
  4. Edit notify_isp.rb and replace LOG_FILE = ‘/var/log/sshd/**’ with your actual SSHD log file location
  5. You might need to touch the EMAIL_LOG_FILE = ‘/var/log/notify_isp.log’ file initially.
  6. Check notify_isp.rb and update the sent email template in def get_email_message
  7. chmod a+x notify_isp.rb
  8. Update denyhosts.conf and point PLUGIN_DENY to your script
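
The flow such a PLUGIN_DENY script follows, as an added example that is not the code of notify_isp.rb: validate the host argument before it reaches grep, whois or the mailer, select only the sshd lines for exactly that address, and pick the abuse contact out of the whois reply. It assumes DenyHosts passes the denied host as the script's only argument; all function names are hypothetical and the log and whois samples are constructed.

```ruby
require 'ipaddr'

# Constructed sample data (documentation address ranges, not a real host or ISP).
SAMPLE_LOG = <<~LOG
  Jul  3 10:01:12 box sshd[811]: Failed password for root from 203.0.113.7 port 4122 ssh2
  Jul  3 10:01:14 box sshd[811]: Failed password for invalid user admin from 203.0.113.70 port 4130 ssh2
  Jul  3 10:01:15 box sshd[812]: Accepted publickey for deploy from 198.51.100.4 port 5000 ssh2
  Jul  3 10:01:19 box sshd[813]: Failed password for root from 203.0.113.7 port 4140 ssh2
LOG
SAMPLE_WHOIS = <<~WHOIS
  inetnum:        203.0.113.0 - 203.0.113.255
  netname:        EXAMPLE-NET
  abuse-mailbox:  abuse@isp.example
  e-mail:         noc@isp.example
WHOIS

# Accept only a single literal IPv4/IPv6 address; anything else returns nil,
# so shell metacharacters or CIDR ranges never reach grep, whois or the mailer.
def valid_ip(arg)
  s = arg.to_s.strip
  return nil if s.include?('/')
  IPAddr.new(s).to_s
rescue IPAddr::Error
  nil
end

# sshd lines that mention exactly this address (203.0.113.7 must not match 203.0.113.70).
def log_excerpt(log_text, ip)
  pattern = /(?<![\w.:])#{Regexp.escape(ip)}(?![\w:]|\.\d)/
  log_text.lines.map(&:chomp).select { |l| l.include?('sshd') && l =~ pattern }
end

# Prefer a whois field whose name mentions "abuse"; fall back to the first e-mail field.
def abuse_contact(whois_text)
  emails = whois_text.scan(/^\s*([\w-]+):\s*(\S+@\S+)\s*$/)
  hit = emails.find { |key, _| key =~ /abuse/i } || emails.first
  hit && hit[1]
end

# Returns the pieces of the abuse report, or nil when there is nothing safe to send.
def build_report(host_arg, log_text, whois_text)
  ip = valid_ip(host_arg) or return nil
  lines = log_excerpt(log_text, ip)
  to = abuse_contact(whois_text)
  return nil if lines.empty? || to.nil?
  { to: to, ip: ip, excerpt: lines }
end

p build_report(ARGV[0] || '203.0.113.7', SAMPLE_LOG, SAMPLE_WHOIS) if __FILE__ == $0
```

Matching the address as a whole token keeps another host's log lines out of the report sent to the ISP.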

Metalog Users

Please note that several system loggers compress output by default. This means that if a log entry is repeated, the logger caches it and writes “Last output repeated” x times to the log file instead.

Such compression should be turned off, otherwise the DenyHosts log scanner will miss several entries.

If using MetaLog, add showrepeats = 1 to your metalog.conf file.

Why oh Why???

The last few months, and particularly the last few days (beginning of July), saw a marked increase in global SSH brute force attacks.

It is fairly easy to hack-proof your server. Brute force attacks can also be thwarted by running DenyHosts on your server. DenyHosts monitors all SSHD hack attempts and blacklists the attacker. DenyHosts can also be optionally configured to share your blacklist with other DenyHosts users. This sharing of blacklists can greatly reduce SSHD attempts.

The real problem still remains. SSHD attacks are now on the increase and it is no longer sufficient to blacklist offenders.
Ideally, any SSHD hack attempt should be blacklisted, logged and, most importantly, the ISP of the attacker must be notified in order to disconnect the attacking machine from the Internet.

I’ve had this script running on one of my dedicated boxes for the last 12 hours and since then have received half a dozen emails from various ISPs confirming that the attacker’s servers were identified and cut off from the Internet. WIN.