
Password Cracking

Tired of these idi0ts

natrl1

8:03 pm on Nov 25, 2003 (gmt 0)



I am a new poster here so the usual disclaimer applies.

I am tired of password cracking attempts and would greatly appreciate some insight.

I know that after several (i.e. 10+) unsuccessful username/password attempts from the same IP, I am getting attacked.

I know that some of the more crafty dipsh1+5 use open proxies to make rapid-fire attempts from a myriad of IPs.

The latter attack profile makes it hard to create a script that notifies me via e-mail.

I am just starting with perl.

Can anyone suggest a relatively successful manner to notify me via e-mail and possibly thwart these annoying suckers of my patience and bandwidth?

Possibly a crontab run script that will parse my raw logs and return an e-mail report if the following conditions become apparent:

1. more than 5 unsuccessful attempts using different usernames from the same IP

2. more than 10 unsuccessful surreptitious (within a set time period) attempts from varying IPs

Ideally, this script would run every 5 minutes or so and do the following:

1. check for the attack profiles listed above

2. if the profile is detected:

(a.) catch the IP or IPs
(b.) check the reverse lookup for the IP or IPs
(c.) perform a tracert to the IP or IPs
(d.) add a mod_rewrite to block the IP if it is only one, or temporarily suspend access to the protected resource
(e.) create a text file and e-mail it to me including all of the info and the mod that was applied

I know that I may be answering my own question here, but it would be nice to get some feedback and maybe some pointers on a good way to create/implement this script.

Thanks in advance.

[edited by: tedster at 9:00 pm (utc) on Nov. 25, 2003]

victor

8:31 pm on Nov 25, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I don't use Perl, but the principle is the same:

I record bad logon attempts in a file with a timestamp.

Every now and again, I download the file and take a look at it.

At one point, I had the log-in script do this:

  • send me an email if the first and last logged records were separated by an hour
  • delete the file.

That way, I was getting a summarized notification at most once an hour.

victor

8:32 pm on Nov 25, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

Whoops!

Forgot to say: "welcome to WebmasterWorld!"

Welcome to WebmasterWorld!

Frank_Rizzo

10:03 am on Nov 26, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

Here's my advice:

1. Display a suitable 401 error page with legal warnings.
Everyone who uses a password cracking tool initially tries to enter your private area 'manually', i.e. they click the members area link to see what happens.

If you display a warning that any password cracking attempts will result in civil / criminal prosecution, that will get rid of a lot of them. Believe me, whilst it does not stop the hard and fast crackers, it will stop those curious newbies.

2. Ensure your log file is set to capture the X_FORWARDED_FOR IP address. In nearly every cracking attempt there will be proxies which leak the true client IP address. The cracker does not know this; he runs his checks on the latest proxies but he never knows if a few hours later a techie has turned the feature on at the proxy.

In a sustained attack you will get the true client IP address, and you will be able to trace it back to an ISP.

3. Parse your logs (I use Excel, easier to sort on X_FORWARDED_FOR) and look up the abuse contact. If this is a large ISP then don't bother submitting via email. Get the name and number of the main man. If you talk to them directly you will get swifter action.

4. Fool the suckers into thinking they have won by moving the goalposts.
The password cracking tools flood the .htaccess area with a list of names and passwords. If a 200 code is returned then this is logged and chummy stops. So give him some 200's!

The way I do this is to temporarily rename the .htaccess file to .htaccesstemp. Do this for 5 seconds, then rename it back. Repeat this for a few minutes (I run a script called chaff which does this for me). What happens is that chummy's screen fills up with lots of positives, but they are false positives.

Another option is to move the .htaccess file around. I have a dir structure:

members\summer_widgets
members\winter_widgets

The .htaccess file sits in the members dir. And this is where chummy launches his attack. What I do next is to copy the .htaccess to members\summer_widgets AND members\winter_widgets and then delete the .htaccess from members.

This causes no problems for valid members but it then gives chummy thousands of false positives! He thinks he's broken into your secure area, but all you have done is given him access to the front porch - inside is still locked.

Summary
-------
Post a suitable warning that you WILL prosecute for theft.

If you can keep changing the goal posts he will get bored and leave you alone.
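The log-parsing script natrl1 asks for in the first post, combined with Frank_Rizzo's point 2 about logging X-Forwarded-For, as an added example that is not code from any poster in this thread. natrl1 asked about Perl; this version is Python. It assumes (both are assumptions, not from the thread) an Apache combined LogFormat with `%{X-Forwarded-For}i` appended as a final quoted field and a protected area under `/members/`, and it runs over a constructed sample log that uses documentation address ranges. It flags the two profiles from the first post (more than 5 distinct usernames from one IP; more than 10 failures inside a 5-minute window from more than one IP) and returns the text a cron job could mail together with the `Deny from` lines it would apply. One caveat on Frank_Rizzo's point 2: X-Forwarded-For is an ordinary request header, and a client can send any value in it, so the script reports it as a lead for an abuse complaint but never keys blocking on it. The reverse lookup and tracert steps from the first post need network access and are left out.

```python
# Added example (not from any post in this thread): a cron-style pass over an
# Apache access log that flags the two attack profiles the first post describes.
# Assumed (constructed) log format: combined format with the X-Forwarded-For
# request header appended as a final quoted field, e.g.
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Forwarded-For}i\"" xff
# On a 401, Apache writes the username the client offered into %u, which is
# what lets us count distinct guesses per IP.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
PROTECTED = "/members/"   # assumed path of the .htaccess-protected area

def parse_line(line):
    """Return one log line as a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def failed_logins(lines):
    """Keep only 401 responses for the protected area, oldest first."""
    recs = [r for r in map(parse_line, lines)
            if r and r["status"] == "401" and r["path"].startswith(PROTECTED)]
    return sorted(recs, key=lambda r: r["ts"])

def profile_single_ip(attempts, max_users=5):
    """Profile 1: one IP trying more than max_users distinct usernames."""
    users = defaultdict(set)
    for r in attempts:
        if r["user"] != "-":
            users[r["ip"]].add(r["user"])
    return {ip: sorted(u) for ip, u in users.items() if len(u) > max_users}

def profile_distributed(attempts, max_attempts=10, window=timedelta(minutes=5)):
    """Profile 2: more than max_attempts failures inside one sliding window,
    coming from more than one IP. Returns the densest such window, or None."""
    best, start = None, 0
    for end, r in enumerate(attempts):
        while r["ts"] - attempts[start]["ts"] > window:
            start += 1
        burst = attempts[start:end + 1]
        ips = sorted({b["ip"] for b in burst})
        if (len(burst) > max_attempts and len(ips) > 1
                and (best is None or len(burst) > best["count"])):
            best = {"count": len(burst), "ips": ips,
                    "first": burst[0]["ts"], "last": burst[-1]["ts"]}
    return best

def build_report(lines):
    """Text a cron job could mail, plus the deny list it would apply.
    X-Forwarded-For is reported but never used for blocking: the client can
    set that header itself, so it is a lead for the abuse desk, not evidence."""
    attempts = failed_logins(lines)
    single = profile_single_ip(attempts)
    spread = profile_distributed(attempts)
    deny = sorted(single)
    out = [f"failed logins on {PROTECTED}: {len(attempts)}"]
    for ip, users in single.items():
        xff = sorted({r["xff"] for r in attempts if r["ip"] == ip and r["xff"] != "-"})
        out.append(f"profile 1: {ip} tried {len(users)} usernames {users}; "
                   f"X-Forwarded-For seen: {xff}")
    if spread:
        out.append(f"profile 2: {spread['count']} failures from {len(spread['ips'])} IPs "
                   f"between {spread['first']:%H:%M:%S} and {spread['last']:%H:%M:%S}: "
                   f"{spread['ips']}")
    out.extend(f"Deny from {ip}" for ip in deny)   # Apache 2.2-era .htaccess syntax
    return "\n".join(out), deny

# Constructed sample log using documentation address ranges, not real hosts.
def _line(ip, user, secs, status, path=PROTECTED, xff="-"):
    ts = datetime(2003, 11, 25, 20, 0, 0) + timedelta(seconds=secs)
    return (f'{ip} - {user} [{ts:%d/%b/%Y:%H:%M:%S} +0000] "GET {path} HTTP/1.0" '
            f'{status} 512 "-" "Mozilla/4.0" "{xff}"')

SAMPLE_LOG = (
    [_line("203.0.113.5", u, 2 * i, 401, xff="192.0.2.77")            # profile 1
     for i, u in enumerate(["admin", "root", "test", "guest", "bob", "alice"])]
    + [_line(f"198.51.100.{10 + i % 4}", "admin", 600 + 5 * i, 401)    # profile 2
       for i in range(12)]
    + [_line("192.0.2.9", "carol", 700, 200),                           # real member
       _line("192.0.2.10", "-", 710, 401, path="/other/secret.html"),   # not our area
       "this line is garbage and is skipped"]
)

if __name__ == "__main__":
    text, blocked = build_report(SAMPLE_LOG)
    print(text)
```

Run it from cron every few minutes against the current log and pipe the returned text to your mailer; the deny list is what you would append to the `.htaccess` (or turn into a mod_rewrite rule) for the single-IP case. The distributed case deliberately yields only a window and an IP list, since blocking a dozen open proxies one by one is the part of the first post's plan that does not scale, and a temporary suspension of the protected resource is the more practical response there.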