New Feature: "Live" SSH Brute Force Logs and New Kippo Client
We are announcing a new feature we have been working on for a while, that will display live statistics on passwords used by SSH brute forcing bots. In addition, we also updated our script that will allow you to contribute data to this effort. Right now, we are supporting the kippo honeypot to collect data. This script will submit usernames, passwords and the IP address of the attacker to our system.
To download the script see https://isc.sans.edu/clients/kippo/kippodshield.pl .
The script uses a new REST API to upload logs to our system. To use it, you will need your API key, which you can retrieve from https://isc.sans.edu/myinfo.html (look in the lower half of the page for the "report parameters").
For data we are collecting so far, see https://isc.sans.edu/ssh.html .
If you have any other systems then kippo collecting similar information (we like to collect username, password and IP address), then please let me know and I will see if we can add the particular log format to this client.
By contributing your logs, you will help us better understand who and why these attacks are performed, and what certain "must avoid" passwords are. Note for example that some of the passwords these scripts try out are not necessarily trivial, but they may be common enough to be worth while brute forcing targets.
---
Application Security: Securing Web Apps, APIs, and Microservices | Online | US Eastern | Jan 27th - Feb 1st 2025 |
Comments
Anonymous
Jul 23rd 2014
1 decade ago
Anonymous
Jul 24th 2014
1 decade ago
Possible to create a similar tool for WordPress?
We had a few WordPress sites that are subject to brute force login attempts daily.
Anonymous
Jul 24th 2014
1 decade ago
http://denyhosts.sourceforge.net/
https://github.com/jtdub/ssh_attack_report
Anonymous
Jul 24th 2014
1 decade ago
Apart from SSH, I have succesfully captured brute-force attacks against Telnet, POP3, and FTP using scripts for honeyd low-interaction honeypot. POP3 sometimes faced as many brute-force attacks as SSH. It is interesting to compare dictionaries used against different services.
Anonymous
Jul 24th 2014
1 decade ago
I am trying to use the script on my server and I am seeing following message when I submit the kippo log (./kippodshield.pl < kippo.log)
Submitting Log
Lines: 1 Bytes: 48
ERROR: Size Mismatch
ERROR: SHA1 Mismatch 32ba1ded0aedb64b48e87c779655a26c2ab7fa56
ERROR: MD5 Mismatch a149c7af6e75bf2f347b525ada2f3950
---
OS is Sci Linux 6.x
Anonymous
Jul 24th 2014
1 decade ago
Submitting Log
Lines: 1 Bytes: 48
Size OK SHA1 OK MD5 OK
Thanks.
Anonymous
Jul 24th 2014
1 decade ago
Anonymous
Jul 24th 2014
1 decade ago
Anonymous
Jul 24th 2014
1 decade ago
i cannot see https://isc.sans.edu/ssh.html page once i logged on
Anonymous
Jan 22nd 2015
9 years ago