Threat intelligence using lastb

Asphyxia

Apr 25, 2015
By default, the SSH (Secure Shell, sometimes expanded as Secure Socket Shell) protocol uses port 22.

More specifically, an SSH client connects on port 22 to a server running sshd (the SSH daemon), the listener that accepts SSH protocol connections.

When an individual attempts to log in to your SSH service, your server should log those attempts to utmp-style files.

https://en.wikipedia.org/wiki/Utmp said:
utmp, wtmp, btmp and variants such as utmpx, wtmpx and btmpx are files on Unix-like systems that keep track of all logins and logouts to the system.

Let's go find these logs!
Code:
cd /var/log
ls -la | grep utmp

I am seeing these:
Code:
root@get:/var/log# ls -la | grep utmp
-rw-rw----   1 root      utmp            2193792 Nov 21 15:41 btmp
-rw-rw-r--   1 root      utmp              32412 Nov 21 13:27 lastlog
-rw-rw-r--   1 root      utmp               5760 Nov 21 13:27 wtmp

We can use a tool named utmpdump on these files.

For example:
Code:
utmpdump btmp

Note that on Ubuntu, utmpdump btmp and lastb show the same information (lastb reads btmp and lists it newest first), so you can compare the two, while the lastlog file (/var/log/lastlog) simply matches the name of the lastlog program (/usr/bin/lastlog):
Code:
utmpdump btmp
lastb -10

Shows me:
Code:
[6] [31011] [    ] [leil    ] [ssh:notty   ] [106.52.50.225       ] [106.52.50.225  ] [2019-11-21T15:42:33,000000+00:00]
[6] [31011] [    ] [leil    ] [ssh:notty   ] [106.52.50.225       ] [106.52.50.225  ] [2019-11-21T15:42:35,000000+00:00]
[6] [31019] [    ] [root    ] [ssh:notty   ] [222.186.52.78       ] [222.186.52.78  ] [2019-11-21T15:43:10,000000+00:00]
[6] [31019] [    ] [root    ] [ssh:notty   ] [222.186.52.78       ] [222.186.52.78  ] [2019-11-21T15:43:13,000000+00:00]
[6] [31019] [    ] [root    ] [ssh:notty   ] [222.186.52.78       ] [222.186.52.78  ] [2019-11-21T15:43:17,000000+00:00]

This information can be dumped out of these logs and, once statistics are collected, the logs can be wiped if you want. Otherwise the default Linux logrotate settings will most likely start rotating your log files.

To check your logrotate settings, simply go to this directory and list the files:
Code:
cd /etc/logrotate.d
ls -la

An example config (open it with nano nginx from that directory) looks like this:
Code:
/var/log/nginx/*.log {
        daily
        missingok
        rotate 14
        compress
        delaycompress
        notifempty
        create 0640 www-data adm
        sharedscripts
        prerotate
                if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
                        run-parts /etc/logrotate.d/httpd-prerotate; \
                fi \
        endscript
        postrotate
                invoke-rc.d nginx rotate >/dev/null 2>&1
        endscript
}

I could go on forever about logrotate, for example mailing logs and the common annoyances you hit if you don't RTFM (read the fucking manual), but we should get back on track: counting out IP addresses with failed logins!

Code:
cd /var/log

The utmpdump program also lets you follow the log as data is appended to it (-f):
Code:
utmpdump btmp -f

Now anytime someone tries connecting to SSH, I will see the username they supplied right away.

For quick analysis of this information, we want to write the dump to a file somewhere so we can parse it.

Code:
root@get:/var/log# utmpdump btmp -o /root/spawnstar

Now let's go look at our new spawnstar dumped log!
Code:
cd /root/
cat spawnstar

Looks pretty damn beautiful, time to parse this fuckin' log - we have done other parsing with bash.

What usernames are being used?
Code:
cat spawnstar | cut -d "[" -f 5 | cut -d "]" -f 1

We can sort this for a slightly sexier view with cat spawnstar | cut -d "[" -f 5 | cut -d "]" -f 1 | sort.

Redundant data, how can we get the counts?
Code:
cat spawnstar | cut -d "[" -f 5 | cut -d "]" -f 1 | sort | uniq -c | sort -n

This gives you the real shit you wanted:
Code:
     10 nagios
     10 named
     10 oracle
     10 support
     11 uucp
     12 123
     12 ching
     12 hung
     12 lisa
     12 web
     12 webadmin
     12 www
     14 apache
     14 operator
     16 123456
     16 gdm
     16 http
     16 webmaster
     16 wwwrun
     18 dovecot
     18 host
     18 rpc
     18 squid
     20 pcap
     22 vcsa
     46 backup
     66 guest
     66 mysql
     72 test
     90 server
    152 admin
   1563 root

If you are anything like me, you know whitespace is basically TOTAL FUCKING AIDS.

Simple fix:
Code:
cat spawnstar | cut -d "[" -f 5 | cut -d "]" -f 1 | sort | uniq -c | sort -n | awk '{$1=$1};1'

And here we have the cleanly presented data on what usernames are most commonly being tried (this is in about 24h, we just launched our new download server):
Code:
6 ts3
7 mail
8 daemon
8 ftpuser
8 info
8 nobody
8 postgres
8 ssh
8 ubuntu
8 user
8 wwwadmin
8 www-data
8 yoyo
10 asterisk
10 bin
10 hadoop
10 home
10 ident
10 nagios
10 named
10 oracle
10 support
11 uucp
12 123
12 ching
12 hung
12 lisa
12 web
12 webadmin
12 www
14 apache
14 operator
16 123456
16 gdm
16 http
16 webmaster
16 wwwrun
18 dovecot
18 host
18 rpc
18 squid
20 pcap
22 vcsa
46 backup
66 guest
66 mysql
72 test
90 server
152 admin
1563 root

So having username data is kind of cool, but we probably want to know what hosts are being assholes - give me the IP! Also, thank fuck SSH does not use UDP which would practically allow anyone to flood the piss out of your logs with spoofed IP addresses - oh hell. Some clown tried saying "Let's do SSH UDP," no sir.

Let's just touch the cat again - hehehe.
Code:
cat spawnstar

Okay, stare closely at the [ characters and count them all:
Code:
[6] [31151] [    ] [root    ] [ssh:notty   ] [222.186.52.78       ] [222.186.52.78  ] [2019-11-21T15:57:02,000000+00:00]

Lazy? Fine h03.
Code:
cat spawnstar | grep "\["
Count the red [ characters over to the IP address. I counted 6, hopefully we can agree? Add 1 to that number for the cut command: field 1 is whatever sits before the first delimiter, so the text after the 6th "[" is field 7.

Pay close attention to the -f 7 part; that is what I meant about adding 1 to the 6 "[" characters.
Code:
cat spawnstar | cut -d "[" -f 7 | cut -d "]" -f 1

Now we see something like:
Code:
40.83.184.32
112.217.207.130
112.217.207.130
182.61.136.53
129.226.67.136
222.186.52.78
222.186.52.78
222.186.52.78

That works; now apply the same counting pipeline we used for usernames:
Code:
cat spawnstar | cut -d "[" -f 7 | cut -d "]" -f 1 | sort | uniq -c | sort -n | awk '{$1=$1};1'

We now know our noisiest hosts (neighbors) in the IPv4 space, i.e. the Internet:
Code:
93 80.211.13.167
93 83.48.89.147
94 104.236.252.162
95 106.12.82.70
97 185.49.86.54
98 103.40.235.233
98 182.75.248.254
99 52.176.110.203
100 157.230.63.232
100 89.222.181.58
101 96.30.160.186
129 94.23.25.77
167 41.77.145.34
277 222.186.52.78
715 49.88.112.113
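To turn the one-off username and IP pipelines above into something repeatable, here is an added example (not part of the original post) that wraps both counts in shell functions and adds a pivot from one source host to the usernames it tried. The sample dump is constructed from lines shown earlier on this page; count_field, ssh_only and names_from_host are names of my own.

```shell
# Constructed sample in the format utmpdump prints (hosts and usernames are
# the ones that appear in the dump above; the last line is made up).
SAMPLE='[6] [31011] [    ] [leil    ] [ssh:notty   ] [106.52.50.225       ] [106.52.50.225  ] [2019-11-21T15:42:33,000000+00:00]
[6] [31011] [    ] [leil    ] [ssh:notty   ] [106.52.50.225       ] [106.52.50.225  ] [2019-11-21T15:42:35,000000+00:00]
[6] [31019] [    ] [root    ] [ssh:notty   ] [222.186.52.78       ] [222.186.52.78  ] [2019-11-21T15:43:10,000000+00:00]
[6] [31019] [    ] [root    ] [ssh:notty   ] [222.186.52.78       ] [222.186.52.78  ] [2019-11-21T15:43:13,000000+00:00]
[6] [31019] [    ] [root    ] [ssh:notty   ] [222.186.52.78       ] [222.186.52.78  ] [2019-11-21T15:43:17,000000+00:00]
[6] [31151] [    ] [admin   ] [ssh:notty   ] [49.88.112.113       ] [49.88.112.113  ] [2019-11-21T15:57:02,000000+00:00]'

# count_field N: read utmpdump lines on stdin and count distinct values of the
# N-th "["-separated field (5 = username, 7 = source host), rarest first.
# Padding is stripped before sorting so counts never depend on column width.
count_field() {
    cut -d '[' -f "$1" | cut -d ']' -f 1 | awk '{$1=$1};1' \
        | sort | uniq -c | sort -n | awk '{$1=$1};1'
}

# ssh_only: keep just the lines recorded by the sshd listener.
ssh_only() {
    grep -F '[ssh:notty'
}

# names_from_host HOST: the distinct usernames one source host tried.
names_from_host() {
    awk -F'[' -v h="$1" '
        { split($7, host, "]"); sub(/ +$/, "", host[1])
          if (host[1] == h) { split($5, user, "]"); sub(/ +$/, "", user[1]); print user[1] } }
    ' | sort -u
}

echo "== usernames ==";    printf '%s\n' "$SAMPLE" | ssh_only | count_field 5
echo "== source hosts =="; printf '%s\n' "$SAMPLE" | ssh_only | count_field 7
echo "== names tried by 222.186.52.78 =="; printf '%s\n' "$SAMPLE" | names_from_host 222.186.52.78
```

Replace the printf of SAMPLE with cat spawnstar (or utmpdump btmp) to run it against a real dump.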

Mr. 49.88.112.113 - who the fuck do you think you are?


Oh of course, you are CHINANET jiangsu province network. Just block China, fuck that noise! Haha.. by the way, you really should be hardening your sshd configs to use an alternative port and more secure forms of authentication.

Edit your sshd config:
Code:
nano /etc/ssh/sshd_config

Swap some settings like these (current ---> hardened):
Code:
PermitRootLogin yes ---> PermitRootLogin no
#Port 22 ---> Port 9987
#MaxAuthTries 6 ---> MaxAuthTries 1
#LoginGraceTime 2m ---> LoginGraceTime 1m
#MaxSessions 10 ---> MaxSessions 2

Here are just a couple of ways to harden your environment (restart sshd after changing configs via service sshd restart); you may certainly explore more hardening options and even look into Fail2Ban for protecting SSH.
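As an added example that is not from the original post, here are the sshd_config changes listed above applied to a copy of the config instead of by hand in nano, with a validation step before anything is restarted. harden_sshd_config and check_sshd_config are hypothetical names of my own; the values are the ones given above.

```shell
# harden_sshd_config SRC DST: write a hardened copy of SRC to DST.
# sshd uses the FIRST value it sees for a keyword, so the overrides go at the
# top; matching top-level lines from SRC are commented out so nothing conflicts.
# Lines inside "Match" blocks are left alone, since they apply only there.
harden_sshd_config() {
    src=$1; dst=$2
    {
        echo '# Overrides added by harden_sshd_config (first value wins in sshd)'
        echo 'PermitRootLogin no'
        echo 'Port 9987'
        echo 'MaxAuthTries 1'
        echo 'LoginGraceTime 1m'
        echo 'MaxSessions 2'
        awk '
            /^[ \t]*Match([ \t]|$)/ { in_match = 1 }
            !in_match && /^[ \t]*(PermitRootLogin|Port|MaxAuthTries|LoginGraceTime|MaxSessions)([ \t]|$)/ {
                print "#" $0 "   # superseded by override above"; next
            }
            { print }
        ' "$src"
    } > "$dst"
}

# check_sshd_config FILE: run sshd in test mode against FILE. sshd -t needs root
# to read the host keys, so the check is skipped when not root or sshd is absent.
check_sshd_config() {
    if [ "$(id -u)" -ne 0 ] || ! command -v sshd >/dev/null 2>&1; then
        echo "skipping sshd -t (needs root and an installed sshd)"; return 0
    fi
    sshd -t -f "$1"
}

# Usage: sh harden.sh /etc/ssh/sshd_config /tmp/sshd_config.new
# then review the copy, install it over the original and restart sshd.
if [ $# -eq 2 ]; then
    harden_sshd_config "$1" "$2" && check_sshd_config "$2"
fi
```

Open the new port in your firewall before restarting sshd, and keep the current session open until a fresh login on the new port succeeds; otherwise a typo in the config locks you out.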
 