Anyone know how to clear the memory of a hack attempt determined by Synchronet?
Hey,
Anyone know how to clear the memory of a hack attempt determined by Synchronet? Basically I'm trying to write OSSEC rules, /and/ test them by repeatedly hammering the server with random usernames (pulled from /usr/share/dict/words randomly).
So far, I'm getting very close to finishing up a decoder and alert responce action, but as I keep testing, it keeps slowing down because of the slowdown options Synchronet has in sbbs.ini for this.
I just want to clear the attempts (it's not being blocked/canned specifically), and let it start back over from scratch as if it's the first time ever. :)
Anyone know how to clear the memory of a hack attempt determined by
Synchronet?
Just editing the hack log and logging in with the correct password should do the trick.
Re: Hack Attempt Log -- How to purge that..
By: Deuce to Psi-Jack on Sun Jul 26 2015 10:35 pm
Anyone know how to clear the memory of a hack attempt determined by
Synchronet?
Just editing the hack log and logging in with the correct password should do the trick.
Heh. I seemed to have been caught between a chicken and egg problem. While I had truncated the hack.log, restarted sbbs, ossec, I didn't realize, was also performing auto-responce by blocking the IP for a time frame.
Which is perfect, and what I wanted, I just didn't know it did that at level 9, or at all by default. :)
Either way. I now have it setup so that OSSEC handles it more directly, and Synchronet is configured to only account for 2 nick attempts that are unique before reporting. The 5th failed attempt of course will yield a firm iptables response.
Now, if only Synchronet logged the actual IP address of an Unknown user in the syslog, on the same line as the unknown user, username, etc. OSSEC has very minimal log parsing functionality, and so long as it can find all its details it needs to match on on a single line, it can be useful. hack.log was a special case since it's a multiline with a specific number of lines, which is also plausible with OSSEC.
Anyone know how to clear the memory of a hack attempt determined by
Synchronet?
Just editing the hack log and logging in with the correct password
should do the trick.
Heh. I seemed to have been caught between a chicken and egg problem.
While I had truncated the hack.log, restarted sbbs, ossec, I didn't
realize, was also performing auto-responce by blocking the IP for a
time frame.
Truncating the hack.log won't actually change the behavior of sbbs at all.
Which is perfect, and what I wanted, I just didn't know it did that at
level 9, or at all by default. :)
Either way. I now have it setup so that OSSEC handles it more
directly, and Synchronet is configured to only account for 2 nick
attempts that are unique before reporting. The 5th failed attempt of
course will yield a firm iptables response.
Now, if only Synchronet logged the actual IP address of an Unknown
user in the syslog, on the same line as the unknown user, username,
etc. OSSEC has very minimal log parsing functionality, and so long as
it can find all its details it needs to match on on a single line, it
can be useful. hack.log was a special case since it's a multiline with
a specific number of lines, which is also plausible with OSSEC.
So, is that a feature request or is parsing the hack.log sufficient for your needs?
Now, if only Synchronet logged the actual IP address of an Unknown
user in the syslog, on the same line as the unknown user, username,
etc. OSSEC has very minimal log parsing functionality, and so long as
it can find all its details it needs to match on on a single line, it
can be useful. hack.log was a special case since it's a multiline with
a specific number of lines, which is also plausible with OSSEC.
So, is that a feature request or is parsing the hack.log sufficient for your needs?
Actually... I have 2 feature requests. Both very small and minor, but for the purpose of log analysis (and some limitations in them too).
Synchronet itself logs unknown login attempts, but does not provide any more details on the same line.
I'd honestly prefer OSSEC to watch that,
specifically, but I need more details. Specifically what would be nice on that is three key parts. The username being attempted, which is already there. The ip address (or dns.name [ip.add.ress]), and the port number being failed on
(23 for telnet, 22 for ssh, etc etc). OSSEC as it is sadly can't/won't parse named ports, but will work with numerical ports.
The reason I'd rather use the UNKNOWN user, is those are obviously 90% going to be bots or real hack attempt events, and would specifically allow identification of a series of attempts, even if to the same username with different password.
Second would be on the FAILED password attempts, the same information. And in some ways, I'd prefer that the actual password not be logged, though the attempted password is fine.
I know at the sysop level, watching the logs and
seeing that, you could tell if someone is just making a typo, but I can also do that by directly using the user editor and looking at their password there and comparing. Not logging the actual password itself would be preferred, but not specifically what I'm asking for, though. Just origin IP address and destination port (source port could be tracked too, but I usually find that's less relevant, however /sometimes/ useful even still.)
If these were added I could work with OSSEC a little further, making it monitor both srcip, dstport, dstuser, and should it be a simple matter of a user typoing their password, I could both account for multiple failed attempts to the same user, multiple users, and escelate to auto-responce or de-escelate upon successful login (which also adds, the need for those srcip, dstport, dstuser on successful Logon too, which is a 3rd feature request. :)
There was one feature/bug I noticed too in the hack.log, in the case of the AUT LOGIN type being used, if \n existed in the username (maybe password field too, not sure)., where that was treated literally and printed as such in the hack.log, causing:
SUSPECTED RLogin LOGIN HACK ATTEMPT for user 'blah
' on Mon Jul 27 2015 09:35pm
Using port 53978 at hostname [ip.add.re.ss]
Details: blah
As OSSEC can only do specific multiline parsing on consistent line numbers, this breaks that consistency by outputting 5, or even potentially 6 with the Details line if that's not accounted for there too.
Now, if only Synchronet logged the actual IP address of an Unknown
user in the syslog, on the same line as the unknown user, username,
etc. OSSEC has very minimal log parsing functionality, and so long
as it can find all its details it needs to match on on a single
line, it can be useful. hack.log was a special case since it's a
multiline with a specific number of lines, which is also plausible
with OSSEC.
So, is that a feature request or is parsing the hack.log
sufficient for your needs?
Actually... I have 2 feature requests. Both very small and minor, but
for the purpose of log analysis (and some limitations in them too).
Synchronet itself logs unknown login attempts, but does not provide
any more details on the same line.
When you say 'Synchronet', I think you might be referring specifically to the terminal server and not all Synchronet servers and services. The method and form of the logging failed login attempts in the non-terminal servers/services is varied. The only common log (to all servers/services) is the hack.log.
So you want to add the source IP (or hostname) and the destination TCP port to all failed login attempts? That would make those specific log entries pretty long. I'll give it some thought.
For UNKNOWN users, I'd like it to specifically say UNKNOWN somewhere on the log entry. Along with that, the service port number attempted on. With
those two specific details I could setup OSSEC to handle UNKNOWN users and known users differently and detect port variations as well.
In example:
SUSPECTED RLogin LOGIN HACK ATTEMPT for UNKNOWN user 'blah' on Mon Jun 27 2015 09:35pm
Using port 53978 at myhostname.com:513 [123.145.167.189:513]
Details: pass
Something as simple as that would allow for OSSEC to account for an unknown user more accurately, as well as a known user just typing in their password wrong, without the UNKNOWN part.
Along with that however, the actual successful login of a user as well, I would need details just the same.
Say user X types their password wrong once, maybe twice. No big deal, it
are you really getting attacked this bad or is this your assburger's
Re: Hack Attempt Log -- How to purge that..
By: Mro to Psi-Jack on Tue Jul 28 2015 14:49:48
are you really getting attacked this bad or is this your assburger's
I dont know about him, but I am. Logon prompt node 1, then logon prompt node 2, and node 1 stops, ad infinitum. All day long. Nobody ever logs in,
and the ip address is untraceable.
I dont know about him, but I am. Logon prompt node 1, then logon prompt node 2, and node 1 stops, ad infinitum. All day long. Nobody ever logs
in, and the ip address is untraceable.
Re: Hack Attempt Log -- How to purge that..in,
By: Mro to Psi-Jack on Tue Jul 28 2015 14:49:48
are you really getting attacked this bad or is this your assburger's
I dont know about him, but I am. Logon prompt node 1, then logon prompt node 2, and node 1 stops, ad infinitum. All day long. Nobody ever logs
and the ip address is untraceable.
IP addresses are never untracable... if they are not returning a domain name, that's no problem at all... you can still find out who owns the address with the proper tools... whois is the first that comes to mind... in a short one can
simply plug the IP into uncle google's search and find all kinds of data about it...
I assume they can spoof IP addresses as well as phone numbers? Never thought of using Google for that though.
IP addresses are never untracable... if they are not returning a
domain name, that's no problem at all... you can still find out who
owns the address with the proper tools... whois is the first that
comes to mind... in a short one can simply plug the IP into uncle
google's search and find all kinds of data about it...
I assume they can spoof IP addresses as well as phone numbers? Never thought of using Google for that though.
I assume they can spoof IP addresses as well as phone numbers?
Never thought of using Google for that though.
TCP connections cannot spoof IPs and work... the connection has to be solid... there's a three-way handshake to set this up... UDP connections, on the other hand, are stateless and can have spoofed IPs... the difference here is that there's no such thing as a UDP telnet or ssh or rlogin or similar connection...
they cannot be spoofed...
Sysop: | MCMLXXIX |
---|---|
Location: | Prospect, CT |
Users: | 325 |
Nodes: | 10 (0 / 10) |
Uptime: | 09:44:22 |
Calls: | 510 |
Messages: | 220574 |