#!/usr/bin/env python

# By William 'wh1sk3yj4ck' Soderberg
# E-mail: william.soderberg@gmail.com

# This script analyzes your auth.log file for brute-force attacks and prints a report.

# Per-attacker store keyed by source IP. Each value is a 5-element list laid
# out by storeFailed / storeSuccessful below:
#   [first_seen, last_seen, failed_attempts, [time, user, ...], successes]
sshdInfo = {}

# Module-level scratch values. `ip`, `time` and `attempts` are shadowed by
# same-named locals inside storeFailed / storeSuccessful / check, so they are
# never rebound here; recordSession is the only function reading global `ip`.
ip, time, attempts = 0, 0, 0

# Token position of the source IP in a whitespace-split
# "Failed password for invalid user NAME from IP ..." line.
index = 12

# Running total of failed logins, handed to writeReport at the end of the run.
totalFailed = 0

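def checkRatio(info=None, tolerance=0.1):
    """Drop entries whose success/attempt ratio exceeds *tolerance*.

    An IP with at least one successful login whose ratio of successes to
    login attempts is above ``tolerance`` (default: more than 1 success in
    10) is treated as a legitimate user rather than a brute-force source,
    and its entry is removed from the store in place.

    Args:
        info: mapping of IP -> [start, end, attempts, compromised, successes];
            defaults to the module-level ``sshdInfo``.
        tolerance: ratio above which an entry counts as a false positive.
    """
    if info is None:
        info = sshdInfo

    # Collect the keys first: deleting while iterating a dict is an error.
    # Entries created by storeFailed always have attempts >= 1, but a
    # hand-built store might not, so guard the division as well.
    false_positives = [
        k for k, v in info.items()
        if v[4] > 0 and v[2] > 0 and (v[4] / float(v[2])) > tolerance
    ]

    for k in false_positives:
        del info[k]
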
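def check(line):
    """Classify one auth.log line and dispatch it to the matching recorder.

    The line is split on whitespace and the first three tokens (month, day,
    clock time) form the timestamp stored with the event. 'Failed' lines go
    to storeFailed with the IP position adjusted for the "invalid user"
    wording, 'Accepted' lines go to storeSuccessful, and anything else is
    treated as a session-close line and handed to recordSession.

    Args:
        line: a raw log line as read from the file.
    """
    tokens = line.split()
    timestamp = ' '.join(tokens[:3])

    if 'Failed' in tokens:
        # "Failed password for invalid user NAME from IP" carries two more
        # tokens before the IP than "Failed password for NAME from IP".
        ip_index = index if 'invalid' in tokens else index - 2
        storeFailed(tokens, ip_index, timestamp)
    elif 'Accepted' in tokens:
        storeSuccessful(tokens, timestamp)
    else:
        # The original `else` lacked its colon, which made the script a SyntaxError.
        recordSession(tokens, timestamp)
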
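def storeFailed(line, index, time, info=None):
    """Record one failed login attempt from the IP found at ``line[index]``.

    The first sighting of an IP creates the record
    ``[time, time, 0, [], 0]`` (start, end, attempts, compromised-account
    details, successes); every call then refreshes the end time and bumps
    the attempt counter, so a fresh entry ends up with attempts == 1.

    Args:
        line: whitespace-split log line tokens.
        index: position of the source IP within ``line``.
        time: timestamp string built by check().
        info: store to update; defaults to the module-level ``sshdInfo``.

    Raises:
        IndexError: if ``line`` has no token at ``index``.
    """
    if info is None:
        info = sshdInfo

    ip = line[index]

    # setdefault creates the initial record only on the first sighting.
    record = info.setdefault(ip, [time, time, 0, [], 0])
    record[1] = time   # last time this IP was seen
    record[2] += 1     # one more failed attempt
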
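def storeSuccessful(line, time, info=None):
    """Record a successful login for an IP that already has failed attempts.

    Successful logins from IPs with no prior failures are ignored: they are
    not part of a brute-force pattern. For a known IP the (time, user) pair
    is appended to the compromised-account list, the end time is refreshed
    and the success counter is incremented.

    Args:
        line: whitespace-split log line tokens; the user name is read from
            position 8 and the IP from position 10
            ("... Accepted METHOD for USER from IP ...").
        time: timestamp string built by check().
        info: store to update; defaults to the module-level ``sshdInfo``.
    """
    if info is None:
        info = sshdInfo

    ip = line[10]
    user = line[8]

    record = info.get(ip)
    if record is None:
        # Not a known attacker: nothing to record.
        return

    # Flat (time, user) pairs: when the account was compromised, and which one.
    record[3].extend([time, user])
    record[1] = time   # refresh the end time
    record[4] += 1     # one more success
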
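def recordSession(line=None, time=None):
    """Placeholder for recording a session end time; currently a no-op.

    check() calls this with the split tokens of a "session closed for user"
    line and its timestamp, so both arguments are accepted here (the
    previous zero-argument signature raised TypeError on the first such
    line). Nothing is stored: a session-close line carries the user name
    but no source IP, so it cannot be attributed to an attacker record
    reliably when several IPs are logged in at the same time.

    Args:
        line: whitespace-split log line tokens (unused).
        time: timestamp string built by check() (unused).
    """
    return None
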
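def writeReport(totalFailed, info=None, path='sshd_analyzer_report'):
    """Write a per-attacker report to *path* and print summary totals.

    For every entry in the store the IP, first/last seen times and attempt
    count are written; entries with at least one success also get the
    success count, the success ratio and the (time, user) pairs of the
    compromised accounts. The summary printed to stdout counts attackers,
    attackers with a success, attackers without one, and the total number
    of failed attempts.

    Args:
        totalFailed: starting value for the failed-attempt total (the
            script passes the module-level counter, which is 0).
        info: store to report on; defaults to the module-level ``sshdInfo``.
        path: output file; overwritten if it already exists.
    """
    if info is None:
        info = sshdInfo

    successful = 0

    with open(path, 'w') as report:
        for ip, record in info.items():
            start, end, failed, compromised, successes = record
            report.write('\n\nAttacker IP: ' + ip)
            report.write('\nStart time: ' + start)
            report.write('\nEnd time: ' + end)
            report.write('\nLogin attempts: ' + str(failed))

            if successes > 0:
                successful += 1
                report.write('\nSuccessful attempts: ' + str(successes))
                report.write('\nRatio: ' + str(successes / float(failed)))

                if compromised:
                    report.write('\nCompromised account details:')
                    # The list holds flat (time, user) pairs, see storeSuccessful;
                    # zip on the two strides walks them without index arithmetic.
                    for when, user in zip(compromised[::2], compromised[1::2]):
                        report.write('\n' + when + ' : ' + user)

            totalFailed += failed

    print('Total number of attackers: ' + str(len(info)))
    print('Total number of successful attackers: ' + str(successful))
    print('Total number of failed attackers: ' + str(len(info) - successful))
    print('Number of failed login attempts: ' + str(totalFailed))
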
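def main(path='sanitized_log/auth.log'):
    """Feed the relevant lines of the auth log through check().

    Only sshd 'Failed' and 'Accepted' lines and 'session closed for user'
    lines are considered; every other line is discarded.

    Args:
        path: auth.log file to read, line by line.
    """
    with open(path, 'r') as log:
        for line in log:
            # 'sshd' must be tested with `in line` explicitly: the previous
            # form `'sshd' and 'Failed' in line` only evaluated the second
            # test, because a non-empty string literal is always truthy.
            if 'sshd' in line and ('Failed' in line or 'Accepted' in line):
                check(line)
            elif 'session closed for user' in line:
                check(line)
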
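if __name__ == '__main__':
    # Parse the log, drop likely false positives, then write the report.
    main()
    checkRatio()
    writeReport(totalFailed)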