Archive for May 13th, 2008

SSH storm – updated

Tuesday, May 13th, 2008

The last couple of days, it seems there’s some kind of SSH botnet trying to spread. Since I installed DenyHosts some weeks ago, I have usually been getting 5-10 notifications of blocked IP addresses. Last weekend, however, I got more than 200 notifications.

Although I feel rather safe having DenyHosts installed (which I urge you to install on every SSH-accessible server), a lot of hosts out there aren’t protected, so I fear a new botnet is in the making.

Clearly, someone thinks I need to get more junk in my mailbox. Let me tell you though, 1400 spam mails a day is enough already…

That’s why I wrote a very rudimentary script that hooks into DenyHosts, queries a whois server for an abuse mailbox and, when one is found, sends an e-mail to it.

Update:
I didn’t notice the difference between the PLUGIN_DENY setting and the mail behaviour of DenyHosts.
By default, DenyHosts sends you an e-mail every time it adds a new host to /etc/hosts.deny, whereas the PLUGIN_DENY script is invoked every time it adds or re-adds a host to /etc/hosts.deny. That’s why the script now first greps a file listing the hosts whose hostmaster I have already notified of the abuse.

The script is ridiculously easy:

#!/bin/bash

# Get parameter: the IP address DenyHosts just added to /etc/hosts.deny.
IP="$1"
if [ -z "$IP" ]; then
        echo "usage: $0 <ip-address>" >&2
        exit 1
fi

# File with the hosts whose hostmaster has already been notified.
SEEN=/var/lib/denyhosts/notified_abuse
touch "$SEEN"

# Check whether we've already seen this host. -w keeps 1.2.3.4 from
# matching an entry for 1.2.3.40; -F treats the dots literally.
if grep -qwF -- "$IP" "$SEEN"
then
        echo "host already seen"
        exit 0
else
        echo "new host, added to logfile"
        echo "$(date) $IP" >> "$SEEN"
fi

# Try to look up the abuse mailbox (the last abuse-mailbox: line wins).
abuse=$(whois "$IP" | grep '^abuse-mailbox:' | tail -n 1 | sed -e 's/^abuse-mailbox:[[:space:]]*//')

# If an abuse mailbox was found, send a mail.
if [ -n "$abuse" ]
then
cat << EOF | mail -a "From: Pieter Barrezeele <xxxxxx@xxxxxxxxxx.be>" -s "SSH brute force attack from $IP" "$abuse"

Dear Sir/Madam,

Today we experienced an SSH brute force attack originating
from $IP, a host under your responsibility. This probably means
the host in question is compromised.
Please take action to stop this host from attacking us again.

Thanks in advance,
Pieter Barrezeele

PS: this is an automated mail, any errors in this mail are caused by parsing errors.
EOF
fi

 
I’d advise you to send the mails to yourself for a few days, until you see that only new hosts are being added. Alternatively, you could copy the contents of /etc/hosts.deny into /var/lib/denyhosts/notified_abuse as well, so that hosts blocked before the plugin was installed are treated as already notified.
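The two fragile spots in a script like this are the whois parsing (the field name differs between registries, and a parse error means the mail goes nowhere or to garbage) and the "already seen" check. The following is an added example, not the script from the post: it extracts the abuse contact accepting both the RIPE/APNIC abuse-mailbox: field the post relies on and ARIN’s OrgAbuseEmail: field, rejects anything that isn’t shaped like a mailbox, and does a word-anchored lookup in the notified file. The whois excerpts are constructed sample data, not real registry output.

```shell
#!/bin/sh
# Added example (not the blog post's script): extract an abuse contact from
# whois output. Accepts the RIPE/APNIC "abuse-mailbox:" field the post relies
# on and falls back to ARIN's "OrgAbuseEmail:". Reads whois text on stdin,
# prints one address, returns 1 when nothing usable is found.
abuse_contact() {
    local text addr
    text=$(cat)
    # Take the last abuse-mailbox: line, like the post's script does.
    addr=$(printf '%s\n' "$text" | sed -n 's/^abuse-mailbox:[[:space:]]*//p' | tail -n 1)
    if [ -z "$addr" ]; then
        addr=$(printf '%s\n' "$text" | sed -n 's/^OrgAbuseEmail:[[:space:]]*//p' | tail -n 1)
    fi
    # Only accept something shaped like a mailbox; anything else is a parse error.
    case "$addr" in
        *@*.*) printf '%s\n' "$addr" ;;
        *)     return 1 ;;
    esac
}

# Has this IP already been notified? $1 = IP, $2 = notified_abuse file.
# -w keeps 192.0.2.4 from matching an entry for 192.0.2.40, -F keeps the
# dots literal; a missing file simply means "not yet notified".
already_notified() {
    [ -f "$2" ] && grep -qwF -- "$1" "$2"
}

# Constructed whois excerpts (not real registry data) covering three cases.
WHOIS_RIPE='inetnum:        192.0.2.0 - 192.0.2.255
abuse-mailbox:  abuse@example.net
role:           Example ISP Abuse Desk
abuse-mailbox:  abuse@isp.example.net'
WHOIS_ARIN='NetRange:       198.51.100.0 - 198.51.100.255
OrgAbuseEmail:  abuse@example.org'
WHOIS_NONE='inetnum:        203.0.113.0 - 203.0.113.255
descr:          no abuse contact published'

main() {
    printf '%s\n' "$WHOIS_RIPE" | abuse_contact || echo "RIPE: no contact"
    printf '%s\n' "$WHOIS_ARIN" | abuse_contact || echo "ARIN: no contact"
    printf '%s\n' "$WHOIS_NONE" | abuse_contact || echo "NONE: no abuse contact found"
}
main
```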

Ozark Henry @ Irisfeesten

Tuesday, May 13th, 2008

Last weekend the Iris festivities took place in Brussels. Among the headline acts were performances by Daan and Ozark Henry, and of course I couldn’t miss the latter. We arrived just in time to enjoy Housewife, one of Daan’s latest and greatest songs, after which it was Piet Goddaer’s turn to entertain the crowd that had gathered on the Paleizenplein, just in front of the royal palace.

As usual, the concert was a nice mix of his recent work and some of his older hits, including “Sweet Instigator”, “Word up”, “Rescue” and even “Inhaling”.

To conclude, I’d like to say: “Merci, Piet!” ;-)


Ozark Henry @ Irisfeesten

Ozark Henry @ Irisfeesten encore