On June 4th 2005, C.J. Steele, CISSP wrote:

> Inspired by a post to the SANS Intrusions list, I have written `tattle`
> to automate the reporting of SSH brute-force attacks.
>
> `tattle` is a perl script that crawls through your sshd logs
> (/var/log/messages, or wherever you tell it to look) and finds hosts
> who've connected to your SSH server. All hosts who connect to your
> box, and that are not accounted for in the exception list, are reported
> to the point-of-contact for the domain the host is registered to
> (where available.) Long story-short, if you stick `tattle` in your
> cron-tab, you can automate the reporting of ssh brute-force attacks.

Well meant, but the implementation raises a few important issues:

- "my $whois = `/usr/bin/whois $tld`;" isn't really secure and literally cries for some exploit. There are enough perl modules to resolve this issue, e.g. Net::Whois or Net::XWhois.

- The reverse DNS isn't verified by a lookup on forward DNS. So if an attacker has control over his reverse DNS (a popular problem with hosting companies of dedicated servers), he can easily spoof the reverse DNS in order to point to a completely unrelated company (who are likely to ignore your reports). Whois on the IP address is likely to give you much better information on whom to notify about abuse, as that way you'll usually notify the abuser's ISP instead of possibly the abusing user himself.

- getemails() literally grabs =any= email address returned from the domain's whois records. Whois records often list much more than merely the address for reporting abuse, e.g. the domain's registrar, an address for the billing contact of the domain and sometimes even the list of users who changed this record's whois data.

So from my point of view, the script is simply spewing abuse reports to many more than the right people (and probably not even the right ones).

Some people believe this to be a fair way, but always keep in mind that the abuser's ISP is not your enemy; increasing their workload by sending them the same complaint multiple times, and offending them by spamming abuse reports to unrelated staff, is not likely to increase the chances of well-done LARTs.

The two latter issues can be easily solved by querying the whois service at whois.cyberabuse.org using the IP address of the offender. cyberabuse.org takes quite a lot of effort in order to give you (only) the correct email address to report abuse to, regardless of the IP-assigning registry and their individual whois output.

Regards,
Anders

--
Schlund + Partner AG Security
Brauerstrasse 48
D-76135 Karlsruhe
v://49.721.91374.50
f://49.721.91374.225
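The three fixes Anders asks for, written out as an added example. This is not code from `tattle` nor from Anders' mail; it is in Python rather than Perl, and everything it consumes is constructed inline: a fake PTR/A table stands in for DNS, and `SAMPLE_WHOIS` is an invented RIPE-style record with the registrar, billing and `changed:` clutter the mail describes. The whois server name is taken from the mail as a default parameter; `run_whois()` is the only function that touches the network and is not exercised below.

```python
"""Added example (not part of tattle): validated, shell-free whois invocation,
forward-confirmed reverse DNS, and abuse-only contact extraction."""
import ipaddress
import re
import subprocess
from typing import Callable, Dict, List, Optional, Set

# Constructed stand-in for DNS. 192.0.2.10 has a consistent PTR/A pair;
# 198.51.100.7's PTR is spoofed to point at an unrelated host whose A record
# resolves elsewhere, exactly the case the mail warns about.
FAKE_DNS: Dict[str, Set[str]] = {
    "10.2.0.192.in-addr.arpa.": {"srv1.hoster.example."},
    "srv1.hoster.example.": {"192.0.2.10"},
    "7.100.51.198.in-addr.arpa.": {"mail.innocent.example."},
    "mail.innocent.example.": {"203.0.113.5"},
}

def fake_lookup(name: str) -> Set[str]:
    return FAKE_DNS.get(name, set())

def is_valid_ip(s: str) -> bool:
    """Reject anything that is not a bare IP address before it reaches a
    command line (e.g. '192.0.2.10; rm -rf /' from a forged log entry)."""
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False

def safe_whois_argv(ip: str, server: str = "whois.cyberabuse.org") -> List[str]:
    """Build an argv list: no shell is involved, so nothing can be injected.
    Fix for: my $whois = `/usr/bin/whois $tld`;"""
    if not is_valid_ip(ip):
        raise ValueError(f"refusing to query whois for non-address {ip!r}")
    return ["/usr/bin/whois", "-h", server, ip]

def run_whois(ip: str) -> str:
    # Network call; shell=False is subprocess.run's default.
    proc = subprocess.run(safe_whois_argv(ip), capture_output=True, text=True, timeout=30)
    return proc.stdout

def fcrdns(ip: str, lookup: Callable[[str], Set[str]] = fake_lookup) -> Optional[str]:
    """Forward-confirmed reverse DNS: accept the PTR name only if it resolves
    back to the same address; otherwise treat the reverse record as untrusted."""
    addr = ipaddress.ip_address(ip)
    for name in lookup(addr.reverse_pointer + "."):
        if ip in lookup(name):
            return name.rstrip(".")
    return None

# Constructed whois record with more addresses than just the abuse mailbox.
SAMPLE_WHOIS = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        HOSTER-NET
org:            ORG-HE1-RIPE
abuse-mailbox:  abuse@hoster.example
notify:         billing@hoster.example
changed:        jdoe@hoster.example 20050601
source:         RIPE

role:           Hoster Engineering
e-mail:         noc@hoster.example
mnt-by:         HOSTER-MNT
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Fields registries reserve for abuse reports: RIPE/APNIC/AfriNIC and ARIN.
ABUSE_FIELDS = ("abuse-mailbox", "orgabuseemail")

def naive_emails(text: str) -> List[str]:
    """What getemails() does: every address anywhere in the record."""
    return sorted(set(EMAIL_RE.findall(text)))

def abuse_contacts(text: str) -> List[str]:
    """Only addresses found in abuse-specific fields."""
    found: Set[str] = set()
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() in ABUSE_FIELDS:
            found.update(EMAIL_RE.findall(value))
    return sorted(found)

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, "confirmed rDNS:", fcrdns(ip))
    print("naive:", naive_emails(SAMPLE_WHOIS))
    print("abuse only:", abuse_contacts(SAMPLE_WHOIS))
    print("argv:", safe_whois_argv("192.0.2.10"))
```

Reporting on the IP rather than the PTR name means the spoofed 198.51.100.7 never gets attributed to innocent.example, and the whois parser hands back one mailbox instead of four, which is the difference between a report the ISP acts on and one it files under noise.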