##########################################################################################
MISC-44: Analyse SSH Tarpit logs
##########################################################################################

Issue Type: Task

-----------------------------------------------------------------------------------------
Issue Information
====================

Priority: Major
Status: Closed
Resolution: Done (2021-05-26 08:45:22)
Project: Miscellaneous (MISC)
Reported By: btasker
Assigned To: btasker
Time Estimate: 0 minutes
Time Logged: 0 minutes

-----------------------------------------------------------------------------------------
Issue Description
==================

A week or so ago I created an SSH tarpit in Golang - https://github.com/bentasker/Golang-SSH-Tarpit

I've had that running on a public connection since, so it'd be interesting to analyse the logs and see what behaviour's observed.

In particular

- Do tarpitted clients all seem to have sane timeouts configured?
- What country is the worst offender?
- Any other interesting patterns?

-----------------------------------------------------------------------------------------
Issue Relations
================

- Golang SSH Tarpit (Github) (https://github.com/bentasker/Golang-SSH-Tarpit)

-----------------------------------------------------------------------------------------
Activity
==========

-----------------------------------------------------------------------------------------
2021-01-12 11:58:09 btasker
-----------------------------------------------------------------------------------------

Pulling out some basic info

Extracting logs:

-- BEGIN SNIPPET --
ben@PIHRP1:~ $ docker logs f6 > tarpit_log.log
-- END SNIPPET --

Log start and end date

-- BEGIN SNIPPET --
ben@PIHRP1:~ $ head -n2 tarpit_log.log | grep -o -P "2021/[0-9]+/[0-9]+"
2021/01/04
ben@PIHRP1:~ $ tail -n1 tarpit_log.log | grep -o -P "2021/[0-9]+/[0-9]+"
2021/01/12
-- END SNIPPET --

So that's 8 days

How many entries?

-- BEGIN SNIPPET --
ben@PIHRP1:~ $ grep Tarpitting tarpit_log.log | wc -l
14550
-- END SNIPPET --

So, on average, that's a rate of 1818 per day (76 per hour) going into the tarpit

5 shortest tarpit durations

-- BEGIN SNIPPET --
ben@PIHRP1:~ $ cat tarpit_log.log | grep -o -P "[0-9]+ sec" | sort -nr | uniq | tail -n 5
5 sec
4 sec
3 sec
2 sec
1 sec
-- END SNIPPET --

5 longest

-- BEGIN SNIPPET --
ben@PIHRP1:~ $ cat tarpit_log.log | grep -o -P "[0-9]+ sec" | sort -n | uniq | tail -n 5
38043 sec
38588 sec
38700 sec
40738 sec
41456 sec
-- END SNIPPET --

41456 seconds is just a little under 12 hours.

Those figures, of course, ignore any connections currently still stuck in the tarpit. Let's see how many of those there are, and when they connected

-- BEGIN SNIPPET --
ben@PIHRP1:~ $ for victim in `cat tarpit_log.log | grep Tarpitting | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\:[0-9]\{1,5\}'`
> do
>
> grep "Coward disconnected: $victim" tarpit_log.log > /dev/null
> if [ "$?" == "1" ]
> then
> # Disconnect not found
> echo $victim
> fi
>
> done
221.181.185.220:62081
221.131.165.119:63232
221.181.185.19:45169
221.181.185.135:28917
ben@PIHRP1:~ $ egrep -e '221.181.185.220:62081|221.131.165.119:63232|221.181.185.19:45169|221.181.185.135:28917' tarpit_log.log | grep -o -P "2021/[0-9]+/[0-9]+"
2021/01/12
2021/01/12
2021/01/12
2021/01/12
-- END SNIPPET --

How many unique IPs are there

-- BEGIN SNIPPET --
ben@PIHRP1:~ $ grep Tarpit tarpit_log.log | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' > ip_list.txt
ben@PIHRP1:~ $ cat ip_list.txt | sort | uniq | wc -l
527
-- END SNIPPET --

How many distinct /16s?

-- BEGIN SNIPPET --
ben@PIHRP1:~ $ cat ip_list.txt | sort | awk -F'.' -v OFS=. '{print $1,$2,"0.0/16"}' | uniq -c | wc -l
290
-- END SNIPPET --

What countries?

-- BEGIN SNIPPET --
ben@PIHRP1:~ $ for ip in `cat ip_list.txt`
> do
> geoiplookup $ip | grep -o "[A-Z][A-Z],"
>
>
> done | sort | uniq -c | sort -nr
   3162 VN,
   1619 CN,
   1449 BR,
   1428 IN,
   1175 TH,
   1011 ID,
    436 RU,
    426 GB,
    404 US,
    304 DE,
    301 TR,
    301 MY,
    301 KZ,
    301 AZ,
    299 DO,
    294 EG,
    292 SA,
    290 ZA,
    284 BD,
    165 GH,
    124 BE,
     22 SG,
     22 NL,
     17 JP,
     13 FR,
      6 CA,
      5 IT,
      5 BG,
      4 KR,
      4 HK,
      4 AU,
      3 MD,
      2 VI,
      2 UA,
      2 SI,
      2 SE,
      2 SC,
      2 GG,
      1 RS,
      1 PY,
      1 MA,
      1 LA,
      1 HU,
      1 GR,
      1 ES,
      1 EC,
-- END SNIPPET --

So, Vietnam is _by far_ the worst offender.

-----------------------------------------------------------------------------------------
2021-01-12 12:14:08 btasker
-----------------------------------------------------------------------------------------

So, interesting question:

We've seen that there are bots out there that don't have client-side timeouts configured, and get stuck in the tarpit for quite a while.

We've also seen that the majority of tarpitted clients geolocate to Vietnam, but - is that true for the majority of poorly configured clients?

Taking a sample of the 1000 longest tarpits. The shortest/longest tarpit duration was

-- BEGIN SNIPPET --
ben@PIHRP1:~ $ grep Coward tarpit_log.log | sort -n -k 6 | tail -n 1000 | head -n1 | grep -o -P "[0-9]+ sec"
3085 sec
ben@PIHRP1:~ $ grep Coward tarpit_log.log | sort -n -k 6 | tail -n 1000 | tail -n1 | grep -o -P "[0-9]+ sec"
41456 sec
-- END SNIPPET --

Country distribution:

-- BEGIN SNIPPET --
for ip in `grep Coward tarpit_log.log | sort -n -k 6 | tail -n 1000 | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' `
do
geoiplookup $ip | grep -o "[A-Z][A-Z],"
done | sort | uniq -c | sort -nr
   1000 CN,
-- END SNIPPET --

Ok, what if we switch it around to be anything longer than 60s?

-- BEGIN SNIPPET --
for ip in `grep Coward tarpit_log.log | awk -F' ' '{if ($6 > 60) print $0}' | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' `
do
geoiplookup $ip | grep -o "[A-Z][A-Z],"
done | sort | uniq -c | sort -nr
   1548 CN,
     26 TH,
     22 US,
     20 RU,
     17 VN,
     15 EG,
      7 BR,
      6 BD,
      2 ID,
      1 ZA,
      1 TR,
      1 BG,
-- END SNIPPET --

The share of connections from VN is still tiny.

Much the same if we adjust down to 20s

-- BEGIN SNIPPET --
ben@PIHRP1:~ $ for ip in `grep Coward tarpit_log.log | awk -F' ' '{if ($6 > 20) print $0}' | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' `; do geoiplookup $ip | grep -o "[A-Z][A-Z]," ; done | sort | uniq -c | sort -nr
   1570 CN,
     69 RU,
     50 VN,
     41 US,
     35 TH,
     28 BR,
     23 EG,
     19 BD,
     17 ID,
     10 IN,
      7 GB,
      6 DO,
      3 TR,
      3 AZ,
      2 ZA,
      2 MY,
      2 KZ,
      2 GH,
      1 SG,
      1 SE,
      1 SC,
      1 SA,
      1 RS,
      1 MA,
      1 ES,
      1 DE,
      1 BG,
      1 BE,
-- END SNIPPET --

So, based on this (admittedly, relatively small) sample:

- You're most likely to see connections from Vietnam
- However, if the client is poorly configured it's statistically more likely to originate from China than Vietnam

-----------------------------------------------------------------------------------------
2021-05-26 08:45:22
-----------------------------------------------------------------------------------------

btasker changed status from 'Open' to 'Resolved'

-----------------------------------------------------------------------------------------
2021-05-26 08:45:22
-----------------------------------------------------------------------------------------

btasker added 'Done' to resolution

-----------------------------------------------------------------------------------------
2021-05-26 08:45:29
-----------------------------------------------------------------------------------------

btasker changed status from 'Resolved' to 'Closed'
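As an added example (not part of the issue above or of the Golang-SSH-Tarpit project), the per-client bookkeeping the shell pipelines do by hand, in Python: total tarpitted, distinct IPs and /16s, shortest/longest stay, clients still stuck (a Tarpitting line with no matching disconnect) and the clients with no sane timeout. The log line shapes and the constructed sample are assumptions inferred from what the greps and `sort -k 6` above extract.

```python
import re
from collections import Counter

# Constructed sample (not real tarpit output). Assumed line shapes, inferred from
# the fields the issue's greps / sort -k 6 pull out: "Tarpitting <ip>:<port>" on
# connect and "Coward disconnected: <ip>:<port> <N> sec" when the client gives up.
SAMPLE_LOG = """\
2021/01/04 10:00:01 Tarpitting 203.0.113.10:51000
2021/01/04 10:00:02 Tarpitting 203.0.113.11:51001
2021/01/04 10:00:05 Tarpitting 198.51.100.7:40000
2021/01/04 10:00:07 Coward disconnected: 198.51.100.7:40000 2 sec
2021/01/04 10:00:31 Coward disconnected: 203.0.113.10:51000 30 sec
2021/01/04 21:31:18 Coward disconnected: 203.0.113.11:51001 41456 sec
2021/01/12 09:00:00 Tarpitting 192.0.2.99:62081
"""

TARPIT_RE = re.compile(r"^(\S+) \S+ Tarpitting (\S+:\d+)$")
COWARD_RE = re.compile(r"^\S+ \S+ Coward disconnected: (\S+:\d+) (\d+) sec$")


def parse_log(text):
    """Map each tarpitted ip:port to its connect date, and each one that gave up
    to the number of seconds it hung around before doing so."""
    connects, durations = {}, {}
    for line in text.splitlines():
        if m := TARPIT_RE.match(line):
            connects[m.group(2)] = m.group(1)
        elif m := COWARD_RE.match(line):
            durations[m.group(1)] = int(m.group(2))
    return connects, durations


def slash16(endpoint):
    a, b = endpoint.split(".")[:2]
    return f"{a}.{b}.0.0/16"


def summarise(text, slow_threshold=60):
    """The issue's counts, plus the clients whose timeout exceeds slow_threshold."""
    connects, durations = parse_log(text)
    secs = sorted(durations.values())
    return {
        "tarpitted": len(connects),
        "unique_ips": len({ep.rsplit(":", 1)[0] for ep in connects}),
        "by_16": Counter(slash16(ep) for ep in connects),
        "shortest_sec": secs[0] if secs else None,
        "longest_sec": secs[-1] if secs else None,
        # tarpitted but never seen disconnecting: still stuck (or log cut off)
        "still_stuck": {ep: d for ep, d in connects.items() if ep not in durations},
        "slow_clients": sorted(ep for ep, s in durations.items() if s > slow_threshold),
    }
```

The still-stuck check keys on the full ip:port, so a disconnect for 1.2.3.4:51 cannot mask a still-connected 1.2.3.4:5 the way an unanchored `grep "Coward disconnected: $victim"` prefix match can.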