
Visual display of SSH abnormal behavior with OSSIM

2025-02-25 Update From: SLTechnology News&Howtos, shulou (Servers)


Shulou (Shulou.com) 06/03 Report

When we run into abnormal SSH behavior, we usually react passively by viewing and analyzing the logs on the log server, so we often cannot spot a suspicious IP's activity in real time. Here we use the OSSIM platform's analysis of the source IPs to screen out suspected malicious IP behavior.

Scenario:

Recently, while Xiao Zhang was using a cloud server, it was hit by a Bitcoin-mining attacker and he suffered heavy losses. After backing up the important data he reinstalled the system, but the server was soon compromised again.

In the follow-up investigation, Xiao Zhang found clues on the server: the auth.log file showed many unknown IPs trying to log in over SSH on port 22 using username and password combinations.

# grep "Failed password" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -nr | more

2990 Failed
2208 222.186.50.190
654 94.102.3.151
303 106.186.21.162
299 115.239.248.90
.........

Log analysis shows that an SSH brute-force attack is very likely. Is there a way to catch this kind of problem as soon as it starts?
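The awk pipeline above picks field 11, which is only the source IP on plain "Failed password for USER from IP" lines; on "message repeated N times: [ Failed password ..." lines field 11 is the word "Failed" (hence the stray "2990 Failed" row) and the repeat count is lost. The following script is an added example, not code from the original article: it extracts the source IP by pattern, weights repeated messages by their count, and flags sources over a threshold. The log lines it parses are constructed samples, and the threshold of 3 is an assumption.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not from the original article) covering
# the three shapes sshd uses for failed password logins plus one success.
SAMPLE_AUTH_LOG = """\
Jun  3 10:01:12 web1 sshd[2101]: Failed password for root from 203.0.113.10 port 50212 ssh2
Jun  3 10:01:15 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.10 port 50214 ssh2
Jun  3 10:01:20 web1 sshd[2103]: message repeated 3 times: [ Failed password for root from 203.0.113.10 port 50220 ssh2]
Jun  3 10:02:01 web1 sshd[2110]: Failed password for invalid user test from 198.51.100.7 port 40001 ssh2
Jun  3 10:02:05 web1 sshd[2111]: Accepted password for deploy from 192.0.2.5 port 52000 ssh2
Jun  3 10:02:09 web1 sshd[2112]: Failed password for deploy from 192.0.2.5 port 52001 ssh2
"""

# Optional "message repeated N times: [ " prefix, optional "invalid user",
# then the user, source IP and port. Matching by pattern instead of by
# whitespace field index keeps the IP in the right place for every shape.
FAILED_RE = re.compile(
    r"(?:message repeated (?P<n>\d+) times: \[ )?"
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failed_logins(log_text):
    """Return a Counter of failed-login attempts per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        repeats = int(m.group("n")) if m.group("n") else 1
        counts[m.group("ip")] += repeats
    return counts


def suspicious_sources(log_text, threshold=3):
    """Return [(ip, failures), ...] at or above threshold, most failures first."""
    counts = count_failed_logins(log_text)
    flagged = [(ip, n) for ip, n in counts.items() if n >= threshold]
    return sorted(flagged, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    # Same shape of output as "uniq -c | sort -nr", but with correct counts.
    for ip, n in sorted(count_failed_logins(SAMPLE_AUTH_LOG).items(),
                        key=lambda item: item[1], reverse=True):
        print(f"{n:>6} {ip}")
    print("flagged:", suspicious_sources(SAMPLE_AUTH_LOG))
```

To run it against a real file, pass `open("/var/log/auth.log").read()` to `suspicious_sources` instead of the constructed sample.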

Next, we watch the network anomaly alarms in real time on the OSSIM alarm platform.

Figure 1 Visualization of abnormal network behavior

Click an alarm aggregation bubble for a given day in the bubble chart.

Figure 2 Event aggregation

View the detailed events.

Figure 3 Detailed log

View the network information and IP geolocation of the host suspected of abnormal behavior.

Figure 4 IP geolocation

Figure 5 Alarm produced by correlation analysis

For each alarm, the system links to a knowledge base (KDB) entry describing the event.

Figure 6 KDB information description

Follow the OSSIM official account and watch the video explanation.
