Greetings, dear reader!
I think it is obvious to everyone that the threat of someone guessing the login and password for some Internet service will stay with us for as long as passwords exist as an authenticator at all. And while they are with us, it is often useful to study what the attackers are doing. Some musings, using SSH as the example, below).
I have a VDS with a public IP address that I need for setting up a VPN. It runs an SSH server for management, which writes access-attempt events to a log, /var/log/auth.log.
The events in this log file can be studied with scripts, but I loaded it into Splunk as a file input. There is nothing complicated about that: Splunk handles the timestamp and line breaker well.
Different logins used for brute-forcing (country-specific)
It is no secret that users in each country use different logins to access services, so one can assume that an attacker will brute-force with a dictionary typical of their country of origin, or with dictionaries published on GitHub or built into attack tools. But it is always nice to check for yourself)
You can see from which countries, and under which account names, SSH is being brute-forced with this query:
| rex field=_raw "for\s(?<User>.{3,40})\sfrom" | rex mode=sed field=User "s/invalid\suser\s//"
| rex field=_raw "from\s(?<IP>\S+)\sport"
| rex field=_raw "port\s(?<portNumber>\d+)\s"
| iplocation IP
| stats values(User) as User, values(IP) as IP, count by Country
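The same extraction done with a script, as an added example rather than the post's own code: the log lines are constructed samples, and the parser mirrors the rex stages above (minus the geolocation step, which needs Splunk's iplocation database).

```python
import re
from collections import Counter

# Constructed sample of sshd lines from /var/log/auth.log (not real data).
# The "Accepted publickey" and bare "Invalid user" lines are present to show
# that they are deliberately left out of the count.
SAMPLE_LOG = """\
Mar  3 10:11:12 vds sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:11:15 vds sshd[1235]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:11:20 vds sshd[1236]: Invalid user ubuntu from 198.51.100.9 port 4022
Mar  3 10:11:21 vds sshd[1236]: Failed password for invalid user ubuntu from 198.51.100.9 port 4022 ssh2
Mar  3 10:11:25 vds sshd[1237]: Accepted publickey for deploy from 192.0.2.5 port 40001 ssh2
"""

# Only "Failed password for ..." lines are matched: sshd also logs a separate
# "Invalid user X from ..." line for the same attempt, so counting both would
# double-count. The optional "invalid user " group replaces the sed-mode rex
# in the Splunk query, and the IP is captured as a run of non-space characters
# so that short addresses such as 1.2.3.4 (and IPv6) are not missed.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

def parse_failures(log_text):
    """Return (user, ip, port) for every failed password line."""
    hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            hits.append((m.group("user"), m.group("ip"), int(m.group("port"))))
    return hits

def summarize(hits):
    """Per-source-IP counters of tried user names (like 'stats values(User) by IP')."""
    by_ip = {}
    for user, ip, _port in hits:
        by_ip.setdefault(ip, Counter())[user] += 1
    return by_ip

if __name__ == "__main__":
    for ip, users in sorted(summarize(parse_failures(SAMPLE_LOG)).items()):
        print(ip, dict(users))
```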
What is the point of all this: having watched for several weeks which account names were used to brute-force me, I strongly recommend not using any of the account names from the list below for SSH access)