The problem
If you have a computer on the internet, it's just a fact of life that your system is being pounded constantly by people trying to log in. So, what accounts do they go after?
To answer that, we need a script that gathers the account names from the failed login records in the btmp logs.
#!/bin/sh
# Collect the account name from every failed login recorded in the btmp
# logs (current and rotated) into a one-column CSV with the header ACCT.
tfile="acct.csv"
echo "ACCT" > "$tfile"
for log in /var/log/btmp*
do
    # lastb ends its output with a blank line and a "btmp begins ..." line;
    # head -n -2 drops both, awk keeps only the account name column
    lastb -w -f "$log" | head -n -2 | awk '{ printf "%s\n", $1 }' >> "$tfile"
done
Save it and run it as root.
[root@webserver]# vi get-acct
[root@webserver]# chmod +x ./get-acct
[root@webserver]# ./get-acct
[root@webserver]# wc -l acct.csv
942453 acct.csv
OK. So, let's pull this into RStudio for some analysis. What we want to see is which account names are tried most often. Let's run the following script:
library(dplyr)
# one row per failed attempt; the only column is ACCT
a <- read.csv("~/R/audit-data/acct.csv", header=TRUE)
# add a constant column so aggregate() can count rows per account name
a$one <- rep(1, nrow(a))
acct <- aggregate(a$one, by=list(a$ACCT), FUN=length)
colnames(acct) <- c("acct", "tries")
# most-attempted account first
account <- arrange(acct, desc(tries))
Run it. Now let's see what the 50 most popular accounts are:
> head(account, n=50)
acct tries
1 root 866755
2 support 10315
3 admin 7856
4 user 1904
5 ubnt 1469
6 a 1436
7 test 1324
8 guest 966
9 postgres 525
10 pi 496
11 oracle 463
12 ftpuser 425
13 service 369
14 nagios 314
15 monitor 287
16 administrator 246
17 backup 240
18 git 213
19 teamspeak 212
20 sshd 193
21 manager 184
22 minecraft 180
23 ftp 179
24 super 169
25 student 168
26 ubuntu 166
27 tomcat 160
28 ADMIN 158
29 zabbix 158
30 ts3 154
31 testuser 152
32 uucp 150
33 adm 145
34 operator 144
35 PlcmSpIp 144
36 alex 140
37 teamspeak3 140
38 client 138
39 default 138
40 info 126
41 telnet 126
42 www 124
43 hadoop 123
44 upload 120
45 fax 118
46 ts 118
47 webmaster 118
48 richard 112
49 debian 110
50 informix 110
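The same "most attempted accounts" count can be produced on the server itself with nothing but awk, sort and uniq, before the data ever reaches RStudio. The script below is an added example, not the post's own script: the lastb lines in it are constructed to look like `lastb -w` output (the addresses are documentation ranges), and on a real host you would pipe `lastb -w -f /var/log/btmp` into the same functions instead.

```shell
#!/bin/sh
# Added example: count failed-login attempts per account name from
# lastb-style output, using only awk, sort and uniq.

# Constructed sample of what `lastb -w` prints. The blank line and the
# "btmp begins" trailer are part of real lastb output and must be skipped.
SAMPLE_LASTB='root     ssh:notty    203.0.113.7      Mon Mar  4 02:11 - 02:11  (00:00)
admin    ssh:notty    203.0.113.7      Mon Mar  4 02:11 - 02:11  (00:00)
root     ssh:notty    198.51.100.23    Mon Mar  4 02:12 - 02:12  (00:00)
support  ssh:notty    198.51.100.23    Mon Mar  4 02:12 - 02:12  (00:00)
root     ssh:notty    203.0.113.9      Mon Mar  4 02:13 - 02:13  (00:00)

btmp begins Mon Mar  4 02:11:00 2024'

# top_accounts [N]: read lastb output on stdin and print "count account"
# lines, most-attempted first (ties broken by name), limited to the top N
# when N is given. Blank lines and the "btmp begins" trailer are dropped
# by content rather than by position, so this also works where head -n -2
# is unavailable.
top_accounts() {
    n="${1:-0}"
    awk 'NF > 0 && $1 != "btmp" { print $1 }' |
        sort | uniq -c |
        awk '{ print $1, $2 }' |
        sort -k1,1nr -k2,2 |
        awk -v n="$n" '{ print } n > 0 && NR >= n { exit }'
}

# attempts_for NAME: number of attempts against one account name, read
# from lastb output on stdin (prints nothing if the name never appears).
attempts_for() {
    top_accounts | awk -v a="$1" '$2 == a { print $1 }'
}

# Demo run against the constructed sample: top three accounts.
printf '%s\n' "$SAMPLE_LASTB" | top_accounts 3
```

On a live system the equivalent of the post's CSV step is `for log in /var/log/btmp*; do lastb -w -f "$log"; done | top_accounts 50`.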
So, what does this mean?
1) Do not allow root logins. Ever. Period.
2) Do not make an account based on a job function.
3) Do not make an account based on a service name.
4) Make sure all service accounts cannot be logged into.
5) Do not make an account based on your first name.
So, how can we check for active accounts on the system? First, let's make sure everything uses shadowed passwords:
# awk -F: '$2 != "x" { print $1 }' < /etc/passwd
Any account printed here keeps something other than "x" in the password field of /etc/passwd, i.e. it is not using the shadow file, and should be fixed. Next we can check which accounts are active, meaning their shadow entry is neither locked ("!") nor disabled ("*"):
# grep -Ev '^[^:]*:[*!]' /etc/shadow | awk -F: '{ print $1 }'
If you see any services listed, or simple names, and the system is hooked up to the internet 24x7, you might want to look into it. If you use two-factor authentication or keys, then you are also likely in good shape.
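Here are the two checks above wrapped as shell functions, plus a third one for point 4 of the list (service accounts that still have a login shell), run against constructed fragments of /etc/passwd and /etc/shadow so they can be tried offline. This is an added example, not from the post; the set of shells treated as "no login" (/usr/sbin/nologin, /sbin/nologin, /bin/false) is an assumption that fits common Linux distributions, and the sample entries are made up.

```shell
#!/bin/sh
# Added example: account hygiene checks from the post as reusable functions.
# Each function reads a passwd- or shadow-format file on stdin, so on a live
# host you would run e.g.  active_accounts < /etc/shadow  as root.

# Constructed /etc/passwd sample. "legacy" keeps its hash directly in
# passwd instead of using the shadow file.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacy:$6$abc$hashinpasswd:1001:1001::/home/legacy:/bin/sh
alice:x:1002:1002::/home/alice:/bin/bash
postgres:x:110:115::/var/lib/postgresql:/bin/bash'

# Constructed /etc/shadow sample. A hash starting with "!" is locked, "*"
# means no password login is possible, and an empty field means no
# password is required at all (the worst case).
SAMPLE_SHADOW='root:!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$salt$hashedpw:19000:0:99999:7:::
postgres:$6$salt$anotherhash:19000:0:99999:7:::
guest::19000:0:99999:7:::'

# unshadowed_accounts: passwd entries whose password field is not "x"
unshadowed_accounts() {
    awk -F: '$2 != "x" { print $1 }'
}

# active_accounts: shadow entries that are neither locked ("!...", which
# also covers "!!") nor disabled ("*"). Empty fields are reported as well.
active_accounts() {
    awk -F: '$2 !~ /^[*!]/ { print $1 }'
}

# nopass_accounts: shadow entries with an empty password field
nopass_accounts() {
    awk -F: '$2 == "" { print $1 }'
}

# login_shell_accounts: passwd entries whose shell is not one of the
# assumed "no login" shells (an empty shell field defaults to /bin/sh at
# login, so it is reported too)
login_shell_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# run_audit: print the findings for the constructed samples
run_audit() {
    echo "not shadowed:            $(printf '%s\n' "$SAMPLE_PASSWD" | unshadowed_accounts | tr '\n' ' ')"
    echo "password login possible: $(printf '%s\n' "$SAMPLE_SHADOW" | active_accounts | tr '\n' ' ')"
    echo "empty password:          $(printf '%s\n' "$SAMPLE_SHADOW" | nopass_accounts | tr '\n' ' ')"
    echo "login shell:             $(printf '%s\n' "$SAMPLE_PASSWD" | login_shell_accounts | tr '\n' ' ')"
}

run_audit
```

In the sample, postgres shows up both as "password login possible" and as having a login shell, which is exactly the combination point 4 warns about: a service name that is a valid interactive login target. Cross-checking the two lists is the quickest way to spot that.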
The real point of this was to show you how to check what accounts are getting hammered the hardest by people trying to get in.