[LINUX] See trends in SSH attacks on Splunk

2020 was quite a year. No banquets at all. The year-end party is usually a hot pot course: my legs go numb in the tatami room while the pot is made up, mostly Chinese cabbage in a hard bowl, enoki mushrooms, and meat, and the last round is ojiya. Put an egg in it? No, it's the fluffy egg udon course! Yet another pattern! That is what I thought, up until last year. Now it's gone, and on the contrary I miss the department's hot pot party. I want to get excited making silly jokes with my friends, then head straight to karaoke when we're drunk and laugh at the colleagues going crazy.

Over the year-end and New Year holidays, all sorts of things show up on the server as crackers try to make money (or so it was, maybe). I've heard that on AWS a server gets poked almost as soon as you spin up an EC2 instance. For now, I run yum update on EC2 right away.

So there are footprints in the secure log, but I wondered which ports are popular right now, and it suddenly occurred to me to use a lookup. Server communication is addressed by port number. 22, 53, 80 and 443 are famous, but beyond those I don't have the energy to memorise them.

So I will try to match with Splunk.

First, extract the port number from the log with "Extract field" and register it. (Screenshot: キャプチャ1.PNG)

Next, make the list of port numbers into a CSV file. I'm sure one exists somewhere, but for the time being I just copied and pasted the Wikipedia list into Excel. Ah, but the port descriptions I was hoping for were still in English from number 100 onward. It's tedious to translate them (laughs). Should the popular number 3389 be in Japanese? In Excel, make the first row the header: name the first column (the port number) port and the second column (the summary) description, delete the other columns, and save it as UTF-8 CSV. I really wish I could translate it into Japanese here. (Is there one somewhere?)

https://ja.wikipedia.org/wiki/TCP%E3%82%84UDP%E3%81%AB%E3%81%8A%E3%81%91%E3%82%8B%E3%83%9D%E3%83%BC%E3%83%88%E7%95%AA%E5%8F%B7%E3%81%AE%E4%B8%80%E8%A6%A7

Then select Lookups from the Splunk settings and upload the CSV file into Splunk. Behind the scenes, Splunk actually stores it in a DB.

(Screenshot: キャプチャ3.PNG)

Then go back to Lookups and add a lookup definition. This is the setting that tells Splunk about the CSV file. The uploaded CSV file name appears in the pull-down menu. The Name and the file name should be the same.

(Screenshot: キャプチャ4.PNG)

Now read the CSV file from a Splunk search statement. Search with:

| inputlookup portnumber.csv

Hmm? Nothing shows up.

The recent Splunk default time range is the last 24 hours, isn't it? Scanning All time every time is slow, but specifying a date and time is a hassle, so I set the default to All time. Change it under Settings, Server settings, Search preferences. (Screenshot: キャプチャ2.PNG)

(Screenshot: キャプチャ5.PNG)

Ah, I wish all of this were in Japanese...

You can search by typing the command here, but I want the CSV columns to appear as fields fully automatically, so I go back to Lookups once more and add an automatic lookup. For the source type, enter the name of the source type to be searched.

(Screenshot: キャプチャ6.PNG)

In the field mapping, the left side of = is the CSV column and the right side is the field name used in Splunk. Data that is not written in the original server log (the description) also becomes searchable as a field. (This is my favourite part of lookups!) It seems it could also be used for error numbers in application logs!

Once you've defined it, the setsumei field you set on the right-hand side earlier appears among the added fields!

(Screenshot: キャプチャ8.PNG)

Tick this checkbox and it is promoted to the list above, appearing as a field name! All you have to do now is search!

sourcetype=secure | top limit=20 setsumei | table count setsumei
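As an added example (not code from the original post), here is a small Python script that does offline what the lookup does in Splunk: it pulls the source IP and port out of constructed /var/log/secure lines the way "Extract field" did, joins the port against a constructed port,description CSV like the one built in Excel above, and counts the top descriptions as in the top/table search. Ports absent from the CSV are kept as unknown so they are not silently dropped from the counts.

```python
import csv
import io
import re
from collections import Counter

# Constructed stand-in for the port-number CSV built in Excel in the post
# (columns "port" and "description", saved as UTF-8 CSV).
PORT_CSV = """port,description
22,SSH
53,DNS
80,HTTP
443,HTTPS
3389,RDP
"""

# Constructed sample lines in the style of /var/log/secure (sourcetype=secure).
# Note: the "port" in an sshd line is the client's source port, not the service port.
SECURE_LOG = """Dec 30 03:12:01 web1 sshd[2101]: Failed password for root from 198.51.100.7 port 22 ssh2
Dec 30 03:12:05 web1 sshd[2104]: Failed password for invalid user admin from 198.51.100.7 port 443 ssh2
Dec 30 03:13:40 web1 sshd[2110]: Failed password for root from 203.0.113.9 port 3389 ssh2
Dec 30 03:14:02 web1 sshd[2115]: Failed password for root from 203.0.113.9 port 22 ssh2
Dec 30 03:15:17 web1 sshd[2120]: Failed password for root from 192.0.2.55 port 50123 ssh2
Dec 30 03:16:00 web1 sshd[2130]: Accepted publickey for deploy from 192.0.2.10 port 22 ssh2
"""

# Same idea as the post's "Extract field": source IP and port from each line.
LINE_RE = re.compile(r"from (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)")


def load_lookup(csv_text):
    """Parse the lookup CSV into {port: description}, like inputlookup."""
    return {row["port"]: row["description"] for row in csv.DictReader(io.StringIO(csv_text))}


def extract_events(log_text):
    """Yield (src_ip, port) for every line carrying a 'from ... port ...' clause."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src_ip"), m.group("port")


def top_descriptions(log_text, csv_text, limit=20):
    """Equivalent of: sourcetype=secure | top limit=N setsumei | table count setsumei.
    Ports missing from the CSV are kept as 'unknown (<port>)' rather than dropped,
    so the counts still add up to the number of matching log lines."""
    lookup = load_lookup(csv_text)
    counts = Counter(lookup.get(port, f"unknown ({port})") for _, port in extract_events(log_text))
    return counts.most_common(limit)


if __name__ == "__main__":
    for description, count in top_descriptions(SECURE_LOG, PORT_CSV):
        print(f"{count:>5}  {description}")
```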

(Screenshot: キャプチャ9.PNG)

What's this? RedSeal? If you modify the table's action here, you can hand it straight off to a search engine...

So you can see which ports are popular with the people poking at SSH. (Of course, the source IP is included too!)

This protects the server during the year-end and New Year holidays... No, it doesn't. I was talking with a colleague today, but in the teleworking era I think people work regardless of holidays. Overseas they take a week off around Christmas, rest only on New Year's Day, and work normally for the other two days. That's why I think the attackers work normally these days too, for fear of being discovered. According to a security company's blog, the attacks stop at 17:00 in a time zone one hour off from Japan, so the country to our west works nine to five, and attacks drop during Chinese New Year, so they attack like salarymen. They may be doing it as a job.

And since telework traffic doesn't pass through the company's security appliances, my home is a "honey mansion" (laughs) https://blog.macnica.net/blog/2020/07/honey-mansion.html If it's sloppy, that may be what they're aiming at. After all, the bathroom is a server room (laughs) http://tomeapp.jp/archives/2205

There was also news of attacks on wireless LAN routers. I pray that the receipts from the lecture's hotel party won't be leaked while I'm working from home.

Happy Splunking!
