(Fedora: Lesson 19) { Testing denyhosts and brutessh.py }

| Section 0. Background Information |

What is denyhosts
	DenyHosts is a log-based intrusion prevention security tool for SSH servers written in Python. It is intended to prevent brute force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses.

	http://denyhosts.sourceforge.net/

What is brutessh.py
	Brutessh is a program that uses the paramiko SSH library to launch brute-force password attacks against the sshd service. The tool is multithreaded and uses a dictionary for the passwords.
Prerequisite
	Lab Notes
		In this lab we will do the following:
			1. We will install brutessh.py on BackTrack.
			2. We will use brutessh on BackTrack to attack Fedora.
			3. Fedora will block BackTrack.
			4. We will unblock BackTrack.
Legal Disclaimer
	As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
	In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
	In addition, this is a teaching website that does not condone malicious behavior of any kind.
	You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
	© 2013 No content replication of any kind is allowed without express written permission.

| Section 1: Edit the Fedora14 Virtual Machine |

Open Your VMware Player
	Instructions:
		1. On Your Host Computer, Go To Start --> All Programs --> VMware --> VMware Player

Edit Fedora 14 Virtual Machine Settings
	Instructions:
		1. Highlight Fedora14
		2. Click Edit virtual machine settings

Edit Network Adapter
	Instructions:
		1. Highlight Network Adapter
		2. Select Bridged
		3. Click the OK Button

| Section 2: Play the Fedora14 Virtual Machine |

Start the Fedora14 VM
	Instructions:
		1. Click on the Fedora14 VM
		2. Click on Play virtual machine

| Section 3: Login to your Fedora14 server |

Login As student
	Instructions:
		1. Click on student
		2. Provide student password
		3. Click the Login Button

Start Up A Terminal
	Instructions:
		1. Applications --> System Tools --> Terminal

Switch User to root
	Instructions:
		1. su - root
		2. Supply the Root Password

Get IP Address
	Instructions:
		1. ifconfig -a
	Notes (FYI):
		As indicated below, my IP address is 192.168.1.105. Please record your IP address.

| Section 4: Configure BackTrack Virtual Machine Settings |

Edit the BackTrack5R1 VM
	Instructions:
		1. Select BackTrack5R1 VM
		2. Click Edit virtual machine settings

Edit Virtual Machine Settings
	Instructions:
		1. Click on Network Adapter
		2. Click on the Bridged Radio button
		3. Click on the OK Button

| Section 5: Play and Login to BackTrack |

Play the BackTrack5R1 VM
	Instructions:
		1. Click on the BackTrack5R1 VM
		2. Click on Play virtual machine

Login to BackTrack
	Instructions:
		1. Login: root
		2. Password: toor or <whatever you changed it to>.

Bring up the GNOME
	Instructions:
		1. Type startx

| Section 6: Open Console Terminal and Retrieve IP Address |

Start up a terminal window (On BackTrack5R1)
	Instructions:
		1. Click on the Terminal Window

Obtain the IP Address
	Instructions:
		1. ifconfig -a
	Note(FYI):
		My IP address is 192.168.1.106. In your case, it will probably be different. This is the machine that will be used to attack the victim machine (Mutillidae).

| Section 7: Test SSH Between BackTrack and Fedora |

Test SSH from BackTrack to Fedora (On BackTrack5R1)
	Note(FYI):
		Replace 192.168.1.105 with Fedora's IP Address obtained from (Section 3, Step 4).
	Instructions:
		1. ssh student@192.168.1.105 "uptime"
			If you do not have a student account on Fedora, replace it with the system account you created in Lab 1.
		2. connecting (yes/no)? yes
		3. Provide Password

| Section 8: Inspect Fedora's Security Log |

Check Fedora's secure log (On Fedora14)
	Note(FYI):
		Replace 192.168.1.106 with BackTrack's IP Address obtained from (Section 6, Step 2).
	Instructions:
		1. grep "Accepted password" /var/log/secure | grep "192.168.1.106"

| Section 9: Install and run BruteSSH.py against Fedora |

Search for BruteSSH.py (On BackTrack5R1)
	Note(FYI):
		Issue the below commands from the BackTrack Terminal.
		IF BRUTESSH IS ALREADY INSTALLED, THEN CONTINUE TO SECTION 10.
	Instructions:
		1. cd /pentest/passwords/
			In BackTrack, the password cracking programs are typically located in this directory.
		2. ls -l
		3. ls -l | grep -i brute | wc -l
			ls -l lists all the files and directories under the directory /pentest/passwords.
			grep -i brute returns only listings that contain the string "brute".
			wc -l counts anything that is returned.
			Notice a zero (0) is returned, which implies BruteSSH is not installed.

Download, Unzip and Untar brutessh-0.5.tar.bz2
	Instructions:
		1. wget http://www.computersecuritystudent.com/UNIX/UBUNTU/1204/lesson13/brutessh-0.5.tar.bz2
		2. ls -l brutessh-0.5.tar.bz2
		3. bunzip2 brutessh-0.5.tar.bz2
		4. ls -l brutessh-0.5.tar
		5. tar xovf brutessh-0.5.tar

BruteSSH House Cleaning
	Instructions:
		1. ls -l brutessh-0.5.tar
		2. rm brutessh-0.5.tar
			We no longer need the tar file.
		3. cd brutessh/
		4. ls -la
		5. cat /pentest/passwords/john/password.lst | grep -v "^#" | head -50 > password.txt
			I grabbed the first 50 passwords from John the Ripper to create enough future brute force ssh traffic for denyhosts to block.
		6. ls -l password.txt

Using BruteSSH
	Instructions:
		1. python brutessh.py -help
			The -help flag produced the usage options.

Using BruteSSH Against DenyHosts
	Note(FYI):
		Replace 192.168.1.105 with Fedora's IP Address obtained from (Section 3, Step 4).
	Instructions:
		1. python brutessh.py -h 192.168.1.105 -u root -d password.txt

| Section 10: Testing Blocked SSH Traffic from BackTrack to Fedora |

Testing Blocked SSH Connection (On BackTrack5R1)
	Note(FYI):
		Replace 192.168.1.105 with Fedora's IP Address obtained from (Section 3, Step 4).
	Instructions:
		1. ssh student@192.168.1.105
			Note: DenyHosts on the Fedora server is now blocking the ssh protocol from connecting to port 22.
		2. telnet 192.168.1.105 22
			Here I am testing to see if the IP Address is really blocked or if just SSH traffic is blocked.
			Note: Although BackTrack's SSH traffic is now blocked, it is still possible to complete a TCP connection to port 22. DenyHosts blocks through /etc/hosts.deny (TCP wrappers) rather than a firewall rule, so sshd still accepts the TCP connection and then closes it.

| Section 11: Analyzing Fedora Deny Host Logs |

Analyzing Fedora Deny Host Logs (On Fedora)
	Note(FYI):
		Replace 192.168.1.106 with BackTrack's IP Address obtained from (Section 6, Step 2).
	Instructions:
		1. grep sshd /etc/hosts.deny | tee brute.txt
			The hosts.deny file contains all the IP Addresses that have been blocked by the denyhosts daemon.
		2. grep -i "Failed password" /var/log/secure | grep "192.168.1.106" | tee -a brute.txt
			Search the /var/log/secure file for the phrase "Failed password" AND the IP Address "192.168.1.106".

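The following is an added example, not part of this lesson or of the DenyHosts project: it shows the log-based decision DenyHosts makes in Section 11, parsing constructed /var/log/secure "Failed password" lines, counting failures per source IP and per category (root, invalid user, valid user), and emitting the "sshd: <ip>" lines that end up in /etc/hosts.deny. The threshold names and values are modeled on DenyHosts' DENY_THRESHOLD_ROOT / DENY_THRESHOLD_INVALID / DENY_THRESHOLD_VALID settings and are assumed; check the denyhosts configuration on the Fedora VM for the real values.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/secure lines (not taken from the lab's screenshots).
SAMPLE_SECURE_LOG = """\
Mar  3 10:01:12 fedora14 sshd[2901]: Accepted password for student from 192.168.1.106 port 40122 ssh2
Mar  3 10:05:40 fedora14 sshd[2940]: Failed password for root from 192.168.1.106 port 40201 ssh2
Mar  3 10:05:41 fedora14 sshd[2942]: Failed password for root from 192.168.1.106 port 40202 ssh2
Mar  3 10:05:42 fedora14 sshd[2946]: Failed password for invalid user admin from 192.168.1.106 port 40204 ssh2
Mar  3 10:07:03 fedora14 sshd[2960]: Failed password for student from 192.168.1.50 port 51000 ssh2
"""

# Matches the sshd "Failed password" line format that Section 11 greps for.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Assumed thresholds, modeled on DenyHosts' DENY_THRESHOLD_ROOT/_INVALID/_VALID.
THRESHOLDS = {"root": 1, "invalid": 5, "valid": 10}

def classify(match):
    """Bucket a failed attempt the way DenyHosts does: root, invalid user, or valid user."""
    if match.group("user") == "root":
        return "root"
    if match.group("invalid"):
        return "invalid"
    return "valid"

def count_failures(log_text):
    """Return {ip: {category: failed-password count}} over the log lines."""
    counts = defaultdict(lambda: {"root": 0, "invalid": 0, "valid": 0})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")][classify(m)] += 1
    return dict(counts)

def hosts_deny_entries(log_text, thresholds=THRESHOLDS):
    """IPs whose failures reach any threshold, formatted as hosts.deny lines."""
    entries = []
    for ip, per_cat in sorted(count_failures(log_text).items()):
        if any(per_cat[c] >= thresholds[c] for c in thresholds):
            entries.append("sshd: %s" % ip)
    return entries

if __name__ == "__main__":
    for entry in hosts_deny_entries(SAMPLE_SECURE_LOG):
        print(entry)
```

With a root threshold of 1, a single failed root login is enough to produce the "sshd: 192.168.1.106" entry the lab finds in /etc/hosts.deny.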
| Section 14: Unblock BackTrack |

Stop rsyslog and denyhosts (On Fedora)
	Instructions:
		1. fuser /var/log/secure
			The command fuser identifies the Process IDs (PIDs) that currently have a file open.
			Notice that PIDs 2715 and 2738 currently have the secure file open.
		2. ps -eaf | grep -v grep | egrep '(2715|2738)'
			Replace 2715 and 2738 with the Process IDs (PIDs) that fuser lists in your session.
		3. service rsyslog stop
		4. service denyhosts stop
		5. fuser /var/log/secure
			Notice no Process IDs are returned.

Scrub the hosts.deny file
	Note(FYI):
		Replace 192.168.1.106 with BackTrack's IP Address obtained from (Section 6, Step 2).
	Instructions:
		1. cd /etc
		2. grep -v "192.168.1.106" hosts.deny > hosts.deny.new
		3. grep "192.168.1.106" hosts.deny.new | wc -l
		4. mv hosts.deny hosts.deny.old
		5. mv hosts.deny.new hosts.deny

Scrub the secure file
	Note(FYI):
		Replace 192.168.1.106 with BackTrack's IP Address obtained from (Section 6, Step 2).
	Instructions:
		1. cd /var/log/
		2. grep -v "192.168.1.106" secure > secure.new
		3. grep "192.168.1.106" secure.new | wc -l
		4. mv secure secure.old
		5. mv secure.new secure

Scrub the denyhosts file
	Note(FYI):
		Replace 192.168.1.106 with BackTrack's IP Address obtained from (Section 6, Step 2).
	Instructions:
		1. cd /var/log/
		2. grep -v "192.168.1.106" denyhosts > denyhosts.new
		3. mv denyhosts denyhosts.old
		4. mv denyhosts.new denyhosts

Start syslog and denyhosts
	Instructions:
		1. service rsyslog start
		2. service denyhosts start

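The following is an added example, not part of this lesson: it performs the grep -v / wc -l / mv scrub from Section 14 in one function, with two caveats the plain grep pipeline does not handle. The address is escaped and anchored so that scrubbing 192.168.1.10 cannot also drop lines for 192.168.1.106, and the original file mode is copied onto the rewritten file so /var/log/secure does not come back more readable than before. The hosts.deny contents and the scrubbed addresses are constructed sample data.

```python
import os
import re
import shutil
import tempfile

def scrub_ip(path, ip):
    """Remove every line mentioning `ip` as a whole address from `path`.

    Same effect as the lab's grep -v / mv sequence, plus: dots in the address
    are escaped and the address is anchored (192.168.1.10 must not match
    192.168.1.106), the original is kept as <path>.old, and the file mode is
    preserved. Returns (lines removed, lines still matching afterwards).
    """
    ip_re = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    with open(path) as f:
        lines = f.readlines()
    kept = [ln for ln in lines if not ip_re.search(ln)]
    new_path = path + ".new"
    with open(new_path, "w") as f:
        f.writelines(kept)
    shutil.copymode(path, new_path)      # e.g. keep 0600 on /var/log/secure
    os.rename(path, path + ".old")
    os.rename(new_path, path)
    with open(path) as f:                # the lab's "grep ... | wc -l" check
        remaining = sum(1 for ln in f if ip_re.search(ln))
    return len(lines) - len(kept), remaining

# Constructed /etc/hosts.deny contents (not from the lab): BackTrack's entry,
# a host that shares a prefix with it, and an unrelated host.
SAMPLE_HOSTS_DENY = (
    "# DenyHosts: Sun Mar  3 10:06:00 2013 | sshd: 192.168.1.106\n"
    "sshd: 192.168.1.106\n"
    "sshd: 192.168.1.10\n"
    "sshd: 10.0.0.9\n"
)

def demo(ip):
    """Scrub `ip` from a temporary copy of the sample; report what happened."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "hosts.deny")
    with open(path, "w") as f:
        f.write(SAMPLE_HOSTS_DENY)
    os.chmod(path, 0o600)
    removed, remaining = scrub_ip(path, ip)
    with open(path) as f:
        kept = f.read().splitlines()
    mode = oct(os.stat(path).st_mode & 0o777)
    shutil.rmtree(tmpdir)
    return removed, remaining, kept, mode

if __name__ == "__main__":
    print(demo("192.168.1.106"))
```

Run it as root against the real /etc/hosts.deny, /var/log/secure and /var/log/denyhosts only after rsyslog and denyhosts have been stopped, exactly as the section above does before the scrub.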
| Section 15: Test SSH From BackTrack To Fedora |

Test SSH Connection from BackTrack to Fedora (On BackTrack)
	Note(FYI):
		Replace 192.168.1.105 with Fedora's IP Address obtained from (Section 3, Step 4).
	Instructions:
		1. ssh student@192.168.1.105 "hostname"
		2. Provide Password.

Proof of Lab
	Instructions:
		1. cd
		2. cat brute.txt
		3. date
		4. echo "Your Name"
			Replace the string "Your Name" with your actual name, e.g., echo "John Gray"
		5. Do a <PrtScn>
		6. Paste into a word document
		7. Upload to Moodle