An IRC bot which monitors for compromised embedded devices being used as proxies
William Pitcock 345a88d8bc add support for submitting to DroneBL and dnsbl.im DNSBLs 2 months ago
.gitignore add antissh bot proof of concept 2 months ago
.gitmodules add ircreactor submodule 2 months ago
LICENSE Initial commit 2 months ago
README.md update a few more things 2 months ago
antissh.conf.example add support for submitting to DroneBL and dnsbl.im DNSBLs 2 months ago
antissh.py add support for submitting to DroneBL and dnsbl.im DNSBLs 2 months ago
requirements.txt add support for submitting to DroneBL and dnsbl.im DNSBLs 2 months ago

README.md

antissh

An IRC bot which monitors for compromised embedded devices being used as proxies.

background

In 2018, there was a resurgence of IRC spam attacks that were undetected by traditional proxy scanning methods. This is because the attackers were using vulnerable SSH daemons running on routers, IPMI devices and other embedded devices to proxy the connections, using the direct-tcpip subsystem.

antissh is a bot which scans incoming IRC connections for this vulnerability, and bans hosts which have it from your network, similar to how HOPM does this for normal proxies.

antissh is sufficiently capable of stopping the IRC spam bots that they IRC spam bots, themselves, have been advertising it, in an attempt to prolong the life of their 'botnet.'

usage

$ pip3 install -r requirements.txt
$ cp antissh.conf.example antissh.conf
$ vi antissh.conf
$ python3.6 antissh.py antissh.conf

You should probably use this under a supervisor such as OpenRC's supervise-daemon(8), systemd, s6, runit, etc.

known issues

asyncssh is kind of slow, would be nice to write an implementation of this bot in C, Go, Elixir or something faster. But, I will leave that to somebody else.