LongTail is both a honeypot and a set of programs that analyze SSH brute force login attempts. It not only performs the standard analysis of which passwords are being tried, but also analyzes the attempts by the accounts tried. Where LongTail goes that nobody else currently does is that it groups the attempts into attack patterns, and then provably groups attacking IP addresses into botnets that are controlled by a single person or group of people.
This talk contains light technical details on how this is done so it can be followed by non-technical staff, but is technical enough that the results can be reproduced by technical staff. Eric Wedaa has been involved with Unix system administration since 1987, and while currently not a security officer by title, Eric has been actively involved with Unix security since 1992, and has recently released LongTail Log Analysis, an SSH brute force attack analysis tool. This is the first publicly released tool that not only does a basic analysis of SSH login attempts, but also can group them into botnets based on similar attack patterns.
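The abstract describes three analysis stages: counting which passwords and accounts are tried, turning each source's attempts into an attack pattern, and grouping sources that share a pattern. The following is an added illustration of that pipeline and is not LongTail's own code; it assumes a honeypot log format (constructed here, since a stock sshd does not record the password of a rejected login), the field names `user=` and `pass=`, and a hypothetical `min_prefix` rule that treats two sources as the same botnet when they walk the same first few (user, password) pairs in the same order.

```python
"""Group SSH brute-force sources by the credential pattern they try.

Added example, not LongTail's code. The log format below is constructed:
it assumes a honeypot that records username and password per failed login.
"""
import re
from collections import defaultdict

# Constructed honeypot log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
2020-05-01T10:00:01 ssh-honeypot: failed login from 198.51.100.7 user=root pass=123456
2020-05-01T10:00:02 ssh-honeypot: failed login from 198.51.100.7 user=root pass=password
2020-05-01T10:00:03 ssh-honeypot: failed login from 198.51.100.7 user=admin pass=admin
2020-05-01T10:00:04 ssh-honeypot: failed login from 198.51.100.7 user=pi pass=raspberry
2020-05-01T10:05:10 ssh-honeypot: failed login from 203.0.113.42 user=root pass=123456
2020-05-01T10:05:11 ssh-honeypot: failed login from 203.0.113.42 user=root pass=password
2020-05-01T10:05:12 ssh-honeypot: failed login from 203.0.113.42 user=admin pass=admin
2020-05-01T10:05:13 ssh-honeypot: failed login from 203.0.113.42 user=pi pass=raspberry
2020-05-01T11:30:00 ssh-honeypot: failed login from 192.0.2.99 user=oracle pass=oracle
2020-05-01T11:30:01 ssh-honeypot: failed login from 192.0.2.99 user=postgres pass=postgres
2020-05-01T11:30:02 ssh-honeypot: failed login from 192.0.2.99 user=test pass=test
2020-05-01T12:00:00 ssh-honeypot: failed login from 192.0.2.100 user=oracle pass=oracle
2020-05-01T12:00:01 ssh-honeypot: failed login from 192.0.2.100 user=postgres pass=postgres
2020-05-01T12:00:02 ssh-honeypot: failed login from 192.0.2.100 user=test pass=test
2020-05-01T12:00:03 ssh-honeypot: failed login from 192.0.2.100 user=test pass=test123
"""

# Assumed field layout of the constructed format.
LINE_RE = re.compile(r"failed login from (?P<ip>\S+) user=(?P<user>\S+) pass=(?P<pw>\S+)")


def parse_attempts(text):
    """Return a list of (ip, user, password) tuples in log order."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            attempts.append((m.group("ip"), m.group("user"), m.group("pw")))
    return attempts


def credential_counts(attempts):
    """Stage 1, the standard analysis: how often each account and each password is tried."""
    users, passwords = defaultdict(int), defaultdict(int)
    for _, user, pw in attempts:
        users[user] += 1
        passwords[pw] += 1
    return dict(users), dict(passwords)


def attack_patterns(attempts):
    """Stage 2: per source IP, the ordered sequence of (user, password) pairs tried.

    The order is the fingerprint: two instances of the same tool with the same
    wordlist walk it in the same order, whatever IP they come from.
    """
    per_ip = defaultdict(list)
    for ip, user, pw in attempts:
        per_ip[ip].append((user, pw))
    return {ip: tuple(seq) for ip, seq in per_ip.items()}


def group_botnets(patterns, min_prefix=3):
    """Stage 3: group IPs whose sequences share the same first `min_prefix` pairs.

    A fixed-length prefix (assumed rule) tolerates sessions that were cut off or
    banned at different points. Returns sorted groups with more than one member.
    """
    groups = defaultdict(list)
    for ip, seq in patterns.items():
        if len(seq) >= min_prefix:
            groups[seq[:min_prefix]].append(ip)
    return sorted(sorted(ips) for ips in groups.values() if len(ips) > 1)


if __name__ == "__main__":
    attempts = parse_attempts(SAMPLE_LOG)
    users, passwords = credential_counts(attempts)
    print("accounts tried:", users)
    print("passwords tried:", passwords)
    for group in group_botnets(attack_patterns(attempts)):
        print("same attack pattern, likely one operator:", ", ".join(group))
```

On the constructed sample the two `root/admin/pi` sources fall into one group and the two `oracle/postgres/test` sources into another, even though the second pair differ in where the session stopped. Raising `min_prefix`, or fingerprinting on the full sequence instead of a prefix, trades fewer false groupings for more misses when a source is blocked early.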
If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.
Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast