Old 01-16-2009, 04:16 PM
"Dotan Cohen"
 
Logging passwords of SSH attacks

2009/1/16 Sjoerd Hardeman <sjoerd@lorentz.leidenuniv.nl>:
> I would try either honeyd or tinyhoneypot for that. You don't need a full
> blown ssh daemon for this.
>

Thank you Sjoerd. I do, however, need sshd for the legitimate user who
logs into this system. I googled a bit of honeyd but do not see if it
will interfere with the real sshd. Have you any knowledge about this?

--
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
ا-ب-ت-ث-ج-ح-خ-د-ذ-ر-ز-س-ش-ص-ض-ط-ظ-ع-غ-ف-ق-ك-ل-م-ن-ه‍-و-ي
А-Б-В-Г-Д-Е-Ё-Ж-З-И-Й-К-Л-М-Н-О-П-Р-С-Т-У-Ф-Х-Ц-Ч-Ш-Щ-Ъ-Ы-Ь-Э-Ю-Я
а-б-в-г-д-е-ё-ж-з-и-й-к-л-м-н-о-п-р-с-т-у-ф-х-ц-ч-ш-щ-ъ-ы-ь-э-ю-я
ä-ö-ü-ß-Ä-Ö-Ü
 
Old 01-16-2009, 04:22 PM
Sjoerd Hardeman
 
Logging passwords of SSH attacks

Dotan Cohen wrote:
> 2009/1/16 Sjoerd Hardeman <sjoerd@lorentz.leidenuniv.nl>:
>> I would try either honeyd or tinyhoneypot for that. You don't need a full
>> blown ssh daemon for this.
>
> Thank you Sjoerd. I do, however, need sshd for the legitimate user who
> logs into this system. I googled a bit of honeyd but do not see if it
> will interfere with the real sshd. Have you any knowledge about this?

I don't have experience. My understanding is that honeyd is for setting
up fake systems with many fake services, which also allows fake break-ins.

tinyhoneypot seems just to offer fake services which logs all that happens.
But, wouldn't it be wise to run a honeypot on port 22, and a real ssh on
a completely different port? Of course a good user/password choice isn't
easily brute-forced, but not running a real ssh as a honeypot seems far
more secure to me.


Sjoerd


--
() ascii ribbon campaign - against html e-mail
/ www.asciiribbon.org - against proprietary attachments
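One concrete shape for what Sjoerd describes, a listener on port 22 that is not a real sshd while the real one sits on another port. This is an added example written for this archive page, not code from the thread and not honeyd or tinyhoneypot; the banner string, the log line format and the port handling are my own choices. It only speaks the first line of the SSH protocol (the identification exchange from RFC 4253), records the source address and the client software string, and hangs up. Because no key exchange or authentication ever runs, no password, mistyped or otherwise, can reach the log, which sidesteps the concern raised later in the thread.

```python
import re
import socket
import sys
from datetime import datetime, timezone

# Example listener for the public SSH port. Sends a server identification
# string, reads the client's identification line (RFC 4253 section 4.2),
# records it with the source address, then closes the connection.
# No key exchange or authentication is implemented, by design.

SERVER_ID = b"SSH-2.0-banner-listener-example\r\n"  # constructed banner, choose your own
MAX_ID_LEN = 255                                     # RFC 4253 caps the line at 255 bytes

# "SSH-protoversion-softwareversion SP comments CR LF"
CLIENT_ID_RE = re.compile(
    rb"^SSH-(?P<proto>[0-9.]+)-(?P<software>[^ \r\n]+)(?: (?P<comment>[^\r\n]*))?\r?\n"
)


def parse_client_id(data):
    """Return proto/software/comment for a well-formed identification line,
    or None for anything else (scanners frequently send junk or nothing)."""
    m = CLIENT_ID_RE.match(data)
    if not m:
        return None
    return {
        "proto": m.group("proto").decode("ascii", "replace"),
        "software": m.group("software").decode("ascii", "replace"),
        "comment": (m.group("comment") or b"").decode("ascii", "replace"),
    }


def make_entry(src_ip, src_port, data, now=None):
    """Build the record for one connection: time, source, client software
    and the raw length. The raw bytes themselves are deliberately dropped."""
    parsed = parse_client_id(data)
    return {
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "src": src_ip,
        "sport": src_port,
        "proto": parsed["proto"] if parsed else None,
        "software": parsed["software"] if parsed else None,
        "raw_len": len(data),
    }


def format_entry(entry):
    """One log line per connection."""
    client = entry["software"] or "(no valid SSH identification)"
    return "%s %s:%d %s" % (entry["ts"], entry["src"], entry["sport"], client)


def handle(conn, addr, timeout=5.0):
    """Serve a single accepted connection and return its log entry."""
    conn.settimeout(timeout)
    try:
        conn.sendall(SERVER_ID)
        data = conn.recv(MAX_ID_LEN)
    except (socket.timeout, OSError):
        data = b""
    finally:
        conn.close()
    return make_entry(addr[0], addr[1], data)


def serve(host="0.0.0.0", port=22, logfile=sys.stdout):
    """Accept loop. Binding port 22 needs root or CAP_NET_BIND_SERVICE."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(64)
        while True:
            conn, addr = srv.accept()
            logfile.write(format_entry(handle(conn, addr)) + "\n")
            logfile.flush()


if __name__ == "__main__":
    # Usage: python3 listener.py [port]; the real sshd must already be moved
    # off port 22 (Port directive in sshd_config) before starting this.
    serve(port=int(sys.argv[1]) if len(sys.argv) > 1 else 22)
```

What you get per connection is the source address and the client software string, which is enough to see which tools are doing the scanning and to feed a ban list, without ever reaching the stage where a password is typed.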
 
Old 01-16-2009, 05:07 PM
Osamu Aoki
 
Logging passwords of SSH attacks

On Fri, Jan 16, 2009 at 07:16:41PM +0200, Dotan Cohen wrote:
> 2009/1/16 Sjoerd Hardeman <sjoerd@lorentz.leidenuniv.nl>:
> > I would try either honeyd or tinyhoneypot for that. You don't need a full
> > blown ssh daemon for this.
> >
>
> Thank you Sjoerd. I do, however, need sshd for the legitimate user who
> logs into this system. I googled a bit of honeyd but do not see if it
> will interfere with the real sshd. Have you any knowledge about this?

If you still want password login to ssh, look into knockd package.

Osamu

> ا-ب-ت-ث-ج-ح-خ-د-ذ-ر-ز-س-ش-ص-ض-ط-ظ-ع-غ-ف-ق-ك-ل-م-ن-ه‍-و-ي

Hmmm... I am missing 200d


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 01-16-2009, 05:20 PM
"Dotan Cohen"
 
Logging passwords of SSH attacks

2009/1/16 Osamu Aoki <osamu@debian.org>:
> If you still want password login to ssh, look into knockd package.
>

Thanks, I will google that.

>> ا-ب-ت-ث-ج-ح-خ-د-ذ-ر-ز-س-ش-ص-ض-ط-ظ-ع-غ-ف-ق-ك-ل-م-ن-ه‍-و-ي
>
> Hmmm... I am missing 200d
>

Did I miss a letter? Can you provide me with a complete alphabet? I
use these letters to build a dictionary of wrongly-encoded text to
translate Gibberish to Arabic (And Hebrew, German, Russian).

--
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
ا-ب-ت-ث-ج-ح-خ-د-ذ-ر-ز-س-ش-ص-ض-ط-ظ-ع-غ-ف-ق-ك-ل-م-ن-ه‍-و-ي
А-Б-В-Г-Д-Е-Ё-Ж-З-И-Й-К-Л-М-Н-О-П-Р-С-Т-У-Ф-Х-Ц-Ч-Ш-Щ-Ъ-Ы-Ь-Э-Ю-Я
а-б-в-г-д-е-ё-ж-з-и-й-к-л-м-н-о-п-р-с-т-у-ф-х-ц-ч-ш-щ-ъ-ы-ь-э-ю-я
ä-ö-ü-ß-Ä-Ö-Ü
 
Old 01-16-2009, 05:40 PM
Osamu Aoki
 
Logging passwords of SSH attacks

On Fri, Jan 16, 2009 at 08:20:57PM +0200, Dotan Cohen wrote:
> 2009/1/16 Osamu Aoki <osamu@debian.org>:
> > If you still want password login to ssh, look into knockd package.
> >
>
> Thanks, I will google that.
>
> >> ا-ب-ت-ث-ج-ح-خ-د-ذ-ر-ز-س-ش-ص-ض-ط-ظ-ع-غ-ف-ق-ك-ل-م-ن-ه‍-و-ي
> >
> > Hmmm... I am missing 200d
> >
>
> Did I miss a letter? Can you provide me with a complete alphabet? I
> use these letters to build a dictionary of wrongly-encoded text to
> translate Gibberish to Arabic (And Hebrew, German, Russian).

I see ... When I read your mail in mutt, it is OK.
Just space following "ﻩ".

> --
> Dotan Cohen
>
> http://what-is-what.com
> http://gibberish.co.il
>
> א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
> ا-ب-ت-ث-ج-ح-خ-د-ذ-ر-ز-س-ش-ص-ض-ط-ظ-ع-غ-ف-ق-ك-ل-م-ن-ه‍-و-ي
> А-Б-В-Г-Д-Е-Ё-Ж-З-И-Й-К-Л-М-Н-О-П-Р-С-Т-У-Ф-Х-Ц-Ч-Ш-Щ-Ъ-Ы-Ь-Э-Ю-Я
> а-б-в-г-д-е-ё-ж-з-и-й-к-л-м-н-о-п-р-с-т-у-ф-х-ц-ч-ш-щ-ъ-ы-ь-э-ю-я
> ä-ö-ü-ß-Ä-Ö-Ü

When writing back, "ﻩ" is followed by <200d> in vim.

[not a printable character]
U+200D ZERO WIDTH JOINER
General Character Properties
Unicode category: Other, Format
Various Useful Representations
UTF-8: 0xE2 0x80 0x8D
UTF-16: 0x200D
C octal escaped UTF-8: 342200215
XML decimal entity: &#8205;
Annotations and Cross References
Notes:
• commonly abbreviated ZWJ

It is mutt/vim difference for handling character display of these [not a printable character].

Osamu


 
Old 01-16-2009, 06:18 PM
"Dotan Cohen"
 
Logging passwords of SSH attacks

2009/1/16 Osamu Aoki <osamu@debian.org>:
> When writing back, "ﻩ" is followed by <200d> in vim.
>

That is "m", no? Actually, it looks like I don't have that there.

Can you send to me your vim configuration? I have a lot of trouble
with RTL in VIM. Thanks.

--
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
ا-ب-ت-ث-ج-ح-خ-د-ذ-ر-ز-س-ش-ص-ض-ط-ظ-ع-غ-ف-ق-ك-ل-م-ن-ه‍-و-ي
А-Б-В-Г-Д-Е-Ё-Ж-З-И-Й-К-Л-М-Н-О-П-Р-С-Т-У-Ф-Х-Ц-Ч-Ш-Щ-Ъ-Ы-Ь-Э-Ю-Я
а-б-в-г-д-е-ё-ж-з-и-й-к-л-м-н-о-п-р-с-т-у-ф-х-ц-ч-ш-щ-ъ-ы-ь-э-ю-я
ä-ö-ü-ß-Ä-Ö-Ü
 
Old 01-16-2009, 06:54 PM
André Neves
 
Logging passwords of SSH attacks

On Fri, Jan 16, 2009 at 15:22, Sjoerd Hardeman
<sjoerd@lorentz.leidenuniv.nl> wrote:
> But, wouldn't it be wise to run a honeypot on port 22, and a real ssh on a completely different port? Of course a good user/password choice isn't easily brute-forced, but not running a real ssh as a honeypot seems far more secure to me.

I strongly second this recommendation.

André


 
Old 01-16-2009, 08:22 PM
Alex Samad
 
Logging passwords of SSH attacks

On Fri, Jan 16, 2009 at 06:03:52PM +0200, Dotan Cohen wrote:
> 2009/1/16 Jeff Soules <soules@gmail.com>:
> >> While in general I agree, in this case you could say that I am sitting
> >> here as a honeypot. No legitimate users will try connecting via SSH on
> >> port 22, and certainly not over the big bad internet. The only reason
> >> that I have sshd running here is for another machine on the LAN to ssh
> >> in on a different port.
> >
> > That would seem to reduce the difficulties associated with logging
> > random users' passwords. However, that makes me wonder what the point
> > is -- are you just curious as to how random crackers start their
> > dictionary attacks?
> >
>
> Yes.
>
> > Besides, if you're only SSHing on the lan, you might be better off
> > from a security standpoint by just dropping foreign-IP packets to 22
> > and whatever SSH port you actually use. If there is no legitimate
> > traffic, why even give attackers a login prompt?
> >
>
> Just to see what they are doing.


Why not mix the two: use fail2ban to, instead of dropping the packets,
send them to a honeypot sshd and then log the passwords?

>
> --
> Dotan Cohen
>
> http://what-is-what.com
> http://gibberish.co.il
>
> א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
> ا-ب-ت-ث-ج-ح-خ-د-ذ-ر-ز-س-ش-ص-ض-ط-ظ-ع-غ-ف-ق-ك-ل-م-ن-ه‍-و-ي
> А-Б-В-Г-Д-Е-Ё-Ж-З-И-Й-К-Л-М-Н-О-П-Р-С-Т-У-Ф-Х-Ц-Ч-Ш-Щ-Ъ-Ы-Ь-Э-Ю-Я
> а-б-в-г-д-е-ё-ж-з-и-й-к-л-м-н-о-п-р-с-т-у-ф-х-ц-ч-ш-щ-ъ-ы-ь-э-ю-я
> ä-ö-ü-ß-Ä-Ö-Ü

--
"We've tripled the amount of money -- I believe it's from $50 million up to $195 million available."

- George W. Bush
03/23/2002
Lima, Peru
 
Old 01-17-2009, 10:44 AM
Tzafrir Cohen
 
Logging passwords of SSH attacks

On Fri, Jan 16, 2009 at 02:25:35PM +0100, Florian Mickler wrote:
> On Thu, 15 Jan 2009 20:10:44 +0200
> "Dotan Cohen" <dotancohen@gmail.com> wrote:
>
> > I get a few thousands of these every day in the logs:
> > Illegal users from:
> > 70.85.222.106 (sales.gbdweb.com): 518 times
> > anna/password: 1 time
> > apache/password: 1 time
> > arthur/password: 1 time
> > attack/password: 1 time
> > awharton/password: 1 time
> >
> > How can I start logging the passwords attempted as well as the
> > usernames? Thanks.
> >
> That's not possible without hacking in the ssh-sourcecodes, I assume.

Or alternatively the pam module that is used. Openssh here checks
passwords using PAM.

>
> It would be a security nightmare to have the passwords of users being
> logged. even if it would only be on failed attempts.

And even then it would give some interesting clues, as it would also log
real passwords with typos.

> people
> often confuse which password they have to enter where, and thus valid
> passwords would wander into the logs for malicious people to collect and
> use at other sites.

auth.log is only readable to sysadmins.

--
Tzafrir Cohen | tzafrir@jabber.org | VIM is
http://tzafrir.org.il | | a Mutt's
tzafrir@cohens.org.il | | best
ICQ# 16849754 | | friend


 
Old 01-17-2009, 09:19 PM
Florian Mickler
 
Logging passwords of SSH attacks

On Sat, 17 Jan 2009 11:44:38 +0000
Tzafrir Cohen <tzafrir@cohens.org.il> wrote:


> > people
> > often confuse which password they have to enter where, and thus
> > valid passwords would wander into the logs for malicious people to
> > collect and use at other sites.
>
> auth.log is only readable to sysadmins.
>
<sarcasm> oh what a wonderful world </sarcasm>

The only way to prevent misuse of such information is to _not_ _log_
_it_.

If you really need to satisfy your curiosity hack the sources or look
at 'john' or something like that.

Sincerely
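Florian's point, that the only safe password log is no password log, leaves the question of what the existing auth.log already tells you. The script below is an added example for this archive page, not code from the thread or from any Debian package; it rebuilds the "user: N times" tally Dotan quoted at the start of the thread from the lines sshd already writes through syslog (username and source address only), and lists the sources a ban tool such as fail2ban would act on. The log lines embedded in it are constructed samples, not from any real host.

```python
import re
from collections import Counter, defaultdict

# Summarise failed sshd logins from auth.log using only what OpenSSH logs
# already: the username tried and the source address. Nothing a client typed
# as a password is available here, so nothing of the kind can be written out.

# "Failed password for [invalid user ]NAME from IP port N ssh2", after the
# usual "Mon DD HH:MM:SS host sshd[pid]: " syslog prefix.
FAILED_PW_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Constructed sample lines (not taken from the thread or any real system).
SAMPLE_LOG = """\
Jan 16 18:03:52 box sshd[1234]: Invalid user anna from 203.0.113.7
Jan 16 18:03:54 box sshd[1234]: Failed password for invalid user anna from 203.0.113.7 port 51234 ssh2
Jan 16 18:03:57 box sshd[1236]: Invalid user apache from 203.0.113.7
Jan 16 18:03:59 box sshd[1236]: Failed password for invalid user apache from 203.0.113.7 port 51235 ssh2
Jan 16 18:04:10 box sshd[1240]: Failed password for root from 198.51.100.9 port 4022 ssh2
Jan 16 18:04:12 box sshd[1240]: Failed password for root from 198.51.100.9 port 4022 ssh2
Jan 16 18:05:00 box sshd[1250]: Accepted publickey for dotan from 192.0.2.5 port 40000 ssh2
"""


def parse_failures(lines):
    """Yield (ip, user) for every failed password attempt.
    The preceding 'Invalid user ...' line is not counted separately, because
    the 'Failed password' line that follows it carries the same facts and
    counting both would double the tally."""
    for line in lines:
        m = FAILED_PW_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user")


def summarise(lines):
    """Return (per_ip, per_user): attempts per source, and a Counter of the
    usernames tried from each source."""
    per_ip = Counter()
    per_user = defaultdict(Counter)
    for ip, user in parse_failures(lines):
        per_ip[ip] += 1
        per_user[ip][user] += 1
    return per_ip, per_user


def report(lines):
    """Render in the 'ip: N times / user: N times' shape quoted in the thread."""
    per_ip, per_user = summarise(lines)
    out = ["Illegal users from:"]
    for ip, n in per_ip.most_common():
        out.append("%s: %d time%s" % (ip, n, "" if n == 1 else "s"))
        for user, k in sorted(per_user[ip].items()):
            out.append("    %s: %d time%s" % (user, k, "" if k == 1 else "s"))
    return "\n".join(out)


def offenders(lines, threshold):
    """Sources with at least `threshold` failures: the set a ban tool such as
    fail2ban would block or, as suggested upthread, redirect elsewhere."""
    per_ip, _ = summarise(lines)
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


if __name__ == "__main__":
    import sys
    # Usage: python3 sshfail.py /var/log/auth.log  (auth.log is root-readable)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(report(fh))
    else:
        print(report(SAMPLE_LOG.splitlines()))
```

Run against a real auth.log it groups the dictionary attack by source and shows which account names each source cycles through, which is the part of the attacker's behaviour the original question wanted to see, while the successful publickey login in the sample is left out of the tally.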
 
