Logging passwords of SSH attacks
On Thursday 15 January 2009 19:10:44 Dotan Cohen wrote:
> I get a few thousands of these every day in the logs:
> Illegal users from:
>    70.85.222.106 (sales.gbdweb.com): 518 times
>       anna/password: 1 time
>       apache/password: 1 time
>       arthur/password: 1 time
>       attack/password: 1 time
>       awharton/password: 1 time
>
> How can I start logging the passwords attempted as well as the
> usernames? Thanks.

You can try fail2ban to first kick the attacker out.

--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Logging passwords of SSH attacks
2009/1/15 Thierry Chatelet <tchatelet@free.fr>:
> You can try fail2ban to first kick the attacker out.
>

I am not that interested in the particular attacker, but I am interested in knowing what passwords are being attempted.

--
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-*-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
ا-ب-ت-ث-ج-*-خ-د-ذ-ر-ز-س-ش-ص-ض-ط-ظ-ع-غ-ف-ق-ك-ل-م-ن-ه*-و-ي
А-Б-В-Г-Д-Е-Ё-Ж-З-И-Й-К-Л-М-Н-О-П-*-С-Т-У-Ф-Х-Ц-Ч-Ш-Щ-Ъ-Ы-Ь-*-Ю-Я
а-б-в-г-д-е-ё-ж-з-и-й-к-л-м-н-о-п-р-с-т-у-ф-х-ц-ч-ш-щ-ъ-ы-ь-э-ю-я
ä-ö-ü-ß-Ä-Ö-Ü
Logging passwords of SSH attacks
On Thu, Jan 15, 2009 at 08:10:44PM +0200, Dotan Cohen wrote:
> How can I start logging the passwords attempted as well as the
> usernames? Thanks.

I don't think the standard SSH daemon can log passwords. After all, it would be a security risk if passwords started appearing in log files.

As I understand it, you would need to alter the source code of the SSH daemon and rebuild it to get that functionality. People doing that, though, usually only run the modified SSH on a 'honeypot' box that is there purely to capture login attempts for further analysis.

Gavin
Logging passwords of SSH attacks
On Thu, 15 Jan 2009 20:10:44 +0200
"Dotan Cohen" <dotancohen@gmail.com> wrote:

> I get a few thousands of these every day in the logs:
> Illegal users from:
>    70.85.222.106 (sales.gbdweb.com): 518 times
>       anna/password: 1 time
>       apache/password: 1 time
>       arthur/password: 1 time
>       attack/password: 1 time
>       awharton/password: 1 time
>
> How can I start logging the passwords attempted as well as the
> usernames? Thanks.
>

That's not possible without hacking in the ssh source code, I assume.

It would be a security nightmare to have the passwords of users being logged, even if it would only be on failed attempts. People often confuse which password they have to enter where, and thus valid passwords would wander into the logs for malicious people to collect and use at other sites.

sincerely,
Florian
Logging passwords of SSH attacks
2009/1/16 Florian Mickler <florian@mickler.org>:
>> How can I start logging the passwords attempted as well as the
>> usernames? Thanks.
>>
> That's not possible without hacking in the ssh source code, I assume.
>
> It would be a security nightmare to have the passwords of users being
> logged, even if it would only be on failed attempts. People
> often confuse which password they have to enter where, and thus valid
> passwords would wander into the logs for malicious people to collect and
> use at other sites.
>

While in general I agree, in this case you could say that I am sitting here as a honeypot. No legitimate users will try connecting via SSH on port 22, and certainly not over the big bad internet. The only reason that I have sshd running here is for another machine on the LAN to ssh in on a different port.

--
Dotan Cohen
Logging passwords of SSH attacks
If I am not wrong in this issue, I would rather suggest that one can check the login attempts by users in their system log files, as the syslog system logs all the user.info and user.error messages in /var/log/messages or the syslog file.

Regards,
Om Prakash Singh

Please report the problems smartly and accurately by providing all the relevant details. It will help me answer you quickly.

-----Original Message-----
From: Dotan Cohen [mailto:dotancohen@gmail.com]
Sent: Friday, January 16, 2009 7:15 PM
To: Florian Mickler
Cc: debian-user @ lists. debian. org
Subject: Re: Logging passwords of SSH attacks
Logging passwords of SSH attacks
> While in general I agree, in this case you could say that I am sitting
> here as a honeypot. No legitimate users will try connecting via SSH on
> port 22, and certainly not over the big bad internet. The only reason
> that I have sshd running here is for another machine on the LAN to ssh
> in on a different port.

That would seem to reduce the difficulties associated with logging random users' passwords. However, that makes me wonder what the point is -- are you just curious as to how random crackers start their dictionary attacks?

Besides, if you're only SSHing on the LAN, you might be better off from a security standpoint by just dropping foreign-IP packets to 22 and whatever SSH port you actually use. If there is no legitimate traffic, why even give attackers a login prompt?
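Gavin's and Om Prakash's messages above point at what the stock daemon does log: the username and source address of every failed attempt goes to syslog (auth.log on Debian), just never the password. Jeff's point is that on a box which only ever serves the LAN, every source outside the LAN is something to drop at the firewall rather than answer with a login prompt. The following Python script is an added example, not code from this thread or from any of the tools mentioned in it; it parses such sshd lines, rebuilds the per-source summary quoted in the original post, and separates LAN sources from foreign ones. The log lines, hostname, PIDs and the 192.168.1.0/24 LAN range are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of what sshd writes to auth.log through syslog. The
# hostname, PIDs and timestamps are made up; 70.85.222.106 is the source
# quoted in the original post, 203.0.113.7 is a documentation address,
# and 192.168.1.0/24 is assumed to be the poster's LAN.
SAMPLE_AUTH_LOG = """\
Jan 15 19:01:02 host sshd[4101]: Failed password for invalid user anna from 70.85.222.106 port 50111 ssh2
Jan 15 19:01:05 host sshd[4103]: Failed password for invalid user apache from 70.85.222.106 port 50112 ssh2
Jan 15 19:01:09 host sshd[4105]: Failed password for invalid user arthur from 70.85.222.106 port 50113 ssh2
Jan 15 19:01:12 host sshd[4107]: Failed password for root from 70.85.222.106 port 50114 ssh2
Jan 15 19:02:30 host sshd[4110]: Failed password for invalid user test from 203.0.113.7 port 40001 ssh2
Jan 15 19:03:00 host sshd[4112]: Accepted publickey for dotan from 192.168.1.20 port 52000 ssh2
Jan 15 19:03:10 host sshd[4114]: Failed password for dotan from 192.168.1.20 port 52001 ssh2
"""

# One failed password attempt. sshd inserts "invalid user" when the account
# does not exist; the password itself is never written, only the username.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumption: the poster's LAN


def parse_failed_logins(text):
    """Yield (source_ip, username, account_missing) for each failed password line."""
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("invalid") is not None


def summarize(text, lan=LAN):
    """Group failures by source: total count, per-username counter, LAN flag."""
    summary = {}
    for ip, user, missing in parse_failed_logins(text):
        entry = summary.setdefault(ip, {
            "total": 0,
            "users": Counter(),
            "missing_accounts": set(),
            "lan": ipaddress.ip_address(ip) in lan,
        })
        entry["total"] += 1
        entry["users"][user] += 1
        if missing:
            entry["missing_accounts"].add(user)
    return summary


def foreign_sources(summary):
    """Sources outside the LAN. On a host that only serves the LAN, these are
    the addresses a firewall rule on the SSH port should never have let in."""
    return sorted(ip for ip, entry in summary.items() if not entry["lan"])


def report(summary):
    """Render the same shape of summary as the one quoted in the original post."""
    lines = ["Illegal users from:"]
    for ip, entry in sorted(summary.items(), key=lambda kv: -kv[1]["total"]):
        where = "LAN" if entry["lan"] else "foreign"
        lines.append(f"   {ip} ({where}): {entry['total']} times")
        for user, n in sorted(entry["users"].items()):
            lines.append(f"      {user}/password: {n} time{'s' if n != 1 else ''}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_AUTH_LOG)))
```

Feeding a real auth.log through `summarize` gives the username lists the poster already has, plus a split between LAN and foreign sources; a non-empty `foreign_sources` result on a LAN-only host is the signal that the port is reachable from where it should not be. The `missing_accounts` set is useful on its own: usernames sshd marks as "invalid user" are pure dictionary noise, while failures against accounts that do exist are the ones worth alerting on.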
Logging passwords of SSH attacks
2009/1/16 Jeff Soules <soules@gmail.com>:
>> While in general I agree, in this case you could say that I am sitting
>> here as a honeypot. No legitimate users will try connecting via SSH on
>> port 22, and certainly not over the big bad internet. The only reason
>> that I have sshd running here is for another machine on the LAN to ssh
>> in on a different port.
>
> That would seem to reduce the difficulties associated with logging
> random users' passwords. However, that makes me wonder what the point
> is -- are you just curious as to how random crackers start their
> dictionary attacks?
>

Yes.

> Besides, if you're only SSHing on the LAN, you might be better off
> from a security standpoint by just dropping foreign-IP packets to 22
> and whatever SSH port you actually use. If there is no legitimate
> traffic, why even give attackers a login prompt?
>

Just to see what they are doing.

--
Dotan Cohen
Logging passwords of SSH attacks
2009/1/16 Gavin Elliot Jones <gavin@grassfield.co.uk>:
> On Thu, Jan 15, 2009 at 08:10:44PM +0200, Dotan Cohen wrote:
>> How can I start logging the passwords attempted as well as the
>> usernames? Thanks.
>
> I don't think the standard SSH daemon can log passwords. After all, it
> would be a security risk if passwords started appearing in log files.
>
> As I understand it, you would need to alter the source code of the SSH
> daemon and rebuild it to get that functionality. People doing that,
> though, usually only run the modified SSH on a 'honeypot' box that is
> there purely to capture login attempts for further analysis.
>

I see, Gavin, and I do agree that this is honeypot area. Thanks.

--
Dotan Cohen
Logging passwords of SSH attacks
Dotan Cohen wrote:
> 2009/1/16 Gavin Elliot Jones <gavin@grassfield.co.uk>:
>> On Thu, Jan 15, 2009 at 08:10:44PM +0200, Dotan Cohen wrote:
>>> How can I start logging the passwords attempted as well as the
>>> usernames? Thanks.
>>
>> I don't think the standard SSH daemon can log passwords. After all, it
>> would be a security risk if passwords started appearing in log files.
>>
>> As I understand it, you would need to alter the source code of the SSH
>> daemon and rebuild it to get that functionality. People doing that,
>> though, usually only run the modified SSH on a 'honeypot' box that is
>> there purely to capture login attempts for further analysis.
>
> I see, Gavin, and I do agree that this is honeypot area. Thanks.

I would try either honeyd or tinyhoneypot for that. You don't need a full-blown ssh daemon for this.

Sjoerd

--
() ascii ribbon campaign - against html e-mail
/ www.asciiribbon.org - against proprietary attachments