01-15-2009, 05:38 PM
Thierry Chatelet
Logging passwords of SSH attacks

On Thursday 15 January 2009 19:10:44 Dotan Cohen wrote:
> I get a few thousands of these every day in the logs:
> Illegal users from:
> 70.85.222.106 (sales.gbdweb.com): 518 times
> anna/password: 1 time
> apache/password: 1 time
> arthur/password: 1 time
> attack/password: 1 time
> awharton/password: 1 time
>
> How can I start logging the passwords attempted as well as the
> usernames? Thanks.

You can try fail2ban to first kick the attacker out.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
01-16-2009, 08:50 AM
"Dotan Cohen"
Logging passwords of SSH attacks

2009/1/15 Thierry Chatelet <tchatelet@free.fr>:
> You can try fail2ban to first kick the attacker out.
>

I am not that interested in the particular attacker, but I am
interested in knowing what passwords are being attempted.

--
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-*-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
ا-ب-ت-ث-ج-*-خ-د-ذ-ر-ز-س-ش-ص-ض-ط-ظ-ع-غ-ف-ق-ك-ل-م-ن-ه*-و-ي
А-Б-В-Г-Д-Е-Ё-Ж-З-И-Й-К-Л-М-Н-О-П-*-С-Т-У-Ф-Х-Ц-Ч-Ш-Щ-Ъ-Ы-Ь-*-Ю-Я
а-б-в-г-д-е-ё-ж-з-и-й-к-л-м-н-о-п-р-с-т-у-ф-х-ц-ч-ш-щ-ъ-ы-ь-э-ю-я
ä-ö-ü-ß-Ä-Ö-Ü
 
01-16-2009, 12:24 PM
Logging passwords of SSH attacks

On Thu, Jan 15, 2009 at 08:10:44PM +0200, Dotan Cohen wrote:
> How can I start logging the passwords attempted as well as the
> usernames? Thanks.

I don't think the standard SSH daemon can log passwords. After all it
would be a security risk if passwords started appearing in log files.

As I understand it, you would need to alter the source code of the SSH
daemon and rebuild it to get that functionality. People doing that
though usually only run the modified SSH on a 'honeypot' box that is
there purely to capture log in attempts for further analysis.

Gavin


 
01-16-2009, 12:25 PM
Florian Mickler
Logging passwords of SSH attacks

On Thu, 15 Jan 2009 20:10:44 +0200
"Dotan Cohen" <dotancohen@gmail.com> wrote:

> I get a few thousands of these every day in the logs:
> Illegal users from:
> 70.85.222.106 (sales.gbdweb.com): 518 times
> anna/password: 1 time
> apache/password: 1 time
> arthur/password: 1 time
> attack/password: 1 time
> awharton/password: 1 time
>
> How can I start logging the passwords attempted as well as the
> usernames? Thanks.
>
That's not possible without hacking the ssh source code, I assume.

It would be a security nightmare to have the passwords of users being
logged, even if it would only be on failed attempts. People
often confuse which password they have to enter where, and thus valid
passwords would wander into the logs for malicious people to collect and
use at other sites.

sincerely,
Florian
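The per-source report quoted at the top of the thread can be built from the lines sshd already writes to auth.log, which carry the username and source address but never the password. This is an added example, not code from any poster in this thread; it assumes Debian's /var/log/auth.log line format and runs on constructed sample lines.

```shell
#!/bin/sh
# Constructed sample of sshd auth.log lines for testing (not real log data;
# 192.0.2.7 and 70.85.222.106 are used purely as illustrative addresses).
SAMPLE_LOG='Jan 15 19:10:01 host sshd[2101]: Failed password for invalid user anna from 70.85.222.106 port 40012 ssh2
Jan 15 19:10:02 host sshd[2103]: Failed password for invalid user apache from 70.85.222.106 port 40013 ssh2
Jan 15 19:10:03 host sshd[2105]: Failed password for root from 70.85.222.106 port 40014 ssh2
Jan 15 19:10:04 host sshd[2107]: Failed password for invalid user anna from 192.0.2.7 port 51000 ssh2
Jan 15 19:10:05 host sshd[2109]: Accepted publickey for dotan from 192.168.1.20 port 33000 ssh2'

# Summarise failed SSH logins read on stdin: one block per source address,
# listing the usernames tried and how often. Only what sshd already logs
# (username and source) is used; sshd never writes the attempted password,
# so it cannot leak into this report.
ssh_failed_summary() {
    # Stage 1: extract "source user" for every failed password attempt.
    # Fields are located by keyword so a different timestamp layout
    # does not break the parse.
    awk '/sshd\[[0-9]+\]: Failed password for / {
        for (i = 1; i <= NF; i++) {
            if ($i == "for") user = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
            if ($i == "from") ip = $(i + 1)
        }
        print ip, user
    }' | sort | uniq -c |
    # Stage 2: uniq -c yields "count source user"; group by source and
    # print the per-source total followed by the per-user counts.
    awk '{
        if (!($2 in total)) order[++n] = $2
        total[$2] += $1
        detail[$2] = detail[$2] sprintf("   %s: %d %s\n", $3, $1, (($1 == 1) ? "time" : "times"))
    }
    END {
        print "Failed SSH logins from:"
        for (i = 1; i <= n; i++) {
            ip = order[i]
            printf "%s: %d %s\n%s", ip, total[ip], ((total[ip] == 1) ? "time" : "times"), detail[ip]
        }
    }'
}

# On a Debian box the real input would be: ssh_failed_summary < /var/log/auth.log
printf '%s\n' "$SAMPLE_LOG" | ssh_failed_summary
```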
 
01-16-2009, 12:45 PM
"Dotan Cohen"
Logging passwords of SSH attacks

2009/1/16 Florian Mickler <florian@mickler.org>:

>> How can I start logging the passwords attempted as well as the
>> usernames? Thanks.
>>
> That's not possible without hacking the ssh source code, I assume.
>
> It would be a security nightmare to have the passwords of users being
> logged, even if it would only be on failed attempts. People
> often confuse which password they have to enter where, and thus valid
> passwords would wander into the logs for malicious people to collect and
> use at other sites.
>

While in general I agree, in this case you could say that I am sitting
here as a honeypot. No legitimate users will try connecting via SSH on
port 22, and certainly not over the big bad internet. The only reason
that I have sshd running here is for another machine on the LAN to ssh
in on a different port.

--
Dotan Cohen

 
01-16-2009, 12:50 PM
"Om Prakash Singh //Kotak /Bank"
Logging passwords of SSH attacks

If I am not wrong on this issue, I would suggest checking the login
attempts by users in the system log files, as syslog logs all the
user.info and user.error messages in /var/log/messages or the syslog file.

Regards,
Om Prakash Singh

Please report the problems smartly and accurately by providing all the
relevant details. It will help me answer you quickly.



-----Original Message-----
From: Dotan Cohen [mailto:dotancohen@gmail.com]
Sent: Friday, January 16, 2009 7:15 PM
To: Florian Mickler
Cc: debian-user @ lists. debian. org
Subject: Re: Logging passwords of SSH attacks

2009/1/16 Florian Mickler <florian@mickler.org>:

>> How can I start logging the passwords attempted as well as the
>> usernames? Thanks.
>>
> That's not possible without hacking the ssh source code, I assume.
>
> It would be a security nightmare to have the passwords of users being
> logged, even if it would only be on failed attempts. People often
> confuse which password they have to enter where, and thus valid
> passwords would wander into the logs for malicious people to collect
> and use at other sites.
>

While in general I agree, in this case you could say that I am sitting
here as a honeypot. No legitimate users will try connecting via SSH on
port 22, and certainly not over the big bad internet. The only reason
that I have sshd running here is for another machine on the LAN to ssh
in on a different port.

--
Dotan Cohen



 
01-16-2009, 01:58 PM
Jeff Soules
Logging passwords of SSH attacks

> While in general I agree, in this case you could say that I am sitting
> here as a honeypot. No legitimate users will try connecting via SSH on
> port 22, and certainly not over the big bad internet. The only reason
> that I have sshd running here is for another machine on the LAN to ssh
> in on a different port.

That would seem to reduce the difficulties associated with logging
random users' passwords. However, that makes me wonder what the point
is -- are you just curious as to how random crackers start their
dictionary attacks?

Besides, if you're only SSHing on the lan, you might be better off
from a security standpoint by just dropping foreign-IP packets to 22
and whatever SSH port you actually use. If there is no legitimate
traffic, why even give attackers a login prompt?



On Fri, Jan 16, 2009 at 8:45 AM, Dotan Cohen <dotancohen@gmail.com> wrote:
> 2009/1/16 Florian Mickler <florian@mickler.org>:
>
>>> How can I start logging the passwords attempted as well as the
>>> usernames? Thanks.
>>>
>> That's not possible without hacking the ssh source code, I assume.
>>
>> It would be a security nightmare to have the passwords of users being
>> logged, even if it would only be on failed attempts. People
>> often confuse which password they have to enter where, and thus valid
>> passwords would wander into the logs for malicious people to collect and
>> use at other sites.
>>
>
> While in general I agree, in this case you could say that I am sitting
> here as a honeypot. No legitimate users will try connecting via SSH on
> port 22, and certainly not over the big bad internet. The only reason
> that I have sshd running here is for another machine on the LAN to ssh
> in on a different port.
>
> --
> Dotan Cohen


 
01-16-2009, 03:03 PM
"Dotan Cohen"
Logging passwords of SSH attacks

2009/1/16 Jeff Soules <soules@gmail.com>:
>> While in general I agree, in this case you could say that I am sitting
>> here as a honeypot. No legitimate users will try connecting via SSH on
>> port 22, and certainly not over the big bad internet. The only reason
>> that I have sshd running here is for another machine on the LAN to ssh
>> in on a different port.
>
> That would seem to reduce the difficulties associated with logging
> random users' passwords. However, that makes me wonder what the point
> is -- are you just curious as to how random crackers start their
> dictionary attacks?
>

Yes.

> Besides, if you're only SSHing on the lan, you might be better off
> from a security standpoint by just dropping foreign-IP packets to 22
> and whatever SSH port you actually use. If there is no legitimate
> traffic, why even give attackers a login prompt?
>

Just to see what they are doing.

--
Dotan Cohen

 
01-16-2009, 03:04 PM
"Dotan Cohen"
Logging passwords of SSH attacks

2009/1/16 Gavin Elliot Jones <gavin@grassfield.co.uk>:
> On Thu, Jan 15, 2009 at 08:10:44PM +0200, Dotan Cohen wrote:
>> How can I start logging the passwords attempted as well as the
>> usernames? Thanks.
>
> I don't think the standard SSH daemon can log passwords. After all it
> would be a security risk if passwords started appearing in log files.
>
> As I understand it, you would need to alter the source code of the SSH
> daemon and rebuild it to get that functionality. People doing that
> though usually only run the modified SSH on a 'honeypot' box that is
> there purely to capture log in attempts for further analysis.
>

I see, Gavin, and I do agree that this is honeypot area. Thanks.

--
Dotan Cohen

 
01-16-2009, 03:57 PM
Sjoerd Hardeman
Logging passwords of SSH attacks

Dotan Cohen wrote:
> 2009/1/16 Gavin Elliot Jones <gavin@grassfield.co.uk>:
>> On Thu, Jan 15, 2009 at 08:10:44PM +0200, Dotan Cohen wrote:
>>> How can I start logging the passwords attempted as well as the
>>> usernames? Thanks.
>>
>> I don't think the standard SSH daemon can log passwords. After all it
>> would be a security risk if passwords started appearing in log files.
>>
>> As I understand it, you would need to alter the source code of the SSH
>> daemon and rebuild it to get that functionality. People doing that
>> though usually only run the modified SSH on a 'honeypot' box that is
>> there purely to capture log in attempts for further analysis.
>
> I see, Gavin, and I do agree that this is honeypot area. Thanks.

I would try either honeyd or tinyhoneypot for that. You don't need a
full blown ssh daemon for this.


Sjoerd

--
() ascii ribbon campaign - against html e-mail
/ www.asciiribbon.org - against proprietary attachments
 
