Tuesday, January 23, 2007


My home firewall runs an ssh server. Every few days, I go through my logs and find that someone has been attempting to guess account names and passwords on that server. For a while, I just allowed it to continue because I found it interesting to see what usernames were being guessed. After a few months of getting guess attempts every couple of seconds with almost no interruptions from dozens of ip addresses, I decided I didn't want to take the risk of somebody actually getting in and set up iptables rules to blackhole any ip address that sent more than ten SYN packets to ssh in less than two minutes. A friend pointed me to denyhosts, a tool to watch your logs for failed ssh attempts and put the offending host into your /etc/hosts.deny for a certain period of time. This is effectively the same as the iptables rules. Both of these methods are very effective but not as interesting as seeing all the usernames tried. So I downloaded the source for openssh-4.4p1 and made a few modifications. My new sshd:
  • Logs all connections
  • Logs usernames and passwords
  • Never opens a shell no matter what

If you'd like to set this up yourself, you can download the complete source, or if you already have the source for openssh-4.4p1, and don't want to download the whole thing just for a few modifications you can get just the diff. Then run the following commands:

tar xzvf openssh-logger.tar.gz
cd openssh-logger
./configure --prefix /usr/honey/ \
--with-privsep-path=/usr/honey/chroot \

The purpose of putting it in a strange directory is that we don't want to hose your real ssh server. If that went well, run:

make install
touch /usr/honey/chroot/sshattacks.log
chown sshd:sshd /usr/honey/chroot/sshattacks.log

Remember: if you run a real ssh server, you'll want to change the port it listens on in your /etc/ssh/sshd_config. You can add section to your ~/.ssh/config like this:

Host <hostname>
Port <real server's port>
so your client will connect to the correct server. Now everything should be set up and you should start seeing brute force attacks in /usr/honey/chroot/sshattacks.log in no more than a couple of days.

Output will look something like this:

host: port: 45677
user: root pass: root
user: root pass: t00r
user: root pass: r00t

Happy hunting!

1 comment:

Kyle said...

James was talking to me about this recently and pointed me at your blog... if you guys can get this to work in prod, we would have a great mechanism for media transfer. Keep up the great work!