Hi OpenSSH'ers,

I am emailing you to ask: is it possible to record failed password attempts and log them to syslog? Are there patches available for this? Has anyone managed to do this before? Are there alternative methods?

Many Thanks,

A

-- 
Alan Neville,
Postgraduate Education Officer, DCU Students' Union 2009/2010,
BS.c Computer Applications DCU (Completed)
MS.c Security and Forensics DCU (Attending)
--On 20 July 2010 19:21:40 +0100 Alan Neville <neville.alan at gmail.com> wrote:

> I am emailing you to ask is it possible to record failed password
> attempts and log them to syslog? Are there patches available for this?
> Has anyone managed to do this before? Are there alternative methods?

Does the logging that denyhosts etc. use not suffice?

-- 
Alex Bligh
Alan Neville wrote:

> I am emailing you to ask is it possible to record failed password
> attempts and log them to syslog? Are there patches available for this?
> Has anyone managed to do this before? Are there alternative methods?

My logs are always filled with cracking attempts to log in but failing the password. The past couple of months the distributed attacks have increased significantly. I currently have around 2,000 IP addresses attacking from a distributed attack engine. (No chance of succeeding, however.)

  Jul 18 07:01:26 joseki sshd[21461]: error: PAM: User not known to the underlying authentication module for illegal user kate from 200.63.163.27
  Jul 18 07:01:26 joseki sshd[21461]: Failed keyboard-interactive/pam for invalid user kate from 200.63.163.27 port 16602 ssh2

I don't know what system you are using and you did not say. On a Debian Stable system the above is normal output on a standard installation without additional user patches. What you are asking for seems to already be available.

Bob
Alan Neville wrote:

> Hi OpenSSH'ers,
>
> I am emailing you to ask is it possible to record failed password
> attempts and log them to syslog? Are there patches available for this?
> Has anyone managed to do this before? Are there alternative methods?
>
> Many Thanks,
>
> A

Hi Alan,

use a pam module and put it in common-auth

  auth sufficient pam_unix.so nullok_secure
  auth required   pam_log_pw.so
  auth requisite  pam_deny.so

Use something like (untested)

---- begin pam_log_pw.c -----------
/* Minimal PAM auth module that only collects the items a logger needs.
 * PAM_SM_AUTH makes <security/pam_modules.h> declare the auth hooks
 * (required by older Linux-PAM headers, ignored by newer ones). */
#define PAM_SM_AUTH
#include <security/pam_modules.h>

int pam_sm_authenticate(pam_handle_t *pamh, int flags,
                        int argc, const char **argv)
{
    const char *user = NULL, *pass = NULL, *rhost = NULL, *ruser = NULL;

    (void)flags; (void)argc; (void)argv;   /* not used by this module */

    /* The items are owned by PAM (do not free them) and any may be NULL. */
    pam_get_item(pamh, PAM_USER,    (const void **) &user);
    pam_get_item(pamh, PAM_AUTHTOK, (const void **) &pass);
    pam_get_item(pamh, PAM_RHOST,   (const void **) &rhost);
    pam_get_item(pamh, PAM_RUSER,   (const void **) &ruser);

    /* do your logging stuff here */

    /* This module only logs; it never grants access itself. */
    return PAM_AUTH_ERR;
}

/* sshd calls pam_setcred(), so an auth module must provide this hook too. */
int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    (void)pamh; (void)flags; (void)argc; (void)argv;
    return PAM_SUCCESS;
}
----- end ----

compile using something like:

  gcc -O2 -fPIC -Wall -pedantic -shared -lpam -o pam_log_pw.so \
      pam_log_pw.c

Best regards,

Christian

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

-- 
Company: Siemens Aktiengesellschaft Österreich
Legal form: Aktiengesellschaft
Registered office: Wien, commercial register number: FN 60562 m
Register court: Handelsgericht Wien, DVR: 0001708
Alan Neville wrote:
>> Hi OpenSSH'ers,
>>
>> I am emailing you to ask is it possible to record failed password
>> attempts and log them to syslog? Are there patches available for this?
>> Has anyone managed to do this before? Are there alternative methods?
>>
>> Many Thanks,
>>
>> A
>
> Hi Alan,
>
> use a pam module and put it in common-auth
>
>   auth sufficient pam_unix.so nullok_secure
>   auth required   pam_log_pw.so
>   auth requisite  pam_deny.so
>
> Use something like (untested)
>
> ---- begin pam_log_pw.c -----------
> #define PAM_SM_AUTHENTICATE
> #include <security/pam_modules.h>
>
> extern int pam_sm_authenticate(pam_handle_t *pamh,
>                                int flags, int argc, const char ** argv) {
>   const char *user, *pass, *rhost, *ruser;
>   pam_get_item(pamh, PAM_USER, (const void **) &user);
>   pam_get_item(pamh, PAM_AUTHTOK, (const void **) &pass);
>   pam_get_item(pamh, PAM_RHOST, (const void **) &rhost);
>   pam_get_item(pamh, PAM_RUSER, (const void **) &ruser);
>
>   /* do your logging stuff here*/
>   return PAM_AUTH_ERR;
> }
> ----- end ----
>
> compile using something like:
>
>   gcc -O2 -fPIC -Wall -pedantic -shared -lpam -o pam_log_pw.so \
>       pam_log_pw.c
>
> Best regards,
>
> Christian

Hello Fellow SSHers:

I hope I am emailing this correctly. I implemented the shared object above. It works pretty nicely, except that AUTHTOK only takes the value of the password for legitimate users; is there a way to get the failed passwords for all users? I too am a graduate student, except at St. Cloud State University, looking at Brute-Force SSH attacks. I would also be using this as a honeypot on a non-production public IP address. Therefore, the illegitimate usernames/passwords would be of the most value.

Here is the shared object code from Christian as I modified it....

/*---- begin pam_log_pw.c -----------*/
#define PAM_SM_AUTH
#include <security/pam_modules.h>
#include <stdio.h>

int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    const char *user = NULL, *pass = NULL, *rhost = NULL, *ruser = NULL;
    FILE *ofp;

    (void)flags; (void)argc; (void)argv;

    pam_get_item(pamh, PAM_USER,    (const void **) &user);
    pam_get_item(pamh, PAM_AUTHTOK, (const void **) &pass);
    pam_get_item(pamh, PAM_RHOST,   (const void **) &rhost);
    pam_get_item(pamh, PAM_RUSER,   (const void **) &ruser);

    /* do your logging stuff here */
    ofp = fopen("/var/log/passwd.log", "a");
    if (ofp == NULL)
        return PAM_AUTH_ERR;          /* cannot log; still deny */
    fprintf(ofp, pass);               /* password string used directly as the format */
    fclose(ofp);
    return PAM_AUTH_ERR;
}

int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    (void)pamh; (void)flags; (void)argc; (void)argv;
    return PAM_SUCCESS;
}
/*----- end ----*/

Please let me know if there is a way to store illegitimate usernames/passwords using a PAM module?

Thank you for your time and code!

-Dustin Rogers
Student Network Admin
Computer Network Research Center, SCSU
Dustin Rogers wrote:

> /*---- begin pam_log_pw.c -----------*/
> #define PAM_SM_AUTHENTICATE
> #include <security/pam_modules.h>
> #include <stdio.h>
> extern int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const c$
> {
>   const char *user, *pass, *rhost, *ruser;
>   FILE *ofp;
>   pam_get_item(pamh, PAM_USER, (const void **) &user);
>   pam_get_item(pamh, PAM_AUTHTOK, (const void **) &pass);
>   pam_get_item(pamh, PAM_RHOST, (const void **) &rhost);
>   pam_get_item(pamh, PAM_RUSER, (const void **) &ruser);
>   /* do your logging stuff here*/
>   ofp = fopen("/var/log/passwd.log","a");
>   fprintf(ofp,pass);
>   fclose(ofp);
>   return PAM_AUTH_ERR;
> }
> /*----- end ----*/

You must handle concurrency, or the log file will be corrupted.

Please also make sure to use fprintf() correctly:

  fprintf(ofp,"%s\n",pass);

How can you be doing security work in C without understanding how to (not) use format strings?

> Please let me know if there is a way to store illegitimate
> usernames/passwords using a PAM module?

I guess you just have to put your module earlier in the PAM stack used by sshd.

//Peter
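The two problems Peter raises, the password used as a printf format string and unsynchronised appends from concurrent sshd children, can be fixed in the logging step alone. The following is an added example, not code from Christian, Dustin or the OpenSSH project: the PAM glue is left out so it builds without <security/pam_modules.h>, and a real module's pam_sm_authenticate() would simply hand the PAM_USER, PAM_RHOST and PAM_AUTHTOK items to log_failed_attempt(). The log path and the sample attempts are constructed for the demo.

```c
/* Added example, not code from the thread. A module's pam_sm_authenticate()
 * would pass the PAM_USER, PAM_RHOST and PAM_AUTHTOK items to
 * log_failed_attempt(). EXAMPLE_LOG is an assumed demo path. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/file.h>
#include <unistd.h>

#define EXAMPLE_LOG "./pam_log_pw_example.log"

/* Escape one field so an attacker-chosen username or password cannot inject
 * extra log lines, terminal escapes or stray quotes: backslash and double
 * quote are backslash-escaped, bytes outside printable ASCII become \xNN.
 * Output is truncated to fit dst and is always NUL-terminated. */
size_t escape_field(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    if (dstsz == 0) return 0;
    if (src == NULL) src = "(null)";           /* PAM items may be NULL */
    for (; *src != '\0'; src++) {
        unsigned char c = (unsigned char)*src;
        char tok[8];
        if (c == '\\' || c == '"') snprintf(tok, sizeof tok, "\\%c", c);
        else if (c < 0x20 || c > 0x7e) snprintf(tok, sizeof tok, "\\x%02x", (unsigned)c);
        else { tok[0] = (char)c; tok[1] = '\0'; }
        size_t len = strlen(tok);
        if (n + len >= dstsz) break;            /* truncate, never overflow */
        memcpy(dst + n, tok, len);
        n += len;
    }
    dst[n] = '\0';
    return n;
}

/* Build one record. The format string is a literal and the fields travel
 * only through %s, which is the fix for fprintf(ofp, pass). Returns the
 * record length, or -1 if it does not fit in out. */
int format_record(char *out, size_t outsz,
                  const char *user, const char *rhost, const char *pass)
{
    char u[256], h[256], p[512];
    escape_field(u, sizeof u, user);
    escape_field(h, sizeof h, rhost);
    escape_field(p, sizeof p, pass);
    int len = snprintf(out, outsz,
                       "sshd-honeypot user=\"%s\" rhost=\"%s\" pass=\"%s\"\n", u, h, p);
    return (len < 0 || (size_t)len >= outsz) ? -1 : len;
}

/* Append one whole record through an O_APPEND descriptor: every write()
 * lands at the current end of file, so concurrent sshd children cannot
 * overwrite each other's records, and the flock() keeps one record from
 * being split across another writer's. Mode 0600: the file holds credentials. */
int append_record(const char *path, const char *record, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_CLOEXEC, 0600);
    size_t done = 0;
    if (fd < 0) return -1;
    if (flock(fd, LOCK_EX) != 0) { close(fd); return -1; }
    while (done < len) {
        ssize_t w = write(fd, record + done, len - done);
        if (w < 0) { if (errno == EINTR) continue; break; }
        done += (size_t)w;
    }
    flock(fd, LOCK_UN);
    close(fd);
    return done == len ? 0 : -1;
}

/* The call a module's pam_sm_authenticate() would make. Returns 0 or -1. */
int log_failed_attempt(const char *path, const char *user,
                       const char *rhost, const char *pass)
{
    char rec[1200];
    int len = format_record(rec, sizeof rec, user, rhost, pass);
    return len < 0 ? -1 : append_record(path, rec, (size_t)len);
}

/* Count complete (newline-terminated) records in the log, -1 if unreadable. */
long count_records(const char *path)
{
    FILE *f = fopen(path, "r");
    long n = 0;
    int c;
    if (f == NULL) return -1;
    while ((c = fgetc(f)) != EOF) if (c == '\n') n++;
    fclose(f);
    return n;
}

int main(void)
{
    /* Constructed attempts; the second password carries a newline and
     * printf directives, the kind of input a brute-forcer can send. */
    unlink(EXAMPLE_LOG);
    log_failed_attempt(EXAMPLE_LOG, "admin", "198.51.100.7", "123456");
    log_failed_attempt(EXAMPLE_LOG, "root", "203.0.113.5", "pa\"ss\nword %s%n");
    printf("%ld records in %s\n", count_records(EXAMPLE_LOG), EXAMPLE_LOG);
    return 0;
}
```

Because the whole line is emitted in one write() on an O_APPEND descriptor, the record layout survives many sshd children logging at once; the flock() is belt-and-braces for a partial write. The escaping matters for a honeypot in particular: the captured strings are attacker-controlled, so anything that later greps, tails or imports the file must not be fed raw control characters or fake "user=" fields.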