Tuesday, October 30, 2007

OpenSSH Brute Password Capture Patch

Today I was dealing with one of the countless ssh brute force grinders running wild out there on the net. I was thinking that it would be cool if I could capture all the username/password combinations they were supplying. During a search I ran across this nifty little patch. I downloaded and attempted to use it, but could not get the patch to apply. After a bit of investigation, I determined that this patch was written for the OpenBSD-specific version of OpenSSH and would not work on OpenSSH Portable. Since I wanted to use this on my Linux box, I had to modify the patch to get it to work.

The next thing I discovered is that I really didn't like the logging format... The logs record epoch time, username, password, and IP address... However, these are spread across four separate lines. So, a sample entry looks something like this:

1193780392
root
test
10.0.6.147


Not very easy to parse. Since I was interested in using the data for other things, I decided to modify the logging as well. The format still has the same fields, but now in a colon-delimited format, with one attempt per line. It now looks something like this:

1193780828:root:test2:10.0.6.147
1193788608:test:test:127.0.0.1

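Since the point of the new format is to feed the captures into other tooling, here is an added example (not part of the original patch) that parses the colon-delimited lines and summarises attempts per source address. The sample lines are constructed for the example; it assumes usernames contain no ':' but tolerates passwords that do.

```python
"""Parse the colon-delimited capture log (epoch:user:password:ip) into
per-source summaries.  Sample lines are constructed for this example."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample log; the third line has a password containing ':'.
SAMPLE_LOG = """\
1193780828:root:test2:10.0.6.147
1193788608:test:test:127.0.0.1
1193788610:root:pa:ss:10.0.6.147
bogus line
"""

@dataclass(frozen=True)
class Attempt:
    when: datetime
    user: str
    password: str
    source: str

def parse_line(line: str):
    """Return an Attempt, or None for a line that does not fit the format.

    Epoch and username are the first two fields, the source address is the
    last; everything in between is the password, so a password containing
    ':' is reassembled instead of shifting the address field.  Assumes the
    username itself contains no ':'.
    """
    fields = line.rstrip("\n").split(":")
    if len(fields) < 4 or not fields[0].isdigit():
        return None
    when = datetime.fromtimestamp(int(fields[0]), tz=timezone.utc)
    return Attempt(when, fields[1], ":".join(fields[2:-1]), fields[-1])

def summarise(text: str):
    """Group attempts by source address: count, users tried, first/last seen."""
    by_source = defaultdict(list)
    for line in text.splitlines():
        attempt = parse_line(line)
        if attempt is not None:
            by_source[attempt.source].append(attempt)
    return {
        src: {
            "attempts": len(items),
            "users": Counter(a.user for a in items),
            "first_seen": min(a.when for a in items).isoformat(),
            "last_seen": max(a.when for a in items).isoformat(),
        }
        for src, items in by_source.items()
    }

if __name__ == "__main__":
    for src, info in summarise(SAMPLE_LOG).items():
        print(src, info)
```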

I've placed the patch on my Google Code site for now. It's not very clean, but it appears to work with the portable version of OpenSSH for Linux. I tested it on version 4.7p1 on CentOS.

I'll attempt to clean it up and refine it later.

3 comments:

Anonymous said...

Very cool, thanks. I've been looking all over for a patch that would enable this kind of logging!

Anonymous said...

Didn't use it, but thanks.
You should say that it won't work if you're using PAM for authentication, though.

Anonymous said...

Awesome! I've been looking for a while for a patch that would do this. I followed your comment on unixcluster's site and it works great. I'm using Ubuntu Hardy Server with openssh-5.0p1. Thanks! :-D