Thread: [SOLVED] ssh store password attempts in auth.log

  1. #1
    Join Date
    Feb 2007
    Beans
    160
    Distro
    Gutsy Gibbon Testing

    [SOLVED] ssh store password attempts in auth.log

    I'm wondering if it's possible for sshd to store passwords in auth.log. Before people get on a privacy rant, I'm on a personal server used only by myself with a banner that notifies people that all information is recorded. Yet I do have a domain name, and I'm getting over 10k hits/day. I'm not necessarily interested in storing correct passwords, but rather wrong passwords. I've tried upping the logging information to Fascist, and up through Debug3, but no luck.

    Does anyone know if there's an option somewhere that I'm missing, or if there's a patch that will do this? If not, does anyone know where in the source the info is written to the log?
    Dell XPS M1530
    Core 2 Duo T8100 @ 2.10GHz | 4GB RAM
    320GB HDD | 256MB nVidia GeForce Go 8600M GT
    Registered Linux User: #441660 | Registered Ubuntu User: #11700

  2. #2
    Join Date
    Feb 2007
    Beans
    160
    Distro
    Gutsy Gibbon Testing

    Re: ssh store password attempts in auth.log

    bump

    Anybody?

  3. #3
    Join Date
    Jun 2008
    Location
    NYC
    Beans
    6

    Re: ssh store password attempts in auth.log

    Originally Posted by mrpeenut24:
    "I'm not necessarily interested in storing correct passwords, but rather wrong passwords."
    But you'd end up writing valid passwords to a log file, too, and you really don't want to do that. What are you ultimately trying to achieve by logging passwords used in failed login attempts? There might be a better, more secure way to find what you're looking for.

    -Coyle

  4. #4
    Join Date
    May 2007
    Location
    Phoenix, Arizona USA
    Beans
    2,909
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: ssh store password attempts in auth.log

    You're nuts! Do you have any idea how many attempts to get in occur on a normal day? If I watch them in real time on the console they just continually scroll by. Just the amount of data would be huge and, like coyled said, for what? If you just want a password file there are many out there free for tools like John the Ripper and other password cracking tools.

    To measure web traffic, what really counts is page views and unique visitors. Hits is not really indicative of total traffic. When you have 10,000 page views per day then you are just turning the corner.

    -Tim
    Last edited by windependence; June 29th, 2008 at 10:45 AM. Reason: add more comments
    www.pcchopshop.net

    Hard to find and obsolete PC and server parts. "If we can't find it, it probably doesn't exist"

  5. #5
    Join Date
    Feb 2007
    Beans
    160
    Distro
    Gutsy Gibbon Testing

    Re: ssh store password attempts in auth.log

    coyled: not necessarily. If done right, the password can be written to the file when the authentication fails. See this:

    Jun 29 07:13:33 www sshd[6170]: Invalid user federal from 123.140.245.23
    Jun 29 07:13:33 www sshd[6170]: pam_unix(sshd:auth): check pass; user unknown
    Jun 29 07:13:33 www sshd[6170]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.140.245.23
    Jun 29 07:13:36 www sshd[6170]: Failed password for invalid user federal from 123.140.245.23 port 36942 ssh2
    compared to:

    Jun 29 07:09:31 www sshd[5995]: Accepted password for mrpeenut24 from 192.168.1.101 port 45748 ssh2
    Jun 29 07:09:31 www sshd[5999]: pam_unix(sshd:session): session opened for user mrpeenut24 by (uid=0)
    These are obviously two different outputs being printed to the log. It shouldn't be difficult to modify it to write the incorrect password along with the login attempt.


    I would like to be able to graph the use of passwords with users to see if there's any correlation. I'm making a honeypot for a school netsec independent study project and would like some extra information. I'm already able to see which names are used most often (and how often), which IPs send the most login attempts, and I think passwords would be a useful addition to the information I collect. Even so, I'm the only one with login access to this computer, so logging correct passwords wouldn't be so bad. If it gets compromised I can easily wipe it and start over.


    windependence, I'm not talking about HTTP traffic, I'm talking about ssh login attempts. The data is already logged. Check /var/log/auth.log. In fact, I believe it never deletes those logs, gzipping them instead, so the information collection isn't a problem. Using grep & awk I can easily pull out the data I need, so I don't have to sort through it all. It's also not a matter of collecting passwords just so I can use them to brute force, it's a matter of collecting real-world data to use in a presentation.


    If you guys don't know of a patch or option variable, I can edit the code myself and reinstall ssh. The only problem then would be updating.

    -mrpeenut



    EDIT:
    mrpeenut24@www:/var/log$ wc auth.log.0
    10145 131198 1046675 auth.log.0
    10145 / 5 = 2029 login attempts last week, give or take
    Last edited by mrpeenut24; June 29th, 2008 at 12:54 PM.

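The per-user and per-source counts that post #5 describes pulling out of auth.log, as an added example (not code from the thread, and in Python rather than grep and awk). It runs on constructed sample lines in the format quoted above and anchors the match at the end of the line, because the username field is chosen by the remote client and can itself contain " from ... port ...".

```python
import re
from collections import Counter

# Constructed sample lines in the auth.log format quoted in the thread
# (documentation-range addresses; not real log data).
SAMPLE_LOG = """\
Jun 29 07:13:33 www sshd[6170]: Invalid user federal from 192.0.2.23
Jun 29 07:13:36 www sshd[6170]: Failed password for invalid user federal from 192.0.2.23 port 36942 ssh2
Jun 29 07:13:40 www sshd[6171]: Failed password for invalid user admin from 192.0.2.23 port 36950 ssh2
Jun 29 07:14:02 www sshd[6180]: Failed password for root from 198.51.100.7 port 51022 ssh2
Jun 29 07:14:05 www sshd[6181]: Failed password for root from 198.51.100.7 port 51030 ssh2
Jun 29 07:14:09 www sshd[6190]: Failed password for invalid user x from 203.0.113.9 port 22 ssh2 from 198.51.100.7 port 40000 ssh2
Jun 29 07:09:31 www sshd[5995]: Accepted password for mrpeenut24 from 192.168.1.101 port 45748 ssh2
"""

# The greedy user group plus the trailing "$" make the LAST
# " from <ip> port <n> ssh2" on the line the one that is trusted;
# anything before it is part of the client-supplied username.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>.*) from (?P<ip>\S+) port (?P<port>\d+) ssh2$"
)


def summarize(log_text):
    """Count failed password attempts per username and per source address."""
    users, sources, invalid = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # accepted logins, PAM lines, "Invalid user" notices
        users[m["user"]] += 1
        sources[m["ip"]] += 1
        if m["invalid"]:
            invalid[m["user"]] += 1  # account does not exist on the host
    return users, sources, invalid


if __name__ == "__main__":
    users, sources, invalid = summarize(SAMPLE_LOG)
    print("top users:  ", users.most_common(3))
    print("top sources:", sources.most_common(3))
    print("invalid-user attempts:", sum(invalid.values()), "of", sum(users.values()))
```
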
  6. #6
    Join Date
    Jan 2006
    Location
    United Kingdom
    Beans
    2,787
    Distro
    Kubuntu 6.06 Dapper

    Re: ssh store password attempts in auth.log

    MrPeenut,

    That sounds like an interesting little project. If you've not already seen it you might like to take a look at the patch from this blog for either a ready-baked solution or some idea of how you can modify your SSH server to do likewise.

    Do post back with any successes/failure as I'm sure it'd be of interest to others.

    Mathew
    www.NewtonNet.co.uk - Now supporting IPv6!

    ~ Please don't use PM's to request assistance - post your query on the forum and share the discussion - if you've got a problem chances are you won't be the only one! ~

  7. #7
    Join Date
    Feb 2007
    Beans
    160
    Distro
    Gutsy Gibbon Testing

    Re: ssh store password attempts in auth.log

    So far, looking in OpenBSD's openssh-5.0p1 in auth.c I can see this:

    Code:
    if (authctxt->postponed)
        authmsg = "Postponed";
    else
        authmsg = authenticated ? "Accepted" : "Failed";

    authlog("%s %s for %s%.100s from %.200s port %d%s",
        authmsg,
        method,
        authctxt->valid ? "" : "invalid user ",
        authctxt->user,
        get_remote_ipaddr(),
        get_remote_port(),
        info);
    It looks like both success and fail are logged in a single command. That wouldn't be a problem though. I'll keep looking and check out that link. Thanks MJN.

    -mrpeenut

  8. #8
    Join Date
    Feb 2007
    Beans
    160
    Distro
    Gutsy Gibbon Testing

    Re: ssh store password attempts in auth.log

    MJN, that works great! Thanks. That'll also make sifting through the logs easier too, and keep the auth.log intact.




    EDIT: That patch (linked on that page) was for 4.7p1, but it worked on 5.0p1 in case anyone was wondering.
    Last edited by mrpeenut24; June 29th, 2008 at 02:26 PM.

  9. #9
    Join Date
    Jan 2006
    Location
    United Kingdom
    Beans
    2,787
    Distro
    Kubuntu 6.06 Dapper

    Re: ssh store password attempts in auth.log

    Wow that was quick - nice work!

    Mathew

  10. #10
    Join Date
    Jun 2008
    Location
    NYC
    Beans
    6

    Re: ssh store password attempts in auth.log

    Originally Posted by mrpeenut24:
    "I'm making a honeypot for a school netsec independent study project and would like some extra information."
    Ah, ok. You could do this via PAM, and you wouldn't have to worry about re-patching sshd any time you want to upgrade it. Check out pam_storepw [ http://silicon-verl.de/home/flo/software/pamcifs.html ] for a starting point.

    -Coyle
