Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Restoring ssh session
From: "Michael Rutledge" <michael4447 () gmail com>
Date: Wed, 31 May 2006 16:33:17 -0500

You could grab the source for sshd and recompile with a small
modification to add in password logging.  Granted, as
john.fellers () gmail com says, you will expose any legitimate password
logins by doing this, but if you only use public key logins yourself
(and your users if you have any) those will not show up.  Depending on
the version of sshd you use, you can add a single line to do this (on
OpenSSH_4.2p1):
(in the source file auth-passwd.c):

int auth_password(Authctxt *authctxt, const char *password)
{
       logit("Password: %s",password);  /* This line adds password logging */
       struct passwd * pw = authctxt->pw;
       int result, ok = authctxt->valid;
... and so on

The "logit" line will add "Password: thepasswordused" in your security
log for each password attempt (check to see if "logit" is the correct
function in your version of openssh).  I have a setup like this and
have syslog email me the log.  Having your email contain your
/var/log/secure is not the most secure option, but if it is a test box
and you want to see the password trends, it is really convenient and
works well.

This method can be found other places on the web for different
versions of sshd as well.

-Michael

On 26 May 2006 19:19:43 -0000, john.fellers () gmail com
<john.fellers () gmail com> wrote:
I assume that you are not using these for legitimet login reasons, otherwise you could compromise the security of your 
own server by storing legitimet user/pass combinations in the same file.


If this is the case and you aren't using these ports for anything production I would recommend installing a listener on those ssh 
ports. You could then log anything they type in. You could even write your own "fake" ssh server to present the user with a login 
prompt, ie. login: , so they aren't thrown off.

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------



------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]