Увидеть пароли, которыми брутят твой SSH-сервер

Форум — Security

Один из вариантов, который выбрал я — пропатчить OpenSSH (он используется в большинстве дистрибутивов).

Патч:

--- old/auth-passwd.c	2009-03-07
+++ new/auth-passwd.c	2013-01-30
@@ -86,6 +86,8 @@
 	static int expire_checked = 0;
 #endif
 
+	logit("auth_password: username: `%s' password: `%s'", authctxt->user, password);
+
 #ifndef HAVE_CYGWIN
 	if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
 		ok = 0;

Теперь мы будем в /var/log/auth.log (или где там у вас пишутся логи ssh-сервака) видеть, чем именно нас пытаются «брутить» нехорошие дяденьки:

Jan 30 08:54:46 POWER sshd[12266]: reverse mapping checking getaddrinfo for corporat190-024010011.sta.etb.net.co [190.24.10.11] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 30 08:54:46 POWER sshd[12266]: auth_password: username: `root' password: `cacutza'
Jan 30 08:54:46 POWER sshd[12266]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=190.24.10.11  user=root
Jan 30 08:54:48 POWER sshd[12266]: Failed password for root from 190.24.10.11 port 41016 ssh2
Jan 30 08:54:52 POWER sshd[12266]: auth_password: username: `root' password: `root2010'
Jan 30 08:54:53 POWER sshd[12266]: Failed password for root from 190.24.10.11 port 41016 ssh2
Jan 30 08:54:53 POWER sshd[12266]: Connection closed by 190.24.10.11 [preauth]
Jan 30 08:54:53 POWER sshd[12266]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=190.24.10.11  user=root
Jan 30 09:06:05 POWER sshd[12275]: reverse mapping checking getaddrinfo for corporat190-024010011.sta.etb.net.co [190.24.10.11] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 30 09:06:05 POWER sshd[12275]: auth_password: username: `root' password: `cacutza'
Jan 30 09:06:06 POWER sshd[12275]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=190.24.10.11  user=root
Jan 30 09:06:08 POWER sshd[12275]: Failed password for root from 190.24.10.11 port 52188 ssh2
Jan 30 09:06:08 POWER sshd[12275]: auth_password: username: `root' password: `handler'
Jan 30 09:06:10 POWER sshd[12275]: Failed password for root from 190.24.10.11 port 52188 ssh2
Jan 30 09:06:10 POWER sshd[12275]: auth_password: username: `root' password: `centosadmin'
Jan 30 09:06:13 POWER sshd[12275]: Failed password for root from 190.24.10.11 port 52188 ssh2
Jan 30 09:06:13 POWER sshd[12275]: Connection closed by 190.24.10.11 [preauth]
Jan 30 09:06:13 POWER sshd[12275]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=190.24.10.11  user=root
Jan 30 09:17:25 POWER sshd[12352]: reverse mapping checking getaddrinfo for corporat190-024010011.sta.etb.net.co [190.24.10.11] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 30 09:17:25 POWER sshd[12352]: auth_password: username: `root' password: `cacutza'
Jan 30 09:17:25 POWER sshd[12352]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=190.24.10.11  user=root
Jan 30 09:17:28 POWER sshd[12352]: Failed password for root from 190.24.10.11 port 41523 ssh2
Jan 30 09:17:30 POWER sshd[12352]: auth_password: username: `root' password: `private'
Jan 30 09:17:33 POWER sshd[12352]: Failed password for root from 190.24.10.11 port 41523 ssh2
Jan 30 09:17:35 POWER sshd[12352]: Connection closed by 190.24.10.11 [preauth]
Jan 30 09:17:35 POWER sshd[12352]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=190.24.10.11  user=root
Jan 30 09:28:46 POWER sshd[12406]: reverse mapping checking getaddrinfo for corporat190-024010011.sta.etb.net.co [190.24.10.11] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 30 09:28:46 POWER sshd[12406]: auth_password: username: `root' password: `cacutza'
Jan 30 09:28:46 POWER sshd[12406]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=190.24.10.11  user=root
Jan 30 09:28:48 POWER sshd[12406]: Failed password for root from 190.24.10.11 port 50360 ssh2
Jan 30 09:28:51 POWER sshd[12406]: auth_password: username: `root' password: `root123'
Jan 30 09:28:53 POWER sshd[12406]: Failed password for root from 190.24.10.11 port 50360 ssh2
Jan 30 09:28:56 POWER sshd[12406]: Connection closed by 190.24.10.11 [preauth]
Jan 30 09:28:56 POWER sshd[12406]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=190.24.10.11  user=root

Простите, если боян.

brute-force, openssh, patch, ssh

~~mr_doug~~
(30.01.13 18:33:48 MSK)

157 комментариев (стр. 2 3 4)

Мой XFCE

Галерея — Скриншоты

Вроде как закончил настраивать под себя крыску:

На панельке dockbarx с темой Gaia;
Полностью убраны рамки и заголовки окон;
ШГ - infinality-bundle;
WM - Xfwm4, который мне не нравится из-за некоторых мелочей (кривые иконки при табуляции и на родном аплете «кнопки окон»).

Остальная инфа и скрины тут

>>> Просмотр (1366x768, 1240 Kb)

arch, xfce

pyinto
(23.07.16 10:29:29 MSK)

59 комментариев (стр. 2)