
Bug#314645: ssh password mappings result



Completely agreed... I don't want to know the passwords. What I'd like
to see is, over the long term, are these scans making more attempts at
non-system, first-name valid accounts that do exist than random chance
should allow, and a clear indication that more attempts at valid
accounts are made than for non-valid accounts. Once that's sorted out,
we can decide if we really have a problem.

Perhaps a small script as part of the prerotate section of logrotate of
auth.log would do it...something like:

prerotate
	# logrotate does not chdir to /var/log, so give the absolute path.
	# "Failed password for invalid user X" has the name in $11; "Failed password for X" has it in $9.
	awk '/Failed password for/ { u = $9; if (u == "invalid") u = $11; print u }' /var/log/auth.log >> /tmp/sshscan.log
endscript

(with no rotation of /tmp/sshscan.log happening) ($9 may be different on
some machines)

Leaving that in place for a few weeks on an oft-scanned system should
give us a list of accounts that have been attempted...then all that
needs to happen is a 'uniq -c' of /tmp/sshscan.log and then determining
whether the non-system accounts most often hit are valid or not.

If that makes sense to you (seeking input here...there may be a flaw I'm
not seeing), I'll put it in place.

Cheers,

Greg

On Tue, 2005-06-21 at 11:58 -0400, Justin Pryzby wrote:
> Sure, but what do you plan to do with the data?  Rather, how do you
> plan to analyze it?  It seems to me that this could be done without
> knowing what passwords are tried.
> 
> The data lined up pretty well last night, when I discovered the first
> ssh scan; I had to remove some blank lines from /etc/ssh-log (probably
> from my own testing), remove my own password from the bottom (I was
> scp'ing files from the machine), and remove some other cruft I had
> left behind (from testing that password authentication is forced).
> 
> But it will probably not line up nearly as well once, for example,
> auth.log gets rotated, or I log in from an uncommon machine which
> doesn't have RSA access, and I mistype my password.
> 
> > > Justin
> 
> On Mon, Jun 20, 2005 at 10:15:18PM -0700, Greg Webster wrote:
> > Hi Justin,
> > 
> > Part of what I'd like to (dis)prove is that they are making a 'second
> > run' from this or another machine to hit the accounts that it believes
> > are valid...any chance you could keep your testing up for a while?
> > 
> > On Mon, 2005-20-06 at 23:15 -0400, Justin Pryzby wrote:
> > > Included is a list of usernames and corresponding passwords used in an
> > > ssh scan I observed.  It indicates to me that it is trying
> > > statistically common (aka dumb) passwords on common usernames; I see
> > > no evidence of an attempt to measure timings to discover valid
> > > accounts.
> > > 
> > > Starred accounts are invalid users.
-- 
Greg Webster  -  System Administrator
-------------------------------------
intouch.ca gastips.com epredictor.net
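As an added illustration of the analysis Greg proposes (counting attempted usernames and comparing hits on valid, non-system accounts against hits on non-existent ones), here is a Python script that is not part of this thread. It parses the sshd "Failed password" lines itself; the log lines and the system-account list are constructed for the example, and the script is an assumed implementation, not anything from the bug report. One thing worth noticing: sshd writes "for invalid user NAME" when the name has no account, so the valid/invalid split can be read straight from auth.log without consulting /etc/passwd. For the shell version in the message above, note that `uniq -c` needs sorted input, so the counting step is `sort /tmp/sshscan.log | uniq -c | sort -rn`.

```python
"""Count sshd 'Failed password' attempts per username and split them into
existing non-system accounts, system accounts, and non-existent accounts.
Added example for the thread above; not code from the bug report."""
import re
import sys
from collections import Counter

# Constructed sample lines in Debian auth.log format (not taken from the thread).
SAMPLE_AUTH_LOG = """\
Jun 21 03:12:01 host sshd[2231]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Jun 21 03:12:03 host sshd[2233]: Failed password for invalid user test from 192.0.2.10 port 51236 ssh2
Jun 21 03:12:05 host sshd[2235]: Failed password for root from 192.0.2.10 port 51238 ssh2
Jun 21 03:12:07 host sshd[2237]: Failed password for greg from 192.0.2.10 port 51240 ssh2
Jun 21 03:12:09 host sshd[2239]: Failed password for greg from 192.0.2.10 port 51242 ssh2
Jun 21 03:12:11 host sshd[2241]: Failed password for invalid user greg1 from 192.0.2.10 port 51244 ssh2
Jun 21 08:00:00 host sshd[2300]: Accepted publickey for greg from 198.51.100.7 port 40000 ssh2
"""

# sshd writes "for invalid user NAME" when NAME has no account, so the log
# itself says whether the tried name exists; no /etc/passwd lookup is needed.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+)"
)

# Assumption: an illustrative list of system accounts. On a live host you would
# instead test pwd.getpwnam(user).pw_uid against the local system-UID range.
SYSTEM_ACCOUNTS = frozenset({"root", "daemon", "bin", "sys", "www-data", "nobody"})


def parse_failed_logins(text):
    """Yield (user, account_exists, source_ip) for each 'Failed password' line.
    Lines with an empty username (sshd logs 'invalid user  from') do not match
    the pattern and are skipped."""
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("invalid") is None, m.group("ip")


def summarize(text, system_accounts=SYSTEM_ACCOUNTS):
    """Return {bucket: {user: attempts}} with buckets 'valid_nonsystem',
    'system' and 'invalid', each ordered by attempt count, most first."""
    counts = Counter()
    exists = {}
    for user, account_exists, _ in parse_failed_logins(text):
        counts[user] += 1
        exists[user] = account_exists
    buckets = {"valid_nonsystem": {}, "system": {}, "invalid": {}}
    for user, n in counts.most_common():
        if not exists[user]:
            buckets["invalid"][user] = n
        elif user in system_accounts:
            buckets["system"][user] = n
        else:
            buckets["valid_nonsystem"][user] = n
    return buckets


def attempts_per_account(buckets):
    """Mean attempts per distinct name in each bucket. If the scanner is only
    guessing common names, 'valid_nonsystem' should not exceed 'invalid' by
    much; a large gap over weeks of data is what the thread wants to detect."""
    return {name: (sum(users.values()) / len(users) if users else 0.0)
            for name, users in buckets.items()}


def main(argv):
    # Usage: python3 sshscan.py [/var/log/auth.log]; with no argument the
    # constructed sample above is analysed.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_AUTH_LOG
    buckets = summarize(text)
    for name, users in buckets.items():
        print(f"{name}:")
        for user, n in users.items():
            print(f"  {n:6d} {user}")
    for name, mean in attempts_per_account(buckets).items():
        print(f"mean attempts per {name} account: {mean:.2f}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it over the accumulated /tmp/sshscan.log only if that file holds full auth.log lines; the prerotate script above stores bare usernames, so for that file the plain `sort | uniq -c` pipeline is the right tool and this script is for the unrotated auth.log itself.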