
Re: Logging passwords of SSH attacks



On Fri, Jan 16, 2009 at 06:03:52PM +0200, Dotan Cohen wrote:
> 2009/1/16 Jeff Soules <soules@gmail.com>:
> >> While in general I agree, in this case you could say that I am sitting
> >> here as a honeypot. No legitimate users will try connecting via SSH on
> >> port 22, and certainly not over the big bad internet. The only reason
> >> that I have sshd running here is for another machine on the LAN to ssh
> >> in on a different port.
> >
> > That would seem to reduce the difficulties associated with logging
> > random users' passwords.  However, that makes me wonder what the point
> > is -- are you just curious as to how random crackers start their
> > dictionary attacks?
> >
> 
> Yes.
> 
> > Besides, if you're only SSHing on the lan, you might be better off
> > from a security standpoint by just dropping foreign-IP packets to 22
> > and whatever SSH port you actually use.  If there is no legitimate
> > traffic, why even give attackers a login prompt?
> >
> 
> Just to see what they are doing.


Why not mix the two: use fail2ban to, instead of dropping the packets,
send the packets to a honeypot sshd and then log the passwords?

> 
> -- 
> Dotan Cohen
> 
> http://what-is-what.com
> http://gibberish.co.il
> 
> א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
> ا-ب-ت-ث-ج-ح-خ-د-ذ-ر-ز-س-ش-ص-ض-ط-ظ-ع-غ-ف-ق-ك-ل-م-ن-ه‍-و-ي
> А-Б-В-Г-Д-Е-Ё-Ж-З-И-Й-К-Л-М-Н-О-П-Р-С-Т-У-Ф-Х-Ц-Ч-Ш-Щ-Ъ-Ы-Ь-Э-Ю-Я
> а-б-в-г-д-е-ё-ж-з-и-й-к-л-м-н-о-п-р-с-т-у-ф-х-ц-ч-ш-щ-ъ-ы-ь-э-ю-я
> ä-ö-ü-ß-Ä-Ö-Ü

-- 
"We've tripled the amount of money -- I believe it's from $50 million up to $195 million available."

	- George W. Bush
03/23/2002
Lima, Peru

Attachment: signature.asc
Description: Digital signature
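
The suggestion in the reply above, sketched as a fail2ban configuration. This is an added example, not part of the original message or of fail2ban's shipped files. The action name honeypot-redirect, the jail name, the honeypot port 2222 and the log path are assumptions, and a separate password-logging honeypot sshd is assumed to be already listening on that port.

```ini
# --- /etc/fail2ban/action.d/honeypot-redirect.conf (hypothetical file name) ---
# Instead of dropping a banned source, rewrite its new connections to
# tcp/<port> so they land on the honeypot sshd at tcp/<honeyport>.
[Definition]
# Dedicated nat chain, so stopping the jail removes every redirect at once.
actionstart = iptables -t nat -N f2b-honeypot
              iptables -t nat -I PREROUTING -p tcp --dport <port> -j f2b-honeypot
actionstop  = iptables -t nat -D PREROUTING -p tcp --dport <port> -j f2b-honeypot
              iptables -t nat -F f2b-honeypot
              iptables -t nat -X f2b-honeypot
# One rule per offending address; REDIRECT keeps the traffic on this host.
actionban   = iptables -t nat -I f2b-honeypot -s <ip> -p tcp -j REDIRECT --to-ports <honeyport>
actionunban = iptables -t nat -D f2b-honeypot -s <ip> -p tcp -j REDIRECT --to-ports <honeyport>

[Init]
# Defaults; a jail can override them with action = honeypot-redirect[port=..., honeyport=...]
port      = 22
honeyport = 2222

# --- /etc/fail2ban/jail.local (fragment) ---
[sshd-honeypot]
enabled  = true
# Stock sshd filter: matches failed logins recorded by the real sshd.
filter   = sshd
# Assumption: auth log location; adjust for the distribution in use.
logpath  = /var/log/auth.log
maxretry = 3
findtime = 600
# How long a source stays redirected to the honeypot, in seconds.
bantime  = 86400
action   = honeypot-redirect[port=22, honeyport=2222]
```

Only new connections from a banned address are redirected, since NAT rules are evaluated on the first packet of a connection. The honeypot sshd should run unprivileged and isolated from the real one, because it deliberately accepts hostile input.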