Re: Logging passwords of SSH attacks
On Fri, Jan 16, 2009 at 02:25:35PM +0100, Florian Mickler wrote:
> On Thu, 15 Jan 2009 20:10:44 +0200
> "Dotan Cohen" <dotancohen@gmail.com> wrote:
>
> > I get a few thousand of these every day in the logs:
> > Illegal users from:
> > 70.85.222.106 (sales.gbdweb.com): 518 times
> > anna/password: 1 time
> > apache/password: 1 time
> > arthur/password: 1 time
> > attack/password: 1 time
> > awharton/password: 1 time
> >
> > How can I start logging the passwords attempted as well as the
> > usernames? Thanks.
> >
> That's not possible without hacking in the ssh-sourcecodes, I assume.

Or alternatively the PAM module that is used. OpenSSH here checks
passwords using PAM.

> It would be a security nightmare to have the passwords of users being
> logged, even if it would only be on failed attempts.

And even then it would give some interesting clues, as it would also log
real passwords with typos.

> People often confuse which password they have to enter where, and thus valid
> passwords would wander into the logs for malicious people to collect and
> use at other sites.

auth.log is only readable to sysadmins.

--
Tzafrir Cohen | tzafrir@jabber.org | VIM is
http://tzafrir.org.il | | a Mutt's
tzafrir@cohens.org.il | | best
ICQ# 16849754 | | friend