Tuesday, October 30, 2007

OpenSSH Brute Password Capture Patch

Today I was dealing with one of the countless SSH brute-force grinders running wild on the net, and I thought it would be cool to capture all the username/password combinations they were supplying. During a search I ran across this nifty little patch. I downloaded it and attempted to use it, but could not get the patch to apply. After a bit of investigation I determined that it was written for the OpenBSD-specific version of OpenSSH and would not work on OpenSSH Portable. Since I wanted to use this on my Linux box, I had to modify the patch to get it to work.

The next thing I discovered is that I really didn't like the logging format. The logs record the epoch time, username, password, and IP address, but these are spread across four separate lines, so a sample entry looks something like this:


Not very easy to parse. Since I was interested in using the data for other things, I decided to modify the logging as well. The format still has the same fields, but now in a colon-delimited layout with one attempt per line. It now looks something like this:


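Once the attempts are one per line, the data is easy to work with. The following Python script is an added example (not part of the original post or the patch): it parses the colon-delimited log and tallies the usernames, passwords and source addresses the grinders use. It assumes the field order epoch:username:password:IP and IPv4 addresses only; the sample lines are constructed. Because a password may itself contain a colon, it splits each line from the outside in rather than naively on every colon.

```python
"""Parse the colon-delimited capture log (epoch:username:password:ip, one
attempt per line) and summarize what the brute forcers are trying."""
import re
from collections import Counter

# Only IPv4 sources are handled: an IPv6 address contains colons and would be
# ambiguous in this format.
_IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

# Constructed sample data (not from the original post), in the assumed field
# order epoch:username:password:ip. One password deliberately contains colons
# and one line is garbage, to exercise the error handling.
SAMPLE_LOG = """\
1193731200:root:123456:192.0.2.10
1193731201:root:password:192.0.2.10
1193731202:admin:admin:192.0.2.10
1193731230:root:pa:ss:word:198.51.100.7
1193731231:test:test:198.51.100.7
this line is garbage
1193731232:oracle:oracle:192.0.2.10
"""


def parse_line(line):
    """Return one attempt as a dict, or None if the line does not parse.

    Epoch and username are the first two fields and the IP is the last one;
    everything in between is the password, so embedded colons survive.
    """
    parts = line.rstrip("\r\n").split(":")
    if len(parts) < 4:
        return None
    epoch, user, ip = parts[0], parts[1], parts[-1]
    password = ":".join(parts[2:-1])
    if not epoch.isdigit() or not _IPV4_RE.match(ip):
        return None
    return {"epoch": int(epoch), "user": user, "password": password, "ip": ip}


def summarize(lines):
    """Tally users, passwords, user/password pairs and per-source activity."""
    users, passwords, pairs = Counter(), Counter(), Counter()
    sources = {}
    rejected = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            rejected += 1
            continue
        users[rec["user"]] += 1
        passwords[rec["password"]] += 1
        pairs[(rec["user"], rec["password"])] += 1
        src = sources.setdefault(
            rec["ip"], {"attempts": 0, "first": rec["epoch"], "last": rec["epoch"]}
        )
        src["attempts"] += 1
        src["first"] = min(src["first"], rec["epoch"])
        src["last"] = max(src["last"], rec["epoch"])
    return {
        "users": users,
        "passwords": passwords,
        "pairs": pairs,
        "sources": sources,
        "rejected": rejected,
    }


def report(summary, top=5):
    """Render the summary as plain text, most-tried items first."""
    out = []
    for name in ("users", "passwords"):
        out.append("top %s:" % name)
        for value, n in summary[name].most_common(top):
            out.append("  %6d  %s" % (n, value))
    out.append("sources (attempts, seconds active):")
    for ip, s in sorted(summary["sources"].items(),
                        key=lambda kv: -kv[1]["attempts"]):
        out.append("  %-15s %6d  %6d" % (ip, s["attempts"], s["last"] - s["first"]))
    out.append("rejected lines: %d" % summary["rejected"])
    return "\n".join(out)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG.splitlines())))
```

The outside-in split is the one thing to get right here: a naive `line.split(":")` would silently miscount every password containing a colon, and if the capture ever records IPv6 clients the format itself becomes ambiguous and a different delimiter is needed.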
I've placed the patch on my Google Code site for now. It's not very clean, but it appears to work with the portable version of OpenSSH for Linux; I tested it on version 4.7p1 on CentOS. Keep in mind that the log holds plaintext passwords, including any that a legitimate user mistypes, so restrict its permissions accordingly.

I'll attempt to clean it up and refine it later.

Anonymous said...

Very cool, thanks. I've been looking all over for a patch that would enable this kind of logging!

Tuesday, May 27, 2008 2:27:00 AM
Anonymous said...

Didn't use it, but thanks.
You should say that it won't work if you're using PAM for authentication, though.

Tuesday, May 27, 2008 1:44:00 PM
Anonymous said...

Awesome! I've been looking for a while for a patch that would do this. I followed your comment on unixcluster's site and it works great. I'm using Ubuntu Hardy Server with openssh-5.0p1. Thanks! :-D

Sunday, June 29, 2008 11:05:00 AM