[rescue] SSH functionality ::WAS::::::::Re: Sun V240
Jerry Kemp
sun.mail.list47 at oryx.us
Wed Nov 1 15:06:43 CDT 2017
Hello David,
Thank you for the post. I haven't looked at these directly, but I'm assuming
that since you suggested them, they work well with both Solaris and
Solaris distros, and work with OpenSSH.
Several years back, I explored quite a few of these SSH blocking/firewalling
utilities. My discovery, at the time, was that the vast majority of the ones I
reviewed were written to interact only with the proprietary Linux built-in
firewall application.
Regarding the "match" functionality in current OpenSSH releases, I seem to
recall looking at that, and not pursuing that further. Can't remember as to why.
One of the things I liked about the DenyHosts application was that it would
add entries to the /etc/hosts.deny file, which was very useful when being
hit by a rapid dictionary attack, but also that I could set a timeout which
would remove entries. Helpful if you make multiple bad attempts and get
yourself blocked from your own box.
Lionel,
Regarding observing remote root login attempts, regardless of root being
disabled, it is just the fact that they are occurring. I would speculate that if
you have just stuck your box out on the Internet, the (ssh) login attempts are
probably low at present. I have a (Solaris) box that has been in a colo for more
than a decade (upgraded several times), and I am just continually being hit by
random & continual ssh remote login attempts.
Although I mostly use ssh keys, and not passwds, I'm a big believer in the Bob
Beck method of managing administrative accounts.
<https://web.archive.org/web/20160310190935/http://archives.neohapsis.com/archives/openbsd/2005-03/2878.html>
My big concern, due to the number of hits, is properly managing and
addressing the events that do end up logged. I already mentioned that I use
DenyHosts to limit dictionary attacks that hit hard and heavy. It didn't take
long to start wondering what credentials the script kiddies were using to
attempt to log into my system.
To address that, I am using a utility called 'kippo'. Here is some sample log
output, and you can see that frequently passwords are simple, although sometimes
they can be long and complex. Big fan of kippo.
.................................................
2017-11-01 15:00:02-0500 [SSHService ssh-userauth on HoneyPotTransport,70340,198.98.60.52] mother trying auth password
2017-11-01 15:00:02-0500 [SSHService ssh-userauth on HoneyPotTransport,70340,198.98.60.52] login attempt [mother/admin] failed
2017-11-01 15:00:03-0500 [-] mother failed auth password
2017-11-01 15:00:03-0500 [-] unauthorized login:
2017-11-01 15:00:03-0500 [SSHService ssh-userauth on HoneyPotTransport,70340,198.98.60.52] mother trying auth password
2017-11-01 15:00:03-0500 [SSHService ssh-userauth on HoneyPotTransport,70340,198.98.60.52] login attempt [mother/root] failed
2017-11-01 15:00:04-0500 [-] mother failed auth password
2017-11-01 15:00:04-0500 [-] unauthorized login:
2017-11-01 15:00:05-0500 [SSHService ssh-userauth on HoneyPotTransport,70340,198.98.60.52] mother trying auth password
2017-11-01 15:00:05-0500 [SSHService ssh-userauth on HoneyPotTransport,70340,198.98.60.52] login attempt [mother/ubnt] failed
2017-11-01 15:00:06-0500 [-] mother failed auth password
2017-11-01 15:00:06-0500 [-] unauthorized login:
2017-11-01 15:00:06-0500 [SSHService ssh-userauth on HoneyPotTransport,70340,198.98.60.52] mother trying auth password
2017-11-01 15:00:06-0500 [SSHService ssh-userauth on HoneyPotTransport,70340,198.98.60.52] login attempt [mother/user] failed
2017-11-01 15:00:07-0500 [-] mother failed auth password
2017-11-01 15:00:07-0500 [-] unauthorized login:
2017-11-01 15:00:07-0500 [HoneyPotTransport,70340,198.98.60.52] connection lost
.................................................
As I log and archive this stuff, I have literally thousands of passwords to play
with, for use in other security tool explorations.
enjoy,
Jerry
On 11/ 1/17 11:33 AM, David Brownlee wrote:
>
> I'm sure all the cool kids are using something like
> https://www.sshguard.net/ or blacklistd
> https://www.youtube.com/watch?v=fuuf8G28mjs anyway :)
>
> The rationale for dropping tcpwrappers was that it was a subset of
> OpenSSH's built in Match functionality, and dropped a dependency
> http://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
> - I think someone even submitted a small patch back to trigger
> tcpwrappers from Match.
>
> and thankfully there are also other ssh client implementations which
> support sshv1 or similar to connect to older boxes :)
>
> David
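Editor's added example (not code from the thread, kippo or DenyHosts): the two things Jerry describes above, mining kippo's log for the credentials attackers try and a DenyHosts-style hosts.deny block that expires after a timeout, written as one small Python script. The log format is the one shown in his excerpt; the sample lines are constructed, use RFC 5737 documentation addresses rather than any real attacker IP, and the threshold, window and purge interval are illustrative assumptions, not DenyHosts' actual defaults.

```python
"""Parse kippo-style honeypot log lines, tally the credentials attackers try,
and apply a DenyHosts-style block/expire policy to the source addresses.

Added example; not kippo's or DenyHosts' own code. The log format follows the
lines quoted in the post. SAMPLE_LOG is constructed (RFC 5737 addresses), and
the threshold / window / purge values are assumptions for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in kippo's log format: one fast dictionary run from one host,
# two slow attempts from a second host, and a single attempt from a third.
SAMPLE_LOG = """\
2017-11-01 15:00:02-0500 [SSHService ssh-userauth on HoneyPotTransport,70340,198.51.100.7] mother trying auth password
2017-11-01 15:00:02-0500 [SSHService ssh-userauth on HoneyPotTransport,70340,198.51.100.7] login attempt [mother/admin] failed
2017-11-01 15:00:03-0500 [-] mother failed auth password
2017-11-01 15:00:03-0500 [-] unauthorized login:
2017-11-01 15:00:03-0500 [SSHService ssh-userauth on HoneyPotTransport,70340,198.51.100.7] login attempt [mother/root] failed
2017-11-01 15:00:05-0500 [SSHService ssh-userauth on HoneyPotTransport,70340,198.51.100.7] login attempt [mother/ubnt] failed
2017-11-01 15:00:06-0500 [SSHService ssh-userauth on HoneyPotTransport,70340,198.51.100.7] login attempt [mother/user] failed
2017-11-01 15:00:07-0500 [HoneyPotTransport,70340,198.51.100.7] connection lost
2017-11-01 15:02:10-0500 [SSHService ssh-userauth on HoneyPotTransport,70341,203.0.113.9] login attempt [root/123456] failed
2017-11-01 15:02:11-0500 [SSHService ssh-userauth on HoneyPotTransport,70341,203.0.113.9] login attempt [root/admin] failed
2017-11-01 15:40:00-0500 [SSHService ssh-userauth on HoneyPotTransport,70342,203.0.113.9] login attempt [root/123456] failed
2017-11-01 16:05:00-0500 [SSHService ssh-userauth on HoneyPotTransport,70343,192.0.2.44] login attempt [admin/admin] failed
"""

TS_FMT = "%Y-%m-%d %H:%M:%S%z"

# Only the "login attempt [user/password] failed|succeeded" lines carry credentials;
# the "trying auth password" / "connection lost" lines are noise for this purpose.
ATTEMPT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{4}) "
    r"\[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<ip>[0-9.]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<password>[^\]]*)\] (?P<result>failed|succeeded)$"
)


def parse_ts(text):
    """Parse kippo's '2017-11-01 15:00:02-0500' timestamp into an aware datetime."""
    return datetime.strptime(text, TS_FMT)


def parse_attempts(text):
    """Return (timestamp, ip, user, password, result) for each login-attempt line."""
    attempts = []
    for line in text.splitlines():
        m = ATTEMPT_RE.match(line)
        if m:
            attempts.append((parse_ts(m["ts"]), m["ip"], m["user"], m["password"], m["result"]))
    return attempts


def credential_counts(attempts):
    """Count each (user, password) pair tried; accumulated over time this is the
    credential list the post describes archiving."""
    return Counter((user, pw) for _, _, user, pw, _ in attempts)


def compute_blocks(attempts, threshold=3, window=timedelta(minutes=5),
                   purge_after=timedelta(hours=1)):
    """DenyHosts-style policy (parameters are illustrative assumptions): an IP is
    blocked the moment it reaches `threshold` failures inside any `window`, and
    the block expires `purge_after` later. Returns {ip: (blocked_at, expires_at)}."""
    failures = defaultdict(list)
    for ts, ip, _, _, result in attempts:
        if result == "failed":
            failures[ip].append(ts)
    blocks = {}
    for ip, times in failures.items():
        times.sort()
        for i in range(threshold - 1, len(times)):
            if times[i] - times[i - threshold + 1] <= window:
                blocks[ip] = (times[i], times[i] + purge_after)
                break
    return blocks


def hosts_deny_lines(blocks, now):
    """Render the /etc/hosts.deny entries still active at `now`; expired entries
    are dropped, which is the timeout that lets you back into your own box."""
    return [f"sshd: {ip}" for ip, (_, expires) in sorted(blocks.items()) if now < expires]


if __name__ == "__main__":
    attempts = parse_attempts(SAMPLE_LOG)
    for (user, pw), n in credential_counts(attempts).most_common():
        print(f"{n:3d}  {user}/{pw}")
    blocks = compute_blocks(attempts)
    print("active at 15:30:", hosts_deny_lines(blocks, parse_ts("2017-11-01 15:30:00-0500")))
    print("active at 16:10:", hosts_deny_lines(blocks, parse_ts("2017-11-01 16:10:00-0500")))
```

On the sample, only 198.51.100.7 trips the three-failures-in-five-minutes rule (203.0.113.9 spreads its three failures over 38 minutes, so a fixed window never sees enough of them), and its entry is gone again by 16:10. That second host is the usual caveat with threshold-based blockers: slow, distributed guessing sails under them, which is why key-only authentication matters more than the blocker.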