08.01.07

Watching /var/log/auth.d

Posted in IT at 8:48 pm by Tyler Reguly

Recently I revamped my network, the wireless AP moved to the back of the network, eliminating an unnecessary hop for my wired machines. It also put my primary wired network directly off the primary NAT router, instead of daisy chaining it through two NAT devices. This gives me a bit more freedom, so I decided to put my shell box online, so I can access it remotely.

The other day, I was looking through some logs and I noticed that /var/log/auth.d (authentication-related logging such as console logins and ssh) was quite large. There were pages upon pages of logs similar to this:

Jul 30 09:47:00 localhost sshd[20675]: Failed password for invalid user shell from 24.190.183.178 port 33839 ssh2
Jul 30 09:47:02 localhost sshd[20677]: Failed password for invalid user server from 24.190.183.178 port 34325 ssh2
Jul 30 09:47:05 localhost sshd[20679]: Failed password for invalid user server from 24.190.183.178 port 34412 ssh2
Jul 30 09:47:07 localhost sshd[20681]: Failed password for invalid user server from 24.190.183.178 port 34886 ssh2
Jul 30 09:47:10 localhost sshd[20683]: Failed password for backup from 24.190.183.178 port 34971 ssh2
Jul 30 09:47:12 localhost sshd[20685]: Failed password for backup from 24.190.183.178 port 35447 ssh2
Jul 30 09:47:15 localhost sshd[20687]: Failed password for invalid user oracle from 24.190.183.178 port 35528 ssh2
Jul 30 09:47:17 localhost sshd[20689]: Failed password for invalid user oracle from 24.190.183.178 port 36003 ssh2
Jul 30 09:47:20 localhost sshd[20691]: Failed password for invalid user oracle from 24.190.183.178 port 36464 ssh2
Jul 30 09:47:22 localhost sshd[20693]: Failed password for mail from 24.190.183.178 port 36549 ssh2
Jul 30 09:47:24 localhost sshd[20695]: Failed password for mail from 24.190.183.178 port 37019 ssh2
Jul 30 09:47:27 localhost sshd[20697]: Failed password for mail from 24.190.183.178 port 37107 ssh2
Jul 30 09:47:29 localhost sshd[20699]: Failed password for mail from 24.190.183.178 port 37197 ssh2

Should I mask that IP... maybe, but I'm not too happy with them auditing my system. Anyways... I'm a little curious... I'd like to know what passwords they are trying and I'm curious about the client version string that's offered... I doubt it will be "SSH-2.0-PuTTY_Release_0.60".

Since I'm lazy with this server and I've installed everything through apt, I had to go and grab the latest OpenSSH sources (the latest being 4.6p1). Now... let's log passwords and client version strings.

First, logging passwords passed to sshd in plaintext. Remember that this is a security risk and you shouldn't do this on production machines; it should only be done for testing and lab purposes. Now that I've said that, open the file auth-passwd.c.

Around line 80 you should see:

int
auth_password(Authctxt *authctxt, const char *password)
{
struct passwd * pw = authctxt->pw;
int result, ok = authctxt->valid;
#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
static int expire_checked = 0;

Place logit("Password: %s", password); above the struct passwd line. My function looks like this:

auth_password(Authctxt *authctxt, const char *password)
{
logit("Password: %s",password); /* Password Logging added by HT */
struct passwd * pw = authctxt->pw;
int result, ok = authctxt->valid;
#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
static int expire_checked = 0;

Now let's do some client version logging. For this open the file sshd.c and look at line 454. You should see:

buf[sizeof(buf) - 1] = 0;
client_version_string = xstrdup(buf);

Add the line logit("Client Version String: %s", client_version_string); below the client_version_string assignment, so that you have something like:

buf[sizeof(buf) - 1] = 0;
client_version_string = xstrdup(buf);
logit("Client Version String: %s", client_version_string); /* Client Version Logging added by HT */

You can save your changes and you're all done. Now, in your log files, you'll see:

Aug 1 20:39:40 localhost sshd[18426]: Client Version String: SSH-2.0-PuTTY_Release_0.60
Aug 1 20:39:45 localhost sshd[18426]: Invalid user hack from 192.168.1.101
Aug 1 20:39:45 localhost sshd[18426]: Excess permission or bad ownership on file /var/log/btmp
Aug 1 20:39:45 localhost sshd[18426]: Password:
Aug 1 20:39:45 localhost sshd[18426]: Failed none for invalid user hack from 192.168.1.101 port 56233 ssh2
Aug 1 20:39:48 localhost sshd[18426]: Password: l33thax0r

Pay close attention to my upcoming blog posts as I plan to study the passwords and usernames that I receive, along with the client_version_string. Enjoy watching people provide passwords!
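As an added example (not code from the post), here is a small Python parser for the two line types shown above, the stock "Failed password" entries and the "Client Version String" lines the logit() patch emits, that groups failures by source address, ties a banner to the failures on the same sshd pid, and applies the repeat-offender rule a blacklisting setup would use. The year (syslog lines carry none), the thresholds and the sample lines are assumptions made here.

```python
import re
from collections import defaultdict
from datetime import datetime

# Patterns for the two sshd line types on this page: the stock "Failed <method>"
# entry and the "Client Version String" line produced by the logit() patch.
FAILED_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
                       r"Failed \S+ for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
VERSION_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: Client Version String: (?P<ver>.+)$")

def summarize(lines, year=2007):
    """Per source IP: failure count, usernames tried, unknown-account count, failure
    timestamps, and client banners seen on the same sshd pid as the failures."""
    banner_by_pid = {}
    by_ip = defaultdict(lambda: {"count": 0, "users": set(), "invalid": 0, "times": [], "clients": set()})
    for line in lines:
        v = VERSION_RE.search(line)
        if v:  # the banner is logged before any auth attempt on that pid
            banner_by_pid[v["pid"]] = v["ver"]
            continue
        m = FAILED_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        rec = by_ip[m["ip"]]
        rec["count"] += 1
        rec["users"].add(m["user"])
        rec["invalid"] += 1 if m["invalid"] else 0
        # syslog timestamps carry no year, so the caller supplies one (assumed 2007 for this post)
        rec["times"].append(datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S"))
        if m["pid"] in banner_by_pid:
            rec["clients"].add(banner_by_pid[m["pid"]])
    return dict(by_ip)

def flag_bruteforce(summary, min_failures=5, window_seconds=60):
    """IPs with at least min_failures failures inside any window_seconds span (sliding window)."""
    def bursty(times):
        ts = sorted(times)
        return any((ts[i + min_failures - 1] - ts[i]).total_seconds() <= window_seconds
                   for i in range(len(ts) - min_failures + 1))
    return sorted(ip for ip, rec in summary.items() if bursty(rec["times"]))

# Constructed sample: lines taken from the post; the LAN client has a banner but only one failure.
SAMPLE = """\
Jul 30 09:47:00 localhost sshd[20675]: Failed password for invalid user shell from 24.190.183.178 port 33839 ssh2
Jul 30 09:47:02 localhost sshd[20677]: Failed password for invalid user server from 24.190.183.178 port 34325 ssh2
Jul 30 09:47:05 localhost sshd[20679]: Failed password for invalid user server from 24.190.183.178 port 34412 ssh2
Jul 30 09:47:10 localhost sshd[20683]: Failed password for backup from 24.190.183.178 port 34971 ssh2
Jul 30 09:47:12 localhost sshd[20685]: Failed password for backup from 24.190.183.178 port 35447 ssh2
Aug 1 20:39:40 localhost sshd[18426]: Client Version String: SSH-2.0-PuTTY_Release_0.60
Aug 1 20:39:45 localhost sshd[18426]: Failed none for invalid user hack from 192.168.1.101 port 56233 ssh2
""".splitlines()
```

Feeding the real auth log through summarize() and flag_bruteforce() gives the per-source username and banner breakdown; the window parameters are where a lockout or blacklist policy would be tuned.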

2 Comments »

  1. LonerVamp said,

    August 6, 2007 at 5:03 pm

    Feel free to compare to the SSH stats I had for about 6 months. I’ve changed out the server, so instead of logging this, I simply blacklist repeat offenders automatically now. Was interesting, though!

  2. LonerVamp said,

    August 6, 2007 at 5:46 pm

    I should have linked that, eh?

    http://www.terminal23.net/ssh.php