SSH logs as a Honeypot

You can use your logs as a "poor man's" honeypot.

Review your logs and modify the following awk command to suit your needs. The exact syntax will vary depending on your authentication (passwords or keys) and server.

Debian:

awk 'gsub(".*sshd.*Invalid.*user", "") {print $1}' /var/log/auth.* | sort | uniq

Fedora:

awk 'gsub(".*sshd.*userauth.*user", "") {print $1}' /var/log/secure* | sort | uniq

If you are not familiar with awk, gsub matches and strips the part of the log line up to and including the word "user", so that {print $1} prints the user name that follows. See an online awk guide for details.

A sample line from Debian log file is:

Jul 26 19:45:32 Debian sshd[18302]: Invalid user oracle from 211.137.134.74

A sample line from a Fedora log file is:

Jul 27 15:34:43 Fedora sshd[7546]: input_userauth_request: invalid user root

I cross-compiled a list of the users my ssh logs have seen over the last year or so …

23-164-111-65
admin
alias
ant
anthony
bin
bureau
cote
david
db2inst1
fluffy
guest
httpd
jasmin
laura
nagios
office
oracle
pc
postgres
prueba
recruit
root
sales
samba
staff
teamspeak
test
ts
webmaster
wwwadmin

Now obviously some of these names are going to be unique, but the list should give you an idea of which users to block. Add one of the options below to /etc/ssh/sshd_config and restart (or reload) your ssh server.

Black list

Blacklist common user names used by “script kiddies”

DenyUsers admin guest http httpd nagios office oracle postgres root sales samba staff webmaster wwwadmin

White list

Of course an easier method is to use a white list. If you white list allowed users, users not on the list are by definition black listed (if a user is not on your white list they cannot log in via ssh).

AllowUsers user_1 user_2

Just make sure none of the allowed users is on the above black list, and be sure to monitor your logs ;)
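The awk extraction above and the DenyUsers / AllowUsers advice, worked through as one added example that is not from the original post: a POSIX shell script that parses both the Debian and Fedora line formats, lists the rejected names and their source addresses, and builds a DenyUsers line that leaves out the accounts you pass as arguments. The log lines are constructed samples and the function names are my own.

```shell
#!/bin/sh
# Constructed sshd log lines in the Debian ("Invalid user X from IP") and
# Fedora ("invalid user X") forms, plus one accepted login that must be ignored.
SAMPLE_LOG='Jul 26 19:45:32 Debian sshd[18302]: Invalid user oracle from 211.137.134.74
Jul 26 19:45:40 Debian sshd[18305]: Invalid user oracle from 211.137.134.74
Jul 26 19:46:01 Debian sshd[18310]: Invalid user admin from 198.51.100.7
Jul 27 15:34:43 Fedora sshd[7546]: input_userauth_request: invalid user root
Jul 27 15:35:02 Fedora sshd[7551]: input_userauth_request: invalid user test
Jul 27 15:36:00 Fedora sshd[7560]: Accepted publickey for alice from 192.0.2.9 port 5022 ssh2'

# Unique login names sshd rejected, one per line; handles both forms above.
invalid_users() {
    awk '/sshd\[[0-9]+\]: .*[Ii]nvalid user [^ ]+/ {
        sub(/.*[Ii]nvalid user /, "")   # drop everything up to the name
        print $1                        # first remaining field is the name
    }' | sort -u
}

# Unique source addresses, taken from lines that carry "from <address>".
invalid_sources() {
    awk '/sshd\[[0-9]+\]: .*[Ii]nvalid user .* from / {
        for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
    }' | sort -u
}

# Build a DenyUsers line for sshd_config from the log on stdin, skipping any
# names given as arguments (your real accounts): sshd evaluates DenyUsers
# before AllowUsers, so a name on both lists would be locked out.
deny_users_line() {
    names=$(invalid_users | awk -v skip=" $* " 'index(skip, " " $0 " ") == 0' | tr '\n' ' ')
    names=${names% }                    # strip the trailing space
    [ -n "$names" ] && printf 'DenyUsers %s\n' "$names"
}

# Against real files: zcat -f /var/log/auth.log* | deny_users_line alice bob
printf '%s\n' "$SAMPLE_LOG" | deny_users_line alice   # DenyUsers admin oracle root test
printf '%s\n' "$SAMPLE_LOG" | invalid_sources
```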

Black list ip addresses

If you examine the awk command I used above and look at your logs, you can also generate a list of ip addresses to black list if you desire. IMO this is not as helpful, since it is rather trivial to change an ip address, and the ip list becomes long …

Alternates

Obviously you can use other tools to secure ssh, such as ssh keys, TCP Wrappers, denyhosts, and fail2ban.


5 Responses to SSH logs as a Honeypot

  1. Scott says:

    You could also do, if you log rotate and compress (for the gzipped files):

    zcat auth.log*.gz | awk 'gsub (".*sshd.*Invalid.*user", "") {print $1}' | sort | uniq

  2. legribou says:

    Hi,

    I use these simple iptables rules for ssh. Maybe not so good as fail2ban but easier to deploy

    -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
    -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH -j DROP

    -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT

    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    5 attempts ssh connection / min, and block a min if fail.
    Drop most of the ssh scan

    Ghislain

  3. bodhi.zazen says:

    @legribou Aye, I use a similar set of rules, thank you for posting yours. You may need to be a bit more liberal if you use scp.

  4. bodhi.zazen says:

    @Scott Thank you for taking the time to leave that tip as well.

  5. Scott says:

    Absolutely, I forgot to add to the first comment, but great post!
