24

What can be learned about a 'user' from a failed malicious SSH attempt?

  • User name entered (/var/log/secure)
  • Password entered (if configured, i.e. by using a PAM module)
  • Source IP address (/var/log/secure)

Are there any methods of extracting anything else? Whether it's info hidden in log files, random tricks or from 3rd party tools etc.

Jakuje
Exbi
  • You shouldn't enable PAM modules to log failed password attempts. Then you could trivially work out other people's passwords by looking at their failed login attempts (due to typos or whatever). – Muzer Mar 06 '17 at 16:49

3 Answers

27

Well, an item that you haven’t mentioned is the fingerprints of the private keys they tried before entering a password. With openssh, if you set LogLevel VERBOSE in /etc/sshd_config, you get them in the log files. You can check them against the collection of public keys your users have authorized in their profiles, to see if they have been compromised. In the case that an attacker has got hold of a user’s private key and is looking for the login name, knowing that the key is compromised could prevent the intrusion. Admittedly, it’s rare: whoever owns a private key has probably found out the login name too...

Dario
17

Going a little bit further, with LogLevel DEBUG you can also find out the client software/version, in the format

Client protocol version %d.%d; client software version %.100s

It will also print the key exchange, ciphers, MACs and compression methods available during the key exchange.

heemayl
Jakuje
6

If the login attempts are very frequent or happen at all hours of the day, then you could suspect that the login is performed by a bot.

You might be able to deduce the user's habits from the time of day that they log in or other activity on the server, e.g. the logins are always N seconds after an Apache hit from the same IP address, or a POP3 request, or a git pull.

dotancohen