Suggestion: SSHD pseudo/fake mode. Source available.

This is a discussion within the OpenSSH Development forums, part of the Networking and Network Related category.

Old 02-24-2005
Daniel Kastenholz

Hi,

SSH brute force attacks seem to enjoy increasing popularity. Call me an
optimist or a misrouted kind of contributor to the community, but on our
company server I actually go through the logs and report extreme cases
to the providers of the originating IPs. With the increasing number of
these attacks, however, I have now decided that it's better to move the
SSHd to a different port. The downside is: it was actually fun to report
a failed brute force attack from time to time!

Alright, I know, there are IDSs available, and scanners, etc., etc.,
.... but one benefit of having a real daemon on port 22 is that it keeps
the intruder busy and produces evidence through failed login attempts
and usernames in the logfiles. So I thought it might be sensible to
build and run a fake server on port 22 that behaves
essentially like an original SSH daemon (key exchange, password request,
...) but strictly denies every attempt to log in, even if the password
turns out to be right.

I don't know if anyone else would find such a feature useful. But I
learned that it's just a few lines of additional code. I've run this
against release 3.9p1 of OpenSSH.

In short, here's what I did:
- added a new command line flag "-T" for trap to trigger the internal
"trap_mode" flag
- added a "trap" flag to the "authctxt" type that is set according to
"trap_mode" when a new context is created
- extended the conditionals in auth1.c etc. to circumvent
"authenticated"=1 when "authctxt->trap==1", even if the authentication
itself was successful.

Little effort for a trap that's almost impossible to identify as such.
If there's any interest in this solution, I would willingly provide a
patch file! Tiny little problem: I've never contributed to an open
source project before and don't know how to create this patch file
thing. Is that just the output of a "diff"? If someone tells me or could
point me to a short (!) tutorial, it's all yours.

And if you don't like having such an option in your sshd, well, no one
forces you to use it. But somebody else might be happy to have it.

Regards


Daniel

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listi...enssh-unix-dev
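The post's stated payoff for a trap daemon is the evidence it leaves behind: failed password attempts and the usernames tried, per source address, which the author reports to the originating providers. The following is an added example, not code from the post or from OpenSSH, that does that part of the job: it parses the "Failed password for ..." lines sshd writes at the default LogLevel, aggregates them per source IP, flags sources that exceed a threshold of failures inside a sliding time window, and renders a short abuse report. The log lines, hostname, addresses (RFC 5737 documentation ranges) and thresholds are all constructed for the example; syslog timestamps carry no year, so one is assumed (the `year` parameter) purely so the timestamps can be compared.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of sshd log lines (syslog layout, OpenSSH at LogLevel INFO).
# Hostname, PIDs and addresses are invented for this example.
SAMPLE_LOG = """\
Feb 24 03:01:02 host sshd[2011]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Feb 24 03:01:04 host sshd[2012]: Failed password for invalid user test from 203.0.113.5 port 41030 ssh2
Feb 24 03:01:06 host sshd[2013]: Failed password for root from 203.0.113.5 port 41041 ssh2
Feb 24 03:01:07 host sshd[2014]: Failed password for root from 203.0.113.5 port 41042 ssh2
Feb 24 03:01:09 host sshd[2015]: Failed password for invalid user oracle from 203.0.113.5 port 41050 ssh2
Feb 24 03:05:00 host sshd[2020]: Failed password for daniel from 198.51.100.7 port 50001 ssh2
Feb 24 03:05:30 host sshd[2021]: Accepted publickey for daniel from 198.51.100.7 port 50002 ssh2
Feb 24 03:06:00 host sshd[2022]: Invalid user guest from 203.0.113.5 port 41060
"""

# Matches the "Failed password" line; "invalid user" is present when the account
# does not exist on the host, which is the usual signature of a wordlist attack.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_failed_logins(lines, year=2005):
    """Yield one event dict per failed-password line; other lines are ignored."""
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if not m:
            continue
        # Syslog omits the year and may pad the day with a second space.
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        yield {
            "ts": ts.replace(year=year),
            "ip": m.group("ip"),
            "user": m.group("user"),
            "invalid": m.group("invalid") is not None,
        }


def summarize_failures(lines, year=2005):
    """Per-source summary: attempt count, usernames tried, first/last timestamp."""
    summary = {}
    for ev in parse_failed_logins(lines, year):
        s = summary.setdefault(ev["ip"], {
            "attempts": 0, "users": set(), "invalid_users": set(),
            "first": ev["ts"], "last": ev["ts"],
        })
        s["attempts"] += 1
        s["users"].add(ev["user"])
        if ev["invalid"]:
            s["invalid_users"].add(ev["user"])
        s["first"] = min(s["first"], ev["ts"])
        s["last"] = max(s["last"], ev["ts"])
    return summary


def brute_force_sources(lines, threshold=5, window=timedelta(seconds=60), year=2005):
    """Sources with at least `threshold` failures inside any `window`-long span."""
    stamps_by_ip = defaultdict(list)
    for ev in parse_failed_logins(lines, year):
        stamps_by_ip[ev["ip"]].append(ev["ts"])
    flagged = []
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        lo = 0
        for hi in range(len(stamps)):          # sliding window over sorted times
            while stamps[hi] - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


def abuse_report(lines, ip, year=2005):
    """Plain-text summary for the abuse contact of the network that owns `ip`."""
    s = summarize_failures(lines, year)[ip]
    fmt = "%Y-%m-%d %H:%M:%S"
    return (
        f"Source: {ip}\n"
        f"Failed SSH password attempts: {s['attempts']} "
        f"between {s['first'].strftime(fmt)} and {s['last'].strftime(fmt)}\n"
        f"Usernames tried: {', '.join(sorted(s['users']))}\n"
        f"Of which non-existent accounts: {', '.join(sorted(s['invalid_users'])) or '-'}\n"
    )


if __name__ == "__main__":
    log = SAMPLE_LOG.splitlines()
    for ip in brute_force_sources(log):
        print(abuse_report(log, ip))
```

Two caveats for real use: the regex matches only the password method, so publickey and keyboard-interactive failures are not counted, and with `LogLevel VERBOSE` sshd additionally logs "Invalid user" and "Connection closed" lines that this parser deliberately skips. Feed it `journalctl -u ssh -o short` or `/var/log/auth.log` line by line rather than a whole file read into memory if the host is busy.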