Tales of a patched sshd

October 2012 · 2 minute read

Some months back I applied this little patch and recompiled OpenSSH. The patch records incoming login attempts on my ssh server, both the username and the password, in a convenient logfile. I thought this would be a great way to compile a nice little dictionary of usernames and passwords for bruteforce attacks. Just for fun of course. I didn’t really think I would collect that many attempts.

This patch will make sshd (OpenSSH 4.7 portable) log usernames and passwords for:
- Invalid users
- Valid users who enter an invalid password

The log is written with mode 0600 to /var/log/sshd_logged; the format is colon-delimited:

Time since EPOCH:Username:Password:IP Address

Example:

1193780828:root:test2:10.0.6.147
1193788608:test:test:127.0.0.1

Original patch from:

http://unixcluster.dk/stuff/patches/openssh_logpasswd.patch

This patch provides compatibility with OpenSSH Portable (non-OpenBSD machines) and a log format that is more parser-friendly.

http://www.monkey-house.org

--- auth-passwd.c       2007-10-30 18:05:27.000000000 -0400
+++ auth-passwd.c.new   2007-10-30 18:02:42.000000000 -0400
@@ -40,11 +40,13 @@

 #include <sys/types.h>

+#include <time.h>
 #include <pwd.h>
 #include <stdio.h>
 #include <string.h>
 #include <stdarg.h>

+#include <sys/stat.h>
 #include "packet.h"
 #include "buffer.h"
 #include "log.h"
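Review bot: the two new headers are the right ones for time() and chmod(), but they land in odd places (<time.h> inserted ahead of <pwd.h>, <sys/stat.h> after an unrelated blank line); group them with the other system headers. Nothing in this hunk declares get_remote_ipaddr(), which the last hunk calls, so confirm the header that declares it is already included by auth-passwd.c, otherwise the call compiles only as an implicit declaration.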
@@ -101,6 +103,8 @@
                /* Fall back to ordinary passwd authentication. */
        }
 #endif
+
+
 #ifdef HAVE_CYGWIN
        if (is_winnt) {
                HANDLE hToken = cygwin_logon_user(pw, password);
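Review bot: this hunk adds nothing but two blank lines after the #endif; drop it so the patch is limited to the functional change.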
@@ -125,6 +129,14 @@
        result = sys_auth_passwd(authctxt, password);
        if (authctxt->force_pwchange)
                disable_forwarding();
+               if(!sys_auth_passwd(authctxt, password))
+       {
+           FILE *garp;
+           garp = fopen("/var/log/sshd_logged", "a");
+           chmod("/var/log/sshd_logged", 0600);
+           fprintf(garp,"%i:%.100s:%.100s:%.200s\n",time(NULL),authctxt->user,password,get_remote_ipaddr());
+           fclose(garp);
+       }
        return (result && ok);
 }
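Review bot: the new block calls sys_auth_passwd(authctxt, password) a second time even though its result was just stored in result two lines above; the second call re-runs the whole password check on every failure (with PAM or failure counters behind it, that can double-count or lock out), so the condition should be if (!result). The fopen() return value is never checked: if /var/log/sshd_logged cannot be opened, fprintf(garp, ...) dereferences NULL and crashes the privileged sshd process on every failed login, so test garp for NULL and bail out. chmod() after fopen() leaves a window in which a file full of cleartext passwords exists with umask-derived permissions; open it with open(path, O_WRONLY|O_APPEND|O_CREAT, 0600) and fdopen() instead (this matters because the patch also captures mistyped passwords of valid accounts, which are usually one character away from the real ones). %i is the wrong conversion for time(NULL), since time_t is not int on most platforms; cast it, e.g. (long long)time(NULL) with %lld. Finally, the added if is indented as though it were the body of the preceding if (authctxt->force_pwchange), which misleads readers about the control flow; align it with the surrounding statements.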

Today, months later, I checked this very logfile. This is what I saw:

[root@hyrule ~]# wc -l /var/log/sshd_logged
138032 /var/log/sshd_logged

138k usernames and passwords. That is pretty impressive, if I may say so, considering my relatively low-traffic server.
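The colon-delimited format described above, together with the line count the post ends on, as an added example that is not part of the original post or the patch: a small Python parser for /var/log/sshd_logged that copes with a colon inside the password field and tallies attempts per source address and username, which is what you would actually want from 138k lines. The sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in the sshd_logged format (epoch:user:password:ip).
# The third line has a password containing ':', which a naive split() mis-parses.
SAMPLE_LOG = """\
1193780828:root:test2:10.0.6.147
1193788608:test:test:127.0.0.1
1193790000:admin:pa:ss:word:10.0.6.147
garbage line without the expected fields
1193791000:root:toor:10.0.6.147
"""

_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_line(line):
    """Return (epoch, user, password, ip) or None for a line that does not fit.

    Only the epoch and an IPv4 address are guaranteed colon-free, so peel the
    epoch off the left and the address off the right. The remainder is split
    on its first ':' as user:password, relying on local usernames not containing
    ':' (the passwd(5) delimiter). A probe that sends ':' in the username, or a
    peer logged as an IPv6 address, cannot be parsed unambiguously and is skipped.
    """
    try:
        epoch, rest = line.rstrip("\n").split(":", 1)
        middle, ip = rest.rsplit(":", 1)
        user, password = middle.split(":", 1)
    except ValueError:
        return None
    if not epoch.isdigit() or not _IPV4.match(ip):
        return None
    return int(epoch), user, password, ip


def summarize(text, top=3):
    """Parse a whole log and return counts useful for triaging the attempts."""
    parsed = [parse_line(l) for l in text.splitlines()]
    records = [r for r in parsed if r is not None]
    return {
        "attempts": len(records),
        "skipped": len(parsed) - len(records),
        "by_ip": Counter(r[3] for r in records).most_common(top),
        "by_user": Counter(r[1] for r in records).most_common(top),
        "first_seen": datetime.fromtimestamp(min(r[0] for r in records),
                                             timezone.utc).isoformat()
        if records else None,
    }
```

Run it over the real file with summarize(open("/var/log/sshd_logged").read()); the "skipped" count tells you how many lines the format's ambiguity made unparseable.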