Skip to main content

SSH attack passwords

I am running a few Ubuntu installations connected to the Internet. As you may know, once machine is connected to the Internet, it is subject to various hacking attempts, both automatic and manual.

The most widespread attack vector for *nix machines is SSH brute-forcing. I once became a victim of such attack and now all my machines are using SSH public key authentication only. I was curious what passwords the attackers were using so I came up with a simple idea of password collection.

If you wanted to have it the quick way, using PAM storepw, then this is not going to work that good, you will need to create a local account for every account used to brute-force you. This can end up being a lot of work.

Alternatively you can patch OpenSSH to store the passwords in the log files. Since I did not want to set up a new machine for the sole purpose of password logging I decided to go an easier route.

Twisted is a python-based framework for programming network applications. And it turns out that they have implemented a SSH protocol too.

So my starting point was the blog post by George Notaras about RapidSSH. I only needed the passwords to be stored so I removed chunks of code that dealt with keys and added the code that writes logins and passwords to a gdbm database.

Here's the code:

As you can see, the database is created in /home/rtg/ which is my home directory, you will want to change the path.

The script itself runs on port 5022 and I redirected the access to 22 port on the router to go to port 5022 and redirected the real SSH port on WAN. This way my LAN machines are still able to access the regular SSH port.

The database is created but it is in a binary form, we need to make it readable:

This outputs the whole database in a plaintext format, the usage is simply

$ /path/to/passwords.db > passwords.txt

And this is what gets into passwords.txt:

# Updated: 2012-02-19T01:00:01.626648
# SSH creds for attack attempts on my server.
# If your password is listed here, CHANGE IT RIGHT NOW
# 16508 entries

This file is updated every day with the new entries of user:password that were attempted on my fake SSH server. Feel free to use this list for any purpose (e.g. compiling a cracklib dictionary).