I am running a few Ubuntu installations connected to the Internet. As you may
know, once a machine is connected to the Internet, it is subject to various
hacking attempts, both automatic and manual.
The most widespread attack vector for *nix machines is SSH brute-forcing. I
once became a victim of such an attack
and now all my machines are using SSH public key authentication only. I was
curious what passwords the attackers were using so I came up with a simple
idea of password collection.
If you want to do it the quick way, using PAM storepw, it is not going to
work that well: you will need to create a local account for every account
used to brute-force you. This can end up being a lot of work.
Alternatively you can patch OpenSSH to store the passwords in the log files.
Since I did not want to set up a new machine for the sole purpose of password
logging I decided to go an easier route.
Twisted is a Python-based framework for programming network applications.
And it turns out that they have implemented the SSH protocol too.
So my starting point was the blog post by George Notaras about RapidSSH. I
only needed the passwords to be stored so I removed chunks of code that dealt
with keys and added the code that writes logins and passwords to a gdbm
Here's the code:
As you can see, the database is created in /home/rtg/, which is my home
directory; you will want to change the path.
The script itself runs on port 5022 and I redirected the access to port 22 on
the router to go to port 5022 and redirected the real SSH port on WAN. This way my
LAN machines are still able to access the regular SSH port.
The database is created but it is in a binary form, we need to make it
This outputs the whole database in a plaintext format, the usage is simply
# Updated: 2012-02-19T01:00:01.626648
# SSH creds for attack attempts on my server.
# If your password is listed here, CHANGE IT RIGHT NOW
# 16508 entries
This file is updated every day with the new entries of user:password that were
attempted on my fake SSH server. Feel free to use this list for any purpose
(e.g. compiling a cracklib dictionary).
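
The store-and-dump idea described above, as an added example (this is not the original post's script, which did not survive on this page). It assumes a dbm database keyed by user, a NUL byte, then the password; the function names, the key layout and the sample attempts are all constructed for illustration. Attempted passwords are attacker-controlled bytes, so the dump escapes them before writing one user:password line per entry.

```python
import datetime
import dbm
import os
import tempfile

def record_attempt(db_path, user, password):
    """Store one attempted login. Key layout (user NUL password) is an assumption."""
    with dbm.open(db_path, "c") as db:
        # dbm keys are unique, so repeated attempts collapse into one entry.
        db[user + b"\x00" + password] = b"1"

def printable(raw):
    """Escape control, non-ASCII and backslash bytes so hostile input
    cannot break out of its line or forge extra lines in the dump."""
    return raw.decode("latin-1").encode("unicode_escape").decode("ascii")

def dump(db_path, now=None):
    """Return the database as plaintext with a header like the one on this page."""
    now = now or datetime.datetime.now()
    with dbm.open(db_path, "r") as db:
        entries = sorted(db.keys())
    lines = ["# Updated: " + now.isoformat(), "# %d entries" % len(entries)]
    for key in entries:
        user, _, password = key.partition(b"\x00")
        lines.append(printable(user) + ":" + printable(password))
    return "\n".join(lines) + "\n"

def demo():
    """Constructed attempts: a repeat, an embedded newline, a non-ASCII byte."""
    path = os.path.join(tempfile.mkdtemp(), "creds")
    attempts = [
        (b"root", b"123456"),
        (b"root", b"123456"),
        (b"admin", b"x\nroot:forged"),
        (b"test", b"p\xe4ss"),
    ]
    for user, password in attempts:
        record_attempt(path, user, password)
    return dump(path, datetime.datetime(2012, 2, 19, 1, 0, 1))

if __name__ == "__main__":
    print(demo(), end="")
```

A user name containing a colon would still be ambiguous in the user:password format; pick a different output separator if that matters for your use of the list.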