download issue 27 here - Help Net Security
We security folks are often blamed for treating our users (or customers, if you want) as less than competent. We generally expect users to take what we say as information security gospel, but that doesn't happen very often.

Many users have questions, and if we are lucky they may voice them. Personally, I have found that when I take the trouble to explain the reason behind my decree, people are more likely to comply. You can file that under the "user education" category, if you will.

I have a small home server that I use and abuse for various purposes, and tracking the various trends in SSH bruteforcing attempts against it has always been a source of endless amusement. But one day, the following questions sprung into my mind: "Could I actually use that information? Could I get something useful from it?"

With that in mind, I set about logging the passwords. I will not go into the details now; suffice to say I wanted something that was low maintenance, worked, and did not require another server process or modifying the sshd code.

I ended up using a custom PAM module to log the source, the username and the password of each attempt, and I created honeypot users to monitor these attempts.

Each bruteforce attempt creates a log entry that looks something like this:

host = estpak.ee : username = shoutcast : password = shoutcast

I let that setup run for a few months, specifically from December 2009 to July 2010. Let's see if the collected data can help us answer some questions.
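As an added example (not from the article or its PAM module), here is a small parser and aggregator for log lines in the format shown above. Only the first sample line is the article's own; the other lines and their hosts are constructed, and the field order (password last) is assumed so that a password containing ":" or "=" still parses.

```python
import re
from collections import Counter
from typing import Iterable, List, NamedTuple

# Anchored pattern for the article's line shape. host and username are
# matched non-greedily; password takes the rest of the line, so odd
# characters in a guessed password cannot shift the other fields.
LINE_RE = re.compile(
    r"^host = (?P<host>.*?) : username = (?P<user>.*?) : password = (?P<pw>.*)$"
)


class Attempt(NamedTuple):
    host: str
    username: str
    password: str


def parse_attempts(lines: Iterable[str]) -> List[Attempt]:
    """Turn raw log lines into Attempt records; lines that don't match are skipped."""
    attempts = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if m:
            attempts.append(Attempt(m["host"], m["user"], m["pw"]))
    return attempts


def summarize(attempts: List[Attempt], top: int = 3) -> dict:
    """Aggregate the questions a defender typically asks of this data."""
    return {
        "hosts": Counter(a.host for a in attempts).most_common(top),
        "usernames": Counter(a.username for a in attempts).most_common(top),
        "passwords": Counter(a.password for a in attempts).most_common(top),
        # How often the guessed password simply equals the username.
        "same_as_username": sum(1 for a in attempts if a.password == a.username),
    }


# Constructed sample log; only the first line is taken from the article.
SAMPLE_LOG = """\
host = estpak.ee : username = shoutcast : password = shoutcast
host = 198.51.100.7 : username = root : password = 123456
host = 198.51.100.7 : username = root : password = password
host = 198.51.100.7 : username = admin : password = admin
host = 203.0.113.9 : username = test : password = a:b=c
host = 203.0.113.9 : username = admin : password = 123456
this line is not a login attempt and must be ignored
"""

if __name__ == "__main__":
    for key, value in summarize(parse_attempts(SAMPLE_LOG.splitlines())).items():
        print(f"{key}: {value}")
```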
www.insecuremag.com 23