Record Failed Passwords
Dustin Rogers
dustincr at hotmail.com
Mon Aug 2 22:45:22 EST 2010
Alan Neville wrote:
>> Hi OpenSSH'ers,
>>
>> I am emailing you to ask is it possible to record failed password
>> attempts and log them to syslog? Are there patches available for this?
>> Has anyone managed to do this before? Are there alternative methods?
>>
>> Many Thanks,
>>
>> A
>>
>Hi Alan,
>
>use a pam module and put it in common-auth
>
>auth sufficient pam_unix.so nullok_secure
>auth required pam_log_pw.so
>auth requisite pam_deny.so
>
>Use something like (untested)
>
>
>---- begin pam_log_pw.c -----------
>#define PAM_SM_AUTHENTICATE
>#include <security/pam_modules.h>
>
>extern int pam_sm_authenticate(pam_handle_t *pamh,
>int flags, int argc, const char ** argv) {
>const char *user, *pass, *rhost, *ruser;
>pam_get_item(pamh, PAM_USER, (const void **) &user);
>pam_get_item(pamh, PAM_AUTHTOK, (const void **) &pass);
>pam_get_item(pamh, PAM_RHOST, (const void **) &rhost);
>pam_get_item(pamh, PAM_RUSER, (const void **) &ruser);
>
>/* do your logging stuff here*/
>return PAM_AUTH_ERR;
>}
>----- end ----
>
>compile using something like:
>
>gcc -O2 -fPIC -Wall -pedantic -shared -lpam -o pam_log_pw.so \
>pam_log_pw.c
>
>Best regards,
>
>Christian
>
>
>_______________________________________________
>openssh-unix-dev mailing list
>openssh-unix-dev [at] mindrot
>https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
>--
>Company: Siemens Aktiengesellschaft Österreich
>Legal form: Aktiengesellschaft (stock corporation)
>Registered office: Vienna, company register number: FN 60562 m
>Company register court: Handelsgericht Wien, DVR: 0001708
Hello Fellow SSHers:
I hope I am emailing this correctly. I implemented the shared object above... it works pretty nicely, except AUTHTOK only takes the value of the passwords for legitimate users. Is there a way to get the failed passwords for all users? I too am a graduate student, except at St. Cloud State University, looking at brute-force SSH attacks. I would also be using this as a honeypot on a non-production public IP address. Therefore, the illegitimate usernames/passwords would be of the most value.
Here is the shared object code from Christian as I modified it:
/*---- begin pam_log_pw.c -----------*/
#define PAM_SM_AUTHENTICATE
#include <security/pam_modules.h>
#include <stdio.h>

extern int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    const char *user = NULL, *pass = NULL, *rhost = NULL, *ruser = NULL;
    FILE *ofp;

    pam_get_item(pamh, PAM_USER, (const void **) &user);
    pam_get_item(pamh, PAM_AUTHTOK, (const void **) &pass);
    pam_get_item(pamh, PAM_RHOST, (const void **) &rhost);
    pam_get_item(pamh, PAM_RUSER, (const void **) &ruser);

    /* do your logging stuff here */
    ofp = fopen("/var/log/passwd.log", "a");
    if (ofp != NULL) {
        /* The password comes from the remote client: write it as data,
           never as the format string, and tolerate an unset item. */
        fprintf(ofp, "%s\n", pass != NULL ? pass : "(null)");
        fclose(ofp);
    }
    return PAM_AUTH_ERR;
}
/*----- end ----*/
Please let me know if there is a way to store illegitimate usernames/passwords using a PAM module.
Thank you for your time and code!
-Dustin Rogers
Student Network Admin
Computer Network Research Center, SCSU
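
Added example, not part of the original thread or of OpenSSH: a record formatter for a logging module like pam_log_pw.c that treats the user name, remote host and password as untrusted bytes, so a crafted password cannot act as a format string or forge extra log lines. The names put_field and format_attempt, the record layout and the sample values are assumptions made for illustration.

```c
/* Added example (hypothetical helper names): one log record from untrusted PAM items. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Append key="value" at dst+off, escaping bytes that could forge or split a log line. */
static size_t put_field(char *dst, size_t off, size_t cap, const char *key, const char *val)
{
    int n = snprintf(dst + off, cap - off, "%s=\"", key);
    if (n < 0 || (size_t)n + 2 > cap - off) { dst[off] = '\0'; return off; } /* no room */
    off += (size_t)n;
    if (val == NULL) val = "(null)";    /* pam_get_item() can leave an item unset */
    for (; *val != '\0'; val++) {
        unsigned char c = (unsigned char)*val;
        char tmp[5];
        if (c == '\\' || c == '"')
            snprintf(tmp, sizeof tmp, "\\%c", c);
        else if (isprint(c))
            snprintf(tmp, sizeof tmp, "%c", c);
        else                            /* newline, CR, backspace, DEL, high bytes */
            snprintf(tmp, sizeof tmp, "\\x%02x", (unsigned)c);
        size_t len = strlen(tmp);
        if (off + len + 2 > cap) break; /* keep room for closing quote and NUL */
        memcpy(dst + off, tmp, len);
        off += len;
    }
    dst[off++] = '"';
    dst[off] = '\0';
    return off;
}

/* Builds: user="..." rhost="..." pass="..." and returns its length. */
size_t format_attempt(char *out, size_t cap, const char *user, const char *rhost, const char *pass)
{
    if (cap == 0) return 0;
    size_t off = put_field(out, 0, cap, "user", user);
    off = put_field(out, off, cap, " rhost", rhost);
    return put_field(out, off, cap, " pass", pass);
}

int main(void)
{
    char line[256];
    /* Constructed sample: a password carrying a newline and format directives. */
    format_attempt(line, sizeof line, "root", "192.0.2.7", "x\n%s%n");
    puts(line);
    return 0;
}
```

Inside a PAM module the finished record would be handed to the logger as data under a fixed format, for example `syslog(LOG_AUTHPRIV | LOG_NOTICE, "%s", line)`.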