Help with debug mode needed

Eric Wedaa Eric.Wedaa at
Thu May 21 10:24:05 AEST 2015


  I'm working on an ssh honeypot to analyze botnets, and I'm trying to find the chunk of code that specifies the following (like in Kippo)

TIMESTAMP [HoneyPotTransport,2522,XX.XX.XX.XX] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
TIMESTAMP [HoneyPotTransport,2522,XX.XX.XX.XX] outgoing: aes128-ctr hmac-sha1 none
TIMESTAMP [HoneyPotTransport,2522,XX.XX.XX.XX] incoming: aes128-ctr hmac-sha1 none

I was able to find the section in sshd.c where I can log the client name and port,
and the section in auth.c where the password is cleartext, but I have no idea what I'm really looking for to find the protocols.

I honestly have no idea where I should really be looking.  If somebody can point me in the right direction (or send a code fragment) I'd really appreciate it.  I'll post a link back to the mailing list of where everyone else can find the completed code if I get some help.

(BTW: It's live already at and I've already found and/or analyzed 9 botnets.  Having better information on who's attacking will make it easier I hope to bunch them all together).

(And no, I'm not rising to the bait about tcpwrappers :-) It's decided and done.)
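One way to put those three log lines to use once they are being emitted, as an added example that is not from the post, from Kippo or from OpenSSH: it parses Kippo-style transport records into a per-session algorithm set and groups sessions by that set, so connections from different IPs that use the same client implementation cluster together. The log lines, session numbers and IPs below are constructed.

```python
import re
from collections import defaultdict

# Constructed sample records in the Kippo-style format quoted in the post
# (timestamps, session ids and addresses are made up for this example).
SAMPLE_LOG = """\
2015-05-21 10:24:05+1000 [HoneyPotTransport,2522,203.0.113.5] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2015-05-21 10:24:05+1000 [HoneyPotTransport,2522,203.0.113.5] outgoing: aes128-ctr hmac-sha1 none
2015-05-21 10:24:05+1000 [HoneyPotTransport,2522,203.0.113.5] incoming: aes128-ctr hmac-sha1 none
2015-05-21 10:25:11+1000 [HoneyPotTransport,2523,198.51.100.7] kex alg, key alg: diffie-hellman-group14-sha1 ssh-rsa
2015-05-21 10:25:11+1000 [HoneyPotTransport,2523,198.51.100.7] outgoing: aes256-cbc hmac-sha1 zlib@openssh.com
2015-05-21 10:25:11+1000 [HoneyPotTransport,2523,198.51.100.7] incoming: aes256-cbc hmac-sha1 zlib@openssh.com
2015-05-21 10:26:40+1000 [HoneyPotTransport,2524,192.0.2.9] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2015-05-21 10:26:40+1000 [HoneyPotTransport,2524,192.0.2.9] outgoing: aes128-ctr hmac-sha1 none
2015-05-21 10:26:40+1000 [HoneyPotTransport,2524,192.0.2.9] incoming: aes128-ctr hmac-sha1 none
"""

# Timestamp is skipped lazily (it contains a space); the bracketed field carries
# the transport session id and the peer address.
LINE_RE = re.compile(
    r"^.*?\[HoneyPotTransport,(?P<session>\d+),(?P<ip>[^\]]+)\]\s+"
    r"(?P<kind>kex alg, key alg|outgoing|incoming):\s+(?P<algs>.+)$"
)

def parse_sessions(text):
    """Map session id -> {ip, kex, hostkey, outgoing, incoming}."""
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated record (login attempt, shell command, ...)
        s = sessions.setdefault(m["session"], {"ip": m["ip"]})
        algs = m["algs"].split()
        if m["kind"] == "kex alg, key alg":
            s["kex"], s["hostkey"] = algs[0], algs[1]
        else:
            s[m["kind"]] = tuple(algs)  # (cipher, MAC, compression) per direction
    return sessions

def fingerprint(session):
    """Negotiated-algorithm tuple; identifies the client software, not the IP."""
    return (session["kex"], session["hostkey"], session["outgoing"], session["incoming"])

def group_by_fingerprint(sessions):
    """Cluster source IPs by algorithm fingerprint, skipping incomplete handshakes."""
    groups = defaultdict(list)
    for s in sessions.values():
        if all(k in s for k in ("kex", "hostkey", "outgoing", "incoming")):
            groups[fingerprint(s)].append(s["ip"])
    return dict(groups)
```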


More information about the openssh-unix-dev mailing list