What can be learned about a 'user' from a failed malicious SSH attempt?
- User name entered (/var/log/secure)
- Password entered (if configured, i.e. by using a PAM module)
- Source IP address (/var/log/secure)
Are there any methods of extracting anything else? Whether it's info hidden in log files, random tricks or from 3rd party tools etc.
Well, an item that you haven't mentioned is the fingerprints of the private keys they tried before entering a password. With openssh, if you set LogLevel VERBOSE in /etc/sshd_config, you get them in the log files. You can check them against the collection of public keys your users have authorized in their profiles, to see if they have been compromised. In the case that an attacker has got hold of a user's private key and is looking for the login name, knowing that the key is compromised could prevent the intrusion. Admittedly, it's rare: whoever owns a private key has probably found out the login name too...

Going a little bit further into LogLevel DEBUG, you can also find out the client software/version in format
It will also print the key exchange, ciphers, MACs and compression methods available during the key exchange.
If the login attempts are very frequent or happen at all hours of the day, then you could suspect that the login is performed by a bot.
You might be able to deduce the user's habits from the time of day that they log in or other activity on the server, i.e. the logins are always N seconds after an Apache hit from the same IP address, or a POP3 request, or a git pull.