LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 10-30-2005, 08:27 PM   #1
mperkel
LQ Newbie
 
Registered: Oct 2005
Posts: 15

Rep: Reputation: 0
Allowing SSH to accepts ANY Password


This is an unusual request but I'm looking for a way to get SSH to take ANY password on some accounts and accept it to log in. No matter what the user types it is accepted.

Why you might ask? Because I'm going to have it run a shell script that will lock out their IP address. I get people trying to hack into my server all the time usually trying accounts that are never used for SSH. The idea is to block the IP of anyone who even tries to use these accounts on the first try. Also thinking about setting up a honeypot server to collect these IPs and send them to a block list on the main routers.

So - can I do this?
 
Old 10-30-2005, 10:18 PM   #2
tkedwards
Senior Member
 
Registered: Aug 2004
Location: Munich, Germany
Distribution: Opensuse 11.2
Posts: 1,549

Rep: Reputation: 49
Quote:
This is an unusual request but I'm looking for a way to get SSH to take ANY password on some accounts and accept it to log in. No matter what the user types it is accepted.
This would allow anyone to log in to your computer; this is an extremely bad idea and is suicidal if you are connected to the internet.

Quote:
Why you might ask? Because I'm going to have it run a shell script that will lock out their IP address. I get people trying to hack into my server all the time usually trying accounts that are never used for SSH. The idea is to block the IP of anyone who even tries to use these accounts on the first try. Also thinking about setting up a honeypot server to collect these IPs and send them to a block list on the main routers.
See this: http://denyhosts.sourceforge.net/ and forget about what you were saying above about letting anyone log in to your computer.
 
Old 10-30-2005, 10:24 PM   #3
mperkel
LQ Newbie
 
Registered: Oct 2005
Posts: 15

Original Poster
Rep: Reputation: 0
You should read what I write before you reply. I'm not going to let them actually log in. The shell isn't a real shell. It runs a program that cuts them off immediately and blocks their IP address. That way they get cut off immediately instead of getting 10 minutes worth of guessing.
 
Old 10-30-2005, 11:06 PM   #4
tkedwards
Senior Member
 
Registered: Aug 2004
Location: Munich, Germany
Distribution: Opensuse 11.2
Posts: 1,549

Rep: Reputation: 49
It's still an extremely bad idea to try to open up ssh to any kind of anonymous or blank-password logins. It's also totally unnecessary in order to do what you're trying to do (you only need to look in the log files to pick out hack-attempts) and it's not possible to configure sshd to allow logins for users who don't exist on the system anyway AFAIK.
 
Old 10-30-2005, 11:14 PM   #5
mperkel
LQ Newbie
 
Registered: Oct 2005
Posts: 15

Original Poster
Rep: Reputation: 0
My question was - how do I do this - not if I should do this. I'm looking for an answer to my question - not a lecture about your opinion of security. So - does anyone know how to do what I'm asking about?
 
Old 10-30-2005, 11:37 PM   #6
tkedwards
Senior Member
 
Registered: Aug 2004
Location: Munich, Germany
Distribution: Opensuse 11.2
Posts: 1,549

Rep: Reputation: 49
Now you're the one not reading before you reply. I've already told you that you only need to look in the log files to get the information you need to make this work. I've also told you that what you're trying to do isn't possible with ssh - it only allows logins to specific accounts, there is no such thing as a catch-all login.
 
Old 10-31-2005, 12:00 PM   #7
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Re: Allowing SSH to accepts ANY Password

Quote:
Originally posted by mperkel
So - can I do this?
It seems like an excessive way to block sources, but you can get the info you need from your logfiles. It would be easier to completely block SSH then open the service for known sources.
 
Old 10-31-2005, 12:11 PM   #8
mperkel
LQ Newbie
 
Registered: Oct 2005
Posts: 15

Original Poster
Rep: Reputation: 0
By the time I check the log files several attempts are already made. I want to kill them instantly on the first attempt.
 
Old 10-31-2005, 01:09 PM   #9
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
I still don't agree with the methodology, but you could use a log monitor like swatch. You're better off with explicit allows so that you don't have to worry about connection attempts from unwanted locations. Do you have an issue that would prevent you from doing explicit allows?
 
Old 11-01-2005, 10:32 AM   #10
Avatar
Member
 
Registered: May 2001
Location: Canada
Distribution: old ones
Posts: 524

Rep: Reputation: 30
Maybe instead of allowing them to type in anything you could try one of these 2 ideas.

1. Set up some obvious accounts like test, admin, or guest and use a password like "password" or "admin" or something to catch bad guys. I don't know how well that could work with your script though.

2. Maybe make a rule similar to "if you type the password wrong 3 times, you get locked out" only this would be "if you type your login OR password wrong once, you get SCRIPTED"

Since I don't know how ssh handles bad password attempts, depending on the OS sometimes you get 3 tries and others you get unlimited tries. Sorry couldn't help more.
 
Old 11-01-2005, 10:39 AM   #11
mperkel
LQ Newbie
 
Registered: Oct 2005
Posts: 15

Original Poster
Rep: Reputation: 0
Avatar - that's a good suggestion. I think I'll do that until I come up with a better solution.
 
Old 11-01-2005, 11:21 AM   #12
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Question: Would you design a physical security system (i.e. door lock) that opened with any key and then tried to prevent the person from entering after they unlocked it?
 
Old 11-01-2005, 11:30 AM   #13
Avatar
Member
 
Registered: May 2001
Location: Canada
Distribution: old ones
Posts: 524

Rep: Reputation: 30
If something could be done similar to my #2, then it wouldn't be like that at all.

It would be more like, if you use the right key in the door, you get in. If you try to insert the wrong key, even just once, the lock disappears.

I think that what mperkel wants to do is not necessarily let people in, it's just that's the only way he can catch them in his script. I think what he wants to do is deny access to people who are trying to get in who shouldn't be, without letting them keep on trying and trying, like it does right now.
 
Old 11-01-2005, 11:42 AM   #14
Avatar
Member
 
Registered: May 2001
Location: Canada
Distribution: old ones
Posts: 524

Rep: Reputation: 30
If I'm right, then what you want is not to let them in and THEN block their IP address. You want to block the IP if they fail X number of times (even once).

Here is a thread that I think has what you are looking for. Read the post # 35 (about 4th from the bottom).
http://www.linuxquestions.org/questi...5&pagenumber=3

This guy has a link to a script that does what you want, but BEFORE the user logs in, not after. It's called authfail.

Hope this helps.
 
Old 11-01-2005, 11:42 AM   #15
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,539
Blog Entries: 51

Rep: Reputation: 2604
Whatever it is it ain't good enough.

Like most of the responses in this thread try to say, and if you look at how available tools approach the problem you'll see they're not about introducing new risks.
- No unauthorised remote users should be able to connect to or interact with code on the server.
- Adding users to the system (with easily guessable passwords) is weakening the system by any standard.
- Besides that the available tools work so why try to introduce a vulnerability...

Use one of the tools around or reconsider using the sane approach of using auth/sys logs if you must write something yourself.
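
The log-based approach recommended in several replies above, as an added example that is not part of any post in this thread: sshd records attempts against names such as test, admin or guest (the names from post #10) even when no such account exists, so a monitor can flag a source on its first attempt without any login being accepted. The function name, the `never_block` parameter and the sample log are constructed for illustration, and syslog-style OpenSSH messages are assumed; the returned addresses would be handed to whatever firewall or block list is in use.

```python
import ipaddress
import re

# Syslog-style OpenSSH lines, anchored at both ends: the user name is text
# chosen by the remote side, so the address is only read from the line's end.
LINE = re.compile(
    r"^\w{3} +\d+ [\d:]{8} \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?|Invalid user )"
    r"(?P<user>.*) from (?P<ip>\S+)(?: port \d+)?(?: ssh2)?$"
)

def first_attempt_blocks(lines, decoy_users, never_block=()):
    """Return [(ip, user)] for the first attempt each source makes on a decoy name."""
    safe_nets = [ipaddress.ip_network(n) for n in never_block]
    seen, blocks = set(), []
    for line in lines:
        m = LINE.match(line.rstrip("\n"))
        if not m or m.group("user") not in decoy_users:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # not a literal address (e.g. a resolved hostname)
        # Never block the administrator's own networks, and report each IP once.
        if ip in seen or any(ip in net for net in safe_nets):
            continue
        seen.add(ip)
        blocks.append((str(ip), m.group("user")))
    return blocks

# Constructed sample log (documentation address ranges, hypothetical host/users).
SAMPLE_LOG = """\
Oct 30 20:27:01 web1 sshd[2201]: Invalid user test from 203.0.113.9
Oct 30 20:27:03 web1 sshd[2201]: Failed password for invalid user test from 203.0.113.9 port 40022 ssh2
Oct 30 20:27:09 web1 sshd[2207]: Failed password for root from 198.51.100.7 port 51514 ssh2
Oct 30 20:27:15 web1 sshd[2210]: Failed password for invalid user guest from 192.0.2.10 port 33000 ssh2
Oct 30 20:27:20 web1 sshd[2214]: Failed password for invalid user admin from 192.0.2.77 port 22 ssh2 from 198.51.100.23 port 4711 ssh2
Oct 30 20:27:25 web1 sshd[2216]: Invalid user admin from 2001:db8::5 port 50000
Oct 30 20:27:31 web1 sshd[2219]: Accepted password for alice from 192.0.2.10 port 33010 ssh2
""".splitlines()

DECOYS = {"test", "admin", "guest"}  # never used for real SSH logins

if __name__ == "__main__":
    for ip, user in first_attempt_blocks(SAMPLE_LOG, DECOYS, ["192.0.2.0/28"]):
        print(f"block {ip} (tried decoy account {user!r})")
```

The 20:27:20 line shows why the pattern is anchored: text inside the user name that looks like an address never becomes a block entry.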
 
  


All times are GMT -5.
