This is an unusual request but I'm looking for a way to get SSH to take ANY password on some accounts and accept it to log in. No matter what the user types it is accepted.
Why you might ask? Because I'm going to have it run a shell script that will lock out their IP address. I get people trying to hack into my server all the time usually trying accounts that are never used for SSH. The idea is to block the IP of anyone who even tries to use these accounts on the first try. Also thinking about setting up a honeypot server to collect these IPs and send them to a block list on the main routers.
Quote:
This is an unusual request but I'm looking for a way to get SSH to take ANY password on some accounts and accept it to log in. No matter what the user types it is accepted.
This would allow anyone to login to your computer, this is an extremely bad idea and is suicidal if you are connected to the internet.
Quote:
Why you might ask? Because I'm going to have it run a shell script that will lock out their IP address. I get people trying to hack into my server all the time usually trying accounts that are never used for SSH. The idea is to block the IP of anyone who even tries to use these accounts on the first try. Also thinking about setting up a honeypot server to collect these IPs and send them to a block list on the main routers.
You should read what I write before you reply. I'm not going to let them actually log in. The shell isn't a real shell. It runs a program that cuts them off immediately and blocks their IP address. That way they get cut off immediately instead of getting 10 minutes worth of guessing.
It's still an extremely bad idea to try to open up ssh to any kind of anonymous or blank-password logins. It's also totally unnecessary in order to do what you're trying to do (you only need to look in the log files to pick out hack attempts) and it's not possible to configure sshd to allow logins for users who don't exist on the system anyway AFAIK.
My question was - how do I do this - not if I should do this. I'm looking for an answer to my question - not a lecture about your opinion of security. So - does anyone know how to do what I'm asking about?
Now you're the one not reading before you reply. I've already told you that you only need to look in the log files to get the information you need to make this work. I've also told you that what you're trying to do isn't possible with ssh - it only allows logins to specific accounts, there is no such thing as a catch-all login.
It seems like an excessive way to block sources, but you can get the info you need from your logfiles. It would be easier to completely block SSH, then open the service for known sources.
I still don't agree with the methodology, but you could use a log monitor like swatch. You're better off with explicit allows so that you don't have to worry about connection attempts from unwanted locations. Do you have an issue that would prevent you from doing explicit allows?
Maybe instead of allowing them to type in anything you could try one of these 2 ideas.
1. Set up some obvious accounts like test, admin, or guest and use a password like "password" or "admin" or something to catch bad guys. I don't know how well that could work with your script though.
2. Maybe make a rule similar to "if you type the password wrong 3 times, you get locked out" only this would be "if you type your login OR password wrong once, you get SCRIPTED"
I don't know how ssh handles bad password attempts; depending on the OS, sometimes you get 3 tries and other times you get unlimited tries. Sorry I couldn't help more.
Question: Would you design a physical security system (i.e. a door lock) that opened with any key and then tried to prevent the person from entering after they unlocked it?
If something could be done similar to my #2, then it wouldn't be like that at all.
It would be more like, if you use the right key in the door, you get in. If you try to insert the wrong key, even just once, the lock disappears.
I think that what mperkel wants to do is not necessarily let people in, it's just that's the only way he can catch them in his script. I think what he wants to do is deny access to people who are trying to get in who shouldn't be, without letting them keep on trying and trying, like it does right now.
If I'm right, then what you want is not to let them in and THEN block their IP address. You want to block the IP if they fail X number of times (even once).
Like most of the responses in this thread try to say, and if you look at how available tools approach the problem you'll see they're not about introducing new risks.
- No unauthorised remote users should be able to connect to or interact with code on the server.
- Adding users to the system (with easily guessable passwords) is weakening the system by any standard.
- Besides that the available tools work so why try to introduce a vulnerability...
Use one of the tools around or reconsider using the sane approach of using auth/sys logs if you must write something yourself.
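The approach several replies recommend (watch the auth log, then block the source address) can be shown end to end without touching sshd at all. The script below is an added example written for this thread, not code from any poster or from swatch: it parses OpenSSH's standard "Invalid user" and "Failed password" log lines, blocks an address on its very first attempt against an account that is not on an allowlist (the "wrong login once, you get scripted" idea from the thread), and blocks an address that fails the password a configurable number of times for an allowed account. The log lines, the allowlist and the addresses (taken from the documentation ranges) are constructed for the example. It only returns the firewall commands it would run; wiring it to iptables or ipset, or running it from a log tailer, is left to the reader.

```python
import re
from collections import Counter

# Constructed sample auth.log lines. Addresses come from the RFC 5737
# documentation ranges; nothing here is a real host or attacker.
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 host sshd[1201]: Invalid user admin from 203.0.113.5 port 41000
Jan 10 12:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 41000 ssh2
Jan 10 12:00:04 host sshd[1202]: Failed password for alice from 198.51.100.7 port 52000 ssh2
Jan 10 12:00:06 host sshd[1203]: Failed password for alice from 198.51.100.7 port 52001 ssh2
Jan 10 12:00:08 host sshd[1204]: Failed password for alice from 198.51.100.7 port 52002 ssh2
Jan 10 12:00:09 host sshd[1205]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2: ED25519 SHA256:abc
Jan 10 12:00:11 host sshd[1206]: Failed password for bob from 192.0.2.44 port 40100 ssh2
Jan 10 12:00:15 host sshd[1207]: Invalid user test from 203.0.113.9 port 41500
"""

# Assumed policy: only these accounts are ever expected to log in over SSH,
# and an allowed account gets this many failures before its source is blocked.
ALLOWED_USERS = {"alice", "bob"}
FAIL_THRESHOLD = 3

# OpenSSH's two failure messages. "invalid user" is an optional prefix on the
# second form when the account does not exist on the system.
INVALID_RE = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>[\d.]+) port")
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port")


def parse_events(text):
    """Turn raw auth log text into (kind, user, ip) tuples; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = INVALID_RE.search(line)
        if m:
            events.append(("invalid_user", m["user"], m["ip"]))
            continue
        m = FAILED_RE.search(line)
        if m:
            events.append(("failed_password", m["user"], m["ip"]))
    return events


def decide_blocks(events, allowed_users=ALLOWED_USERS, threshold=FAIL_THRESHOLD):
    """Return {ip: reason} for every source that should be blocked.

    Any attempt on an account outside the allowlist blocks on the first try;
    an allowed account's source is blocked after `threshold` failed passwords.
    """
    blocks = {}
    failures = Counter()
    for kind, user, ip in events:
        if ip in blocks:
            continue  # already decided, no need to count further
        if user not in allowed_users:
            blocks[ip] = f"attempt on non-allowed account '{user}'"
            continue
        if kind == "failed_password":
            failures[ip] += 1
            if failures[ip] >= threshold:
                blocks[ip] = f"{failures[ip]} failed passwords for '{user}'"
    return blocks


def block_commands(blocks):
    """Render one iptables DROP rule per blocked source (dry run: strings only)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(blocks)]


if __name__ == "__main__":
    decisions = decide_blocks(parse_events(SAMPLE_AUTH_LOG))
    for ip, reason in sorted(decisions.items()):
        print(f"{ip}: {reason}")
    print("\n".join(block_commands(decisions)))
```

Run against the sample, it blocks 203.0.113.5 and 203.0.113.9 after a single probe of the non-existent "admin" and "test" accounts, blocks 198.51.100.7 after its third failure for alice, and leaves 192.0.2.44 alone after one failure for bob. Note that nothing here needs the intruder to get past authentication: the failure is already in the log before sshd drops the connection, which is the point the thread keeps making.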