Possible to see actual password's used?

tarken · 08-12-2014, 10:51 AM

I don't think this is possible, but maybe it is. Is it possible to see what passwords these Chinese "hackers" are trying to use to get into my system via SSH? All I am getting is:

A

Code:

ug 12 05:08:58 localhost sshd[4721]: Failed password for root from 61.174.51.213 port 8112 ssh2
Aug 12 05:08:58 localhost sshd[4729]: Failed password for invalid user admin from 61.174.51.213 port 10025 ssh2
Aug 12 05:08:58 localhost unix_chkpwd[4751]: password check failed for user (root)
Aug 12 05:08:58 localhost sshd[4697]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Aug 12 05:08:58 localhost unix_chkpwd[4750]: password check failed for user (root)
Aug 12 05:08:58 localhost sshd[4721]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Aug 12 05:08:58 localhost sshd[4710]: Failed password for root from 61.174.51.213 port 5195 ssh2
Aug 12 05:08:58 localhost sshd[4710]: Disconnecting: Too many authentication failures for root [preauth]
Aug 12 05:08:58 localhost sshd[4710]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.213  user=root
Aug 12 05:08:58 localhost sshd[4710]: PAM service(sshd) ignoring max retries; 6 > 3
Aug 12 05:08:58 localhost sshd[4745]: reverse mapping checking getaddrinfo for 213.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.213] failed - POSSIBLE BREAK-IN ATTEMPT!

Thanks for your time,

Tark

szboardstretcher · 08-12-2014, 10:53 AM

You need to ban that IP at the router immediately. If you don't need China to access your DC, then a quick read here will help:

http://www.wizcrafts.net/chinese-blocklist.html

No, you cannot view the password they are using.

tarken · 08-12-2014, 04:50 PM

I have the IP's blocked. Is it not even possible to see the hashes that they are trying to use?

unSpawn · 08-12-2014, 05:25 PM

Quote:

Originally Posted by szboardstretcher

You need to ban that IP at the router immediately. If you don't need China to access your DC, then a quick read here will help

I think it would be easier to point the OP to using fail2ban or equivalent as you wouldn't have to think twice about what to block and what not?..

Quote:

Originally Posted by szboardstretcher

No, you cannot view the password they are using.

Not by default no, but you can (as long as they're not using pubkey auth) using a Honeypot, a modified SSH daemon or a custom PAM module.
*Note care should be taken when attempting this, IMHO exposing an inert Honeypot in a DMZ would be the relatively best option isolation-wise.

szboardstretcher · 08-13-2014, 06:43 AM

Quote:

Originally Posted by unSpawn

I think it would be easier to point the OP to using fail2ban or equivalent as you wouldn't have to think twice about what to block and what not?..

Thats valid as well.

Fail2ban is great for many services, and denyhosts is great for SSH. But those are for dynamic attacks,.. attacks from many endpoints in many countries that aren't able to be 'grouped' together easily.

China, on the other hand, is easy to group together (ip-wise) and statically block at the router level if you have no reason to accept Chinese traffic (example: you run a muffin store in Ohio.)

I think it's better to stop malicious traffic at the edge, IF you can, than allow it into the network.

A mixture of both processes would be best.. if you are going to expose SSH to the world. Get rid of traffic at the router that you know 100% you don't need, and use fail2ban or denyhosts to further secure your world facing services.