I say honeypot but really it isn’t a honeypot… but it is something I am using to log/capture data from malicious individuals….so thus the reason I say honeypot.
I want to edit sshd to log all user/password attempts.
Cent7
yum install git make zlib-devel openssl-devel openssh-devel pam-devel screen autoconf gcc vim-enhanced lsof
git clone https://github.com/openssh/openssh-portable.git
cd openssh-portable/
autoreconf
./configure
vim auth-passwd.c (add in my little log code in the auth_password function)
//for Lanix
logit(“sshd credentials:%s:%s”,authctxt->user,password);
make
we are going to use the built-in sshd_config and the current ssh_host_keys to prevent anyone remote being able to easily identify the trap.
cp /etc/ssh/sshd_config /root/ (modify this as there are multiple parts we didn’t complile into our ssh and errors will be thrown, also to test I run it first on a different port)
cp /etc/ssh/ssh_host_* /root/
chmod 0600 /root/ssh_host_*
/root/openssh-portable/sshd -f sshd_config -D (I test with the -D so that I can easily stop the program)
This will log things in /var/log/secure on a Cent7 box, just look for the “sshd credentials” LOL
Debian
apt-update
apt-get install zlib1g-dev screen vim make gcc autoconf git libssl1.0-dev
(libssl1.0-dev because regular libssl-dev throws errors on compile of ssh, well as of right now)
(not sure if these are needed yet) apt-get install libcrypto++-dev libgcrypt20 libcrypto++6 libcrypto++-utils r-cran-openssl
git clone https://github.com/openssh/openssh-portable.git
cd openssh-portables/
autoreconf
./configure
vim auth-passwd.c (add in my little log code in the auth_password function)
//for Lanix
logit(“sshd credentials:%s:%s”,authctxt->user,password);
make
we are going to use the built-in sshd_config and the current ssh_host_keys to prevent anyone remote being able to easily identify the trap.
cp /etc/ssh/sshd_config /root/ (modify this as there are multiple parts we didn’t complile into our ssh and errors will be thrown, also to test I run it first on a different port)
cp /etc/ssh/ssh_host_* /root/
chmod 0600 /root/ssh_host_*
/root/openssh-portable/sshd -f sshd_config -D (I test with the -D so that I can easily stop the program)
This will log things in /var/log/auth.log, just look for the “sshd credentials” LOL