PDA

View Full Version : My Secret SSH user ...



prompt_32
2014-01-11, 05:11
HISTORY
Ok, just some days before, i was hacked. I was watching a nice story in a live channel, and trying after this,
to open a program, .... not work. Ah, ok i was disconnected. Just connect ! No auto-connect ! ******, useless NetManager ...
Restart the modem, not work, missing system-connections files. Ok, just go to /etc/ to see what ...
Easy job, my /etc/ dir was EMPTY !
Ok, i know its me, i play too much with the OS, but i didnt touch the keyb the last 3-4 hours,
so a script from conky, my server,... ,but why now and not yesterday ? It's her, but how, she wont, and she's not.
But is a user, no matter if the only user is root, IS a user.
( bla-bla-bla bla-bla-bla ),
/var/log/auth.log , what is this file ?, hmm lets do a script ...

File:u-hacked

#!/bin/bash

# Usage: u-hacked [-v]

AUTHFILE="/var/log/auth.log"
[ ! -f "$AUTHFILE" ] && echo "$AUTHFILE, not exist" && exit 1

[ "x$1" = "x-v" ] && BEVERBOSE='1'

do_666 (){

OFILE="`mktemp -q`"
[ ! -f "$OFILE" ] && echo "'$OFILE', not created !" && exit 1

cat "$AUTHFILE" |grep sshd |grep "\: Failed" >$OFILE
cat "$AUTHFILE" |grep sshd |grep "\: Accepted" >>$OFILE

HOSTS=""
for u in \
`cat $AUTHFILE |grep sshd |grep "password" |cut -d \] -f2- |cut -d \: -f2- |sed s/"^\ "/""/g \
|grep invalid |cut -d \ -f8 |grep -v "^$"`;
do [ -z "`echo "$HOSTS"|grep "$u"`" ] && HOSTS="$HOSTS $u"; done


echo "---------------------------------------------------------------------------"
echo "'$AUTHFILE'"
echo "---------------------------------------------------------------------------"
echo " DATE(first) Date(last) IP Tries Hits Names"
echo "---------------------------------------------------------------------------"

IFS=' '
for u in `echo $HOSTS`; do
echo -n \
" `cat $OFILE |grep $u |cut -d \ -f1,2,3 |head -n 1|sed s/" "/"_"/g`" \
" `cat $OFILE |grep $u |cut -d \ -f1,2,3 |tail -n 1|sed s/" "/"_"/g`" \
"$u" \
" `cat $OFILE |grep $u |grep Failed |wc -l`" \
" `cat $OFILE |grep $u |grep Accepted |wc -l `" \
|awk '{printf "%-16s %-16s %15s %5u %4u ",$1,$2,$3,$4,$5}';
IFS=$'\n'
[ -n "$BEVERBOSE" ] && echo -n " (" `cat $OFILE |grep sshd |grep $u |grep user |grep invalid |cut -d \] -f2- |cut -d \: -f2- |sed s/"^\ "/""/g |cut -d \ -f6 |sort -u` ")"
echo ""
done

rm -f "$OFILE"
}

do_666
exit $?
What i saw ?
My sshd server was brute forced over than 700 times, and my root account broke 3-4 times
My root password ? 'root' !!! ( no laughs, no comments, please )


THE PROBLEM
To make a ssh user/password, imposible to crack, (at least practical) !!!


IDEAS
Q: A very complicate password and long password.
A: Its gonna to be difficult to me, too, and if for 'root' a must type in every login,..., not uncrakable (at least in theory)
Q/A,
Q/A, ....
Q: A real-time-name user (and or a real-time-name group), and just a password.
A: That sound good !!!


MY PERSONAL SOLUTION
I'm gonna create a new user, belongs to a new group + sudo,
its name will be a scheme with my IP address that i always know, and because of this,
this user/group will be created every time i connected to the inet, and deleted when not !

HOW-TO

GROUP:'okey'
GID:9999
USER:my ip address, with 'x' instead of dots
UID:9999
PASS: password

(*) We add the group to the /etc/ssh/sshd_config


$ root(1) ~ > cat /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details
AllowGroups okey
......
.......
to start like this
In this way SSH Server will allow ONLY users of group 'okey' to connect
You can change it or remove it complete. Debian/Kali default SSH config dont include this at all

(*) Create an empty executable file (ie : $HOME/my-ssh-user )

echo>$HOME/my-ssh-user
chmod 700 $HOME/my-ssh-user

(*) And copy+paste the following into
File:my-ssh-user

#!/bin/bash
#
# Usage:
# my-ssh-user # to add your user
# my-ssh-user -d # to remove your user
#


SSH_GROUP='okey'
SSH_GID='9999'
SSH_USER=''
SSH_UID='9999'
SSH_PASS='password'

## get the IP replace '.' with 'x'
SSH_USER="`wget -o /dev/null -O - http://i.ngx.cc/ |sed s/"\."/"x"/g`"


add_user (){
groupadd -f -g $SSH_GID $SSH_GROUP >/dev/null 2>/dev/null 1>/dev/null
res=$?
echo "groupadd:$res"

useradd -M -N --uid $SSH_UID --gid $SSH_GID -s /bin/bash $SSH_USER >/dev/null 2>/dev/null 1>/dev/null
res=$?
echo "useradd:$res"

echo -e "$SSH_PASS\n$SSH_PASS\n\n"|passwd $SSH_USER >/dev/null 2>/dev/null 1>/dev/null
res=$?
echo "passwd:$res"

# adduser $SSH_USER sudo
# adduser $SSH_USER root
}

rem_user (){
userdel $SSH_USER >/dev/null 2>/dev/null 1>/dev/null
res=$?
echo "userdel:$res"
}


if [ "$1" = "-d" ];
then rem_user;
else add_user;
fi


exit $?
So, to create our ssh user we run: $HOME/my-ssh-user
and to delete our ssh user we run: $HOME/my-ssh-user -d

(!) Beacause our user is a scheme of our IP addess, we need every time the IP address change
somehow the username to be updated. In othet words to create the user every time to connect to
the net so an new (maybe) IP we gonna have, and to delete it (?), if we disconnect !

(!) To everyone that uses the Debian/Kali network implementetion, this is gonna be easy enough.
Everytime an interface goes
UP or CONNECTED, executed the scripts in the folder: /etc/network/if-up.d
and
DOWN or DISCONNECTED, executed the scripts in the folder:/etc/network/if-post-down.d

(*) So we need to put the commands :
$HOME/my-ssh-user into the /etc/network/if-up.d directory
$HOME/my-ssh-user -d into the /etc/network/if-post-down.d directory

(*) Every time theese scripts execute an env variable named IFACE exist so to what interface is
to be UP or DOWN. This can be 'lo', 'eth0', 'wlan0', or '-all', or any other network interface have in
the /etc/network/interfaces you have set.
Because i use my WLAN interface to connected to the net, i let my script to run ONLY when IFACE='wlan0',
and just exit in any other case. You can change it as your needs.


echo "[ \"x\$IFACE\" != \"xwlan0\" ] && exit 0" >/etc/network/if-up.d/my-ssh-user
echo "/bin/sh -c \"$HOME/my-ssh-user\" " >>/etc/network/if-up.d/my-ssh-user
chmod 755 /etc/network/if-up.d/my-ssh-user

echo "[ \"x\$IFACE\" != \"xwlan0\" ] && exit 0" > /etc/network/if-post-down.d/my-ssh-user
echo "/bin/sh -c \"$HOME/my-ssh-user\" " >> /etc/network/if-post-down.d/my-ssh-user
chmod 755 /etc/network/if-post-down.d/my-ssh-user


(!) That's all.
Disconnect, Connect, or manually run $HOME/my-ssh-user, without any args
and your new SSH user will created. If your IP address is ie : 192:168:1:12,
you can connect to your machine by using SSH :


ssh 192x168x1x12@192.168.1.12
Password: <password>


(!!!) This was just an idea. You can use several transformation to your IP, easy mathematical equations,
characte replacement, all of them and much more, to make User-name list files simply useless.


* keep ur spirit on top


Sat Jan 11 07:14

spawn
2014-01-13, 04:24
Hi,

Try this

https://calomel.org/openssh_gatekeeper.html

prompt_32
2014-01-14, 00:51
Hi, spawn, thanks for this

my logic goes the other way, i try to keep auth mechanisms inside my machine as much as i can,
and i think linux is ok for this !