Results 1 to 3 of 3

Thread: My Secret SSH user ...

  1. #1
    Join Date
    2013-Dec
    Location
    greece
    Posts
    14

    Lightbulb My Secret SSH user ...

    HISTORY
    Ok, just some days before, i was hacked. I was watching a nice story in a live channel, and trying after this,
    to open a program, .... not work. Ah, ok i was disconnected. Just connect ! No auto-connect ! ******, useless NetManager ...
    Restart the modem, not work, missing system-connections files. Ok, just go to /etc/ to see what ...
    Easy job, my /etc/ dir was EMPTY !
    Ok, i know its me, i play too much with the OS, but i didnt touch the keyb the last 3-4 hours,
    so a script from conky, my server,... ,but why now and not yesterday ? It's her, but how, she wont, and she's not.
    But is a user, no matter if the only user is root, IS a user.
    ( bla-bla-bla bla-bla-bla ),
    /var/log/auth.log , what is this file ?, hmm lets do a script ...

    File:u-hacked
    Code:
    #!/bin/bash
    
    # Usage: u-hacked [-v] 
    
    AUTHFILE="/var/log/auth.log"
    [ ! -f "$AUTHFILE" ] && echo "$AUTHFILE, not exist" && exit 1
    
    [ "x$1" = "x-v" ] && BEVERBOSE='1'
    
    do_666 (){
    
        OFILE="`mktemp -q`"
        [ ! -f "$OFILE" ] && echo "'$OFILE', not created !" && exit 1
        
        cat "$AUTHFILE" |grep sshd |grep "\: Failed" >$OFILE
        cat "$AUTHFILE" |grep sshd |grep "\: Accepted" >>$OFILE
    
        HOSTS=""
        for u in \
            `cat $AUTHFILE |grep sshd |grep "password" |cut -d \] -f2- |cut -d \: -f2- |sed s/"^\ "/""/g \
                           |grep invalid |cut -d \  -f8 |grep -v "^$"`; 
         do [ -z "`echo "$HOSTS"|grep "$u"`" ] && HOSTS="$HOSTS $u"; done
    
    
        echo "---------------------------------------------------------------------------"
        echo "'$AUTHFILE'"
        echo "---------------------------------------------------------------------------"
        echo "  DATE(first)      Date(last)             IP        Tries Hits  Names"
        echo "---------------------------------------------------------------------------"
    
        IFS=' '
        for u in `echo $HOSTS`; do
            echo -n \
            " `cat $OFILE |grep $u |cut -d \  -f1,2,3 |head -n 1|sed s/" "/"_"/g`" \
            " `cat $OFILE |grep $u |cut -d \  -f1,2,3 |tail -n 1|sed s/" "/"_"/g`" \
            "$u" \
            " `cat $OFILE |grep $u |grep Failed   |wc -l`" \
            " `cat $OFILE |grep $u |grep Accepted |wc -l `"  \
            |awk '{printf "%-16s %-16s %15s   %5u %4u ",$1,$2,$3,$4,$5}'; 
            IFS=$'\n'
            [ -n "$BEVERBOSE" ] && echo  -n " (" `cat $OFILE |grep sshd |grep $u  |grep user |grep invalid |cut -d \] -f2- |cut -d \: -f2- |sed s/"^\ "/""/g |cut -d \  -f6 |sort -u` ")"
            echo      ""
        done
        
        rm -f "$OFILE"
        }
    
        do_666
        exit $?
    What i saw ?
    My sshd server was brute forced over than 700 times, and my root account broke 3-4 times
    My root password ? 'root' !!! ( no laughs, no comments, please )

    THE PROBLEM
    To make a ssh user/password, imposible to crack, (at least practical) !!!
    IDEAS
    Q: A very complicate password and long password.
    A: Its gonna to be difficult to me, too, and if for 'root' a must type in every login,..., not uncrakable (at least in theory)
    Q/A,
    Q
    /A, ....
    Q: A real-time-name user (and or a real-time-name group), and just a password.
    A: That sound good !!!
    MY PERSONAL SOLUTION
    I'm gonna create a new user, belongs to a new group + sudo,
    its name will be a scheme with my IP address that i always know, and because of this,
    this user/group will be created every time i connected to the inet, and deleted when not !

    HOW-TO
    GROUP:'okey'
    GID:9999
    USER:my ip address, with 'x' instead of dots
    UID:9999
    PASS: password

    (*) We add the group to the /etc/ssh/sshd_config
    Code:
    $ root(1) ~ > cat /etc/ssh/sshd_config 
    # Package generated configuration file 
    # See the sshd_config(5) manpage for details  
    AllowGroups okey  
    ...... 
    .......
    to start like this
    In this way SSH Server will allow ONLY users of group 'okey' to connect
    You can change it or remove it complete. Debian/Kali default SSH config dont include this at all

    (*) Create an empty executable file (ie : $HOME/my-ssh-user )
    Code:
    echo>$HOME/my-ssh-user 
    chmod 700 $HOME/my-ssh-user
    (*) And copy+paste the following into
    File:my-ssh-user
    Code:
    #!/bin/bash
    #
    #    Usage: 
    #        my-ssh-user            # to add your user
    #        my-ssh-user -d         # to remove your user
    #
    
    
    SSH_GROUP='okey'
    SSH_GID='9999'
    SSH_USER=''
    SSH_UID='9999'
    SSH_PASS='password'
    
    ##               get the IP                         replace '.' with 'x'
    SSH_USER="`wget -o /dev/null -O - http://i.ngx.cc/ |sed s/"\."/"x"/g`"
    
    
    add_user (){
        groupadd -f -g $SSH_GID $SSH_GROUP >/dev/null 2>/dev/null 1>/dev/null
        res=$?
        echo "groupadd:$res"
    
        useradd -M -N --uid $SSH_UID --gid $SSH_GID -s /bin/bash $SSH_USER >/dev/null 2>/dev/null 1>/dev/null
        res=$?
        echo "useradd:$res"
    
        echo -e "$SSH_PASS\n$SSH_PASS\n\n"|passwd $SSH_USER >/dev/null 2>/dev/null 1>/dev/null
        res=$?
        echo "passwd:$res"
    
        # adduser $SSH_USER  sudo 
        # adduser $SSH_USER  root 
        }
    
    rem_user (){
        userdel $SSH_USER >/dev/null 2>/dev/null 1>/dev/null
        res=$?
        echo "userdel:$res"
        }
    
    
    if [ "$1" = "-d" ]; 
    then rem_user; 
    else add_user; 
    fi
    
    
    exit $?
    So, to create our ssh user we run: $HOME/my-ssh-user
    and to delete our ssh user we run: $HOME/my-ssh-user -d

    (!) Beacause our user is a scheme of our IP addess, we need every time the IP address change
    somehow the username to be updated. In othet words to create the user every time to connect to
    the net so an new (maybe) IP we gonna have, and to delete it (?), if we disconnect !

    (!) To everyone that uses the Debian/Kali network implementetion, this is gonna be easy enough.
    Everytime an interface goes
    UP or CONNECTED, executed the scripts in the folder: /etc/network/if-up.d
    and
    DOWN or DISCONNECTED, executed the scripts in the folder:/etc/network/if-post-down.d

    (*) So we need to put the commands :
    $HOME/my-ssh-user into the /etc/network/if-up.d directory
    $HOME/my-ssh-user -d into the /etc/network/if-post-down.d directory

    (*) Every time theese scripts execute an env variable named IFACE exist so to what interface is
    to be UP or DOWN. This can be 'lo', 'eth0', 'wlan0', or '-all', or any other network interface have in
    the /etc/network/interfaces you have set.
    Because i use my WLAN interface to connected to the net, i let my script to run ONLY when IFACE='wlan0',
    and just exit in any other case. You can change it as your needs.
    Code:
    echo "[ \"x\$IFACE\" != \"xwlan0\" ] && exit 0" >/etc/network/if-up.d/my-ssh-user
    echo "/bin/sh -c \"$HOME/my-ssh-user\" " >>/etc/network/if-up.d/my-ssh-user
    chmod 755 /etc/network/if-up.d/my-ssh-user
    
    echo "[ \"x\$IFACE\" != \"xwlan0\" ] && exit 0" > /etc/network/if-post-down.d/my-ssh-user
    echo "/bin/sh -c \"$HOME/my-ssh-user\" " >> /etc/network/if-post-down.d/my-ssh-user
    chmod 755 /etc/network/if-post-down.d/my-ssh-user
    (!) That's all.
    Disconnect, Connect, or manually run $HOME/my-ssh-user, without any args
    and your new SSH user will created. If your IP address is ie : 192:168:1:12,
    you can connect to your machine by using SSH :
    Code:
    ssh 192x168x1x12@192.168.1.12
    Password: <password>
    (!!!) This was just an idea. You can use several transformation to your IP, easy mathematical equations,
    characte replacement, all of them and much more, to make User-name list files simply useless.


    * keep ur spirit on top
    Sat Jan 11 07:14

  2. #2
    Join Date
    2013-Mar
    Location
    Matrix
    Posts
    3
    [COLOR="#696969"]"If you aim the gun at your foot and pull the trigger, it's UNIX's job to ensure reliable delivery of the bullet to where you aimed the gun (in this case, Mr. Foot)."[/COLOR]
    m0dprob3 @ freenode

  3. #3
    Join Date
    2013-Dec
    Location
    greece
    Posts
    14
    Hi, spawn, thanks for this

    my logic goes the other way, i try to keep auth mechanisms inside my machine as much as i can,
    and i think linux is ok for this !

Similar Threads

  1. MDK3 Secret Destruction Mode
    By soxrok2212 in forum General Archive
    Replies: 160
    Last Post: 2014-07-25, 16:24
  2. create new user (user) as copy from existing user (root)
    By D0NKbet in forum General Archive
    Replies: 2
    Last Post: 2013-11-21, 07:24
  3. can't log in newly created user: /home/user/.ICEauthority not found
    By iceman81 in forum TroubleShooting Archive
    Replies: 2
    Last Post: 2013-09-29, 21:42

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •