HISTORY
Ok, just some days ago, I was hacked. I was watching a nice story on a live channel, and after this tried
to open a program, .... it did not work. Ah, ok, I was disconnected. Just connect! No auto-connect! ******, useless NetManager ...
Restart the modem, not working, missing system-connections files. Ok, just go to /etc/ to see what ...
Easy job, my /etc/ dir was EMPTY!
Ok, I know it's me, I play too much with the OS, but I didn't touch the keyboard in the last 3-4 hours,
so a script from conky, my server, ..., but why now and not yesterday? It's her, but how? She won't, and she's not.
But it is a user; no matter if the only user is root, it IS a user.
( bla-bla-bla bla-bla-bla ),
/var/log/auth.log, what is this file? Hmm, let's do a script ...

File:u-hacked
Code:
#!/bin/bash

# Usage: u-hacked [-v]
#
# Summarise the sshd password attempts in auth.log per source address:
# first and last timestamp, failed tries, accepted logins and, with -v,
# the invalid user names that were tried from that address.

AUTHFILE="/var/log/auth.log"
[ ! -f "$AUTHFILE" ] && echo "$AUTHFILE does not exist" && exit 1

[ "x$1" = "x-v" ] && BEVERBOSE='1'

do_666 (){

    OFILE="$(mktemp -q)"
    [ ! -f "$OFILE" ] && echo "'$OFILE' not created!" && exit 1

    # keep only the sshd lines that record the outcome of a password attempt
    grep sshd "$AUTHFILE" | grep -e ": Failed" -e ": Accepted" >"$OFILE"

    # one entry per source address; the address follows "from " on every
    # Failed/Accepted line, so attempts against real accounts (e.g. root)
    # are listed too, not only the "invalid user" ones
    HOSTS="$(sed -n 's/.* from \([0-9a-fA-F.:]*\) port .*/\1/p' "$OFILE" | sort -u)"

    echo "---------------------------------------------------------------------------"
    echo "'$AUTHFILE'"
    echo "---------------------------------------------------------------------------"
    echo "  DATE(first)      Date(last)             IP        Tries Hits  Names"
    echo "---------------------------------------------------------------------------"

    for u in $HOSTS; do
        # -w: 1.2.3.4 must not also match 11.2.3.45
        grep -wF "$u" "$OFILE" >"$OFILE.host"
        echo -n \
        " $(head -n 1 "$OFILE.host" | awk '{print $1"_"$2"_"$3}')" \
        " $(tail -n 1 "$OFILE.host" | awk '{print $1"_"$2"_"$3}')" \
        "$u" \
        " $(grep -c Failed   "$OFILE.host")" \
        " $(grep -c Accepted "$OFILE.host")" \
        | awk '{printf "%-16s %-16s %15s   %5u %4u ",$1,$2,$3,$4,$5}'
        # -v: the user names that were tried and do not exist on this box
        [ -n "$BEVERBOSE" ] && echo -n " (" $(sed -n 's/.*invalid user \([^ ]*\) from.*/\1/p' "$OFILE.host" | sort -u) ")"
        echo ""
    done

    rm -f "$OFILE" "$OFILE.host"
}

do_666
exit $?
What did I see?
My sshd server was brute forced more than 700 times, and my root account was broken 3-4 times.
My root password? 'root' !!! ( no laughs, no comments, please )

THE PROBLEM
To make an SSH user/password impossible to crack (at least in practice) !!!
IDEAS
Q: A very complicated and long password.
A: It's going to be difficult for me too, and if for 'root' I must type it on every login, ..., not uncrackable (at least in theory)
Q/A, Q/A, ....
Q: A real-time-name user (and/or a real-time-name group), and just a password.
A: That sounds good !!!
MY PERSONAL SOLUTION
I'm going to create a new user, belonging to a new group + sudo;
its name will be a scheme of my IP address, which I always know, and because of this
the user/group will be created every time I connect to the inet, and deleted when I don't!

HOW-TO
GROUP:'okey'
GID:9999
USER:my ip address, with 'x' instead of dots
UID:9999
PASS: password

(*) We add the group to /etc/ssh/sshd_config so that it starts like this:
Code:
$ root(1) ~ > cat /etc/ssh/sshd_config 
# Package generated configuration file 
# See the sshd_config(5) manpage for details  
AllowGroups okey  
...... 
.......
In this way the SSH server will allow ONLY users of the group 'okey' to connect.
You can change it or remove it completely. The Debian/Kali default SSH config doesn't include this at all.

(*) Create an empty executable file (i.e. $HOME/my-ssh-user)
Code:
echo >"$HOME/my-ssh-user"
chmod 700 "$HOME/my-ssh-user"
(*) And copy+paste the following into it
File:my-ssh-user
Code:
#!/bin/bash
#
#    Usage: 
#        my-ssh-user            # to add your user
#        my-ssh-user -d         # to remove your user
#


SSH_GROUP='okey'
SSH_GID='9999'
SSH_USER=''
SSH_UID='9999'
SSH_PASS='password'


add_user (){
    ##               get the IP                         replace '.' with 'x'
    SSH_USER="$(wget -o /dev/null -T 10 -O - http://i.ngx.cc/ | tr -d '[:space:]' | sed 's/\./x/g')"

    # no IP (lookup failed, network not up yet): never create a user with an empty or bogus name
    case "$SSH_USER" in
        ""|*[!0-9x]*) echo "could not get the IP address, no user created"; return 1 ;;
    esac

    groupadd -f -g "$SSH_GID" "$SSH_GROUP" >/dev/null 2>&1
    echo "groupadd:$?"

    # a user left over from a previous IP still holds our UID: remove it first
    OLD_USER="$(getent passwd "$SSH_UID" | cut -d: -f1)"
    [ -n "$OLD_USER" ] && [ "$OLD_USER" != "$SSH_USER" ] && userdel "$OLD_USER" >/dev/null 2>&1

    useradd -M -N --uid "$SSH_UID" --gid "$SSH_GID" -s /bin/bash "$SSH_USER" >/dev/null 2>&1
    echo "useradd:$?"

    # passwd wants a terminal when piped to, chpasswd reads "user:password" from stdin
    echo "$SSH_USER:$SSH_PASS" | chpasswd >/dev/null 2>&1
    echo "chpasswd:$?"

    # adduser "$SSH_USER" sudo 
    # adduser "$SSH_USER" root 
    }

rem_user (){
    # when the interface goes down the IP lookup cannot work any more,
    # so find the user by its fixed UID instead of recomputing the name
    SSH_USER="$(getent passwd "$SSH_UID" | cut -d: -f1)"
    [ -z "$SSH_USER" ] && echo "no user with UID $SSH_UID" && return 0

    userdel "$SSH_USER" >/dev/null 2>&1
    echo "userdel:$?"
    }


if [ "$1" = "-d" ]; 
then rem_user; 
else add_user; 
fi


exit $?
So, to create our SSH user we run: $HOME/my-ssh-user
and to delete our SSH user we run: $HOME/my-ssh-user -d

(!) Because our user is a scheme of our IP address, the username needs to be updated somehow
every time the IP address changes. In other words, create the user every time we connect to
the net (since we may get a new IP), and delete it (?) when we disconnect!

(!) For everyone who uses the Debian/Kali network implementation, this is easy enough.
Every time an interface goes
UP or CONNECTED, the scripts in the folder /etc/network/if-up.d are executed,
and when it goes
DOWN or DISCONNECTED, the scripts in the folder /etc/network/if-post-down.d are executed.

(*) So we need to put the commands :
$HOME/my-ssh-user into the /etc/network/if-up.d directory
$HOME/my-ssh-user -d into the /etc/network/if-post-down.d directory

(*) Every time these scripts execute, an env variable named IFACE exists, telling which interface
is going UP or DOWN. This can be 'lo', 'eth0', 'wlan0', or '-all', or any other network interface you have
set in /etc/network/interfaces.
Because I use my WLAN interface to connect to the net, I let my script run ONLY when IFACE='wlan0',
and just exit in any other case. Change it to your needs. ($HOME is expanded when the hooks are written,
so run this as the root user whose home holds my-ssh-user.)
Code:
cat >/etc/network/if-up.d/my-ssh-user <<EOF
#!/bin/sh
[ "x\$IFACE" != "xwlan0" ] && exit 0
exec /bin/sh -c "$HOME/my-ssh-user"
EOF
chmod 755 /etc/network/if-up.d/my-ssh-user

cat >/etc/network/if-post-down.d/my-ssh-user <<EOF
#!/bin/sh
[ "x\$IFACE" != "xwlan0" ] && exit 0
exec /bin/sh -c "$HOME/my-ssh-user -d"
EOF
chmod 755 /etc/network/if-post-down.d/my-ssh-user
(!) That's all.
Disconnect, connect, or manually run $HOME/my-ssh-user without any args,
and your new SSH user will be created. If your IP address is e.g. 192.168.1.12,
you can connect to your machine using SSH:
Code:
ssh 192x168x1x12@192.168.1.12
Password: <password>
(!!!) This was just an idea. You can apply several transformations to your IP, easy mathematical equations,
character replacement, all of them and much more, to make user-name list files simply useless.
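A worked version of one such transformation, added here as an example and not part of the original post: the octet order is reversed and a per-machine OFFSET is added to each octet (both the rule and the value 7 are assumptions, pick your own), and the function refuses anything that is not a dotted quad, so an empty result from the IP lookup never turns into a user name.

```shell
#!/bin/sh
# Added example (not from the original post): derive the SSH login name from
# the current IP with a small transformation instead of plain "dots to x".
# Assumed scheme: reverse the octet order, add OFFSET to every octet
# modulo 256, join with 'x' and prefix a letter. OFFSET is a constructed
# per-machine constant; choose your own and use the same one on both sides.
OFFSET=7

# ip_to_user IP  -> prints the login name; returns 1 for anything that is
# not a dotted quad (e.g. the empty string when the IP lookup failed)
ip_to_user() {
    ip="$1"
    case "$ip" in
        ""|.*|*.|*..*|*[!0-9.]*) return 1 ;;
    esac
    # split into octets; the default IFS does the word splitting
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    # a leading letter keeps the name from ever being all digits, which
    # tools such as chown would read as a UID instead of a name
    printf 'u%sx%sx%sx%s\n' \
        "$(( ($4 + $OFFSET) % 256 ))" "$(( ($3 + $OFFSET) % 256 ))" \
        "$(( ($2 + $OFFSET) % 256 ))" "$(( ($1 + $OFFSET) % 256 ))"
}

# Both sides compute the same name: the if-up hook when creating the user,
# and you before typing  ssh "$(ip_to_user 192.168.1.12)@192.168.1.12"
ip_to_user 192.168.1.12    # constructed sample address
```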


* keep ur spirit on top
Sat Jan 11 07:14