Ssh-faker 1.1
There's a worm out there that tries to log in through ssh using a long
list of popular usernames and passwords. If you don't want it to succeed,
it's a good idea to not let it connect to your actual sshd program.
Ssh-faker was initially written to deal with buffer overflow attacks
back when sshd was vulnerable (it may still be), but it works well for
this too.
This program is called from a rule in /etc/hosts.deny whenever someone
connects to port 22. If they don't type in a plaintext password, or they
type the wrong password, they get an ssh-compatible error message, and a
syslog message is generated. If they type in the right password, their
address is added to /etc/hosts.allow, and their next connection will reach
the real sshd.
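
Added example, not ssh-faker's own code: the gate decision described above, written in Python. It validates the address before it can reach /etc/hosts.allow, compares the password in constant time, and keeps the typed text out of the log. The function names, the "ssh-gate" log prefix and the sample secret are assumptions made for illustration.

```python
import hmac
import ipaddress

# Reply texts are the ones shown in the page's test session.
SUCCESS = "Success! You can now ssh to this computer."
REJECT = ("Your ssh version is too old and is no longer supported. "
          "Please install a newer version.")


def allow_entry(client_addr):
    """Return the hosts.allow line for a bare IPv4 address, else None."""
    try:
        ip = ipaddress.IPv4Address(client_addr)
    except ValueError:
        # Anything with spaces, colons or newlines could smuggle extra
        # rules into hosts.allow, so it is never written out.
        return None
    return f"sshd : {ip} : ALLOW"


def gate(client_addr, typed_line, secret, existing_entries):
    """Decide one connection; returns (reply, entry_to_append, log_message)."""
    entry = allow_entry(client_addr)
    if entry is None:
        return REJECT, None, "ssh-gate: rejected, unparseable client address"
    typed = typed_line.rstrip(b"\r\n")
    # compare_digest does not reveal through timing how many bytes matched.
    if not hmac.compare_digest(typed, secret):
        # Log source and length only: a near-miss password stays out of syslog.
        return REJECT, None, f"ssh-gate: rejected {client_addr}, {len(typed)} bytes typed"
    if entry in existing_entries:
        # Already allowed: appending again would only grow the file.
        return SUCCESS, None, f"ssh-gate: {client_addr} already allowed"
    return SUCCESS, entry, f"ssh-gate: allowed {client_addr}"


if __name__ == "__main__":
    secret = b"correct horse"  # constructed sample secret
    allowed = ["sshd : 11.22.33.44 : ALLOW"]  # the preloaded entry
    for addr, line in [("11.22.33.44", b"correct horse\r\n"),
                       ("10.0.0.7", b"password\n"),
                       ("10.0.0.7", b"correct horse\n"),
                       ("10.0.0.7 : ALLOW\nALL", b"correct horse\n")]:
        reply, entry, log = gate(addr, line, secret, allowed)
        print(repr(addr), "->", reply, "| append:", entry, "| log:", log)
```
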
In my opinion, this is better than denying ip addresses as soon as they
fail ssh logins three times because:
- I don't want to be locked out of my own computer if I
can't type my password right for some reason (broken key on
keyboard/fingers on wrong keys/too much caffeine+sugar?)
- This way, the /etc/hosts.deny file or iptables deny list
doesn't grow all the time.
- The bad guys can't get more chances just by changing their
ip address.
To install it:
# tar xzf ssh-faker-1.1.tar.gz
# cp ssh-faker-1.1/ssh-faker /usr/bin
# vi /usr/bin/ssh-faker (CHANGE THE DEFAULT PASSWORD!)
Preload at least one good ip address into /etc/hosts.allow, in case the
test doesn't work (bad pathname, typo, act of god, whatever), and you'd
like to be able to fix the problem without having to stand in front of your
server (a real pain when it's in a different country):
# echo sshd : 11.22.33.44 : ALLOW >> /etc/hosts.allow
# echo sshd : ALL : twist /usr/bin/ssh-faker %a >> /etc/hosts.deny
To test it:
# ssh localhost
Received disconnect from 127.0.0.1: Your ssh version is too
old and is no longer supported. Please install a newer version.
# telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.7.1p1
>> password
Success! You can now ssh to this computer.
Connection closed by foreign host.
# ssh localhost
Last login: Sat Jul 16 11:37:38 2005 from localhost.localdomain
#
If the test fails, IMMEDIATELY comment out the 'sshd' line from
/etc/hosts.deny, fix the problem, then uncomment before testing again.
This could REALLY save your posterior!
License: GPL
Author: Charles Howes <ssh-faker2*ch.pkts.ca>
Changelog: ssh-faker-changelog
Download: ssh-faker-1.1.tar.gz
ssh-faker-1.1-1.i386.rpm
ssh-faker-1.1-1.src.rpm
Older download: ssh-faker-1.0.tar.gz
ssh-faker-1.0-1.i386.rpm
ssh-faker-1.0-1.src.rpm