There's a worm out there that tries to log in through ssh using a long
list of popular usernames and passwords. If you don't want it to succeed,
it's a good idea to not let it connect to your actual sshd program.
Ssh-faker was initially written to deal with buffer overflow attacks
back when sshd was vulnerable (it may still be), but it works well for
This program is called by /etc/hosts.deny whenever someone connects to
port 22. Unless they type in a plaintext password or type the wrong
password, they get an ssh-compatible error message, and a syslog message
is generated. If they type in the right password, they are added to
/etc/hosts.allow, and their next connection will reach the real sshd.
In my opinion, this is better than denying ip addresses as soon as they
fail ssh logins three times because:
- I don't want to be locked out of my own computer if I
can't type my password right for some reason (broken key on
keyboard/fingers on wrong keys/too much caffeine+sugar?)
- This way, the /etc/hosts.deny file or iptables deny list
doesn't grow all the time.
- The bad guys can't get more chances just by changing their
To install it:
# untar ssh-faker-1.1.tar.gz
# cp ssh-faker-1.1/ssh-faker /usr/bin
# vi /usr/bin/ssh-faker (CHANGE THE DEFAULT PASSWORD!)
Preload at least one good ip address into /etc/hosts.allow, in case the
test doesn't work (bad pathname, typo, act of god, whatever), and you'd
like to be able to fix the problem without having to stand in front of your
server (a real pain when it's in a different country):
# echo sshd : 126.96.36.199 : ALLOW >> /etc/hosts.allow
# echo sshd : ALL : twist /usr/bin/ssh-faker %a >> /etc/hosts.deny
To test it:
# ssh localhost
Received disconnect from 127.0.0.1: Your ssh version is too
old and is no longer supported. Please install a newer version.
# telnet localhost 22
Connected to localhost.
Escape character is '^]'.
Success! You can now ssh to this computer.
Connection closed by foreign host.
# ssh localhost
Last login: Sat Jul 16 11:37:38 2005 from localhost.localdomain
If the test fails, IMMEDIATELY comment out the 'sshd' line from
/etc/hosts.deny, fix the problem, then uncomment before testing again.
This could REALLY save your posterior!
Author: Charles Howes <ssh-faker.ch.pkts.ca>
Older download: ssh-faker-1.0.tar.gz
Author: Charles Howes