Good way to log failed password attempts with Bitvise SSH Server?

Tawnos (2[H]4U, joined Sep 9, 2001, 3,808 messages)
So, I've had a ton of login attempts tonight:
[attached screenshot of the login attempts]

IP resolves to Moscow. Probably a botnet, but I've had very few attempts since changing the port from standard.

I'd like to log the attempts used by such bots or skiddies. My system is set up to only accept certificates, generated and transported by sneakernet. So there's no chance of mistakenly typing my own password (also randomly generated) and logging it.

Any ideas? I could docker or Hyper-V any Linux image needed (I have my Kali instance on Hyper-V at the moment, using iSCSI to my Synology NAS), but I hope there's someone out there who's tried to do something similar. Sure, I can mirror a port to capture the traffic, but I'm also looking to keep the plaintext username: password attempts, especially if there are nonstandard bytes in there. May be useful for spotting new exploit attempts too, perhaps.
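The storage side of what the original post asks for, as an added example that is not from this thread and has nothing to do with Bitvise itself: a small standard-library Python module that takes the raw username and password bytes an SSH listener hands over (the listener, for example a honeypot library's auth callback, is assumed and not shown), writes them to a JSON-lines log in a lossless, terminal-safe escaped form so the "nonstandard bytes" the post cares about are preserved and visible, and aggregates the log per source IP. Function names, the `odd_bytes` flag and the sample attempts (including the source IPs) are all constructed for this example.

```python
import io
import json
import re
from collections import Counter
from datetime import datetime, timezone

_ESC = re.compile(r"\\x([0-9a-f]{2})")


def escape_bytes(raw: bytes) -> str:
    """Render arbitrary bytes as printable ASCII. Bytes outside 0x20..0x7E,
    and the backslash itself, become \\xNN, so the stored form is lossless
    and safe to grep or view in a terminal (a bot's "password" may be anything)."""
    return "".join(
        chr(b) if 0x20 <= b < 0x7F and b != 0x5C else f"\\x{b:02x}" for b in raw
    )


def unescape_bytes(text: str) -> bytes:
    """Inverse of escape_bytes(); recovers the exact original bytes."""
    return _ESC.sub(lambda m: chr(int(m.group(1), 16)), text).encode("latin-1")


def make_record(source_ip: str, username: bytes, password: bytes, when=None) -> dict:
    """One JSON-serialisable record per authentication attempt (constructed schema)."""
    when = when or datetime.now(timezone.utc)
    blob = username + password
    return {
        "ts": when.isoformat(),
        "src": source_ip,
        "user": escape_bytes(username),
        "pass": escape_bytes(password),
        # Flag attempts carrying control or non-ASCII bytes so they are easy to find later.
        "odd_bytes": any(b < 0x20 or b >= 0x7F for b in blob),
    }


def record_attempt(sink, source_ip: str, username: bytes, password: bytes, when=None) -> dict:
    """Append one JSON line to `sink` (any text file object) and return the record."""
    rec = make_record(source_ip, username, password, when)
    sink.write(json.dumps(rec) + "\n")
    return rec


def summarize(jsonl_text: str) -> dict:
    """Aggregate a JSONL log: attempts per source IP, most-tried usernames,
    and how many attempts carried odd bytes."""
    by_src, users, odd = Counter(), Counter(), 0
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        by_src[rec["src"]] += 1
        users[rec["user"]] += 1
        odd += int(rec["odd_bytes"])
    return {"by_src": dict(by_src), "top_users": users.most_common(3), "odd_bytes": odd}


# Constructed sample attempts, standing in for what an SSH listener would hand over.
SAMPLE_ATTEMPTS = [
    ("203.0.113.7", b"root", b"123456"),
    ("203.0.113.7", b"admin", b"admin"),
    ("203.0.113.7", b"root", b"pa\x00ss\xff"),   # embedded NUL and a high byte
    ("198.51.100.9", b"user", b"C:\\secret"),    # literal backslash, still printable
]


def demo() -> dict:
    """Log the constructed attempts to an in-memory file and summarise them."""
    sink = io.StringIO()
    stamp = datetime(2024, 1, 1, tzinfo=timezone.utc)
    for src, user, pw in SAMPLE_ATTEMPTS:
        record_attempt(sink, src, user, pw, stamp)
    return summarize(sink.getvalue())


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real deployment `sink` would be an append-only file on a box that accepts no real logins, as the post describes, and `summarize` would run over that file to spot which sources and usernames recur; the escaped form keeps the log readable while `unescape_bytes` gives back the exact bytes when an unusual attempt deserves a closer look.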
 
What do you qualify as a log? This looks like a log to me...?

Like, what additional details are you trying to view? This is just internet noise, and doing what you did by changing from standard ports can cut down the noise a bit, but won't eliminate it.
 
I want to log the actual username/password attempts that are currently being logged as lockout, per this: "I'm also looking to keep the plaintext username: password attempts".
 
My mistake, must have missed that.

It looks like the attempt was actually blocked due to GeoIP, but it logs it as a failed login attempt. I don't think the other end is getting an auth prompt to be honest.

Other than that, I don't have much to add here.
 

It's blocked because I IP ban anyone who tries to authenticate with username and password. Though I may have changed the setting to not even allow auth attempts when IP banned, I think for a while I had it still allow them to try authenticating (even though it would do them no good since username/password isn't accepted).
 
Well it looks like you have blacklisted username parameters set up according to the log. Which usernames do you have blacklisted to meet this criteria?
 
All of them. I only allow certificate based auth.
 