https://systemoverlord.com/tags/ssh.htmlRecent content in SSH on System OverlordHugoen-usdavid@systemoverlord.com (David Tomaschik)david@systemoverlord.com (David Tomaschik)Fri, 04 Sep 2020 00:00:00 +0000https://systemoverlord.com/2020/09/04/lessons-learned-from-ssh-credential-honeypots.htmlFri, 04 Sep 2020 00:00:00 +0000david@systemoverlord.com (David Tomaschik)https://systemoverlord.com/2020/09/04/lessons-learned-from-ssh-credential-honeypots.html<p>For the past few months, I&rsquo;ve been running a handful of SSH Honeypots on some cloud providers, including <a href="https://cloud.google.com">Google Cloud</a>, <a href="https://m.do.co/c/b2cffefc9c81">DigitalOcean</a>, and <a href="https://shareasale.com/r.cfm?b=1380239&amp;u=2497236&amp;m=46483&amp;urllink=&amp;afftrack=">NameCheap</a>. As opposed to more complicated honeypots looking at attacker behavior, I decided to do something simple and was only interested in where they were coming from, what tools might be in use, and what credentials they are attempting to use to authenticate. My dataset includes 929,554 attempted logins over a period of a little more than 3 months.</p> <p>If you&rsquo;re looking for a big surprise, I&rsquo;ll go ahead and let you down easy: my analysis hasn&rsquo;t located any new botnets or clusters of attackers. But it&rsquo;s been a fascinating project nonetheless.</p>https://systemoverlord.com/2017/01/04/new-tool-sshdog.htmlWed, 04 Jan 2017 00:00:00 +0000david@systemoverlord.com (David Tomaschik)https://systemoverlord.com/2017/01/04/new-tool-sshdog.html<p>I recently needed an <em>encrypted</em>, <em>authenticated</em> remote <em>bind</em> shell due to a situation where, believe it or not, the egress policies were stricter than ingress! Ideally I could forward traffic and copy files over the link.<br> I was looking for a good tool and casually asked my coworkers if they had any ideas when one said &ldquo;sounds like SSH.&rdquo;</p> <p><em>Well, shit.</em> That does sound like SSH and I didn&rsquo;t even realize it. (Tunnel vision, and the value of bouncing ideas off of others.) But I had a few more requirements in total:</p>https://systemoverlord.com/2011/09/20/using-an-ssh-connection-to-provide-remote-support-part-i/Tue, 20 Sep 2011 15:37:46 +0000david@systemoverlord.com (David Tomaschik)https://systemoverlord.com/2011/09/20/using-an-ssh-connection-to-provide-remote-support-part-i/<p> Last week, at the ALE meeting, a question came up about using SSH to provide remote support for someone who is not especially Linux-literate.  I suggested using an SSH reverse tunnel so the end-user wouldn't need to worry about firewalls, NAT, etc.</p> <p> Thinking about the problem, I realize that it's a little more complicated than that.  So in part 1, I'm going to discuss the general solution and the approach to the problem.  In Part II, I'll present a more comprehensive solution that will (I think) scale better.</p>https://systemoverlord.com/2011/02/19/ssh-across-a-layer-7-filter/Sat, 19 Feb 2011 03:14:50 +0000david@systemoverlord.com (David Tomaschik)https://systemoverlord.com/2011/02/19/ssh-across-a-layer-7-filter/<p>Every once in a while, I find myself in a situation behind some sort of device that filters a lot of traffic.  Most often, it's on my laptop at some facility (e.g., coffee shop) that only allows HTTP/HTTPS out.  For a while, I just listened for SSH traffic on port 443 (HTTPS) to connect through port-based firewalls.  However, a few times now I've seen a connection reset immediately after the SSH handshake started (during the protocol&amp;cipher negotation).  Looking at them through WireShark made it obvious it wasn't a server or client problem, but some intermediate device sending a RST.</p>