How to find the fingerprints of public keys in authorized_keys

If you use keys for SSH authentication (and you should) then you have probably run into the situation that the auth.log shows that someone logged in, even which local user was used (e.g. root), but you have no idea which of the keys in ~/.ssh/autorized_keys was used. The first step you can do to see what is going on, is increasing the log level of the SSH daemon: /etc/ssh/sshd_config

That will spit out the fingerprint of the SSH key used to log in. Example log entry for a successful login:

Now that we have the fingerprint of the ssh key used to login, we will need ssh-keygen to […]

Continue reading

Hackit Server downtime

Sorry for the downtime, wasn’t planned. It was late last night when I set up the knock daemon, I somehow managed to accidently copy and past my terminal which resulted in about a quarter of my /etc/init.d/* scripts getting broken. Unfortunatly I didn’t notice it right away. I did notice it when I rebooted the server (kernel change) and lot’s of daemons didn’t come up (oh unimportant stuff like SSH ūüôĀ ) Well, that’s what backups are for.

Continue reading

knock daemon with INPUT chain set to default ACCEPT

I know there are plenty of pages floating around the Internet about knock daemons that open ports in a firewall after a predefined series of ports are “knocked”. For some reason ALL the pages I found assumed that a) you want the filter in your INPUT chain, and that the INPUT chain defaulted to DROP or REJECT. In my case, I’m defiantly not going to have a iptables firewall with a default that drops packets. Every few weeks I try out some new software and can’t be bothered with adjusting my firewall every time. All I need it to do is keep pesky people off my ssh, that’s all. So […]

Continue reading

Hartknäckige Scriptkiddies

Seit gestern Abend versucht irgendein Scriptkiddie mein SSH zu Bruteforce’n. Das an sich ist eigentlich nichts erw√§hnenswertes da es zum t√§glichen M√ľll geh√∂rt (wie die Spammer die offene Mail Relays suchen) und eigentlich zum allgemein “Rauschen” im Internet geh√∂rt. Nach ein paar Fehlversuche landet bei mir die IP automatisch f√ľr eine gewisse Zeit auf eine Blackliste und wird per iptables gesperrt. Was das ganze hier jedoch interssant macht ist die Hartkn√§ckigkeit derjenigen. Die meisten Kiddies merken “ach mist, meine IP wird geblockt” und versuchen es vielleicht noch von eine 2. IP bevor sie aufgeben. Der hier jedoch hat wohl eine ganze menge an Zombie Rechner zur Verf√ľgung weil er seit […]

Continue reading