
Build a fake SSH server under OpenBSD with PacketFilter and sshesame

Introduction:

If you host a public server with an SSH daemon, you should be familiar with brute-force attacks...

$ cat /var/log/authlog

Aug  3 12:00:47 blog sshd[25418]: Failed password for root from 1.164.135.169 port 35320 ssh2
Aug  3 12:00:51 blog sshd[25418]: error: maximum authentication attempts exceeded for root from 1.164.135.169 port 35320 ssh2 [preauth]
Aug  3 12:00:51 blog sshd[25418]: Disconnecting authenticating user root 1.164.135.169 port 35320: Too many authentication failures [preauth]

I solved this problem years ago with PacketFilter, so only the people connecting from my local network or my VPN may access my SSH server:

$ doas vi /etc/pf.conf

table <allowsshd> { 192.168.1.0/24, 2a01:cb06:3e0:eb00::/56 } persist
block drop in quick on re0 proto tcp from !<allowsshd> to any port ssh

But... I asked myself: what if I could make hackers waste their time, like I already do with mail spammers and spamd? So I decided to set up an evil plan!


What do we need?

  1. sshesame: A fake SSH server that lets everyone in and logs their activity
  2. PacketFilter: Our powerful OpenBSD firewall

To make it simple:

  • When someone tries to connect with SSH on the server port 22:

    • If the host is in the allowsshd table, it can connect to the real SSH server
    • If the host is NOT in the allowsshd table, it is redirected to the fake SSH server running unprivileged at localhost:2022

Practice!

Time to achieve our evil plan...

1. Install and run sshesame:

We need the Go language, git, and a valid SSH key:

$ doas pkg_add go git
$ go get -u github.com/jaksi/sshesame
$ ssh-keygen -C "badhackersarebad@cagedmonster.net"
Enter file in which to save the key (/home/lina/.ssh/id_rsa): /home/lina/go/bin/fakessh
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/lina/go/bin/fakessh.

Let's run our service:

$ ./sshesame -host_key ./fakessh
INFO[0000] Listening listen_address="127.0.0.1:2022"

2. Configure PacketFilter

We create the table of trusted hosts.
We allow our trusted hosts to access our real SSH server.
We redirect the other hosts to our fake server.

$ doas vi /etc/pf.conf

table <allowsshd> { 192.168.1.0/24, 2a01:cb06:3e0:eb00::/56 } persist
pass in quick on re0 proto tcp from <allowsshd> to any port ssh
pass in log on egress inet proto tcp from !<allowsshd> to egress port ssh rdr-to lo0 port 2022

$ doas pfctl -f /etc/pf.conf
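For readers assembling the ruleset from scratch, here is a complete pf.conf built around the two rules above. It is an added example, not the post's own file: it assumes re0 is the egress interface, that the real sshd listens on port 22 and that sshesame listens on 127.0.0.1:2022 as in the post. The important detail it adds is `set skip on lo` (the OpenBSD default template already contains it): the redirected packets arrive on lo0, so they must not be filtered there. Note also that the rdr rule is `inet` only, as in the post, so IPv6 clients outside the table are simply refused by the default block rule.

```pf
# Added example pf.conf, not the post's own file. Assumes re0 is the egress
# interface, sshd on port 22 and sshesame on 127.0.0.1:2022.

set skip on lo      # OpenBSD default; redirected packets land on lo0 and must not be filtered there
block return        # default deny: whatever is not matched below is refused

table <allowsshd> { 192.168.1.0/24, 2a01:cb06:3e0:eb00::/56 } persist

# trusted networks reach the real sshd on port 22
pass in quick on re0 proto tcp from <allowsshd> to any port ssh

# everyone else is silently redirected to the decoy (IPv4 only, as in the post)
pass in log on egress inet proto tcp from !<allowsshd> to egress port ssh rdr-to lo0 port 2022
```

Before loading it, `doas pfctl -nf /etc/pf.conf` parses the file without applying it, `doas pfctl -t allowsshd -T show` lists the current table contents, and because the rdr rule is logged, `doas tcpdump -n -e -ttt -r /var/log/pflog port 22` shows which clients were sent to the decoy.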

3. Let's see the result:

INFO[0575] Client connected                              client="98.142.108.75:37881"
INFO[0585] Password authentication accepted              client="98.142.108.75:37881" password=evilhacker user=root version=SSH-2.0-OpenSSH_7.0
INFO[0585] SSH connection established                    client="98.142.108.75:37881"
INFO[0585] Channel requested                             channel=session client="98.142.108.75:37881" payload="[]"
INFO[0585] Request received                              channel=session client="98.142.108.75:37881" payload="xterm, 80x24 (0x0 pixels)" request=pty-req
INFO[0585] Request received                              channel=session client="98.142.108.75:37881" payload="[]" request=shell
INFO[0595] Channel input received                        channel=session client="98.142.108.75:37881" line="ps aux"
INFO[0601] Terminal closed                               channel=session client="98.142.108.75:37881"
INFO[0601] Client disconnected                           client="98.142.108.75:37881"
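Once the decoy has collected a few sessions, it is useful to reduce the log to one line per client: which credentials were offered, how many commands were typed, and how long the visitor stayed. The following POSIX sh/awk summariser is an added example, not part of sshesame or the original post. It assumes the line format shown above (INFO[seconds since start], an event name, then key=value pairs with the client as client="ip:port"), and embeds a constructed sample using documentation addresses so it runs offline.

```shell
#!/bin/sh
# Added example: summarise sshesame log lines per client.
# Assumes the format shown in the post: INFO[<secs>] <event> key=value ...
# with client="ip:port" and line="<command>" on "Channel input received".

# Constructed sample log (documentation addresses), modelled on the post's output.
SAMPLE_LOG='INFO[0575] Client connected                              client="203.0.113.7:37881"
INFO[0585] Password authentication accepted              client="203.0.113.7:37881" password=evilhacker user=root version=SSH-2.0-OpenSSH_7.0
INFO[0595] Channel input received                        channel=session client="203.0.113.7:37881" line="ps aux"
INFO[0597] Channel input received                        channel=session client="203.0.113.7:37881" line="uname -a"
INFO[0601] Client disconnected                           client="203.0.113.7:37881"
INFO[0700] Client connected                              client="198.51.100.9:40000"
INFO[0705] Password authentication accepted              client="198.51.100.9:40000" password=123456 user=admin version=SSH-2.0-libssh_0.8
INFO[0710] Client disconnected                           client="198.51.100.9:40000"'

# summarize_sshesame: read sshesame log lines on stdin and print, per client,
#   <ip> <user>/<password> <commands typed> <session length in seconds>
summarize_sshesame() {
    awk '
    # value of key="..." (quoted) or key=value (bare) on the current line, "" if absent
    function field(key,    s) {
        s = $0
        if (match(s, key "=\"[^\"]*\""))
            return substr(s, RSTART + length(key) + 2, RLENGTH - length(key) - 3)
        if (match(s, key "=[^ ]*"))
            return substr(s, RSTART + length(key) + 1, RLENGTH - length(key) - 1)
        return ""
    }
    {
        # INFO[0575] -> 575 seconds since sshesame started
        t = substr($1, 6, length($1) - 6) + 0
        c = field("client"); sub(/:[0-9]+$/, "", c)      # drop the source port
        if (c == "") next
        if (!(c in order)) { order[c] = ++n; ip[n] = c }   # remember first-seen order
        if ($0 ~ /Client connected/)                         start[c] = t
        else if ($0 ~ /Password authentication accepted/)   cred[c] = field("user") "/" field("password")
        else if ($0 ~ /Channel input received/)              cmds[c]++
        else if ($0 ~ /Client disconnected/)                 dur[c] = t - start[c]
    }
    END {
        for (i = 1; i <= n; i++) {
            c = ip[i]
            printf "%s %s %d %d\n", c, (c in cred ? cred[c] : "-"), cmds[c] + 0, dur[c] + 0
        }
    }'
}

# Run on the constructed sample; on a real box feed it the file you redirected
# sshesame output into, e.g.  summarize_sshesame < sshesame.log
printf '%s\n' "$SAMPLE_LOG" | summarize_sshesame
```

The per-client line makes it easy to spot which visitors actually interact with the shell rather than just testing a password, and the user/password column is what you would feed into a list of credentials that must never be valid on the real sshd.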

I see what you did there!

CagedMonster


« I know everyone I've been everywhere I know everything Because I'm everybody » Ether - Nothingface
