I have already published this article on Wooyun and 91ri; today I am posting it on 51cto ...
The default SSH log does not record passwords. The goal here is to record the passwords used in login attempts, so that you can collect the attackers' SSH brute-force dictionary and then sweep back in return. The method is to apply a patch to the default SSH source.
# wget http://openbsd.cs.toronto.edu/pub/OpenBSD/OpenSSH/portable/openssh-6.6p1.tar.gz
# tar xzvf openssh-6.6p1.tar.gz
# cd openssh-6.6p1
Create a patch file Sshlog.patch in the current directory with the following code:  
--- auth-passwd.c 2014-05-25 19:51:28.000000000 -0400 +++ auth-passwd-sshlog.c 2014-02-11 12:19:42.000000000 -0500 @@ -82,6 +82,7 @@ { struct passwd * pw = authctxt- >pw; int result, ok = authctxt- >valid; + logit ("sshlog: %s %s", authctxt->user, Password); #if defined (Use_shadow) && defined (has_shadow_expire) static int expire_checked = 0; #endif
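Review bot: the added logit() call sits directly after `ok = authctxt->valid` and before anything consults `ok`, so it writes the cleartext password of every login attempt to the log, including attempts against accounts where authctxt->valid is true, which means real users' passwords and their typos are captured as well. Suggest running this build only on a dedicated honeypot host or guarding the call with `if (!authctxt->valid)`, and sending the output to a separate file readable only by root rather than the shared system log.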
Then apply the patch.
# patch --dry-run < Sshlog.patch
# patch < Sshlog.patch
Back up the SSH configuration files first
# mv /etc/ssh/ /etc/ssh_old
Compile and install SSH
# ./configure --prefix=/usr --sysconfdir=/etc/ssh --without-zlib-version-check --with-md5-passwords --mandir=/usr/share/man
Restart the SSH service
# /etc/init.d/sshd restart
The passwords used in SSH brute-force attempts will be recorded in the /var/log/message file.
You can see that the server is still being brute-forced ...
Graphing the number of brute-force attempts with d3.js makes it more intuitive (the number of times the server was brute-forced within 8 days)
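The per-day counts behind such a chart can be computed from the patched log itself. The following is an added example, not code from the original article: it parses the `sshlog: <user> <password>` lines that the patch's format string produces. The syslog prefix layout, the host name and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in classic syslog layout. Only the
# "sshlog: <user> <password>" tail comes from the patch's format string.
SAMPLE_LOG = [
    "Apr  5 03:12:44 web01 sshd[2210]: sshlog: root 123456",
    "Apr  5 03:12:47 web01 sshd[2213]: sshlog: root admin",
    "Apr  5 03:12:51 web01 sshd[2217]: sshlog: admin admin",
    "Apr  5 03:13:02 web01 sshd[2221]: Failed password for root from 203.0.113.7 port 4022 ssh2",
    "Apr  6 11:40:09 web01 sshd[3105]: sshlog: oracle pass word",  # password with a space
    "Apr  6 11:40:12 web01 sshd[3108]: sshlog: root 123456",
    "Apr  6 11:40:15 web01 sshd[3111]: sshlog: test ",             # empty password
]

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) \d{2}:\d{2}:\d{2} \S+ "
    r"sshd\[\d+\]: sshlog: (?P<user>\S+) (?P<password>.*)$"
)

def parse_sshlog(lines):
    """Yield (day, user, password) for each line written by the patched logit() call.

    "%s %s" is ambiguous: the first token is taken as the user and the rest as
    the password, so a user name containing a space would be split wrongly.
    """
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))  # keep trailing spaces: they are password bytes
        if m:
            yield f"{m['mon']} {int(m['day']):02d}", m["user"], m["password"]

def summarize(lines, top=3):
    """Count attempts per day and the most frequently tried users and passwords."""
    per_day, users, passwords = Counter(), Counter(), Counter()
    for day, user, password in parse_sshlog(lines):
        per_day[day] += 1
        users[user] += 1
        passwords[password] += 1
    return {
        "per_day": dict(per_day),
        "top_users": users.most_common(top),
        "top_passwords": passwords.most_common(top),
    }

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for day, n in report["per_day"].items():
        print(f"{day} {n:5d} {'#' * n}")      # crude text histogram per day
    print("top users:", report["top_users"])
    print("top passwords:", report["top_passwords"])
```

The `per_day` mapping is the series to feed to a charting library, and the password counts can be compared against your own accounts' passwords to spot ones that attackers are already trying.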
This article is from the "Lao Xu's Private Food" blog; reprinting is declined!
How to log SSH brute-force passwords