Skip to main content

SSH Credentials

Description#

General#

  • Documentation: https://tools.ietf.org/html/rfc4251
  • Summary: The Secure Shell (SSH) Protocol is a protocol for secure remote login, command-line and other secure network services over an insecure network. This detector aims at catching ssh authentication, typically in a command line, using a username separated by a @ from a host, and a password or in the form of variable assignments.
  • IPs allowlist: IP addresses granted with access to the remote host can be restricted by setting iptables rules on the server side.
  • Scopes: Users management can be set on the server side to restrict user rights on the machine.

Revoke the secret#

A revocation list can be set on the server side to specify some rsa public key that should not be granted access.

Check for suspicious activity#

All activities and connection attempts can be logged on the server.

Details for Ssh password#

  • Category: Development tool

  • High recall: False

  • Validity check available: True

  • Only valid secrets raise an alert: False

  • Minimum number of matches: 3

  • Occurrences found for one million commits: 3.17

  • Prefixed: False

  • PreValidators:

- type: FilenameBanlistPreValidator  banlist_extensions:  - ^(cs|x|p|s|r)?html5?~?$  - ^[aps]?cssc?~?$  - ^lock$  - ^mdx?~?$  - ^storyboard(c|er)?~?$  - ^xib$  banlist_filenames: []  check_binaries: false- type: ContentWhitelistPreValidator  patterns:  - sshpass

Examples#

- text: >    +cp ../data/aviso.json /home/triagoz/webapp/kbalem/data    +#cp to screen app    +sshpass -p 'ghjdmoo5giedaiwahC' scp /home4/homedir4/perso/kbalem/DIVAA/data/*.js sftp-vaa@lpo-www.univ-leak.fr:data/
  password: ghjdmoo5giedaiwahC  username: sftp-vaa  host: lpo-www.univ-leak.fr

Details for Ssh password assignment#

  • Category: Development tool

  • High recall: False

  • Validity check available: True

  • Only valid secrets raise an alert: False

  • Minimum number of matches: 3

  • Occurrences found for one million commits: 0.2

  • Prefixed: False

  • PreValidators:

- type: FilenameBanlistPreValidator  banlist_extensions:  - ^(cs|x|p|s|r)?html5?~?$  - ^[aps]?cssc?~?$  - ^lock$  - ^mdx?~?$  - ^storyboard(c|er)?~?$  - ^xib$  banlist_filenames: []  check_binaries: false- type: ContentWhitelistPreValidator  patterns:  - ssh

Examples#

- text: >    +            String strSshUser = "cits3003-administrator";                  // SSH loging username    +            String strSshPassword = "cits3003@@";                   // SSH login password    +            String strSshHost = "130.95.123.321";          // hostname or ip or SSH server
  username: cits3003-administrator  password: cits3003@@  host: 130.95.123.321
- text: >    - <connection name="ffcstat11" sshUser="nixslo" auth="foobared" port="6379" sshHost="stat.fastfreeleaker.com" sshPassword="Thoo4Ibael4ie" sshPort="221" host="redis_srv"/>
  username: nixslo  password: Thoo4Ibael4ie  host: stat.fastfreeleaker.com