SSH Credentials
Description
General
- Documentation: https://tools.ietf.org/html/rfc4251
- Summary: The Secure Shell (SSH) Protocol is a protocol for secure remote login, command-line and other secure network services over an insecure network. This detector aims at catching ssh authentication, typically in a command line, using a username separated by a
@from a host, and a password or in the form of variable assignments. - IPs allowlist: IP addresses granted with access to the remote host can be restricted by setting iptables rules on the server side.
- Scopes: Users management can be set on the server side to restrict user rights on the machine.
Revoke the secret
A revocation list can be set on the server side to specify some rsa public key that should not be granted access.
Check for suspicious activity
All activities and connection attempts can be logged on the server.
Details for SSH password
-
Family: identifiers
-
Category: remote_access
-
High recall: False
-
Validity check available: True
-
Analyzer available: False
-
On-premise instances exist: False
-
Only valid secrets raise an alert: False
-
Minimum number of matches: 3
-
Occurrences found for one million commits: 6.8
-
Prefixed: False
-
PreValidators:
- type: FilenameBanlistPreValidator
banlist_extensions: []
banlist_filenames: []
check_binaries: false
include_default_banlist_extensions: true
ban_markup: true
- type: ContentWhitelistPreValidator
patterns:
- sshpass
Examples
- text: |
+cp ../data/aviso.json /home/triagoz/webapp/kbalem/data
+#cp to screen app
+sshpass -p 'ghjdmoo5giedaiwahC' scp /home4/homedir4/perso/kbalem/DIVAA/data/*.js sftp-vaa@lpo-www.univ-leak.fr:data/
password: ghjdmoo5giedaiwahC
username: sftp-vaa
host: lpo-www.univ-leak.fr
- text: |
+cp ../data/aviso.json /home/triagoz/webapp/kbalem/data
+#cp to screen app
+sshpass -p 'ghjdmo.5giedaiwahC' scp /home4/homedir4/perso/kbalem/DIVAA/data/*.js sftp-vaa@lpo-www.univ-leak.fr:data/
password: ghjdmo.5giedaiwahC
username: sftp-vaa
host: lpo-www.univ-leak.fr
Details for SSH password with port
-
Family: identifiers
-
Category: remote_access
-
High recall: False
-
Validity check available: True
-
Analyzer available: False
-
On-premise instances exist: False
-
Only valid secrets raise an alert: False
-
Minimum number of matches: 4
-
Occurrences found for one million commits: 30.0
-
Prefixed: False
-
PreValidators:
- type: FilenameBanlistPreValidator
banlist_extensions: []
banlist_filenames: []
check_binaries: false
include_default_banlist_extensions: true
ban_markup: true
- type: ContentWhitelistPreValidator
patterns:
- sshpass
Examples
- text: |
sshpass -p grezglkh ssh -p 2299 -o StrictHostKeyChecking=no sftp-vaa@lpo-www.univ-leak.fr
password: grezglkh
port: '2299'
username: sftp-vaa
host: lpo-www.univ-leak.fr
- text: |
sshpass -p grezglkh ssh -o Port=2022 -o StrictHostKeyChecking=no sftp-vaa@lpo-www.univ-leak.fr
password: grezglkh
port: '2022'
username: sftp-vaa
host: lpo-www.univ-leak.fr
Details for SSH Credentials
-
Family: identifiers
-
Category: remote_access
-
High recall: False
-
Validity check available: True
-
Analyzer available: False
-
On-premise instances exist: False
-
Only valid secrets raise an alert: False
-
Minimum number of matches: 3
-
Occurrences found for one million commits: 0.2
-
Prefixed: False
-
PreValidators:
- type: FilenameBanlistPreValidator
banlist_extensions: []
banlist_filenames: []
check_binaries: false
include_default_banlist_extensions: true
ban_markup: true
- type: ContentWhitelistPreValidator
patterns:
- ssh
Examples
- text: |
+ String strSshUser = "cits3003-administrator"; // SSH login username
+ String strSshPassword = "cits3003@@"; // SSH login password
+ String strSshHost = "130.95.123.321"; // hostname or ip or SSH server
username: cits3003-administrator
password: cits3003@@
host: 130.95.123.321
- text: |
- <connection name="ffcstat11" sshUser="nixslo" auth="foobared" port="6379" sshHost="stat.fastfreeleaker.com" sshPassword="Thoo4Ibael4ie" sshPort="221" host="redis_srv"/>
username: nixslo
password: Thoo4Ibael4ie
host: stat.fastfreeleaker.com
