Conversation

@GAS85 (Contributor) commented Dec 23, 2025

Hey, I prepared a major update for you. As I pushed it first to my private repo, it looks here as if it was all pushed within a short time. Anyway, a few changes:

  • Add ed25519 and RSA key refresh
  • Add banner consistent to the SSHd Server version
  • Add option to set profiles, default as it was per host, new per IP.
  • Increased and configurable minimum amount of retries
  • Documentation refresh and update

- Realistic versions
- Avoids bot fingerprinting
- Add Variable delay between failures
- Increase key to `3072` bits, `1024` was way too outdated
- Readme update with a new variables and add some comments to them
- Config update with `SSHD_HOSTKEY_TYPE` and `SSHD_RSA_BITS`
- Faking Session channel
- Readme example update:
  - Add isolated network example
  - Update health check with log file test to avoid empty log after system log rotation
  - Add new variables with comments
- Unused code cleanup
…different IPs

- Add random seed based on start time
- Add `SSHD_PROFILE_SCOPE` for per host, or per ip profiles
- Remove initial code to emulate succeed login - bad idea :(
@JustinAzoff (Owner) commented:

Hi!

Cool stuff.. do you think the banners may cause some issues? I'd fear that it would make ssh-auth-logger a bit too easy to fingerprint.

@GAS85 (Contributor, Author) commented Jan 2, 2026

Those are standard banners from Ubuntu, Debian and CentOS. The aim is to mimic a real system and avoid fingerprinting. We can disable them, or even make it configurable whether to send a banner or not. Anyway, the SSHd version depends on the host machine OS, so I tried to match the SSH version with the standard banners. I think at least different SSH versions need to be presented.

@JustinAzoff (Owner) commented:

Are those banners or motd? The banner is sent before authentication and I don't think I've ever seen an ubuntu system send something like 'Ubuntu 20.04.6 LTS'.

@GAS85 (Contributor, Author) commented Jan 2, 2026

Yes, banners are sent before auth, and there is even one funny project about it: https://github.com/shizunge/endlessh-go

As I said, it may be a good idea to make them configurable... Not sure here.

@GAS85 (Contributor, Author) commented Jan 4, 2026

Just checked on a fresh Ubuntu install and there is a default login banner:

```
cat /etc/issue
Ubuntu 24.04.3 LTS \n \l
```

But by default it is usually disabled too:

```
grep Banner /etc/ssh/sshd_config
#Banner none
```

So I added a config key to enable banners. By default it will not send any.

And one additional thing that was changed, but I forgot to set the default to the initial behavior: now passwords can be logged as clear text (as it was) or base64.

@JustinAzoff JustinAzoff merged commit 0191460 into JustinAzoff:master Jan 4, 2026
@JustinAzoff (Owner) commented:

Have you noticed any increased CPU from removing the sshConfigMap?

@GAS85 (Contributor, Author) commented Jan 4, 2026

To be honest I didn't really observe it well, but from the overall picture I didn't notice any change.
If sshConfigMap is present, as I understood it, it will share the same authState across multiple connections and increase delays across different IPs, which potentially will be easy to detect.

Theoretically it will consume more CPU as we are not caching the config now. But it also brings a fresh authState to each TCP connection, attempt delays reset per attacker, and also the OpenSSH version should be matched exactly.

Maybe the smarter move was the initial code --> use it if it exists. Not really sure here.
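The profile selection (`SSHD_PROFILE_SCOPE` per host or per IP, seeded from start time), the banner toggle that defaults to off, the configurable retry limit with variable delays, and the per-connection authState discussed in this thread, as an added stand-alone Go sketch. It is not code from ssh-auth-logger or from this PR: it uses only the standard library (the project's real SSH handling is not reproduced), and the version strings, banner texts, field names and defaults are illustrative assumptions.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"hash/fnv"
	"math/rand"
	"net"
	"time"
)

// Profile is one fake server identity: the version string exchanged in the SSH
// handshake plus an optional pre-auth banner (what sshd sends when "Banner"
// points at a file such as /etc/issue).
type Profile struct {
	Version string
	Banner  string
}

// Constructed sample profiles (illustrative strings, not the project's list).
var profiles = []Profile{
	{Version: "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13", Banner: "Ubuntu 24.04 LTS\n"},
	{Version: "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3", Banner: "Debian GNU/Linux 12\n"},
	{Version: "SSH-2.0-OpenSSH_8.7", Banner: "CentOS Stream 9\n"},
}

// Config mirrors the knobs discussed in the thread (field names are assumptions).
type Config struct {
	Seed         int64         // taken from start time, so a restart picks new identities
	ProfileScope string        // "host": one profile for everyone; "ip": stable profile per client IP
	SendBanner   bool          // off by default, matching sshd's "#Banner none"
	MinRetries   int           // failed attempts accepted before the connection is closed
	BaseDelay    time.Duration // delay after the first failure; later failures back off from here
	MaxDelay     time.Duration // cap on the backoff component
}

// hash64 folds the seed and, for per-IP scope, the client address into one value.
func (c Config) hash64(remote net.IP, perIP bool) uint64 {
	h := fnv.New64a()
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], uint64(c.Seed))
	h.Write(buf[:])
	if perIP {
		h.Write(remote.To16())
	}
	return h.Sum64()
}

// SelectProfile returns the identity to present to this client: the same one
// for every client with scope "host", a consistent per-client one with scope "ip".
func (c Config) SelectProfile(remote net.IP) Profile {
	return profiles[c.hash64(remote, c.ProfileScope == "ip")%uint64(len(profiles))]
}

// AuthState is created fresh for every TCP connection instead of living in a
// shared map, so one client's attempt count and delays never leak into another's.
type AuthState struct {
	cfg      Config
	rng      *rand.Rand
	Attempts int
}

func NewAuthState(cfg Config, remote net.IP) *AuthState {
	// Per-connection jitter source derived from seed and client IP (constructed choice).
	return &AuthState{cfg: cfg, rng: rand.New(rand.NewSource(int64(cfg.hash64(remote, true))))}
}

// Fail records one failed password attempt. It returns how long to wait before
// replying (exponential backoff from BaseDelay, capped at MaxDelay, plus up to
// BaseDelay of jitter) and whether the connection should now be closed.
func (s *AuthState) Fail() (delay time.Duration, closeConn bool) {
	s.Attempts++
	shift := s.Attempts - 1
	if shift > 10 {
		shift = 10 // keep the shift bounded for very long sessions
	}
	backoff := s.cfg.BaseDelay << uint(shift)
	if backoff > s.cfg.MaxDelay {
		backoff = s.cfg.MaxDelay
	}
	jitter := time.Duration(s.rng.Int63n(int64(s.cfg.BaseDelay) + 1))
	return backoff + jitter, s.Attempts >= s.cfg.MinRetries
}

// EncodePassword formats a captured password for the log as clear text (the
// original behaviour) or base64, the option mentioned later in the thread.
func EncodePassword(pw string, asBase64 bool) string {
	if asBase64 {
		return base64.StdEncoding.EncodeToString([]byte(pw))
	}
	return pw
}

func main() {
	cfg := Config{Seed: time.Now().UnixNano(), ProfileScope: "ip", MinRetries: 6,
		BaseDelay: 500 * time.Millisecond, MaxDelay: 5 * time.Second}
	client := net.ParseIP("203.0.113.7") // constructed documentation address
	p := cfg.SelectProfile(client)
	fmt.Println("version string:", p.Version)
	if cfg.SendBanner {
		fmt.Print("banner: ", p.Banner)
	}
	st := NewAuthState(cfg, client)
	for {
		d, done := st.Fail()
		fmt.Printf("failed attempt %d -> delay %v\n", st.Attempts, d)
		if done {
			break
		}
	}
	fmt.Println("logged password:", EncodePassword("hunter2", true))
}
```

Because `AuthState` is built per connection and its jitter source is derived from the client address, two clients hitting the honeypot at the same time see independent delay curves, which is the detection concern raised about a shared `authState` above; the profile, by contrast, stays stable for a given scope so that repeated connections from one client do not see the version string change.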

healthcheck:
test: wget -v localhost$SSHD_BIND --no-verbose --tries=1 --spider || exit 1
# Will test if port is still open AND log file was not vanished by host machine log rotate
test: wget -v localhost$SSHD_BIND --no-verbose --tries=1 --spider && test -s /var/log/ssh-auth-logger.log || exit 1
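Review bot: `$SSHD_BIND` on the new `test:` line is interpolated by Compose when it parses the file, from the host environment or `.env`, not from the variables set inside the container, so if the value only exists in the container it expands to nothing; writing it as `$$SSHD_BIND` passes a literal `$SSHD_BIND` through to the `sh -c` wrapper that runs a string-form `test:`, which then expands it at check time, or the port can simply be hard-coded. Separately, `-v` and `--no-verbose` contradict each other and the last one wins, so `-v` can be dropped. The `test -s` addition does catch both a missing and an empty log file after the host rotates it.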
@GAS85 (Contributor, Author) commented:

Just checked and this is not working... Variable is not expanded here.
