A Simple Intrusion Detection Trick

All house network systems have a way to send notifications about potential SSH intrusions. This works well enough. The only change since it was added is:

FAILED_PUBLICKEY="$(grep 'Failed publickey' "$SSH_LOG")"

This notification method does not detect use of a restricted SSH key. The SSH log contains no related error or warning messages unless access is explicitly denied.

Restricted SSH access can also serve as intrusion detection. The command= option in an SSH authorized_keys file limits an SSH client to that explicit command whenever that key pair is used. If a malicious user compromises a system and presumes a key pair found there is valid, trying to SSH into a network system with any intended command fails; the command from the authorized_keys file is executed instead.

The command in the authorized_keys file could simply touch a file, changing its date stamp. File monitoring and auditing would detect the date stamp change and raise an alert.

A honey trap.

A malicious actor would not know about the alert and would only know the intended SSH command had failed.
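The trap described above, written out as an added example that is not from the original post: the decoy authorized_keys line, the forced command it runs, and a hit counter that can feed the same notification check as FAILED_PUBLICKEY. The script path /usr/local/sbin/ssh-trap.sh, the directory /var/lib/ssh-trap and the key shown are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own code. Forced command for a decoy key:
# sshd runs this instead of whatever the client asked for.

# Where the canary file and log live (assumed path; overridable).
TRAP_DIR="${TRAP_DIR:-/var/lib/ssh-trap}"

# Build the authorized_keys line for a decoy public key. command= forces
# this script to run; the other options block forwarding and a terminal,
# so the key gives nothing useful even if the trap command has a bug.
trap_authorized_keys_line() {
    pubkey="$1"   # e.g. "ssh-ed25519 AAAA... decoy"
    script="$2"   # absolute path of this script on the server
    printf 'command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$script" "$pubkey"
}

# Record an attempt: touch the canary (file monitoring sees the mtime
# change) and log who connected and what they tried to run. sshd exports
# SSH_CONNECTION and SSH_ORIGINAL_COMMAND to a forced command.
trap_record() {
    dir="${1:-$TRAP_DIR}"
    mkdir -p "$dir"
    touch "$dir/canary"
    client="${SSH_CONNECTION%% *}"   # first field is the client address
    printf '%s client=%s cmd=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "${client:-unknown}" "${SSH_ORIGINAL_COMMAND:-<none>}" >> "$dir/trap.log"
    return 1   # the client only sees that its command failed
}

# Number of recorded hits, for the periodic notification check.
trap_hits() {
    dir="${1:-$TRAP_DIR}"
    if [ -f "$dir/trap.log" ]; then
        grep -c 'client=' "$dir/trap.log" || true
    else
        echo 0
    fi
}

# Run the trap only when sshd invoked us (SSH_CONNECTION is set).
if [ -n "${SSH_CONNECTION:-}" ]; then
    trap_record
fi
```

The notification script can then test `[ "$(trap_hits)" -gt 0 ]` alongside FAILED_PUBLICKEY.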

Posted: Category: Tutorial Tagged: General
