A Simple Intrusion Detection Trick
On all house network systems there is a mechanism that sends a notification about potential SSH intrusions. This works well enough. The only change since it was added is:
FAILED_PUBLICKEY="$(grep 'Failed publickey' "$SSH_LOG")"
This notification method does not cover restricted SSH access: the SSH log contains no related error or warning messages unless access is explicitly denied.
Restricted SSH access can be used for intrusion detection. Using the command= option in an SSH authorized_keys file limits an SSH client to that explicit command when that key pair is used. If a malicious user compromises a system and presumes the key pair is valid, trying to SSH into a network system with any intended command fails. Instead the command in the authorized_keys file is executed.
A command from the authorized_keys file could touch a file. The file date stamp would change. File monitoring and auditing would detect the date stamp change and provide an alert.
A honey trap.
A malicious actor would not know about the alert and would only know the intended SSH command had failed.
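An added example of the honey trap described above, not code from the original post: a forced-command script that touches a canary file, records what the client actually asked for (sshd exposes it in SSH_ORIGINAL_COMMAND), and fails, plus a check that reports whether the canary moved since a baseline snapshot. The script path, canary paths and the key in the authorized_keys comment are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Paths below are assumed placeholders.
CANARY_FILE="${CANARY_FILE:-/tmp/ssh-canary.touch}"
CANARY_LOG="${CANARY_LOG:-/tmp/ssh-canary.log}"

# The authorized_keys line this script is meant to sit behind (placeholder key).
# The extra options keep the key from being used for tunnelling or a terminal:
#   command="/usr/local/bin/ssh-canary.sh --trip",no-port-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA...PLACEHOLDER canary

# Forced command: touch the canary file, record the attempt, and return failure
# so the client only sees that its intended command did not run.
# sshd passes the command the client asked for in SSH_ORIGINAL_COMMAND and the
# client address in SSH_CLIENT; both can be overridden by arguments for testing.
canary_trip() {
    requested="${1:-${SSH_ORIGINAL_COMMAND:-<none>}}"
    client="${2:-${SSH_CLIENT:-unknown}}"
    touch "$CANARY_FILE"
    printf '%s canary tripped client=%s requested=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$client" "$requested" >> "$CANARY_LOG"
    return 1
}

# Detection side: succeeds if the canary file has been modified more recently
# than the baseline file (a snapshot taken when monitoring started).
canary_changed() {
    baseline="$1"
    [ -f "$CANARY_FILE" ] || return 1
    [ -n "$(find "$CANARY_FILE" -newer "$baseline" 2>/dev/null)" ]
}

# When invoked by sshd as the forced command, trip the canary and exit non-zero.
case "${1:-}" in
    --trip) canary_trip; exit 1 ;;
esac
```

The alert itself comes from whatever file monitoring already watches CANARY_FILE; the log line gives the responder the source address and the command the intruder attempted.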