
How to Set Up and Use SSH
Monitoring Attacks As They Happen
How to See the Password Guesses
Let's say that you see a long series of guesses for your root password.
The guessed passwords aren't logged, but you want to see what the attackers are trying.
First, find the PID of the listening SSH daemon process:
$ ps axuww | egrep 'PID|sshd'
You will have to find the one that is listening for new connections, and not the server processes handling current connections.
Here is a better way to find the relevant PID:
$ su
Password:
# lsof -i tcp:ssh | egrep 'PID|LISTEN'
Now become root and attach to the running daemon with strace, changing the PID as appropriate:
$ su -
# strace -f -e 'read,write' -p 12345
There will be a lot of output, but you will see the password guesses.
When you press ^C, the strace process detaches and the SSH daemon keeps running.
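For the step of finding the listening daemon's PID, here is an added example (not part of the original page) that picks the listener out of a process table: connection handlers are forked from the listener, so the listener is the sshd whose parent is not itself an sshd. The function names and the sample process table are constructed for illustration.

```shell
#!/bin/sh
# Added example: select the listening sshd from "PID PPID COMMAND" lines,
# as printed by:  ps -e -o pid= -o ppid= -o comm=
# Rule used: the listener is any sshd whose parent is not an sshd.
sshd_listener_pid() {
    awk '
        {
            name = $3
            sub(/.*\//, "", name)   # some ps variants print a full path
            comm[$1] = name
            parent[$1] = $2
        }
        END {
            for (pid in parent) {
                if (comm[pid] != "sshd")
                    continue
                pp = parent[pid]
                # "in" tests membership without creating array entries
                if (!(pp in comm) || comm[pp] != "sshd")
                    print pid
            }
        }
    ' | sort -n
}

# Constructed sample process table (not taken from a real host):
# 812 is the listener, 4410/4412 and 5120/5121 handle two connections.
sample_ps() {
    cat <<'EOF'
    1     0 init
  812     1 sshd
 4410   812 sshd
 4412  4410 sshd
 4413  4412 bash
 5120   812 sshd
 5121  5120 sshd
EOF
}

# Live use:
#   ps -e -o pid= -o ppid= -o comm= | sshd_listener_pid
sample_ps | sshd_listener_pid
```

If more than one PID is printed, more than one SSH daemon is listening on the host; pass the one you want to strace -p.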
Here is a detailed analysis of SSH attack patterns, including the login and password sequences observed in real attacks.