Date: Sun, 19 Mar 2006 08:28:37 -0500
From: Garance A Drosehn <gad@FreeBSD.org>
To: "Poul-Henning Kamp" <phk@phk.freebsd.dk>
Cc: freebsd-current@FreeBSD.org
Subject: Re: PROPOSAL for periodic/security/800.loginfail
Message-ID: <p0623092ac0430191eb5b@[128.113.24.47]>
In-Reply-To: <99353.1142604012@critter.freebsd.dk>
References: <99353.1142604012@critter.freebsd.dk>
At 3:00 PM +0100 3/17/06, Poul-Henning Kamp wrote:
>
>Garance wrote:
>
>> First, imagine a standard message with 382 login-failure
>> messages in it.  Then imagine if you got the following
>> instead of that (and I could easily condense the list of
>> ftp failures some more).  Which is easier to deal with?
>
>Yes, absolutely.
>
>But I would advise a bit of data-analysis here.
>
>For instance:
>
>> ++ Found 49 failed attempts for ftpd:
>>  +  4 failed ftp attempts were from xdsl-81-173.changed.de, webmaster
>>  +  3 failed ftp attempts were from xdsl-81-173.changed.de, web
>>  + 16 failed ftp attempts were from dslb-084-062.otherchg.net, admin
>>  +  2 failed ftp attempts were from xdsl-81-173.changed.de, sybase
>> [...]

The crowd asked for fewer lines...
The crowd asked for more data-analysis...
Now the script can deliver it!

    "AND THE CROWD GOES WILD!"
    [bullwinkle crowd] yea... [/bullwinkle crowd]

So... five cans of Jolt Blue later, I have a new version of the
script available at:

    http://people.freebsd.org/~gad/filters/loginfail-V2.nawk

In this version, for each of the recognized categories of messages,
there is an option to set a summary level.  The higher that
summary_level value is set to, the less information will be printed
for the matching category.  The values defined so far are:

     0 = no summary
     1 = print a summary, while still printing all the lines
     2 = do not print any of the lines matched in the category,
         and print the full summary.
     5 = print the summary for the category, without any
         userid-specific information.
    50 = print nothing but the summary-header for the category.

Here is the output for the same list of records I used in my
previous example.  Note that the summary now also shows the
range-of-time that the attacks were happening.

This is what it shows when run with

    sum_ftpd_bad=2 sum_sshd_badpws=2 sum_sshd_baduserids=5

# - - - - start: sinbad.fake.rpi.edu login failures:
Jan  2 17:03:29 sinbad shutdown: reboot by root:
Jan  2 17:28:26 sinbad shutdown: power-down by root: remove drive...
matched 49 failures (not shown) of ftp connections
   33 from xdsl-81-173.changed.de    @ 20:16 -> 20:16 Dec 28
      to users: admin*5 webmaster*4 user*4 test*4 + 9 others
   16 from dslb-084-062.otherchg.net @ 21:51 -> 21:52 Dec 28
      to users: admin*16
matched 134 failures (not shown) of ssh to existing userids
   45 from 127.0.210.12   @ 04:22 -> 04:24 Dec 31  u: root*45
   44 from 127.0.45.46    @ 13:52 -> 13:53 Dec 26  u: root*44
   22 from 127.0.69.146   @ 15:32 -> 15:32 Dec 28  u: root*22
   13 from 127.0.175.156  @ 14:26 -> 14:26 Dec 27
      to users: root*12 + 1 others
    5 from 127.0.225.154  @ 14:39 -> 14:40 Dec 28
      to users: root*3 + 1 others
    3 from 127.0.73.182   @ 21:57 -> 21:58 Dec 26  u: root*3
    2 from 127.0.102.26   @ 15:30 -> 15:30 Dec 31
      to users: root*1 + 1 others
matched 199 failures (not shown) of ssh to non-existent userids
   45 from 127.0.191.36   @ 14:29 -> 14:31 Dec 28  #users: 45
   44 from 127.0.111.3    @ 03:10 -> 03:12 Dec 31  #users: 36
   29 from 127.0.175.156  @ 14:26 -> 14:26 Dec 27  #users: 16
   21 from 127.0.69.146   @ 15:32 -> 15:32 Dec 28  #users: 21
   14 from 127.0.225.154  @ 14:39 -> 14:40 Dec 28  #users: 7
   10 from 127.0.87.251   @ 11:00 -> 11:00 Jan  1  #users: 8
   10 from 127.0.185.180  @ 15:50 -> 15:50 Jan  3  #users: 10
    8 from 127.0.102.26   @ 15:30 -> 15:31 Dec 31  #users: 8
    6 from 127.0.73.182   @ 21:57 -> 21:58 Dec 26  #users: 4
    5 from 127.0.30.97    @ 08:14 -> 08:16 Dec 31  #users: 1
    4 from 127.0.192.3    @ 13:44 -> 13:45 Dec 31  #users: 1
    2 from 127.0.28.31    @ 23:28 -> 23:28 Dec 28  #users: 2
    1 from 127.0.102.141  @ 21:05 -> 21:05 Dec 29  #users: 1
# - - - - end

The month-and-day are showing up in this example because the input
included lines from more than one day.  In standard use it would
only see records from a single day, so the date would not be
displayed (it would still have the time-range).

When printing the user-specific information, it only prints the
second line of "to users: " when there was more than one userid
found.  If only one userid was found, then it just tacks something
like "u: root*3" on the first line.

If that is still too much, then this is what the script shows when
run with

    sum_ftpd_bad=50 sum_sshd_badpws=50 sum_sshd_baduserids=50

# - - - - start: sinbad.fake.rpi.edu login failures:
Jan  2 17:03:29 sinbad shutdown: reboot by root:
Jan  2 17:28:26 sinbad shutdown: power-down by root: remove drive...
matched 49 failures (not shown) of ftp connections
matched 134 failures (not shown) of ssh to existing userids
matched 199 failures (not shown) of ssh to non-existent userids
# - - - - end

-- 
Garance Alistair Drosehn     =     gad@gilead.netel.rpi.edu
Senior Systems Programmer               or  gad@FreeBSD.org
Rensselaer Polytechnic Institute;           Troy, NY;  USA
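As an added illustration of the summary levels described in the mail (this is not Garance's loginfail-V2.nawk, which is awk, but a Python sketch of the same idea), the following groups sshd failure lines by source host, reports the time range and per-userid counts, and applies the 0/1/2/5/50 levels. The log lines, hosts, userids and PIDs are constructed for the example; the regex assumes OpenSSH-style "Failed password for [invalid user] X from Y" syslog lines in chronological order.

```python
import re
from collections import Counter, defaultdict
# Constructed sample syslog lines; hosts, userids and PIDs are made up.
SAMPLE_LOG = """\
Dec 28 15:32:01 sinbad sshd[4021]: Failed password for root from 127.0.69.146 port 40311 ssh2
Dec 28 15:32:04 sinbad sshd[4023]: Failed password for root from 127.0.69.146 port 40319 ssh2
Dec 28 15:32:09 sinbad sshd[4025]: Failed password for invalid user oracle from 127.0.69.146 port 40322 ssh2
Dec 28 15:32:40 sinbad sshd[4031]: Failed password for invalid user test from 127.0.69.146 port 40330 ssh2
Dec 31 04:22:10 sinbad sshd[5102]: Failed password for root from 127.0.210.12 port 51001 ssh2
Dec 31 04:24:55 sinbad sshd[5140]: Failed password for admin from 127.0.210.12 port 51090 ssh2
"""
FAILED = re.compile(r"^(\w{3} +\d+) (\d\d:\d\d):\d\d \S+ sshd\[\d+\]: "
                    r"Failed password for (invalid user )?(\S+) from (\S+) port")
EXISTING, NONEXISTENT = "ssh to existing userids", "ssh to non-existent userids"

def parse(log):
    """Group sshd failures by category and source host as (day, hh:mm, userid, raw line)."""
    cats = {EXISTING: defaultdict(list), NONEXISTENT: defaultdict(list)}
    for line in log.splitlines():          # input is assumed to be in chronological order
        m = FAILED.match(line)
        if m:
            day, hhmm, invalid, user, host = m.groups()
            cats[NONEXISTENT if invalid else EXISTING][host].append((day, hhmm, user, line))
    return cats

def summarize(host_map, category, level):
    """Levels as in the mail: 0 lines only, 1 lines plus summary, 2 summary only, 5 no userids, 50 header only."""
    out, total = [], sum(len(r) for r in host_map.values())
    if total == 0:
        return out
    if level <= 1:
        out += [rec[3] for recs in host_map.values() for rec in recs]
    if level == 0:
        return out
    out.append(f"matched {total} failures{'' if level == 1 else ' (not shown)'} of {category}")
    if level >= 50:
        return out
    # The date is shown only when the input spans more than one day, as the mail describes.
    multi_day = len({r[0] for recs in host_map.values() for r in recs}) > 1
    for host, recs in sorted(host_map.items(), key=lambda kv: -len(kv[1])):
        span = f"{recs[0][1]} -> {recs[-1][1]}" + (f" {recs[0][0]}" if multi_day else "")
        users = Counter(r[2] for r in recs)
        line = f"{len(recs):>5} from {host} @ {span}"
        if level >= 5:
            out.append(f"{line}  #users: {len(users)}")
        elif len(users) == 1:
            out.append(f"{line}  u: {users.most_common(1)[0][0]}*{len(recs)}")
        else:
            out.append(line)
            out.append("      to users: " + " ".join(f"{u}*{n}" for u, n in users.most_common()))
    return out
```

Running `summarize(parse(SAMPLE_LOG)[EXISTING], EXISTING, 2)` yields the "matched ... (not shown)" header followed by one line per host, with the "to users:" second line only where more than one userid was tried, matching the behaviour described above.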