From: Garance A Drosehn <gad@FreeBSD.org>
To: freebsd-current@FreeBSD.org
Cc: Dmitry Pryanishnikov, Matteo Riondato
Date: Fri, 17 Mar 2006 07:51:13 -0500
Subject: Re: PROPOSAL for periodic/security/800.loginfail
References: <20060316145826.M96629@atlantis.atlantis.dp.ua> <20060317030230.G64324@atlantis.atlantis.dp.ua>

At 7:25 AM -0500 3/17/06, Garance A Drosehn wrote:
>
>But the goal that I'm really driving for here is to provide
>a script which can summarize some types of login-failure
>records, particularly the ones caused by brute-force
>password-guessing attacks. This script implements three
>options which implement such summaries.
>
>    sum_ftpd_bad
>    sum_sshd_badpws
>    sum_sshd_baduserids

Here is an example of running the script with all three of those
options turned on (with some names changed to protect both the
innocent and the guilty, which is why there seems to be a bizarre
collection of hosts coming from the 127.0.* block...). This is
from an auth.log containing activity for December 24th to
January 3rd.

First, imagine a standard message with 382 login-failure messages
in it. Then imagine if you got the following instead of that (and
I could easily condense the list of ftp failures some more).
Which is easier to deal with?

Jan 2 17:03:29 sinbad shutdown: reboot by root:
Jan 2 17:28:26 sinbad shutdown: power-down by root: remove drive...
+
++ Found 49 failed attempts for ftpd:
+   4 failed ftp attempts were from xdsl-81-173.changed.de, webmaster
+   3 failed ftp attempts were from xdsl-81-173.changed.de, web
+  16 failed ftp attempts were from dslb-084-062.otherchg.net, admin
+   2 failed ftp attempts were from xdsl-81-173.changed.de, sybase
+   1 failed ftp attempts were from xdsl-81-173.changed.de, backup
+   5 failed ftp attempts were from xdsl-81-173.changed.de, admin
+   1 failed ftp attempts were from xdsl-81-173.changed.de, oracle8
+   2 failed ftp attempts were from xdsl-81-173.changed.de, oracle
+   4 failed ftp attempts were from xdsl-81-173.changed.de, test
+   2 failed ftp attempts were from xdsl-81-173.changed.de, informix
+   3 failed ftp attempts were from xdsl-81-173.changed.de, administrator
+   4 failed ftp attempts were from xdsl-81-173.changed.de, user
+   1 failed ftp attempts were from xdsl-81-173.changed.de, lizdy
+   1 failed ftp attempts were from xdsl-81-173.changed.de, anyone
+
++ Found 134 failed attempts to login to valid userids:
+   3 were ssh attempts for root from 127.0.225.154
+   1 were ssh attempts for root from 127.0.102.26
+  44 were ssh attempts for root from 127.0.45.46
+  12 were ssh attempts for root from 127.0.175.156
+  22 were ssh attempts for root from 127.0.69.146
+   2 were ssh attempts for www from 127.0.225.154
+   1 were ssh attempts for ftp from 127.0.175.156
+   1 were ssh attempts for ftp from 127.0.102.26
+   3 were ssh attempts for root from 127.0.73.182
+  45 were ssh attempts for root from 127.0.210.12
+
++ Found 199 attempts to login to invalid (non-existing) userids:
+  45 were ssh attempts from 127.0.191.36
+  10 were ssh attempts from 127.0.87.251
+  14 were ssh attempts from 127.0.225.154
+   8 were ssh attempts from 127.0.102.26
+   1 were ssh attempts from 127.0.102.141
+   2 were ssh attempts from 127.0.28.31
+  29 were ssh attempts from 127.0.175.156
+   4 were ssh attempts from 127.0.192.3
+  21 were ssh attempts from 127.0.69.146
+  44 were ssh attempts from 127.0.111.3
+  10 were ssh attempts from 127.0.185.180
+   5 were ssh attempts from 127.0.30.97
+   6 were ssh attempts from 127.0.73.182

-- 
Garance Alistair Drosehn            =   gad@gilead.netel.rpi.edu
Senior Systems Programmer           or  gad@FreeBSD.org
Rensselaer Polytechnic Institute;             Troy, NY;  USA
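The kind of summarizing the three options above perform, as an added sh/awk example that is not the proposed 800.loginfail script: the auth.log excerpt is constructed (hosts and addresses are made up), the ftpd and sshd line formats are the ones those daemons logged in that era, and the one edge case a summarizer has to get right is shown, namely keeping "Failed password for invalid user" lines out of the valid-userid count so each bad-userid attempt is counted once.

```shell
# Added example, not the proposed 800.loginfail script: awk summaries in
# the spirit of sum_ftpd_bad/sum_sshd_badpws/sum_sshd_baduserids (stdin).

# Constructed auth.log excerpt; hosts and addresses are made up.
SAMPLE_LOG=$(cat <<'EOF'
Jan  2 03:11:05 sinbad ftpd[4012]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, admin
Jan  2 03:11:09 sinbad ftpd[4013]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, admin
Jan  2 03:11:14 sinbad ftpd[4014]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, test
Jan  2 04:20:01 sinbad sshd[4100]: Failed password for root from 127.0.45.46 port 51022 ssh2
Jan  2 04:20:04 sinbad sshd[4100]: Failed password for root from 127.0.45.46 port 51022 ssh2
Jan  2 04:21:00 sinbad sshd[4102]: Failed password for www from 127.0.225.154 port 40001 ssh2
Jan  2 04:22:10 sinbad sshd[4104]: Invalid user oracle from 127.0.191.36
Jan  2 04:22:13 sinbad sshd[4104]: Failed password for invalid user oracle from 127.0.191.36 port 40022 ssh2
Jan  2 04:22:20 sinbad sshd[4105]: Invalid user test from 127.0.191.36
Jan  2 17:03:29 sinbad shutdown: reboot by root:
EOF
)

# Failed ftp logins, grouped by "host, userid" exactly as ftpd logs them.
sum_ftpd_bad() {
    awk '/ftpd\[[0-9]+\]: FTP LOGIN FAILED FROM / {
            sub(/.*FTP LOGIN FAILED FROM /, ""); n[$0]++ }
         END { for (k in n) printf "%4d failed ftp attempts were from %s\n", n[k], k }' |
    sort -k1,1nr -k2
}

# Bad passwords for userids that exist, grouped by userid and source.
# "invalid user" lines are excluded: they belong to the next summary.
sum_sshd_badpws() {
    awk '/sshd\[[0-9]+\]: Failed password for / && !/ for invalid user / {
            sub(/.*Failed password for /, ""); sub(/ port .*/, ""); n[$0]++ }
         END { for (k in n) printf "%4d were ssh attempts for %s\n", n[k], k }' |
    sort -k1,1nr -k2
}

# Non-existent userids, grouped by source only. Only the "Invalid user" line
# counts, so its matching "Failed password for invalid user" line is not added.
sum_sshd_baduserids() {
    awk '/sshd\[[0-9]+\]: Invalid user / {
            sub(/ port .*/, ""); n[$NF]++ }
         END { for (h in n) printf "%4d were ssh attempts from %s\n", n[h], h }' |
    sort -k1,1nr -k2
}

printf '%s\n' "$SAMPLE_LOG" | sum_ftpd_bad
printf '%s\n' "$SAMPLE_LOG" | sum_sshd_badpws
printf '%s\n' "$SAMPLE_LOG" | sum_sshd_baduserids
```

Run against a real auth.log with `sum_sshd_baduserids < /var/log/auth.log`; the sort puts the noisiest source first, which is what you want to read in a daily security mail.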