From: Panagiotis Astithas <past@ebs.gr>
Organization: EBS Ltd.
Date: Fri, 17 Mar 2006 15:44:50 +0200
To: Garance A Drosehn
Cc: Dmitry Pryanishnikov, Matteo Riondato, freebsd-current@freebsd.org
Subject: Re: PROPOSAL for periodic/security/800.loginfail
Message-ID: <441ABD52.9040509@ebs.gr>
References: <20060316145826.M96629@atlantis.atlantis.dp.ua> <20060317030230.G64324@atlantis.atlantis.dp.ua>
List-Id: Discussions about the use of FreeBSD-current

Garance A Drosehn wrote:
> At 7:25 AM -0500 3/17/06, Garance A Drosehn wrote:
>>
>> But the goal that I'm really driving for here is to provide
>> a script which can summarize some types of login-failure
>> records, particularly the ones caused by brute-force
>> password-guessing attacks. This script implements three
>> options which implement such summaries.
>>
>> sum_ftpd_bad
>> sum_sshd_badpws
>> sum_sshd_baduserids
>
> Here is an example of running the script with all three
> of those options turned on (with some names changed to
> protect both the innocent and the guilty, which is why
> there seems to be a bizarre collection of hosts coming
> from the 127.0.* block...). This is from an auth.log
> containing activity for December 24th to January 3rd.
>
> First, imagine a standard message with 382 login-failure
> messages in it. Then imagine if you got the following
> instead of that (and I could easily condense the list of
> ftp failures some more). Which is easier to deal with?
>
>
> Jan 2 17:03:29 sinbad shutdown: reboot by root:
> Jan 2 17:28:26 sinbad shutdown: power-down by root: remove drive...
> +
> ++ Found 49 failed attempts for ftpd:
> + 4 failed ftp attempts were from xdsl-81-173.changed.de, webmaster
> + 3 failed ftp attempts were from xdsl-81-173.changed.de, web
> + 16 failed ftp attempts were from dslb-084-062.otherchg.net, admin
> + 2 failed ftp attempts were from xdsl-81-173.changed.de, sybase
> + 1 failed ftp attempts were from xdsl-81-173.changed.de, backup
> + 5 failed ftp attempts were from xdsl-81-173.changed.de, admin
> + 1 failed ftp attempts were from xdsl-81-173.changed.de, oracle8
> + 2 failed ftp attempts were from xdsl-81-173.changed.de, oracle
> + 4 failed ftp attempts were from xdsl-81-173.changed.de, test
> + 2 failed ftp attempts were from xdsl-81-173.changed.de, informix
> + 3 failed ftp attempts were from xdsl-81-173.changed.de, administrator
> + 4 failed ftp attempts were from xdsl-81-173.changed.de, user
> + 1 failed ftp attempts were from xdsl-81-173.changed.de, lizdy
> + 1 failed ftp attempts were from xdsl-81-173.changed.de, anyone
> +
> ++ Found 134 failed attempts to login to valid userids:
> + 3 were ssh attempts for root from 127.0.225.154
> + 1 were ssh attempts for root from 127.0.102.26
> + 44 were ssh attempts for root from 127.0.45.46
> + 12 were ssh attempts for root from 127.0.175.156
> + 22 were ssh attempts for root from 127.0.69.146
> + 2 were ssh attempts for www from 127.0.225.154
> + 1 were ssh attempts for ftp from 127.0.175.156
> + 1 were ssh attempts for ftp from 127.0.102.26
> + 3 were ssh attempts for root from 127.0.73.182
> + 45 were ssh attempts for root from 127.0.210.12
> +
> ++ Found 199 attempts to login to invalid (non-existing) userids:
> + 45 were ssh attempts from 127.0.191.36
> + 10 were ssh attempts from 127.0.87.251
> + 14 were ssh attempts from 127.0.225.154
> + 8 were ssh attempts from 127.0.102.26
> + 1 were ssh attempts from 127.0.102.141
> + 2 were ssh attempts from 127.0.28.31
> + 29 were ssh attempts from 127.0.175.156
> + 4 were ssh attempts from 127.0.192.3
> + 21 were ssh attempts from 127.0.69.146
> + 44 were ssh attempts from 127.0.111.3
> + 10 were ssh attempts from 127.0.185.180
> + 5 were ssh attempts from 127.0.30.97
> + 6 were ssh attempts from 127.0.73.182

Much better!

Thanks,
Panagiotis
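The three summaries the quoted proposal describes (sum_ftpd_bad, sum_sshd_badpws, sum_sshd_baduserids), written out as an added example; this is not Garance's script nor FreeBSD's 800.loginfail. It is a POSIX sh script that reads an auth.log from stdin and groups failures per host and user in the shape of the quoted report. The log formats it keys on are assumptions: OpenSSH's "Failed password for USER from IP" and "Invalid user USER from IP" lines, and FreeBSD ftpd's "FTP LOGIN FAILED FROM HOST, USER" line. The sample log and its hostnames and 127.0.* addresses are constructed. Attempts against non-existent accounts are counted from the "Invalid user" line only, so the paired "Failed password for invalid user" line is not counted twice, and the leading "+" signs of the quoted report are not reproduced.

```shell
#!/bin/sh
# Added example (not the proposed 800.loginfail script): summarize login
# failures from an auth.log the way the three proposed options do.
# Assumed log formats:
#   ftpd:  "... ftpd[PID]: FTP LOGIN FAILED FROM HOST, USER"
#   sshd:  "... sshd[PID]: Failed password for USER from IP port N ssh2"
#          "... sshd[PID]: Invalid user USER from IP"
export LC_ALL=C   # byte-wise sort so grouping is stable across locales

# Constructed sample auth.log; hosts and 127.0.* addresses are placeholders.
SAMPLE_LOG=$(cat <<'EOF'
Jan  2 10:01:02 sinbad ftpd[1001]: FTP LOGIN FAILED FROM xdsl-81-173.example.net, admin
Jan  2 10:01:05 sinbad ftpd[1002]: FTP LOGIN FAILED FROM xdsl-81-173.example.net, admin
Jan  2 10:01:09 sinbad ftpd[1003]: FTP LOGIN FAILED FROM dslb-084-062.example.net, test
Jan  2 11:15:20 sinbad sshd[2001]: Failed password for root from 127.0.45.46 port 40001 ssh2
Jan  2 11:15:23 sinbad sshd[2001]: Failed password for root from 127.0.45.46 port 40002 ssh2
Jan  2 11:15:30 sinbad sshd[2002]: Failed password for www from 127.0.225.154 port 40003 ssh2
Jan  2 11:16:01 sinbad sshd[2003]: Invalid user oracle from 127.0.191.36
Jan  2 11:16:01 sinbad sshd[2003]: Failed password for invalid user oracle from 127.0.191.36 port 40004 ssh2
Jan  2 11:16:05 sinbad sshd[2004]: Invalid user guest from 127.0.191.36
Jan  2 11:16:05 sinbad sshd[2004]: Failed password for invalid user guest from 127.0.191.36 port 40005 ssh2
Jan  2 11:17:00 sinbad sshd[2005]: Invalid user admin from 127.0.87.251
Jan  2 11:17:00 sinbad sshd[2005]: Failed password for invalid user admin from 127.0.87.251 port 40006 ssh2
Jan  2 17:03:29 sinbad shutdown: reboot by root:
EOF
)

# sum_ftpd_bad: one line per (host, user) pair, with a total. Reads stdin.
sum_ftpd_bad() {
    grep ' ftpd\[[0-9]*\]: FTP LOGIN FAILED FROM ' |
    sed 's/.*FTP LOGIN FAILED FROM //' |
    sort | uniq -c |
    awk '{ n += $1
           lines = lines sprintf("+ %d failed ftp attempts were from %s %s\n", $1, $2, $3) }
         END { if (n) printf("++ Found %d failed attempts for ftpd:\n%s", n, lines) }'
}

# sum_sshd_badpws: wrong passwords for accounts that exist, per (user, IP).
# "Failed password for invalid user ..." lines do not match because the
# word after "for" must be followed directly by "from".
sum_sshd_badpws() {
    grep ' sshd\[[0-9]*\]: Failed password for [^ ]* from ' |
    sed 's/.*Failed password for \([^ ]*\) from \([^ ]*\).*/\1 \2/' |
    sort | uniq -c |
    awk '{ n += $1
           lines = lines sprintf("+ %d were ssh attempts for %s from %s\n", $1, $2, $3) }
         END { if (n) printf("++ Found %d failed attempts to login to valid userids:\n%s", n, lines) }'
}

# sum_sshd_baduserids: attempts against accounts that do not exist, per IP.
# Counted from the "Invalid user" line only, so the paired
# "Failed password for invalid user" line is not counted a second time.
sum_sshd_baduserids() {
    grep ' sshd\[[0-9]*\]: Invalid user [^ ]* from ' |
    sed 's/.*Invalid user [^ ]* from \([^ ]*\).*/\1/' |
    sort | uniq -c |
    awk '{ n += $1
           lines = lines sprintf("+ %d were ssh attempts from %s\n", $1, $2) }
         END { if (n) printf("++ Found %d attempts to login to invalid (non-existing) userids:\n%s", n, lines) }'
}

# Run all three summaries over a log file, e.g. /var/log/auth.log.
summarize_login_failures() {
    for summary in sum_ftpd_bad sum_sshd_badpws sum_sshd_baduserids; do
        "$summary" < "$1"
    done
}

# Stand-alone run: use the file given as $1, else the constructed sample.
if [ -n "${1:-}" ]; then
    summarize_login_failures "$1"
else
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    summarize_login_failures "$tmp"
    rm -f "$tmp"
fi
```

Each summary function prints nothing when its grep finds no matching lines, so a quiet day yields an empty section rather than a header with zero entries. Running the script with a path argument (`sh summarize.sh /var/log/auth.log`) applies all three summaries to a real log; the sort is done under LC_ALL=C so the per-host grouping does not depend on the locale of the account running periodic.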