Date: Fri, 17 Mar 2006 15:44:50 +0200
From: Panagiotis Astithas <past@ebs.gr>
To: Garance A Drosehn <gad@freebsd.org>
Cc: Dmitry Pryanishnikov <dmitry@atlantis.dp.ua>, Matteo Riondato <matteo@freebsd.org>, freebsd-current@freebsd.org
Subject: Re: PROPOSAL for periodic/security/800.loginfail
Message-ID: <441ABD52.9040509@ebs.gr>
In-Reply-To: <p0623091dc0405dd1885b@[128.113.24.47]>
References: <20060316145826.M96629@atlantis.atlantis.dp.ua> <p06230912c03f933e0d8e@[128.113.24.47]> <20060317030230.G64324@atlantis.atlantis.dp.ua> <p0623091bc0404dc8c646@[128.113.24.47]> <p0623091dc0405dd1885b@[128.113.24.47]>
Garance A Drosehn wrote:
> At 7:25 AM -0500 3/17/06, Garance A Drosehn wrote:
>>
>> But the goal that I'm really driving for here is to provide
>> a script which can summarize some types of login-failure
>> records, particularly the ones caused by brute-force
>> password-guessing attacks. This script implements three
>> options which implement such summaries.
>>
>> sum_ftpd_bad
>> sum_sshd_badpws
>> sum_sshd_baduserids
>
> Here is an example of running the script with all three
> of those options turned on (with some names changed to
> protect both the innocent and the guilty, which is why
> there seem to be a bizarre collection of hosts coming
> from the 127.0.* block...). This is from an auth.log
> containing activity for December 24th to January 3rd.
>
> First, imagine a standard message with 382 login-failure
> messages in it. Then imagine if you got the following
> instead of that (and I could easily condense the list of
> ftp failures some more). Which is easier to deal with?
>
>
> Jan 2 17:03:29 sinbad shutdown: reboot by root:
> Jan 2 17:28:26 sinbad shutdown: power-down by root: remove drive...
> +
> ++ Found 49 failed attempts for ftpd:
> + 4 failed ftp attempts were from xdsl-81-173.changed.de, webmaster
> + 3 failed ftp attempts were from xdsl-81-173.changed.de, web
> + 16 failed ftp attempts were from dslb-084-062.otherchg.net, admin
> + 2 failed ftp attempts were from xdsl-81-173.changed.de, sybase
> + 1 failed ftp attempts were from xdsl-81-173.changed.de, backup
> + 5 failed ftp attempts were from xdsl-81-173.changed.de, admin
> + 1 failed ftp attempts were from xdsl-81-173.changed.de, oracle8
> + 2 failed ftp attempts were from xdsl-81-173.changed.de, oracle
> + 4 failed ftp attempts were from xdsl-81-173.changed.de, test
> + 2 failed ftp attempts were from xdsl-81-173.changed.de, informix
> + 3 failed ftp attempts were from xdsl-81-173.changed.de, administrator
> + 4 failed ftp attempts were from xdsl-81-173.changed.de, user
> + 1 failed ftp attempts were from xdsl-81-173.changed.de, lizdy
> + 1 failed ftp attempts were from xdsl-81-173.changed.de, anyone
> +
> ++ Found 134 failed attempts to login to valid userids:
> + 3 were ssh attempts for root from 127.0.225.154
> + 1 were ssh attempts for root from 127.0.102.26
> + 44 were ssh attempts for root from 127.0.45.46
> + 12 were ssh attempts for root from 127.0.175.156
> + 22 were ssh attempts for root from 127.0.69.146
> + 2 were ssh attempts for www from 127.0.225.154
> + 1 were ssh attempts for ftp from 127.0.175.156
> + 1 were ssh attempts for ftp from 127.0.102.26
> + 3 were ssh attempts for root from 127.0.73.182
> + 45 were ssh attempts for root from 127.0.210.12
> +
> ++ Found 199 attempts to login to invalid (non-existing) userids:
> + 45 were ssh attempts from 127.0.191.36
> + 10 were ssh attempts from 127.0.87.251
> + 14 were ssh attempts from 127.0.225.154
> + 8 were ssh attempts from 127.0.102.26
> + 1 were ssh attempts from 127.0.102.141
> + 2 were ssh attempts from 127.0.28.31
> + 29 were ssh attempts from 127.0.175.156
> + 4 were ssh attempts from 127.0.192.3
> + 21 were ssh attempts from 127.0.69.146
> + 44 were ssh attempts from 127.0.111.3
> + 10 were ssh attempts from 127.0.185.180
> + 5 were ssh attempts from 127.0.30.97
> + 6 were ssh attempts from 127.0.73.182

Much better!

Thanks,
Panagiotis
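The quoted output shows the three summaries (ftpd failures, sshd bad passwords for existing accounts, sshd attempts against non-existent accounts) but not the script itself. The following is an added example, written for this page in Python rather than the sh that FreeBSD periodic scripts use, and it is not Garance's script or any FreeBSD code. It assumes the FreeBSD ftpd "FTP LOGIN FAILED FROM host, user" message and the OpenSSH "Failed password for ..." / "Invalid user ..." messages; the auth.log excerpt is constructed, with invented hosts and addresses in the same 127.0.* style the post uses for masking.

```python
import re
from collections import Counter

# Constructed sample auth.log excerpt (not from the original post). Host names
# and addresses are invented; message formats follow FreeBSD ftpd and OpenSSH sshd.
SAMPLE_LOG = """\
Jan  2 17:03:29 sinbad shutdown: reboot by root:
Jan  2 17:05:01 sinbad ftpd[1234]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, webmaster
Jan  2 17:05:03 sinbad ftpd[1235]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, webmaster
Jan  2 17:05:09 sinbad ftpd[1236]: FTP LOGIN FAILED FROM dslb-084-062.otherchg.net, admin
Jan  2 18:10:11 sinbad sshd[2001]: Failed password for root from 127.0.45.46 port 40012 ssh2
Jan  2 18:10:14 sinbad sshd[2001]: Failed password for root from 127.0.45.46 port 40012 ssh2
Jan  2 18:10:20 sinbad sshd[2002]: Failed password for www from 127.0.225.154 port 40100 ssh2
Jan  2 18:11:02 sinbad sshd[2003]: Invalid user oracle from 127.0.191.36
Jan  2 18:11:03 sinbad sshd[2003]: Failed password for invalid user oracle from 127.0.191.36 port 40200 ssh2
Jan  2 18:11:09 sinbad sshd[2004]: Invalid user test from 127.0.191.36
Jan  2 17:28:26 sinbad shutdown: power-down by root: remove drive...
"""

# sum_ftpd_bad: FreeBSD ftpd logs "FTP LOGIN FAILED FROM <host>, <user>".
FTPD_RE = re.compile(r"ftpd\[\d+\]: FTP LOGIN FAILED FROM (\S+), (\S+)\s*$")

# sum_sshd_badpws: wrong password for an account that exists. The negative
# lookahead skips "Failed password for invalid user ..." so attempts against
# non-existent accounts are not counted under both headings.
SSHD_BADPW_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?!invalid user )(\S+) from (\S+) port \d+")

# sum_sshd_baduserids: sshd logs one "Invalid user" line per attempt against a
# non-existent account, so that line alone is counted.
SSHD_BADUSER_RE = re.compile(r"sshd\[\d+\]: Invalid user \S+ from (\S+)")


def summarize(log_text):
    """Return (ftp_failures, sshd_badpw, sshd_baduser, unmatched_lines).

    ftp_failures is keyed by (host, user), sshd_badpw by (user, address),
    sshd_baduser by address. Lines none of the summaries cover are returned
    verbatim so the report still shows them, as the posted output does.
    """
    ftp, badpw, baduser, unmatched = Counter(), Counter(), Counter(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = FTPD_RE.search(line)
        if m:
            ftp[(m.group(1), m.group(2))] += 1
            continue
        m = SSHD_BADPW_RE.search(line)
        if m:
            badpw[(m.group(1), m.group(2))] += 1
            continue
        m = SSHD_BADUSER_RE.search(line)
        if m:
            baduser[m.group(1)] += 1
            continue
        if "Failed password for invalid user" in line:
            continue  # already counted through its "Invalid user" line
        unmatched.append(line)
    return ftp, badpw, baduser, unmatched


def format_report(ftp, badpw, baduser, unmatched):
    """Render the summaries in the layout of the quoted periodic output."""
    out = list(unmatched)
    if ftp:
        out += ["+", "++ Found %d failed attempts for ftpd:" % sum(ftp.values())]
        for (host, user), n in ftp.most_common():
            out.append("+ %d failed ftp attempts were from %s, %s" % (n, host, user))
    if badpw:
        out += ["+", "++ Found %d failed attempts to login to valid userids:"
                % sum(badpw.values())]
        for (user, addr), n in badpw.most_common():
            out.append("+ %d were ssh attempts for %s from %s" % (n, user, addr))
    if baduser:
        out += ["+", "++ Found %d attempts to login to invalid (non-existing) userids:"
                % sum(baduser.values())]
        for addr, n in baduser.most_common():
            out.append("+ %d were ssh attempts from %s" % (n, addr))
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(*summarize(SAMPLE_LOG)))
```

Running the module prints the two shutdown lines untouched, then the three grouped sections; feeding it a real auth.log instead of SAMPLE_LOG gives the condensed view Garance argues for, while still surfacing any message the summaries do not recognise.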
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?441ABD52.9040509>