From owner-freebsd-current@FreeBSD.ORG Fri Mar 17 14:00:55 2006
X-Original-To: freebsd-current@freebsd.org
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 961D216A400; Fri, 17 Mar 2006 14:00:55 +0000 (UTC) (envelope-from phk@critter.freebsd.dk)
Received: from pasmtp.tele.dk (pasmtp.tele.dk [193.162.159.95]) by mx1.FreeBSD.org (Postfix) with ESMTP id 58A9543D72; Fri, 17 Mar 2006 14:00:44 +0000 (GMT) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (0x535c0e2a.sgnxx1.adsl-dhcp.tele.dk [83.92.14.42]) by pasmtp.tele.dk (Postfix) with ESMTP id 8E0A41EC37D; Fri, 17 Mar 2006 15:00:26 +0100 (CET)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.13.4/8.13.4) with ESMTP id k2HE0C3X099354; Fri, 17 Mar 2006 15:00:15 +0100 (CET) (envelope-from phk@critter.freebsd.dk)
To: Panagiotis Astithas
From: "Poul-Henning Kamp"
In-Reply-To: Your message of "Fri, 17 Mar 2006 15:44:50 +0200." <441ABD52.9040509@ebs.gr>
Date: Fri, 17 Mar 2006 15:00:12 +0100
Message-ID: <99353.1142604012@critter.freebsd.dk>
Sender: phk@critter.freebsd.dk
Cc: Dmitry Pryanishnikov, Matteo Riondato, freebsd-current@freebsd.org, Garance A Drosehn
Subject: Re: PROPOSAL for periodic/security/800.loginfail
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
X-List-Received-Date: Fri, 17 Mar 2006 14:00:55 -0000

In message <441ABD52.9040509@ebs.gr>, Panagiotis Astithas writes:

>> First, imagine a standard message with 382 login-failure
>> messages in it.  Then imagine if you got the following
>> instead of that (and I could easily condense the list of
>> ftp failures some more).  Which is easier to deal with?

Yes, absolutely.

But I would advise a bit of data-analysis here.

For instance:

>> ++ Found 49 failed attempts for ftpd:
>> + 4 failed ftp attempts were from xdsl-81-173.changed.de, webmaster
>> + 3 failed ftp attempts were from xdsl-81-173.changed.de, web
>> + 16 failed ftp attempts were from dslb-084-062.otherchg.net, admin
>> + 2 failed ftp attempts were from xdsl-81-173.changed.de, sybase
>> [...]

The crucial information to people here is not which logins have been
attempted as much as where the attempts came from, so I would prefer
instead something like:

        failed ftp attempts:
                33 from xdsl-81-173.changed.de, (webmaster, web, sybase ...)
                16 from dslb-084-062.otherchg.net, (admin)

Would be more compact and sufficient for most people.

Notice the "..." in the second line, I actually mean that: show the
top three login names and use "..." to indicate there are more.

Some attempts I see use a dictionary of usernames, and they would
generate thousands of lines in your scenario and only one in the
above format.

>> ++ Found 199 attempts to login to invalid (non-existing) userids:
>> + 45 were ssh attempts from 127.0.191.36
>> + 10 were ssh attempts from 127.0.87.251
>> + 14 were ssh attempts from 127.0.225.154
>> + 8 were ssh attempts from 127.0.102.26
>> + 1 were ssh attempts from 127.0.102.141
>> + 2 were ssh attempts from 127.0.28.31
>> + 29 were ssh attempts from 127.0.175.156
>> + 4 were ssh attempts from 127.0.192.3

Sort these after number of attempts.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
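The per-source condensation proposed in the message above (total per source, top three usernames with "..." when there are more, rows sorted by count), as an added example. This is not code from the thread or from FreeBSD's periodic/security/800.loginfail, which is a /bin/sh script; it is written in Python for clarity. The log lines are constructed, and the line formats assumed are FreeBSD ftpd's "FTP LOGIN FAILED FROM host, user" and OpenSSH's "Invalid user NAME from ADDR" / "Failed password for NAME from ADDR port N".

```python
"""Condense login-failure log lines into a per-source summary (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample auth.log lines; hosts and addresses are made up.
SAMPLE_LOG = """\
Mar 17 02:01:10 gw ftpd[611]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, webmaster
Mar 17 02:01:14 gw ftpd[612]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, webmaster
Mar 17 02:01:20 gw ftpd[613]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, web
Mar 17 02:01:25 gw ftpd[614]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, sybase
Mar 17 02:01:31 gw ftpd[615]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, oracle
Mar 17 02:02:00 gw ftpd[620]: FTP LOGIN FAILED FROM dslb-084-062.otherchg.net, admin
Mar 17 02:02:03 gw ftpd[621]: FTP LOGIN FAILED FROM dslb-084-062.otherchg.net, admin
Mar 17 02:03:00 gw sshd[700]: Invalid user test from 127.0.191.36
Mar 17 02:03:01 gw sshd[701]: Invalid user guest from 127.0.191.36
Mar 17 02:03:02 gw sshd[702]: Invalid user oracle from 127.0.191.36
Mar 17 02:03:05 gw sshd[703]: Invalid user admin from 127.0.87.251
Mar 17 02:04:00 gw sshd[704]: Failed password for root from 127.0.28.31 port 4022 ssh2
"""

# (service, regex) pairs; every regex yields "src" and "user" groups.
# Line formats are assumptions about ftpd/sshd syslog output.
# "Failed password for invalid user X" is deliberately NOT matched by the
# third pattern (\S+ cannot span "invalid user"), because sshd also logs
# an "Invalid user X" line for the same attempt and we count each once.
PATTERNS = [
    ("ftp", re.compile(r" ftpd\[\d+\]: FTP LOGIN FAILED FROM (?P<src>[^,]+), (?P<user>\S+)")),
    ("ssh", re.compile(r" sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<src>\S+)")),
    ("ssh", re.compile(r" sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+) port \d+")),
]


def summarize(log_text, top=3):
    """Return {service: [(total, src, [top user names], has_more), ...]},
    rows sorted by total descending (then by source for stable output)."""
    # service -> source -> Counter of usernames tried from that source
    per_src = defaultdict(lambda: defaultdict(Counter))
    for line in log_text.splitlines():
        for service, rx in PATTERNS:
            m = rx.search(line)
            if m:
                per_src[service][m["src"]][m["user"]] += 1
                break
    report = {}
    for service, sources in per_src.items():
        rows = []
        for src, users in sources.items():
            total = sum(users.values())
            names = [u for u, _ in users.most_common(top)]
            rows.append((total, src, names, len(users) > top))
        rows.sort(key=lambda r: (-r[0], r[1]))
        report[service] = rows
    return report


def format_report(report):
    """Render the summary in the compact form proposed in the message."""
    out = []
    for service in sorted(report):
        rows = report[service]
        out.append(f"failed {service} attempts: {sum(r[0] for r in rows)}")
        for total, src, names, more in rows:
            users = ", ".join(names) + (" ..." if more else "")
            out.append(f"\t{total} from {src}, ({users})")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_LOG)))
```

One caveat when grouping by the name ftpd logs: it is the reverse-DNS name of the peer, and the PTR record is controlled by whoever owns the address space, so a scanner can make several sources look like one host (or one host look like many). Keying the summary on the raw IP address and resolving only for display avoids that.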