Date: Fri, 17 Mar 2006 09:17:17 -0500
From: Garance A Drosehn <gad@FreeBSD.org>
To: "Poul-Henning Kamp" <phk@phk.freebsd.dk>
Cc: freebsd-current@FreeBSD.org
Subject: Re: PROPOSAL for periodic/security/800.loginfail
Message-ID: <p06230922c04072e5792b@[128.113.24.47]>
In-Reply-To: <99353.1142604012@critter.freebsd.dk>
References: <99353.1142604012@critter.freebsd.dk>
At 3:00 PM +0100 3/17/06, Poul-Henning Kamp wrote:
>
>But I would advise a bit of data-analysis here.
>
>For instance:
>>> ++ Found 49 failed attempts for ftpd:
>>>    + 4 failed ftp attempts were from xdsl-81-173.changed.de, webmaster
>>>    + 3 failed ftp attempts were from xdsl-81-173.changed.de, web
>>>    + 16 failed ftp attempts were from dslb-084-062.otherchg.net, admin
>>>    + 2 failed ftp attempts were from xdsl-81-173.changed.de, sybase
>>>    [...]
>
>The crucial information to people here is not which
>logins have been attempted as much as where the
>attempts came from, so I would prefer instead
>something like:
>
>failed ftp attempts:
>    33 from xdsl-81-173.changed.de, (webmaster, web, sybase ...)
>    16 from dslb-084-062.otherchg.net, (admin)
>
>Would be more compact and sufficient for most people.
>
>Notice the "..." in the second line, I actually mean
>that: show the top three login names and use "..." to
>indicate there are more.

Sounds very good.  I will do that.  (well, I may not get to it
until tomorrow, but I will do it...)

>
>>> ++ Found 199 attempts to login to invalid (non-existing) userids:
>>>    + 45 were ssh attempts from 127.0.191.36
>>>    + 10 were ssh attempts from 127.0.87.251
>>>    + 14 were ssh attempts from 127.0.225.154
>>>    + 8 were ssh attempts from 127.0.102.26
>>>    + 1 were ssh attempts from 127.0.102.141
>>>    + 2 were ssh attempts from 127.0.28.31
>>>    + 29 were ssh attempts from 127.0.175.156
>>>    + 4 were ssh attempts from 127.0.192.3
>
>Sort these after number of attempts.

I have to admit this is the first awk script I've written in more
than a decade, so I am quite rusty with it.  Last night I made a
quick attempt to figure out how to sort values out of an associative
array, but did not come across any sort function provided by nawk
itself.  I like the idea of sorting, I just haven't figured out how
to get nawk to do it yet...  If I can figure that out, I'll do that
too.  Sort by number-of-attempts, or sort by IP-address of attacker?
-- 
Garance Alistair Drosehn            =   gad@gilead.netel.rpi.edu
Senior Systems Programmer           or  gad@FreeBSD.org
Rensselaer Polytechnic Institute;             Troy, NY;  USA