From owner-freebsd-current@FreeBSD.ORG Fri Mar 17 14:17:20 2006
From: Garance A Drosehn <gad@FreeBSD.org>
To: "Poul-Henning Kamp"
Cc: freebsd-current@FreeBSD.org
Date: Fri, 17 Mar 2006 09:17:17 -0500
Subject: Re: PROPOSAL for periodic/security/800.loginfail
In-Reply-To: <99353.1142604012@critter.freebsd.dk>

At 3:00 PM +0100 3/17/06, Poul-Henning Kamp wrote:
>
> But I would advise a bit of data-analysis here.
>
> For instance:
>>> ++ Found 49 failed attempts for ftpd:
>>>   +  4 failed ftp attempts were from xdsl-81-173.changed.de, webmaster
>>>   +  3 failed ftp attempts were from xdsl-81-173.changed.de, web
>>>   + 16 failed ftp attempts were from dslb-084-062.otherchg.net, admin
>>>   +  2 failed ftp attempts were from xdsl-81-173.changed.de, sybase
>>> [...]
>
> The crucial information to people here is not which
> logins have been attempted as much as where the
> attempts came from, so I would prefer instead
> something like:
>
> failed ftp attempts:
>     33 from xdsl-81-173.changed.de, (webmaster, web, sybase ...)
>     16 from dslb-084-062.otherchg.net, (admin)
>
> Would be more compact and sufficient for most people.
>
> Notice the "..." in the second line, I actually mean
> that: show the top three login names and use "..." to
> indicate there are more.

Sounds very good.  I will do that.  (Well, I may not get to it
until tomorrow, but I will do it...)

>
>>> ++ Found 199 attempts to login to invalid (non-existing) userids:
>>>   + 45 were ssh attempts from 127.0.191.36
>>>   + 10 were ssh attempts from 127.0.87.251
>>>   + 14 were ssh attempts from 127.0.225.154
>>>   +  8 were ssh attempts from 127.0.102.26
>>>   +  1 were ssh attempts from 127.0.102.141
>>>   +  2 were ssh attempts from 127.0.28.31
>>>   + 29 were ssh attempts from 127.0.175.156
>>>   +  4 were ssh attempts from 127.0.192.3
>
> Sort these after number of attempts.

I have to admit this is the first awk script I've written in more
than a decade, so I am quite rusty with it.  Last night I made a
quick attempt to figure out how to sort values out of an
associative array, but did not come across any sort function
provided by nawk itself.  I like the idea of sorting, I just
haven't figured out how to get nawk to do it yet...  If I can
figure that out, I'll do that too.

Sort by number-of-attempts, or sort by IP-address of attacker?

--
Garance Alistair Drosehn            =   gad@gilead.netel.rpi.edu
Senior Systems Programmer           or  gad@FreeBSD.org
Rensselaer Polytechnic Institute;             Troy, NY;  USA
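The two points raised in the message above, the compact per-host format with the top three login names and the ordering by attempt count, can be done without any sort function inside awk: the awk pass only aggregates, and the ordering is handed to sort(1). The following is an added example written for this page; it is not the periodic/security/800.loginfail script under discussion. The ftpd ("FTP LOGIN FAILED FROM <host>, <user>") and sshd ("Invalid user <user> from <addr>") line formats are assumptions, and the sample log lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not the 800.loginfail script): compact per-host summary of
# failed logins, ordered by attempt count. nawk has no sort function, so
# the awk pass only counts and sort(1) orders the result.

# Constructed sample log lines. Assumed formats:
#   ftpd:  "FTP LOGIN FAILED FROM <host>, <user>"
#   sshd:  "Invalid user <user> from <addr>"
SAMPLE_LOG='Mar 17 09:00:01 gw ftpd[101]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, webmaster
Mar 17 09:00:03 gw ftpd[102]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, webmaster
Mar 17 09:00:05 gw ftpd[103]: FTP LOGIN FAILED FROM dslb-084-062.otherchg.net, admin
Mar 17 09:00:07 gw ftpd[104]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, web
Mar 17 09:00:09 gw ftpd[105]: FTP LOGIN FAILED FROM dslb-084-062.otherchg.net, admin
Mar 17 09:00:11 gw ftpd[106]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, sybase
Mar 17 09:00:13 gw ftpd[107]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, oracle
Mar 17 09:00:15 gw ftpd[108]: FTP LOGIN FAILED FROM dslb-084-062.otherchg.net, admin
Mar 17 09:01:02 gw sshd[201]: Invalid user admin from 127.0.191.36
Mar 17 09:01:04 gw sshd[202]: Invalid user test from 127.0.191.36
Mar 17 09:01:06 gw sshd[203]: Invalid user oracle from 127.0.87.251
Mar 17 09:01:08 gw sshd[204]: Invalid user guest from 127.0.191.36'

# summarize_failed_logins < logfile
# Prints, per service, one line per source host with the attempt count and
# the first three login names tried ("..." if there were more), most
# attempts first.
summarize_failed_logins() {
    tab=$(printf '\t')
    awk '
    # Count one attempt for service/host and remember up to three user names.
    function record(svc, host, user,    key) {
        key = svc SUBSEP host
        count[key]++
        if (!((key, user) in seen)) {
            seen[key, user] = 1
            nusers[key]++
            if (nusers[key] <= 3)
                users[key] = (users[key] == "") ? user : (users[key] ", " user)
        }
    }
    /FTP LOGIN FAILED FROM / {
        for (i = 1; i <= NF; i++)
            if ($i == "FROM") { host = $(i + 1); user = $(i + 2); break }
        sub(/,$/, "", host)          # strip the comma after the host name
        record("ftp", host, user)
        next
    }
    /sshd\[[0-9]+\]: Invalid user / {
        for (i = 1; i <= NF; i++)
            if ($i == "user") { user = $(i + 1); host = $(i + 3); break }
        record("ssh", host, user)
        next
    }
    END {
        # Emit "svc<TAB>count<TAB>host<TAB>users"; sort(1) does the ordering.
        for (key in count) {
            split(key, parts, SUBSEP)
            extra = (nusers[key] > 3) ? " ..." : ""
            printf "%s\t%d\t%s\t%s%s\n", parts[1], count[key], parts[2], users[key], extra
        }
    }' |
    sort -t "$tab" -k1,1 -k2,2nr |
    awk -F '\t' '
        $1 != svc { svc = $1; printf "failed %s attempts:\n", svc }
        { printf "    %d from %s (%s)\n", $2, $3, $4 }'
}

# Run on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_failed_logins
```

On the sample above this prints the ftp hosts first (5 attempts, then 3) and the ssh addresses after them (3, then 1), with the "..." marker only on the host that tried more than three distinct names. Sorting by count rather than by address is what puts the noisiest source at the top of each group; swapping the sort keys to `-k1,1 -k3,3` would order by host instead.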