From owner-freebsd-current@FreeBSD.ORG Fri Mar 17 19:30:26 2006
Date: Fri, 17 Mar 2006 11:29:39 -0800
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Panagiotis Astithas
Cc: Dmitry Pryanishnikov, Matteo Riondato, freebsd-current@freebsd.org, Garance A Drosehn
Subject: Re: PROPOSAL for periodic/security/800.loginfail
Message-ID: <20060317192939.GB1441@flame.pc>
In-Reply-To: <441ABD52.9040509@ebs.gr>
References: <20060316145826.M96629@atlantis.atlantis.dp.ua> <20060317030230.G64324@atlantis.atlantis.dp.ua> <441ABD52.9040509@ebs.gr>

On 2006-03-17 15:44, Panagiotis Astithas wrote:
> Garance A Drosehn wrote:
>> Jan 2 17:03:29 sinbad shutdown: reboot by root:
>> Jan 2 17:28:26 sinbad shutdown: power-down by root: remove drive...
>> +
>> ++ Found 49 failed attempts for ftpd:
>> +   4 failed ftp attempts were from xdsl-81-173.changed.de, webmaster
>> +   3 failed ftp attempts were from xdsl-81-173.changed.de, web
>> [...]
>> +
>> ++ Found 134 failed attempts to login to valid userids:
>> +   3 were ssh attempts for root from 127.0.225.154
>> +   1 were ssh attempts for root from 127.0.102.26
>> [...]
>> +
>> ++ Found 199 attempts to login to invalid (non-existing) userids:
>> +  45 were ssh attempts from 127.0.191.36
>> +  10 were ssh attempts from 127.0.87.251
>> [...]
>
> Much better!
> Thanks,

True.  Another good idea is probably to log _successful_ logins.  On
some Linux systems I work with I have installed something like this:

% LOG=/var/log
%
% # Print the rotated auth logs of the last two days (highest rotation
% # number, i.e. oldest, first so the output stays chronological), then
% # the current auth.log.  Rotation number is the 3rd dot-separated field
% # of "/var/log/auth.log.N[.gz|.bz2]".
% catmsgs() {
%     find ${LOG} -name 'auth.log.*' -mtime -2 |
%         sort -t. -r -n -k 3,3 |
%         while read f
%         do
%             case $f in
%             *.gz)  zcat -f "$f";;
%             *.bz2) bzcat -f "$f";;
%             *)     cat "$f";;
%             esac
%         done
%     [ -f ${LOG}/auth.log ] && cat ${LOG}/auth.log
% }
%
% echo
% # Keep only sshd "Accepted" lines, reduce each to "user method addr",
% # count identical tuples and list the most frequent first.
% catmsgs |
%     perl -ne 'if (m/sshd.* Accepted/) {
%                   s/.* Accepted (\S+) for (\S+) from (\S+).*/$2 $1 $3/;
%                   print $_;
%               }' |
%     sort | uniq -c | sort -nr |
%     while read count username auth addr _junk ; do
%         # Reverse-resolve the address; host(1) prints the PTR name last.
%         name=`host "${addr}" 2>&1 | sed -e 's/.* //' -e 's/\.$//'`
%         case ${name} in
%         *NXDOMAIN*)
%             name=""
%             ;;
%         esac
%         echo $count $username $auth $addr $name
%     done |
%     awk 'BEGIN {printf "Users logging in through sshd:\n";}
%     {
%         c=$1; # count
%         u=$2; # username
%         m=$3; # method of authentication
%         a=$4; # from-host address
%         h=$5; # from-host name (may be empty)
%         if (h == "") {
%             printf "  %s logged in from (%s) using %s: %d times\n",u,a,m,c;
%         } else {
%             printf "  %s logged in from %s (%s) using %s: %d times\n",u,h,a,m,c;
%         }
%     }'
% echo

The output looks similarly short to that of Garance's script:

% [root@flame /root]# sh sshd.sh
%
% Users logging in through sshd:
%   keramida logged in from (10.0.0.1) using keyboard-interactive/pam: 14 times
%   keramida logged in from (10.6.0.170) using keyboard-interactive/pam: 8 times
%   keramida logged in from (10.6.0.130) using publickey: 6 times
%   keramida logged in from (10.6.0.130) using keyboard-interactive/pam: 3 times
%   keramida logged in from (10.6.0.82) using keyboard-interactive/pam: 1 times
%   keramida logged in from (10.6.0.80) using keyboard-interactive/pam: 1 times
%

If this looks interesting for our periodic security checks, I can
definitely convert it to use awk instead of Perl and integrate it with
the existing scripts.
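The awk-only rewrite the mail suggests, added here as an example; it is neither Giorgos's script nor anything from FreeBSD's periodic(8) security checks. It assumes the stock OpenSSH syslog line "sshd[PID]: Accepted <method> for <user> from <addr> port <N> ssh2", runs against a few constructed log lines embedded in the script (not real data), and leaves out the reverse-DNS step so it works offline; the function names summarize_sshd_logins and sshd_login_report are mine.

```sh
#!/bin/sh
# Added example, not code from the mail or from FreeBSD periodic(8):
# summarise successful sshd logins with awk alone, as the mail proposes.
# Assumes the standard OpenSSH syslog line
#   "... sshd[PID]: Accepted <method> for <user> from <addr> port <N> ssh2"
# Reverse DNS is deliberately left out so the script runs offline.

# Constructed sample log (not real data): accepted logins mixed with the
# "Failed" and "Invalid user" lines that the summary must ignore.
SAMPLE_LOG='Mar 17 10:01:02 flame sshd[1234]: Accepted publickey for keramida from 10.6.0.130 port 51234 ssh2
Mar 17 10:05:44 flame sshd[1240]: Accepted keyboard-interactive/pam for keramida from 10.0.0.1 port 51240 ssh2
Mar 17 10:09:10 flame sshd[1251]: Failed password for root from 192.0.2.7 port 4022 ssh2
Mar 17 11:12:33 flame sshd[1290]: Accepted keyboard-interactive/pam for keramida from 10.0.0.1 port 51300 ssh2
Mar 17 12:40:01 flame sshd[1333]: Accepted publickey for root from 10.6.0.130 port 51400 ssh2
Mar 17 12:45:00 flame sshd[1340]: Invalid user admin from 192.0.2.9'

# summarize_sshd_logins: syslog lines on stdin -> "COUNT USER ADDR METHOD",
# one line per distinct (user, address, method), most frequent first.
summarize_sshd_logins() {
    awk '
        /sshd\[[0-9]+\]: Accepted / {
            # Locate the Accepted keyword and read the fields relative to
            # it, checking the fixed words around them, so a username that
            # equals one of the keywords cannot shift the parse.
            for (i = 1; i <= NF; i++) {
                if ($i == "Accepted" && $(i+2) == "for" && $(i+4) == "from") {
                    key = $(i+3) " " $(i+5) " " $(i+1)
                    count[key]++
                    break
                }
            }
        }
        END {
            for (k in count) printf "%d %s\n", count[k], k
        }
    ' | LC_ALL=C sort -k1,1nr -k2,2 -k3,3
}

# sshd_login_report: turn the tuples into the human-readable lines the
# periodic security mail would carry.
sshd_login_report() {
    summarize_sshd_logins | awk '
        BEGIN { print "Users logging in through sshd:" }
        { printf "  %s logged in from (%s) using %s: %d times\n", $2, $3, $4, $1 }
    '
}

# Usage against the embedded sample.  On a live system feed it the real
# log instead, e.g. cat /var/log/auth.log | sshd_login_report
printf '%s\n' "$SAMPLE_LOG" | sshd_login_report
```

Two points worth keeping in mind if this goes into a periodic script: the sort is pinned to LC_ALL=C so the report is stable across locales, and the reverse-DNS name that the Perl version prints is whatever the owner of the source address's in-addr.arpa zone chooses to publish, so it is fine as a display aid but must never be used to decide whether a login was expected; the address is the only value in that line the server actually observed.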