PROPOSAL for periodic/security/800.loginfail
Garance A Drosehn
gad at FreeBSD.org
Fri Mar 17 14:17:20 UTC 2006
At 3:00 PM +0100 3/17/06, Poul-Henning Kamp wrote:
>
>But I would advise a bit of data-analysis here.
>
>For instance:
>>> ++ Found 49 failed attempts for ftpd:
>>> + 4 failed ftp attempts were from xdsl-81-173.changed.de, webmaster
>>> + 3 failed ftp attempts were from xdsl-81-173.changed.de, web
>>> + 16 failed ftp attempts were from dslb-084-062.otherchg.net, admin
>>> + 2 failed ftp attempts were from xdsl-81-173.changed.de, sybase
>>> [...]
>
>The crucial information to people here is not which
>logins have been attempted as much as where the
>attempts came from, so I would prefer instead
>something like:
>
>failed ftp attempts:
> 33 from xdsl-81-173.changed.de, (webmaster, web, sybase ...)
> 16 from dslb-084-062.otherchg.net, (admin)
>
>Would be more compact and sufficient for most people.
>
>Notice the "..." in the second line, I actually mean
>that: show the top three login names and use "..." to
>indicate there are more.
Sounds very good. I will do that. (well, I may not
get to it until tomorrow, but I will do it...)
>
>>> ++ Found 199 attempts to login to invalid (non-existing) userids:
>>> + 45 were ssh attempts from 127.0.191.36
>>> + 10 were ssh attempts from 127.0.87.251
>>> + 14 were ssh attempts from 127.0.225.154
>>> + 8 were ssh attempts from 127.0.102.26
>>> + 1 were ssh attempts from 127.0.102.141
>>> + 2 were ssh attempts from 127.0.28.31
>>> + 29 were ssh attempts from 127.0.175.156
>>> + 4 were ssh attempts from 127.0.192.3
>
>Sort these after number of attempts.
I have to admit this is the first awk script I've written in
more than a decade, so I am quite rusty with it. Last
night I made a quick attempt to figure out how to sort
values out of an associative array, but did not come
across any sort function provided by nawk itself. I like
the idea of sorting, I just haven't figured out how to get
nawk to do it yet...
If I can figure that out, I'll do that too. Sort by
number-of-attempts, or sort by IP-address of attacker?
--
Garance Alistair Drosehn = gad at gilead.netel.rpi.edu
Senior Systems Programmer or gad at FreeBSD.org
Rensselaer Polytechnic Institute; Troy, NY; USA
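Added example (not Garance's script and not the 800.loginfail that shipped): one way to get the per-host summary Poul-Henning asked for, with the three most-tried login names and "..." when there are more, and ordered by attempt count. The ordering comes from sort(1) between awk stages, since nawk has no sort for associative arrays; the same trick answers the "sort these after number of attempts" request for the ssh list. The ftpd line format and the sample log lines are assumed/constructed.

```shell
#!/bin/sh
# Added example, not the 800.loginfail script: condense ftpd failures
# into one line per source host, list the three most-tried login names
# (plus "..." when more exist), and order hosts by attempt count.
# nawk has no array sort, so the ordering is delegated to sort(1).
# Log format assumed: "... ftpd[pid]: FTP LOGIN FAILED FROM <host>, <user>"

make_sample_log() {
    # Constructed input, not real log data: $1 copies of a line for $2/$3.
    emit() { i=0; while [ "$i" -lt "$1" ]; do
        echo "Mar 17 03:12:01 gw ftpd[4242]: FTP LOGIN FAILED FROM $2, $3"
        i=$((i + 1)); done; }
    emit 4  xdsl-81-173.changed.de    webmaster
    emit 3  xdsl-81-173.changed.de    web
    emit 2  xdsl-81-173.changed.de    sybase
    emit 1  xdsl-81-173.changed.de    oracle
    emit 16 dslb-084-062.otherchg.net admin
}

summarize_ftp_failures() {
    # Stage 1: count attempts per (host, login) pair.
    awk '/FTP LOGIN FAILED FROM/ {
            host = $(NF - 1); sub(/,$/, "", host)
            c[host SUBSEP $NF]++
        }
        END { for (k in c) { split(k, p, SUBSEP); print c[k], p[1], p[2] } }' |
    # Stage 2: group by host, most-tried login first (sort(1) does the ordering).
    sort -k2,2 -k1,1nr |
    # Stage 3: one summary line per host with the top three login names.
    awk '
        function flush() {
            if (host != "")
                printf "%d from %s, (%s%s)\n", total, host, names, (n > 3 ? " ..." : "")
        }
        $2 != host { flush(); host = $2; total = 0; n = 0; names = "" }
        { total += $1; n++; if (n <= 3) names = names (n > 1 ? ", " : "") $3 }
        END { flush() }' |
    # Stage 4: busiest source host first.
    sort -rn
}

make_sample_log | summarize_ftp_failures
```

Feeding the sample through prints "16 from dslb-084-062.otherchg.net, (admin)" and then "10 from xdsl-81-173.changed.de, (webmaster, web, sybase ...)".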