PROPOSAL for periodic/security/800.loginfail
Panagiotis Astithas
past at ebs.gr
Fri Mar 17 13:45:09 UTC 2006
Garance A Drosehn wrote:
> At 7:25 AM -0500 3/17/06, Garance A Drosehn wrote:
>>
>> But the goal that I'm really driving for here is to provide
>> a script which can summarize some types of login-failure
>> records, particularly the ones caused by brute-force
>> password-guessing attacks. This script implements three
>> options which implement such summaries.
>>
>> sum_ftpd_bad
>> sum_sshd_badpws
>> sum_sshd_baduserids
>
> Here is an example of running the script with all three
> of those options turned on (with some names changed to
> protect both the innocent and the guilty, which is why
> there seem to be a bizarre collection of hosts coming
> from the 127.0.* block...). This is from an auth.log
> containing activity for December 24th to January 3rd.
>
> First, imagine a standard message with 382 login-failure
> messages in it. Then imagine if you got the following
> instead of that (and I could easily condense the list of
> ftp failures some more). Which is easier to deal with?
>
>
> Jan 2 17:03:29 sinbad shutdown: reboot by root:
> Jan 2 17:28:26 sinbad shutdown: power-down by root: remove drive...
> +
> ++ Found 49 failed attempts for ftpd:
> + 4 failed ftp attempts were from xdsl-81-173.changed.de, webmaster
> + 3 failed ftp attempts were from xdsl-81-173.changed.de, web
> + 16 failed ftp attempts were from dslb-084-062.otherchg.net, admin
> + 2 failed ftp attempts were from xdsl-81-173.changed.de, sybase
> + 1 failed ftp attempts were from xdsl-81-173.changed.de, backup
> + 5 failed ftp attempts were from xdsl-81-173.changed.de, admin
> + 1 failed ftp attempts were from xdsl-81-173.changed.de, oracle8
> + 2 failed ftp attempts were from xdsl-81-173.changed.de, oracle
> + 4 failed ftp attempts were from xdsl-81-173.changed.de, test
> + 2 failed ftp attempts were from xdsl-81-173.changed.de, informix
> + 3 failed ftp attempts were from xdsl-81-173.changed.de, administrator
> + 4 failed ftp attempts were from xdsl-81-173.changed.de, user
> + 1 failed ftp attempts were from xdsl-81-173.changed.de, lizdy
> + 1 failed ftp attempts were from xdsl-81-173.changed.de, anyone
> +
> ++ Found 134 failed attempts to login to valid userids:
> + 3 were ssh attempts for root from 127.0.225.154
> + 1 were ssh attempts for root from 127.0.102.26
> + 44 were ssh attempts for root from 127.0.45.46
> + 12 were ssh attempts for root from 127.0.175.156
> + 22 were ssh attempts for root from 127.0.69.146
> + 2 were ssh attempts for www from 127.0.225.154
> + 1 were ssh attempts for ftp from 127.0.175.156
> + 1 were ssh attempts for ftp from 127.0.102.26
> + 3 were ssh attempts for root from 127.0.73.182
> + 45 were ssh attempts for root from 127.0.210.12
> +
> ++ Found 199 attempts to login to invalid (non-existing) userids:
> + 45 were ssh attempts from 127.0.191.36
> + 10 were ssh attempts from 127.0.87.251
> + 14 were ssh attempts from 127.0.225.154
> + 8 were ssh attempts from 127.0.102.26
> + 1 were ssh attempts from 127.0.102.141
> + 2 were ssh attempts from 127.0.28.31
> + 29 were ssh attempts from 127.0.175.156
> + 4 were ssh attempts from 127.0.192.3
> + 21 were ssh attempts from 127.0.69.146
> + 44 were ssh attempts from 127.0.111.3
> + 10 were ssh attempts from 127.0.185.180
> + 5 were ssh attempts from 127.0.30.97
> + 6 were ssh attempts from 127.0.73.182
Much better!
Thanks,
Panagiotis
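The quoted report groups three kinds of auth.log records: ftpd login failures by host and userid, sshd password failures against existing accounts by userid and host, and sshd attempts against non-existing accounts by host. The sh script below is an added example of that summarization and is not Garance Drosehn's 800.loginfail script; the function names, the report wording and the sample log lines are this example's own. The sample lines are constructed to follow the OpenSSH "Failed password for ..." / "Invalid user ..." messages and the FreeBSD ftpd "FTP LOGIN FAILED FROM host, user" message, and the patterns assume the usual syslog layout ("Mon dd hh:mm:ss host prog[pid]: text"). One point worth noting: sshd logs a non-existing account both as "Invalid user X from H" and as "Failed password for invalid user X from H", so the valid-userid summary has to skip the second form or the invalid attempts get counted twice.

```shell
#!/bin/sh
# Added example, not the proposed 800.loginfail script: summarize login
# failures from an auth.log the way the quoted report does.

# Constructed sample auth.log (not real traffic); formats modeled on
# OpenSSH and FreeBSD ftpd syslog messages.
SAMPLE_LOG='Dec 24 03:12:01 sinbad sshd[1201]: Failed password for root from 127.0.45.46 port 51222 ssh2
Dec 24 03:12:04 sinbad sshd[1203]: Failed password for root from 127.0.45.46 port 51230 ssh2
Dec 24 03:12:09 sinbad sshd[1205]: Invalid user oracle from 127.0.191.36
Dec 24 03:12:09 sinbad sshd[1205]: Failed password for invalid user oracle from 127.0.191.36 port 4011 ssh2
Dec 24 03:12:15 sinbad sshd[1207]: Failed password for www from 127.0.225.154 port 4020 ssh2
Dec 24 03:13:00 sinbad ftpd[1300]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, admin
Dec 24 03:13:02 sinbad ftpd[1301]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, admin
Dec 24 03:13:05 sinbad ftpd[1302]: FTP LOGIN FAILED FROM dslb-084-062.otherchg.net, test
Dec 25 10:00:00 sinbad sshd[1400]: Accepted publickey for gad from 127.0.1.1 port 3000 ssh2'

# Count identical keys on stdin and print "N <label> <key>", most
# frequent first (ties broken by key text so the output is stable).
count_keys() {
    sort | uniq -c | sort -k1,1nr -k2 |
    awk -v label="$1" '{ n = $1; $1 = ""; sub(/^ +/, ""); print n " " label " " $0 }'
}

# ftpd: "FTP LOGIN FAILED FROM host, user"; key is "host, user".
# The host is whatever ftpd logged (reverse DNS if it resolved).
sum_ftpd_bad() {
    printf '%s\n' "$1" |
    sed -n 's/.*ftpd\[[0-9]*\]: FTP LOGIN FAILED FROM \(.*\)$/\1/p' |
    count_keys "failed ftp attempts were from"
}

# sshd password failures against existing userids; key is "user from host".
# The single non-blank token between "for" and "from" deliberately does
# not match "Failed password for invalid user X from H", so non-existing
# accounts are left to sum_sshd_baduserids and are not counted twice.
sum_sshd_badpws() {
    printf '%s\n' "$1" |
    sed -n 's/.*sshd\[[0-9]*\]: Failed password for \([^ ]*\) from \([^ ]*\) .*/\1 from \2/p' |
    count_keys "were ssh attempts for"
}

# sshd attempts against non-existing userids; key is the source host only.
# ".*" for the userid keeps attempts with blanks in the name countable.
sum_sshd_baduserids() {
    printf '%s\n' "$1" |
    sed -n 's/.*sshd\[[0-9]*\]: Invalid user .* from \([^ ]*\)$/\1/p' |
    count_keys "were ssh attempts from"
}

# Turn one summary into a report section with a total; prints nothing
# when there were no matching records, like a periodic(8) script should.
section() {
    awk -v heading="$1" '{ lines[NR] = $0; total += $1 }
        END { if (NR) { print "+"; print "++ Found " total " " heading ":"
                        for (i = 1; i <= NR; i++) print "+ " lines[i] } }'
}

login_failure_report() {
    sum_ftpd_bad "$1"        | section "failed attempts for ftpd"
    sum_sshd_badpws "$1"     | section "failed attempts to login to valid userids"
    sum_sshd_baduserids "$1" | section "attempts to login to invalid (non-existing) userids"
}

login_failure_report "$SAMPLE_LOG"
```

Run it as `sh loginfail.sh` to print the three sections for the sample; for a real system replace `$SAMPLE_LOG` with the contents of the auth.log for the period you want summarized. Totals per section are the sums of the per-key counts, so the "Accepted publickey" line and the duplicated "invalid user" failure contribute nothing to the valid-userid section.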