PROPOSAL for periodic/security/800.loginfail
Garance A Drosehn
gad at FreeBSD.org
Sun Mar 19 13:28:45 UTC 2006
At 3:00 PM +0100 3/17/06, Poul-Henning Kamp wrote:
>
>Garance wrote:
>>>
>>> First, imagine a standard message with 382 login-failure
>>> messages in it. Then imagine if you got the following
>>> instead of that (and I could easily condense the list of
>>> ftp failures some more). Which is easier to deal with?
>
>Yes, absolutely.
>
>But I would advise a bit of data-analysis here.
>
>For instance:
>>> ++ Found 49 failed attempts for ftpd:
>>> + 4 failed ftp attempts were from xdsl-81-173.changed.de, webmaster
>>> + 3 failed ftp attempts were from xdsl-81-173.changed.de, web
>>> + 16 failed ftp attempts were from dslb-084-062.otherchg.net, admin
>>> + 2 failed ftp attempts were from xdsl-81-173.changed.de, sybase
>>> [...]
The crowd asked for fewer lines...
The crowd asked for more data-analysis...
Now the script can deliver it!
"AND THE CROWD GOES WILD!"
[bullwinkle crowd] yea... [/bullwinkle crowd]
So... five cans of Jolt Blue later, I have a new version
of the script available at:
http://people.freebsd.org/~gad/filters/loginfail-V2.nawk
In this version, for each of the recognized categories of messages,
there is an option to set a summary level.
The higher that summary_level value is set, the less
information will be printed for the matching category.
The values defined so far are:
0 = no summary
1 = print a summary, while still printing all the lines
2 = do not print any of the lines matched in the category,
and print the full summary.
5 = print the summary for the category, without any
userid-specific information.
50 = print nothing but the summary-header for the category.
Here is the output for the same list of records I used in
my previous example. Note that the summary now also shows
the range-of-time that the attacks were happening.
This is what it shows when run with
sum_ftpd_bad=2 sum_sshd_badpws=2 sum_sshd_baduserids=5
# - - - - start:
sinbad.fake.rpi.edu login failures:
Jan 2 17:03:29 sinbad shutdown: reboot by root:
Jan 2 17:28:26 sinbad shutdown: power-down by root: remove drive...
matched 49 failures (not shown) of ftp connections
   33 from xdsl-81-173.changed.de @ 20:16 -> 20:16 Dec 28
          to users: admin*5 webmaster*4 user*4 test*4 + 9 others
   16 from dslb-084-062.otherchg.net @ 21:51 -> 21:52 Dec 28
          to users: admin*16
matched 134 failures (not shown) of ssh to existing userids
   45 from 127.0.210.12 @ 04:22 -> 04:24 Dec 31 u: root*45
   44 from 127.0.45.46 @ 13:52 -> 13:53 Dec 26 u: root*44
   22 from 127.0.69.146 @ 15:32 -> 15:32 Dec 28 u: root*22
   13 from 127.0.175.156 @ 14:26 -> 14:26 Dec 27
          to users: root*12 + 1 others
    5 from 127.0.225.154 @ 14:39 -> 14:40 Dec 28
          to users: root*3 + 1 others
    3 from 127.0.73.182 @ 21:57 -> 21:58 Dec 26 u: root*3
    2 from 127.0.102.26 @ 15:30 -> 15:30 Dec 31
          to users: root*1 + 1 others
matched 199 failures (not shown) of ssh to non-existent userids
   45 from 127.0.191.36 @ 14:29 -> 14:31 Dec 28 #users: 45
   44 from 127.0.111.3 @ 03:10 -> 03:12 Dec 31 #users: 36
   29 from 127.0.175.156 @ 14:26 -> 14:26 Dec 27 #users: 16
   21 from 127.0.69.146 @ 15:32 -> 15:32 Dec 28 #users: 21
   14 from 127.0.225.154 @ 14:39 -> 14:40 Dec 28 #users: 7
   10 from 127.0.87.251 @ 11:00 -> 11:00 Jan 1 #users: 8
   10 from 127.0.185.180 @ 15:50 -> 15:50 Jan 3 #users: 10
    8 from 127.0.102.26 @ 15:30 -> 15:31 Dec 31 #users: 8
    6 from 127.0.73.182 @ 21:57 -> 21:58 Dec 26 #users: 4
    5 from 127.0.30.97 @ 08:14 -> 08:16 Dec 31 #users: 1
    4 from 127.0.192.3 @ 13:44 -> 13:45 Dec 31 #users: 1
    2 from 127.0.28.31 @ 23:28 -> 23:28 Dec 28 #users: 2
    1 from 127.0.102.141 @ 21:05 -> 21:05 Dec 29 #users: 1
# - - - - end
The month-and-day are showing up in this example because the
input included lines from more than one day. In standard
use it would only see records from a single day, so the date
would not be displayed (it would still have the time-range).
When printing the user-specific information, it only prints
the second line of "to users: " when there was more than one
userid found. If only one userid was found, then it just
tacks something like "u: root*3" on the first line.
If that is still too much, then this is what the script shows
when run with
sum_ftpd_bad=50 sum_sshd_badpws=50 sum_sshd_baduserids=50
# - - - - start:
sinbad.fake.rpi.edu login failures:
Jan 2 17:03:29 sinbad shutdown: reboot by root:
Jan 2 17:28:26 sinbad shutdown: power-down by root: remove drive...
matched 49 failures (not shown) of ftp connections
matched 134 failures (not shown) of ssh to existing userids
matched 199 failures (not shown) of ssh to non-existent userids
# - - - - end
--
Garance Alistair Drosehn = gad at gilead.netel.rpi.edu
Senior Systems Programmer or gad at FreeBSD.org
Rensselaer Polytechnic Institute; Troy, NY; USA
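The summarization scheme described in the message above (group failures by category and source host, count per userid, keep the time range, and trim the detail according to a per-category summary level of 0, 1, 2, 5 or 50), worked through as an added example. This is not Garance's loginfail-V2.nawk script and is written in Python rather than nawk; the syslog message formats for ftpd and sshd, the category keys, the sample log lines, and the layout of the summary lines are all assumptions chosen to mirror the output shown in the message.

```python
import re
from collections import Counter

# Constructed sample input (not taken from the original message). The ftpd
# and sshd message formats are assumptions modelled on FreeBSD of that era.
SAMPLE_LOG = """\
Dec 28 20:16:02 sinbad ftpd[3121]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, admin
Dec 28 20:16:03 sinbad ftpd[3122]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, webmaster
Dec 28 20:16:05 sinbad ftpd[3123]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, admin
Dec 28 21:51:10 sinbad ftpd[3201]: FTP LOGIN FAILED FROM dslb-084-062.otherchg.net, admin
Dec 28 21:52:40 sinbad ftpd[3202]: FTP LOGIN FAILED FROM dslb-084-062.otherchg.net, admin
Dec 31 04:22:11 sinbad sshd[4410]: error: PAM: authentication error for root from 127.0.210.12
Dec 31 04:24:59 sinbad sshd[4411]: error: PAM: authentication error for root from 127.0.210.12
Dec 28 14:29:00 sinbad sshd[4500]: Invalid user oracle from 127.0.191.36
Dec 28 14:31:30 sinbad sshd[4501]: Invalid user test from 127.0.191.36
Dec 28 14:31:31 sinbad sshd[4502]: Invalid user oracle from 127.0.191.36
Jan 2 17:03:29 sinbad shutdown: reboot by root:
"""

# Generic syslog prefix: month, day, HH:MM(:SS), hostname, then the message.
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<hhmm>\d\d:\d\d):\d\d \S+ (?P<msg>.*)$")

# (summary-level key, description used in the header line, message pattern).
# Category keys are hypothetical names, not the script's own variable names.
CATEGORIES = [
    ("ftpd_bad", "ftp connections",
     re.compile(r"ftpd\[\d+\]: FTP LOGIN FAILED FROM (?P<host>\S+), (?P<user>\S+)$")),
    ("sshd_badpws", "ssh to existing userids",
     re.compile(r"sshd\[\d+\]: error: PAM: authentication error for (?P<user>\S+) from (?P<host>\S+)$")),
    ("sshd_baduserids", "ssh to non-existent userids",
     re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<host>\S+)$")),
]


def parse(log_text):
    """Classify each line; return (records, per-category host stats, multi-day flag)."""
    records = []                                   # (line, category key or None)
    hosts = {key: {} for key, _, _ in CATEGORIES}  # key -> host -> stats
    days = set()
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        hit = None
        if m:
            for key, _, rx in CATEGORIES:
                hit = rx.search(m["msg"])
                if hit:
                    break
        if not hit:
            records.append((line, None))           # unrecognized lines pass through
            continue
        stamp = (m["mon"], int(m["day"]), m["hhmm"])
        days.add(stamp[:2])
        st = hosts[key].setdefault(hit["host"],
                                   {"n": 0, "users": Counter(), "first": stamp, "last": stamp})
        st["n"] += 1
        st["users"][hit["user"]] += 1
        st["last"] = stamp                         # syslog is chronological: first/last seen
        records.append((line, key))
    return records, hosts, len(days) > 1


def user_note(users, level):
    """Per-host userid detail: a tail for the host line and an optional second line."""
    if level >= 5:                                 # level 5: no userid-specific information
        return " #users: %d" % len(users), None
    if len(users) == 1:                            # one userid: tack it onto the first line
        (user, n), = users.items()
        return " u: %s*%d" % (user, n), None
    top = users.most_common(4)
    detail = " ".join("%s*%d" % uc for uc in top)
    if len(users) > len(top):
        detail += " + %d others" % (len(users) - len(top))
    return "", "          to users: " + detail


def summarize(log_text, levels):
    """levels maps a category key to its summary level (0, 1, 2, 5 or 50)."""
    records, hosts, show_date = parse(log_text)
    # Levels 0 and 1 still print the matched lines; 2 and above suppress them.
    out = [line for line, key in records if key is None or levels.get(key, 0) < 2]
    for key, desc, _ in CATEGORIES:
        level = levels.get(key, 0)
        total = sum(st["n"] for st in hosts[key].values())
        if level == 0 or total == 0:
            continue
        out.append("matched %d failures%s of %s"
                   % (total, "" if level < 2 else " (not shown)", desc))
        if level >= 50:                            # header only
            continue
        for host, st in sorted(hosts[key].items(), key=lambda kv: -kv[1]["n"]):
            span = "%s -> %s" % (st["first"][2], st["last"][2])
            if show_date:                          # date only when input spans several days
                span += " %s %d" % st["last"][:2]
            tail, second = user_note(st["users"], level)
            out.append("   %d from %s @ %s%s" % (st["n"], host, span, tail))
            if second:
                out.append(second)
    return out


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG,
                              {"ftpd_bad": 2, "sshd_badpws": 2, "sshd_baduserids": 5})))
```

Running it with the same levels as the first example in the message (2, 2, 5) prints the shutdown line unchanged, then one header per category with the per-host lines; setting all three to 50 leaves only the three headers. Note that the regexes anchor on the sshd/ftpd message text, so a userid containing spaces or a host spoofed through a reverse-DNS name with commas in it will not be grouped correctly; the real filter has to treat those fields as attacker-controlled input.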