Date:      Fri, 17 Mar 2006 07:51:13 -0500
From:      Garance A Drosehn <gad@FreeBSD.org>
To:        freebsd-current@FreeBSD.org
Cc:        Dmitry Pryanishnikov <dmitry@atlantis.dp.ua>, Matteo Riondato <matteo@FreeBSD.org>
Subject:   Re: PROPOSAL for periodic/security/800.loginfail
Message-ID:  <p0623091dc0405dd1885b@[128.113.24.47]>
In-Reply-To: <p0623091bc0404dc8c646@[128.113.24.47]>
References:  <20060316145826.M96629@atlantis.atlantis.dp.ua> <p06230912c03f933e0d8e@[128.113.24.47]> <20060317030230.G64324@atlantis.atlantis.dp.ua> <p0623091bc0404dc8c646@[128.113.24.47]>

At 7:25 AM -0500 3/17/06, Garance A Drosehn wrote:
>
>But the goal that I'm really driving for here is to provide
>a script which can summarize some types of login-failure
>records, particularly the ones caused by brute-force
>password-guessing attacks.  This script implements three
>options which implement such summaries.
>
>     sum_ftpd_bad
>     sum_sshd_badpws
>     sum_sshd_baduserids

Here is an example of running the script with all three
of those options turned on (with some names changed to
protect both the innocent and the guilty, which is why
there seems to be a bizarre collection of hosts coming
from the 127.0.* block...).  This is from an auth.log
containing activity for December 24th to January 3rd.

First, imagine a standard message with 382 login-failure
messages in it.  Then imagine if you got the following
instead of that (and I could easily condense the list of
ftp failures some more).  Which is easier to deal with?


Jan  2 17:03:29 sinbad shutdown: reboot by root:
Jan  2 17:28:26 sinbad shutdown: power-down by root: remove drive...
+
++ Found 49 failed attempts for ftpd:
+      4 failed ftp attempts were from xdsl-81-173.changed.de, webmaster
+      3 failed ftp attempts were from xdsl-81-173.changed.de, web
+     16 failed ftp attempts were from dslb-084-062.otherchg.net, admin
+      2 failed ftp attempts were from xdsl-81-173.changed.de, sybase
+      1 failed ftp attempts were from xdsl-81-173.changed.de, backup
+      5 failed ftp attempts were from xdsl-81-173.changed.de, admin
+      1 failed ftp attempts were from xdsl-81-173.changed.de, oracle8
+      2 failed ftp attempts were from xdsl-81-173.changed.de, oracle
+      4 failed ftp attempts were from xdsl-81-173.changed.de, test
+      2 failed ftp attempts were from xdsl-81-173.changed.de, informix
+      3 failed ftp attempts were from xdsl-81-173.changed.de, administrator
+      4 failed ftp attempts were from xdsl-81-173.changed.de, user
+      1 failed ftp attempts were from xdsl-81-173.changed.de, lizdy
+      1 failed ftp attempts were from xdsl-81-173.changed.de, anyone
+
++ Found 134 failed attempts to login to valid userids:
+      3 were ssh attempts for root from 127.0.225.154
+      1 were ssh attempts for root from 127.0.102.26
+     44 were ssh attempts for root from 127.0.45.46
+     12 were ssh attempts for root from 127.0.175.156
+     22 were ssh attempts for root from 127.0.69.146
+      2 were ssh attempts for www from 127.0.225.154
+      1 were ssh attempts for ftp from 127.0.175.156
+      1 were ssh attempts for ftp from 127.0.102.26
+      3 were ssh attempts for root from 127.0.73.182
+     45 were ssh attempts for root from 127.0.210.12
+
++ Found 199 attempts to login to invalid (non-existing) userids:
+     45 were ssh attempts from 127.0.191.36
+     10 were ssh attempts from 127.0.87.251
+     14 were ssh attempts from 127.0.225.154
+      8 were ssh attempts from 127.0.102.26
+      1 were ssh attempts from 127.0.102.141
+      2 were ssh attempts from 127.0.28.31
+     29 were ssh attempts from 127.0.175.156
+      4 were ssh attempts from 127.0.192.3
+     21 were ssh attempts from 127.0.69.146
+     44 were ssh attempts from 127.0.111.3
+     10 were ssh attempts from 127.0.185.180
+      5 were ssh attempts from 127.0.30.97
+      6 were ssh attempts from 127.0.73.182

-- 
Garance Alistair Drosehn     =      gad@gilead.netel.rpi.edu
Senior Systems Programmer               or   gad@FreeBSD.org
Rensselaer Polytechnic Institute;             Troy, NY;  USA
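As an added illustration of the kind of summarization the message describes, here is a small POSIX sh script that is not Garance's script and not part of FreeBSD: it reads an auth.log excerpt from stdin and prints the same three summaries (ftpd failures per host and userid, ssh password failures per valid userid and host, ssh attempts against non-existent userids per host). The sample log lines are constructed. The message formats it matches are assumptions about the ftpd and sshd/PAM of the time ("FTP LOGIN FAILED FROM host, user", "error: PAM: authentication error for user from host", "Invalid user name from host"); a site running a different sshd or ftpd would need to adjust the patterns. One detail worth noting: sshd with PAM logs both an "Invalid user" line and an "authentication error for illegal user" line for a single guess against a non-existent account, so the bad-password summary deliberately drops the "illegal user" form to avoid counting the same attempt twice.

```shell
#!/bin/sh
# Constructed auth.log excerpt (not taken from the original message).
# Hostnames and addresses are placeholders.
SAMPLE_LOG='Jan  2 10:00:01 sinbad ftpd[501]: FTP LOGIN FAILED FROM xdsl-81-173.example.net, admin
Jan  2 10:00:03 sinbad ftpd[502]: FTP LOGIN FAILED FROM xdsl-81-173.example.net, admin
Jan  2 10:00:05 sinbad ftpd[503]: FTP LOGIN FAILED FROM dslb-084-062.example.net, test
Jan  2 10:01:00 sinbad sshd[601]: error: PAM: authentication error for root from 127.0.45.46
Jan  2 10:01:02 sinbad sshd[602]: error: PAM: authentication error for root from 127.0.45.46
Jan  2 10:01:04 sinbad sshd[603]: error: PAM: authentication error for www from 127.0.225.154
Jan  2 10:02:00 sinbad sshd[604]: Invalid user oracle from 127.0.191.36
Jan  2 10:02:01 sinbad sshd[605]: error: PAM: authentication error for illegal user oracle from 127.0.191.36
Jan  2 10:02:03 sinbad sshd[606]: Invalid user guest from 127.0.191.36
Jan  2 10:02:05 sinbad sshd[607]: Invalid user admin from 127.0.87.251
Jan  2 10:03:00 sinbad shutdown: reboot by root:
Jan  2 10:03:10 sinbad sshd[608]: Accepted publickey for gad from 127.0.1.1 port 4000 ssh2'

# Failed ftp logins, one line per (host, userid).  Assumed ftpd format:
# "FTP LOGIN FAILED FROM host, user".
sum_ftpd_bad() {
    grep 'ftpd\[[0-9]*\]: FTP LOGIN FAILED FROM ' |
    sed 's/.*FTP LOGIN FAILED FROM //' |
    sort | uniq -c |
    awk '{ printf "%7d failed ftp attempts were from %s %s\n", $1, $2, $3 }'
}

# Bad passwords for userids that exist, one line per (userid, host).
# The "illegal user" variant belongs to a non-existent account and is
# already counted by sum_sshd_baduserids, so it is excluded here.
sum_sshd_badpws() {
    grep 'sshd\[[0-9]*\]: error: PAM: authentication error for ' |
    grep -v ' for illegal user ' |
    sed 's/.*authentication error for //' |
    awk '{ print $1, $3 }' |
    sort | uniq -c |
    awk '{ printf "%7d were ssh attempts for %s from %s\n", $1, $2, $3 }'
}

# Attempts against userids that do not exist, one line per source host.
# Assumed sshd format: "Invalid user name from host".
sum_sshd_baduserids() {
    grep 'sshd\[[0-9]*\]: Invalid user ' |
    sed 's/.* from //' |
    sort | uniq -c |
    awk '{ printf "%7d were ssh attempts from %s\n", $1, $2 }'
}

# Sum the leading counts of a summary, printing 0 for empty input.
count_total() {
    awk '{ n += $1 } END { print n + 0 }'
}

# Emit the three summaries with "++ Found N ..." headers, skipping empty ones.
loginfail_report() {
    log=$(cat)
    ftp=$(printf '%s\n' "$log" | sum_ftpd_bad)
    pws=$(printf '%s\n' "$log" | sum_sshd_badpws)
    ids=$(printf '%s\n' "$log" | sum_sshd_baduserids)
    if [ -n "$ftp" ]; then
        printf '\n++ Found %s failed attempts for ftpd:\n' "$(printf '%s\n' "$ftp" | count_total)"
        printf '%s\n' "$ftp"
    fi
    if [ -n "$pws" ]; then
        printf '\n++ Found %s failed attempts to login to valid userids:\n' "$(printf '%s\n' "$pws" | count_total)"
        printf '%s\n' "$pws"
    fi
    if [ -n "$ids" ]; then
        printf '\n++ Found %s attempts to login to invalid (non-existing) userids:\n' "$(printf '%s\n' "$ids" | count_total)"
        printf '%s\n' "$ids"
    fi
    return 0
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | loginfail_report
```

Feeding a real file is `loginfail_report < /var/log/auth.log`. The summaries are sorted by key rather than by first appearance, which makes repeated hosts easy to spot but loses the chronological order the raw log has; a periodic script would typically also want to rotate through the archived auth.log.N files for the period being reported.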



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?p0623091dc0405dd1885b>