Date: Fri, 17 Mar 2006 11:29:39 -0800
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Panagiotis Astithas <past@ebs.gr>
Cc: Dmitry Pryanishnikov <dmitry@atlantis.dp.ua>, Matteo Riondato <matteo@freebsd.org>, freebsd-current@freebsd.org, Garance A Drosehn <gad@freebsd.org>
Subject: Re: PROPOSAL for periodic/security/800.loginfail
Message-ID: <20060317192939.GB1441@flame.pc>
In-Reply-To: <441ABD52.9040509@ebs.gr>
References: <20060316145826.M96629@atlantis.atlantis.dp.ua> <p06230912c03f933e0d8e@[128.113.24.47]> <20060317030230.G64324@atlantis.atlantis.dp.ua> <p0623091bc0404dc8c646@[128.113.24.47]> <p0623091dc0405dd1885b@[128.113.24.47]> <441ABD52.9040509@ebs.gr>
On 2006-03-17 15:44, Panagiotis Astithas <past@ebs.gr> wrote:
>Garance A Drosehn wrote:
>>Jan 2 17:03:29 sinbad shutdown: reboot by root:
>>Jan 2 17:28:26 sinbad shutdown: power-down by root: remove drive...
>>+
>>++ Found 49 failed attempts for ftpd:
>>+ 4 failed ftp attempts were from xdsl-81-173.changed.de, webmaster
>>+ 3 failed ftp attempts were from xdsl-81-173.changed.de, web
>>[...]
>>+
>>++ Found 134 failed attempts to login to valid userids:
>>+ 3 were ssh attempts for root from 127.0.225.154
>>+ 1 were ssh attempts for root from 127.0.102.26
>>[...]
>>+
>>++ Found 199 attempts to login to invalid (non-existing) userids:
>>+ 45 were ssh attempts from 127.0.191.36
>>+ 10 were ssh attempts from 127.0.87.251
>>[...]
>
> Much better!
> Thanks,

True. Another good idea is probably to log _successful_ logins. On some
Linux systems I work with I have installed something like this:

% LOG=/var/log
% YESTERDAY=`date -v-1d "+%b %e "`
%
% catmsgs() {
%     find ${LOG} -name 'auth.log.*' -mtime -2 | sort -t. -r -n -k 2,2 |
%     while read f
%     do
%         case $f in
%         *.gz) zcat -f $f;;
%         *.bz2) bzcat -f $f;;
%         esac
%     done
%     [ -f ${LOG}/auth.log ] && cat $LOG/auth.log
% }
%
% echo
% catmsgs | perl -ne 'if (m/sshd.* Accepted/) { s/.* Accepted (\S+) for (\S+) from (\S+).*/$2 $1 $3/; print $_;}' |
% sort | uniq -c | sort -nr | \
% while read count username auth addr _junk ; do
%     name=`host "${addr}" 2>&1 | sed -e 's/.* //' -e 's/\.$//'`
%     case ${name} in
%     *NXDOMAIN*)
%         name=""
%         ;;
%     esac
%     echo $count $username $auth $addr $name
% done | \
% awk 'BEGIN {printf "Users logging in through sshd:\n";}
% {
%     c=$1; # count
%     u=$2; # username
%     m=$3; # method of authentication
%     a=$4; # from-host address
%     h=$5; # from-host name (may be empty)
%     if (h == "") {
%         printf " %s logged in from (%s) using %s: %d times\n",u,a,m,c;
%     } else {
%         printf " %s logged in from %s (%s) using %s: %d times\n",u,h,a,m,c;
%     }
% }'
% echo

The output looks similarly short with Garance's script:

% [root@flame /root]# sh sshd.sh
%
% Users logging in through sshd:
%  keramida logged in from (10.0.0.1) using keyboard-interactive/pam: 14 times
%  keramida logged in from (10.6.0.170) using keyboard-interactive/pam: 8 times
%  keramida logged in from (10.6.0.130) using publickey: 6 times
%  keramida logged in from (10.6.0.130) using keyboard-interactive/pam: 3 times
%  keramida logged in from (10.6.0.82) using keyboard-interactive/pam: 1 times
%  keramida logged in from (10.6.0.80) using keyboard-interactive/pam: 1 times
%

If this looks interesting for our periodic security checks, I can
definitely convert it to use awk instead of Perl and integrate it with
the existing scripts.
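The same successful-login summary done with awk alone, as the message proposes for the periodic scripts, added here as an example and not code from the thread; the auth.log lines are constructed, and the reverse DNS lookup of the original is left out so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: summarise successful sshd logins
# using only awk (no perl), as proposed for the periodic security scripts.
# The reverse DNS lookup from the original is left out so this runs offline.

# Constructed sample auth.log lines (not real logs).
SAMPLE_LOG='Mar 17 10:01:02 flame sshd[1234]: Accepted publickey for keramida from 10.6.0.130 port 51234 ssh2
Mar 17 10:05:09 flame sshd[1240]: Accepted keyboard-interactive/pam for keramida from 10.0.0.1 port 51300 ssh2
Mar 17 10:07:44 flame sshd[1250]: Accepted publickey for keramida from 10.6.0.130 port 51400 ssh2
Mar 17 10:09:00 flame sshd[1260]: Failed password for root from 127.0.225.154 port 4000 ssh2
Mar 17 10:12:31 flame sshd[1270]: Accepted password for operator from 10.6.0.82 port 51500 ssh2'

# Read log lines on stdin; print "count user method address", most frequent
# first (ties broken by user name), counting only sshd "Accepted" lines.
count_sshd_logins() {
    awk '
        /sshd\[[0-9]+\]: Accepted / {
            # Locate the "Accepted" token so the fields before it (timestamp,
            # host, pid) do not matter: Accepted <method> for <user> from <addr>
            for (i = 1; i <= NF; i++) {
                if ($i == "Accepted") {
                    key = $(i + 3) " " $(i + 1) " " $(i + 5)
                    count[key]++
                    break
                }
            }
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2
}

# Turn the counts into the report format used in the message.
report_sshd_logins() {
    count_sshd_logins | awk '
        BEGIN { print "Users logging in through sshd:" }
        { printf " %s logged in from (%s) using %s: %d times\n", $2, $4, $3, $1 }'
}

printf '%s\n' "$SAMPLE_LOG" | report_sshd_logins
```

On a live system, replace the sample with `catmsgs | report_sshd_logins` from the script above; the "Failed" line in the sample shows that only accepted logins are counted.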