Re: PROPOSAL for periodic/security/800.loginfail



At 3:00 PM +0100 3/17/06, Poul-Henning Kamp wrote:

> But I would advise a bit of data-analysis here.
> 
> For instance:
> ++ Found 49 failed attempts for ftpd:
> + 4 failed ftp attempts were from xdsl-81-173.changed.de, webmaster
> + 3 failed ftp attempts were from xdsl-81-173.changed.de, web
> + 16 failed ftp attempts were from dslb-084-062.otherchg.net, admin
> + 2 failed ftp attempts were from xdsl-81-173.changed.de, sybase
> [...]
> 
> The crucial information to people here is not which
> logins have been attempted as much as where the
> attempts came from, so I would prefer instead
> something like:
> 
> failed ftp attempts:
> 33 from xdsl-81-173.changed.de, (webmaster, web, sybase ...)
> 16 from dslb-084-062.otherchg.net, (admin)
> 
> Would be more compact and sufficient for most people.
> 
> Notice the "..." in the second line, I actually mean
> that: show the top three login names and use "..." to
> indicate there are more.

Sounds very good. I will do that. (well, I may not
get to it until tomorrow, but I will do it...)


> ++ Found 199 attempts to login to invalid (non-existing) userids:
> + 45 were ssh attempts from 127.0.191.36
> + 10 were ssh attempts from 127.0.87.251
> + 14 were ssh attempts from 127.0.225.154
> + 8 were ssh attempts from 127.0.102.26
> + 1 were ssh attempts from 127.0.102.141
> + 2 were ssh attempts from 127.0.28.31
> + 29 were ssh attempts from 127.0.175.156
> + 4 were ssh attempts from 127.0.192.3
> 
> Sort these after number of attempts.

I have to admit this is the first awk script I've written in
more than a decade, so I am quite rusty with it. Last
night I made a quick attempt to figure out how to sort
values out of an associative array, but did not come
across any sort function provided by nawk itself. I like
the idea of sorting, I just haven't figured out how to get
nawk to do it yet...

If I can figure that out, I'll do that too. Sort by
number-of-attempts, or sort by IP-address of attacker?

--
Garance Alistair Drosehn = gad@xxxxxxxxxxxxxxxxxxxx
Senior Systems Programmer or gad@xxxxxxxxxxx
Rensselaer Polytechnic Institute; Troy, NY; USA
_______________________________________________
freebsd-current@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@xxxxxxxxxxx"
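The two things asked for in the thread, one line per source host with the top three login names and "..." when there are more, and the invalid-userid counts ordered by number of attempts, can both be done with plain nawk. Below is an added example written for this page; it is not the periodic script under discussion nor code from either poster. Because nawk has no built-in sort function, the ordering is done the classic way by piping awk's output through sort(1). The log lines are constructed, and their shape is an assumption: FreeBSD ftpd's "FTP LOGIN FAILED FROM host, user" message and OpenSSH's "Invalid user NAME from ADDR" message (the host names and addresses are the thread's own sample values).

```shell
#!/bin/sh
# Added example, not part of the original thread.

# Constructed sample syslog lines (assumed ftpd/sshd message formats).
SAMPLE_LOG='Mar 17 02:11:05 gw ftpd[1201]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, webmaster
Mar 17 02:11:09 gw ftpd[1202]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, webmaster
Mar 17 02:11:12 gw ftpd[1203]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, webmaster
Mar 17 02:11:15 gw ftpd[1204]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, webmaster
Mar 17 02:11:20 gw ftpd[1205]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, web
Mar 17 02:11:24 gw ftpd[1206]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, web
Mar 17 02:11:28 gw ftpd[1207]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, web
Mar 17 02:11:33 gw ftpd[1208]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, sybase
Mar 17 02:11:37 gw ftpd[1209]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, sybase
Mar 17 02:11:41 gw ftpd[1210]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, oracle
Mar 17 03:02:10 gw ftpd[1300]: FTP LOGIN FAILED FROM dslb-084-062.otherchg.net, admin
Mar 17 03:02:14 gw ftpd[1301]: FTP LOGIN FAILED FROM dslb-084-062.otherchg.net, admin
Mar 17 04:15:01 gw sshd[1400]: Invalid user admin from 127.0.191.36
Mar 17 04:15:03 gw sshd[1401]: Invalid user test from 127.0.191.36
Mar 17 04:15:06 gw sshd[1402]: Invalid user guest from 127.0.191.36
Mar 17 04:20:44 gw sshd[1410]: Invalid user admin from 127.0.87.251
Mar 17 04:31:09 gw sshd[1420]: Invalid user oracle from 127.0.175.156
Mar 17 04:31:12 gw sshd[1421]: Invalid user admin from 127.0.175.156'

# One line per source host, busiest host first, with the three most-tried
# login names and "..." when the host tried more than three.
summarize_failed_ftp() {
    printf 'failed ftp attempts:\n'
    awk '
    / FTP LOGIN FAILED FROM / {
        rest = $0
        sub(/.* FTP LOGIN FAILED FROM /, "", rest)   # leaves "host, user"
        split(rest, f, ", ")
        host = f[1]; user = f[2]
        key = host SUBSEP user
        if (!(key in peruser)) distinct[host]++      # distinct names per host
        peruser[key]++
        total[host]++
    }
    END {
        for (host in total) {
            names = ""; shown = 0
            # nawk has no sort(): pick the most frequent name up to three
            # times by rescanning; the per-host name set is small.
            while (shown < 3) {
                best = ""; bestn = 0
                for (key in peruser) {
                    split(key, kv, SUBSEP)
                    if (kv[1] != host || (key in picked)) continue
                    if (peruser[key] > bestn ||
                        (peruser[key] == bestn && kv[2] < best)) {
                        best = kv[2]; bestn = peruser[key]
                    }
                }
                if (best == "") break
                picked[host SUBSEP best] = 1
                names = names (shown ? ", " : "") best
                shown++
            }
            more = (distinct[host] > shown) ? " ..." : ""
            printf "%d from %s, (%s%s)\n", total[host], host, names, more
        }
    }' | sort -rn
}

# Invalid-userid ssh attempts counted per source address, ordered by count.
summarize_invalid_ssh() {
    printf 'ssh attempts against non-existent user ids:\n'
    awk '
    /sshd\[[0-9]*]: Invalid user / {
        src = $0
        sub(/.* from /, "", src)          # keep the source address
        sub(/ port .*/, "", src)          # newer OpenSSH appends " port N"
        bad[src]++
    }
    END { for (s in bad) printf "%d were ssh attempts from %s\n", bad[s], s }' | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | summarize_failed_ftp
printf '%s\n' "$SAMPLE_LOG" | summarize_invalid_ssh
```

Both functions read the log on stdin, so in a periodic script the sample variable would be replaced by the actual log input. Sorting by count (rather than by address) is what makes the noisiest sources float to the top; sorting by address instead would be a matter of changing the sort key.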


