At 3:07 AM +0200 3/17/06, Dmitry Pryanishnikov wrote:
>
>  I understand current intent as "to report login failures",
> and I think that refused by the sshd connection attempts
> could be treated as such. OTOH, SSH.COM's sshd2 isn't the
> part of the base OS, that's why I'm not sure whether such
> an addition is "politically correct" (I'm sure it's useful
> though).

I have a sample nawk script that people could try. I'm sure that it
needs additional work before everyone is comfortable with it. I'm not
even sure that I'm completely happy with it yet, but this script
certainly shows the basic idea of what I would eventually like to
commit. For anyone who is interested, you can pick it up at:

    http://people.freebsd.org/~gad/filters/loginfail.nawk

This is not a replacement for the security/800.loginfail script, but
it is a filter which *that* script would run to generate the "login
failures:" section of the daily security message.

There are about 8,742 arbitrary decisions embedded in this script, so
I do not expect this to be the sole option. I could also commit a
simpler version of this in addition to this feature-full one, and then
make it easy for the sysadmin to configure which version they want (or
to specify some other filter script of their own choosing).

But for testing this initial version, just dump whatever lines you
have in /var/log/authlog* files through this script. E.g.:

    cat /var/log/auth.log | nawk -f loginfail.nawk
or
    bzcat /var/log/auth.log.0.bz2 | nawk -f loginfail.nawk

Well, that is probably going to produce a lot of output... To mimic
what 800.loginfail would do (which is to say, to limit the report to
records from "yesterday"), type:

    yesterday=`date -v-1d "+%b %e "`
    cat /var/log/auth.log | grep -ia "^$yesterday" | \
        nawk -f loginfail.nawk

That *should* do about the same as the recent commit wanted to do,
but without printing so many (effectively) duplicate messages for
some failures from sshd.

It should also be much better at not printing out false positives
due to matching the arbitrary strings which show up due to hostnames
or userids. It also prints out a few lines that this check hasn't
printed before (such as records of 'shutdown' reboots). Not much new,
at least not in my testing on my systems...

But the goal that I'm really driving for here is to provide a script
which can summarize some types of login-failure records, particularly
the ones caused by brute-force password-guessing attacks. This script
implements three options which implement such summaries:

    sum_ftpd_bad
    sum_sshd_badpws
    sum_sshd_baduserids

To see these options in action, you need to specify them after
specifying the script-name to awk. So:

    cat /var/log/auth.log | \
        nawk -f loginfail.nawk sum_sshd_badpws=1
or
    cat /var/log/auth.log | nawk -f loginfail.nawk \
        sum_ftpd_bad=1 sum_sshd_badpws=1 \
        sum_sshd_baduserids=1

--
Garance Alistair Drosehn     =     gad_at_gilead.netel.rpi.edu
Senior Systems Programmer               or  gad_at_FreeBSD.org
Rensselaer Polytechnic Institute;           Troy, NY;  USA

Received on Fri Mar 17 2006 - 11:28:58 UTC
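The following is an added illustration, not Garance's loginfail.nawk, of the kind of summary the sum_sshd_badpws option describes: it keeps only records from one day (the same grep prefix trick as above, with the day passed in instead of computed by date -v) and collapses sshd "Failed password" records into one count per user and source host. The log lines are constructed samples in OpenSSH's syslog format, and the function name sum_sshd_badpws is reused here only as a label.

```shell
#!/bin/sh
# Constructed sample auth.log lines (OpenSSH format); not from a real host.
SAMPLE_LOG='Mar 16 02:11:05 gw sshd[8123]: Failed password for root from 192.0.2.10 port 4422 ssh2
Mar 16 02:11:09 gw sshd[8125]: Failed password for invalid user admin from 192.0.2.10 port 4423 ssh2
Mar 16 02:11:12 gw sshd[8127]: Failed password for root from 192.0.2.10 port 4424 ssh2
Mar 16 02:15:40 gw sshd[8201]: Failed password for alice from 198.51.100.7 port 5110 ssh2
Mar 16 02:16:01 gw sshd[8201]: Accepted publickey for alice from 198.51.100.7 port 5110 ssh2
Mar 17 01:00:00 gw sshd[9001]: Failed password for root from 203.0.113.5 port 6001 ssh2
Mar 16 03:00:00 gw login: 1 LOGIN FAILURE ON ttyv0'

# sum_sshd_badpws DAY: read log lines on stdin, keep those whose timestamp
# starts with DAY (e.g. "Mar 16", as date "+%b %e" would print it), and
# print one line per (source host, user) pair that had sshd failed-password
# records: count, host, user. Highest count first; "invalid user NAME"
# records are marked so guesses at nonexistent accounts stand out.
sum_sshd_badpws() {
    day="$1"
    grep -a "^$day " | awk '
        / sshd\[[0-9]+\]: Failed password for / {
            # Text after "for" is either "USER from HOST ..." or
            # "invalid user USER from HOST ...".
            if (split($0, f, " Failed password for ") != 2) next
            split(f[2], rest, " ")
            if (rest[1] == "invalid" && rest[2] == "user") {
                user = rest[3] " (invalid)"; host = rest[5]
            } else {
                user = rest[1]; host = rest[3]
            }
            count[host SUBSEP user]++
        }
        END {
            for (k in count) {
                split(k, p, SUBSEP)
                printf "%6d  %-15s %s\n", count[k], p[1], p[2]
            }
        }' | sort -b -k1,1nr -k2,2 -k3,3
}

# Run the summary over the sample for one day (the Mar 17 record is
# dropped, as are the accepted login and the non-sshd failure line).
printf '%s\n' "$SAMPLE_LOG" | sum_sshd_badpws "Mar 16"
```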