At 7:25 AM -0500 3/17/06, Garance A Drosehn wrote:
>
> But the goal that I'm really driving for here is to provide
> a script which can summarize some types of login-failure
> records, particularly the ones caused by brute-force
> password-guessing attacks. This script implements three
> options which implement such summaries.
>
>    sum_ftpd_bad
>    sum_sshd_badpws
>    sum_sshd_baduserids

Here is an example of running the script with all three of those
options turned on (with some names changed to protect both the
innocent and the guilty, which is why there seem to be a bizarre
collection of hosts coming from the 127.0.* block...). This is
from an auth.log containing activity for December 24th to
January 3rd.

First, imagine a standard message with 382 login-failure messages
in it. Then imagine if you got the following instead of that (and
I could easily condense the list of ftp failures some more). Which
is easier to deal with?

Jan 2 17:03:29 sinbad shutdown: reboot by root:
Jan 2 17:28:26 sinbad shutdown: power-down by root: remove drive...
+
++ Found 49 failed attempts for ftpd:
+   4 failed ftp attempts were from xdsl-81-173.changed.de, webmaster
+   3 failed ftp attempts were from xdsl-81-173.changed.de, web
+  16 failed ftp attempts were from dslb-084-062.otherchg.net, admin
+   2 failed ftp attempts were from xdsl-81-173.changed.de, sybase
+   1 failed ftp attempts were from xdsl-81-173.changed.de, backup
+   5 failed ftp attempts were from xdsl-81-173.changed.de, admin
+   1 failed ftp attempts were from xdsl-81-173.changed.de, oracle8
+   2 failed ftp attempts were from xdsl-81-173.changed.de, oracle
+   4 failed ftp attempts were from xdsl-81-173.changed.de, test
+   2 failed ftp attempts were from xdsl-81-173.changed.de, informix
+   3 failed ftp attempts were from xdsl-81-173.changed.de, administrator
+   4 failed ftp attempts were from xdsl-81-173.changed.de, user
+   1 failed ftp attempts were from xdsl-81-173.changed.de, lizdy
+   1 failed ftp attempts were from xdsl-81-173.changed.de, anyone
+
++ Found 134 failed attempts to login to valid userids:
+   3 were ssh attempts for root from 127.0.225.154
+   1 were ssh attempts for root from 127.0.102.26
+  44 were ssh attempts for root from 127.0.45.46
+  12 were ssh attempts for root from 127.0.175.156
+  22 were ssh attempts for root from 127.0.69.146
+   2 were ssh attempts for www from 127.0.225.154
+   1 were ssh attempts for ftp from 127.0.175.156
+   1 were ssh attempts for ftp from 127.0.102.26
+   3 were ssh attempts for root from 127.0.73.182
+  45 were ssh attempts for root from 127.0.210.12
+
++ Found 199 attempts to login to invalid (non-existing) userids:
+  45 were ssh attempts from 127.0.191.36
+  10 were ssh attempts from 127.0.87.251
+  14 were ssh attempts from 127.0.225.154
+   8 were ssh attempts from 127.0.102.26
+   1 were ssh attempts from 127.0.102.141
+   2 were ssh attempts from 127.0.28.31
+  29 were ssh attempts from 127.0.175.156
+   4 were ssh attempts from 127.0.192.3
+  21 were ssh attempts from 127.0.69.146
+  44 were ssh attempts from 127.0.111.3
+  10 were ssh attempts from 127.0.185.180
+   5 were ssh attempts from 127.0.30.97
+   6 were ssh attempts from 127.0.73.182

-- 
Garance Alistair Drosehn            =   gad_at_gilead.netel.rpi.edu
Senior Systems Programmer           or  gad_at_FreeBSD.org
Rensselaer Polytechnic Institute;             Troy, NY;  USA

Received on Fri Mar 17 2006 - 12:01:42 UTC
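The message shows the output of the three summaries but not the script itself. The following is an added example, not Garance's script and not part of the original thread: a small Python summarizer that produces the same three groupings (ftpd failures by host and userid, sshd bad passwords for existing userids by userid and source, sshd attempts on non-existent userids by source). It assumes the syslog formats of the FreeBSD ftpd ("FTP LOGIN FAILED FROM host, user") and OpenSSH sshd ("Failed password for USER from HOST port N ssh2" and "Invalid user USER from HOST", or "Illegal user" on older releases) of that era; the auth.log lines embedded below are constructed for the example. One practical detail worth noting: an attempt against a non-existent userid produces both an "Invalid user" line and a "Failed password for invalid user" line, so the code counts only the first to avoid double counting, and it sorts each summary busiest source first so the brute-force hosts sit at the top.

```python
import re
import sys
from collections import Counter

# Constructed sample auth.log excerpt (not from the original message).
# Formats assumed: FreeBSD ftpd "FTP LOGIN FAILED FROM host, user" and
# OpenSSH "Failed password for ..." / "Invalid user ... from ..." lines.
SAMPLE_AUTH_LOG = """\
Dec 24 03:12:01 sinbad ftpd[5123]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, webmaster
Dec 24 03:12:05 sinbad ftpd[5124]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, webmaster
Dec 24 03:12:09 sinbad ftpd[5125]: FTP LOGIN FAILED FROM dslb-084-062.otherchg.net, admin
Dec 25 11:40:17 sinbad sshd[6001]: Failed password for root from 127.0.45.46 port 40213 ssh2
Dec 25 11:40:21 sinbad sshd[6003]: Failed password for root from 127.0.45.46 port 40220 ssh2
Dec 25 11:40:25 sinbad sshd[6005]: Failed password for www from 127.0.225.154 port 1034 ssh2
Dec 25 11:41:02 sinbad sshd[6007]: Invalid user oracle from 127.0.191.36
Dec 25 11:41:02 sinbad sshd[6007]: Failed password for invalid user oracle from 127.0.191.36 port 2211 ssh2
Dec 25 11:41:09 sinbad sshd[6009]: Invalid user test from 127.0.191.36
Dec 25 11:41:09 sinbad sshd[6009]: Failed password for invalid user test from 127.0.191.36 port 2215 ssh2
Jan  2 17:03:29 sinbad shutdown: reboot by root:
"""

FTPD_BAD = re.compile(
    r" ftpd\[\d+\]: FTP LOGIN FAILED FROM (?P<host>\S+), (?P<user>\S+)$")
# The negative lookahead keeps "Failed password for invalid user X" out of
# the valid-userid bucket; that attempt is counted once via "Invalid user".
SSHD_BADPW = re.compile(
    r" sshd\[\d+\]: Failed password for (?!invalid user )(?P<user>\S+) "
    r"from (?P<host>\S+) port \d+")
# OpenSSH before 3.9 wrote "Illegal user"; later versions write "Invalid user"
# and newer ones append " port N".
SSHD_BADUID = re.compile(
    r" sshd\[\d+\]: (?:Invalid|Illegal) user (?P<user>\S+) from (?P<host>\S+)(?: port \d+)?$")


def summarize(lines):
    """Return three Counters: ftpd keyed by (host, user), sshd bad-password
    keyed by (user, host), sshd invalid-userid keyed by source host."""
    ftpd, badpw, baduid = Counter(), Counter(), Counter()
    for raw in lines:
        line = raw.rstrip("\n")
        if m := FTPD_BAD.search(line):
            ftpd[(m["host"], m["user"])] += 1
        elif m := SSHD_BADPW.search(line):
            badpw[(m["user"], m["host"])] += 1
        elif m := SSHD_BADUID.search(line):
            baduid[m["host"]] += 1
        # Anything else (reboots, successful logins) is not a failure record.
    return ftpd, badpw, baduid


def report(ftpd, badpw, baduid):
    """Render the summaries in the shape of the posted output, busiest first."""
    out = [f"++ Found {sum(ftpd.values())} failed attempts for ftpd:"]
    for (host, user), n in ftpd.most_common():
        out.append(f"   {n} failed ftp attempts were from {host}, {user}")
    out.append(f"++ Found {sum(badpw.values())} failed attempts to login to valid userids:")
    for (user, host), n in badpw.most_common():
        out.append(f"   {n} were ssh attempts for {user} from {host}")
    out.append(f"++ Found {sum(baduid.values())} attempts to login to invalid (non-existing) userids:")
    for host, n in baduid.most_common():
        out.append(f"   {n} were ssh attempts from {host}")
    return out


if __name__ == "__main__":
    # Usage: python summarize_auth.py /var/log/auth.log  (defaults to the sample)
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_AUTH_LOG.splitlines()
    print("\n".join(report(*summarize(source))))
```

Run against a real auth.log, the three "Found N" totals should add up to the number of failure lines a raw periodic report would have listed, which is the check that no record was silently dropped by an unexpected log format.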
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:53 UTC