Garance A Drosehn wrote:

> At 7:25 AM -0500 3/17/06, Garance A Drosehn wrote:
>>
>> But the goal that I'm really driving for here is to provide
>> a script which can summarize some types of login-failure
>> records, particularly the ones caused by brute-force
>> password-guessing attacks. This script implements three
>> options which implement such summaries.
>>
>> sum_ftpd_bad
>> sum_sshd_badpws
>> sum_sshd_baduserids
>
> Here is an example of running the script with all three
> of those options turned on (with some names changed to
> protect both the innocent and the guilty, which is why
> there seem to be a bizarre collection of hosts coming
> from the 127.0.* block...). This is from an auth.log
> containing activity for December 24th to January 3rd.
>
> First, imagine a standard message with 382 login-failure
> messages in it. Then imagine if you got the following
> instead of that (and I could easily condense the list of
> ftp failures some more). Which is easier to deal with?
>
>
> Jan 2 17:03:29 sinbad shutdown: reboot by root:
> Jan 2 17:28:26 sinbad shutdown: power-down by root: remove drive...
> +
> ++ Found 49 failed attempts for ftpd:
> + 4 failed ftp attempts were from xdsl-81-173.changed.de, webmaster
> + 3 failed ftp attempts were from xdsl-81-173.changed.de, web
> + 16 failed ftp attempts were from dslb-084-062.otherchg.net, admin
> + 2 failed ftp attempts were from xdsl-81-173.changed.de, sybase
> + 1 failed ftp attempts were from xdsl-81-173.changed.de, backup
> + 5 failed ftp attempts were from xdsl-81-173.changed.de, admin
> + 1 failed ftp attempts were from xdsl-81-173.changed.de, oracle8
> + 2 failed ftp attempts were from xdsl-81-173.changed.de, oracle
> + 4 failed ftp attempts were from xdsl-81-173.changed.de, test
> + 2 failed ftp attempts were from xdsl-81-173.changed.de, informix
> + 3 failed ftp attempts were from xdsl-81-173.changed.de, administrator
> + 4 failed ftp attempts were from xdsl-81-173.changed.de, user
> + 1 failed ftp attempts were from xdsl-81-173.changed.de, lizdy
> + 1 failed ftp attempts were from xdsl-81-173.changed.de, anyone
> +
> ++ Found 134 failed attempts to login to valid userids:
> + 3 were ssh attempts for root from 127.0.225.154
> + 1 were ssh attempts for root from 127.0.102.26
> + 44 were ssh attempts for root from 127.0.45.46
> + 12 were ssh attempts for root from 127.0.175.156
> + 22 were ssh attempts for root from 127.0.69.146
> + 2 were ssh attempts for www from 127.0.225.154
> + 1 were ssh attempts for ftp from 127.0.175.156
> + 1 were ssh attempts for ftp from 127.0.102.26
> + 3 were ssh attempts for root from 127.0.73.182
> + 45 were ssh attempts for root from 127.0.210.12
> +
> ++ Found 199 attempts to login to invalid (non-existing) userids:
> + 45 were ssh attempts from 127.0.191.36
> + 10 were ssh attempts from 127.0.87.251
> + 14 were ssh attempts from 127.0.225.154
> + 8 were ssh attempts from 127.0.102.26
> + 1 were ssh attempts from 127.0.102.141
> + 2 were ssh attempts from 127.0.28.31
> + 29 were ssh attempts from 127.0.175.156
> + 4 were ssh attempts from 127.0.192.3
> + 21 were ssh attempts from 127.0.69.146
> + 44 were ssh attempts from 127.0.111.3
> + 10 were ssh attempts from 127.0.185.180
> + 5 were ssh attempts from 127.0.30.97
> + 6 were ssh attempts from 127.0.73.182

Much better!

Thanks,
Panagiotis

Received on Fri Mar 17 2006 - 12:45:09 UTC
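The kind of condensation the quoted report shows, as an added example that is not Garance's script and not part of the original thread: it groups sshd and ftpd failure lines from a syslog-style auth.log into the same three summaries (ftpd failures per host and userid, sshd bad passwords for valid userids, sshd attempts against non-existent userids). It assumes the FreeBSD ftpd "FTP LOGIN FAILED FROM host, user" and OpenSSH "Failed password for ..." / "Invalid user ..." message formats; the log lines are constructed for the example.

```python
"""Summarize brute-force login failures from a syslog-style auth.log."""
import re
from collections import Counter

# Constructed sample log lines (not taken from the original post).
SAMPLE_LOG = """\
Jan  2 03:11:05 sinbad sshd[4021]: Failed password for root from 127.0.45.46 port 51020 ssh2
Jan  2 03:11:09 sinbad sshd[4023]: Failed password for root from 127.0.45.46 port 51021 ssh2
Jan  2 03:12:40 sinbad sshd[4030]: Invalid user oracle from 127.0.191.36
Jan  2 03:12:40 sinbad sshd[4030]: Failed password for invalid user oracle from 127.0.191.36 port 40311 ssh2
Jan  2 03:13:02 sinbad sshd[4035]: Invalid user test from 127.0.191.36
Jan  2 04:00:17 sinbad ftpd[4100]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, admin
Jan  2 04:00:19 sinbad ftpd[4101]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, admin
Jan  2 17:03:29 sinbad shutdown: reboot by root:
"""

# Assumed message formats (FreeBSD ftpd, OpenSSH sshd).
FTPD_RE = re.compile(r"ftpd\[\d+\]: FTP LOGIN FAILED FROM ([^,]+), (\S+)$")
# A bad password for an account that exists; the "invalid user" variant is
# excluded so those attempts are not counted twice (see SSHD_BADUSER_RE).
SSHD_BADPW_RE = re.compile(r"sshd\[\d+\]: Failed password for (?!invalid user )(\S+) from (\S+)")
SSHD_BADUSER_RE = re.compile(r"sshd\[\d+\]: Invalid user \S+ from (\S+)")


def summarize(log_text):
    """Return (ftpd, badpw, baduser) Counters, one per summary option."""
    ftpd, badpw, baduser = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        if m := FTPD_RE.search(line):
            ftpd[(m.group(1), m.group(2))] += 1          # (host, userid)
        elif m := SSHD_BADPW_RE.search(line):
            badpw[(m.group(1), m.group(2))] += 1         # (userid, host)
        elif m := SSHD_BADUSER_RE.search(line):
            baduser[m.group(1)] += 1                     # host only
    return ftpd, badpw, baduser


def report(ftpd, badpw, baduser):
    """Render the three summaries in the layout of the quoted report."""
    out = ["+", f"++ Found {sum(ftpd.values())} failed attempts for ftpd:"]
    out += [f"+ {n} failed ftp attempts were from {h}, {u}" for (h, u), n in ftpd.items()]
    out += ["+", f"++ Found {sum(badpw.values())} failed attempts to login to valid userids:"]
    out += [f"+ {n} were ssh attempts for {u} from {h}" for (u, h), n in badpw.items()]
    out += ["+", f"++ Found {sum(baduser.values())} attempts to login to invalid (non-existing) userids:"]
    out += [f"+ {n} were ssh attempts from {h}" for h, n in baduser.items()]
    return "\n".join(out)


if __name__ == "__main__":
    print(report(*summarize(SAMPLE_LOG)))
```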
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:53 UTC