In message <441ABD52.9040509_at_ebs.gr>, Panagiotis Astithas writes:

>> First, imagine a standard message with 382 login-failure
>> messages in it. Then imagine if you got the following
>> instead of that (and I could easily condense the list of
>> ftp failures some more). Which is easier to deal with?

Yes, absolutely.

But I would advise a bit of data-analysis here. For instance:

>> ++ Found 49 failed attempts for ftpd:
>> + 4 failed ftp attempts were from xdsl-81-173.changed.de, webmaster
>> + 3 failed ftp attempts were from xdsl-81-173.changed.de, web
>> + 16 failed ftp attempts were from dslb-084-062.otherchg.net, admin
>> + 2 failed ftp attempts were from xdsl-81-173.changed.de, sybase
>> [...]

The crucial information to people here is not which logins have been attempted as much as where the attempts came from, so I would prefer instead something like:

failed ftp attempts:
    33 from xdsl-81-173.changed.de, (webmaster, web, sybase ...)
    16 from dslb-084-062.otherchg.net, (admin)

Would be more compact and sufficient for most people.

Notice the "..." in the second line, I actually mean that: show the top three login names and use "..." to indicate there are more. Some attempts I see use a dictionary of usernames, and they would generate thousands of lines in your scenario and only one in the above format.

>> ++ Found 199 attempts to login to invalid (non-existing) userids:
>> + 45 were ssh attempts from 127.0.191.36
>> + 10 were ssh attempts from 127.0.87.251
>> + 14 were ssh attempts from 127.0.225.154
>> + 8 were ssh attempts from 127.0.102.26
>> + 1 were ssh attempts from 127.0.102.141
>> + 2 were ssh attempts from 127.0.28.31
>> + 29 were ssh attempts from 127.0.175.156
>> + 4 were ssh attempts from 127.0.192.3

Sort these by number of attempts.
-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk_at_FreeBSD.ORG      | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

Received on Fri Mar 17 2006 - 13:00:55 UTC
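The aggregation phk asks for in the message above, as an added example that is not part of the thread and not code from FreeBSD's periodic security scripts: group failed logins by source, sort sources by attempt count, show the top three usernames per source and append "..." when more exist. The log lines below are constructed for the example; their shape approximates ftpd's "FTP LOGIN FAILED FROM host, user" and OpenSSH's "Invalid user NAME from ADDR" messages, the host names are the placeholders from the thread, and the addresses are TEST-NET values.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (not real data). Formats approximate FreeBSD ftpd
# and OpenSSH sshd syslog lines; the last line is noise that must be ignored.
SAMPLE_LOG = """\
Mar 17 09:01:02 gw ftpd[101]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, webmaster
Mar 17 09:01:05 gw ftpd[102]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, webmaster
Mar 17 09:01:09 gw ftpd[103]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, webmaster
Mar 17 09:01:12 gw ftpd[104]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, webmaster
Mar 17 09:01:20 gw ftpd[105]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, web
Mar 17 09:01:24 gw ftpd[106]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, web
Mar 17 09:01:27 gw ftpd[107]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, web
Mar 17 09:01:31 gw ftpd[108]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, sybase
Mar 17 09:01:35 gw ftpd[109]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, sybase
Mar 17 09:01:40 gw ftpd[110]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, oracle
Mar 17 09:02:01 gw ftpd[111]: FTP LOGIN FAILED FROM dslb-084-062.otherchg.net, admin
Mar 17 09:02:04 gw ftpd[112]: FTP LOGIN FAILED FROM dslb-084-062.otherchg.net, admin
Mar 17 09:03:00 gw sshd[201]: Invalid user test from 192.0.2.20 port 40001 ssh2
Mar 17 09:03:10 gw sshd[202]: Invalid user guest from 192.0.2.10 port 40002 ssh2
Mar 17 09:03:11 gw sshd[203]: Invalid user guest from 192.0.2.10 port 40003 ssh2
Mar 17 09:03:12 gw sshd[204]: Invalid user admin from 192.0.2.10 port 40004 ssh2
Mar 17 09:04:00 gw sshd[205]: Accepted publickey for alice from 192.0.2.30 port 5000 ssh2
"""

# Patterns are searched (not anchored) so the syslog timestamp prefix and any
# trailing "port ..." text do not matter.
FTP_RE = re.compile(r"ftpd\[\d+\]: FTP LOGIN FAILED FROM (?P<src>\S+), (?P<user>\S+)")
SSH_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<src>\S+)")


def collect(lines):
    """Return {service: {source: Counter(username -> attempts)}}."""
    stats = {"ftp": defaultdict(Counter), "ssh": defaultdict(Counter)}
    for line in lines:
        m = FTP_RE.search(line)
        if m:
            stats["ftp"][m["src"]][m["user"]] += 1
            continue
        m = SSH_RE.search(line)
        if m:
            stats["ssh"][m["src"]][m["user"]] += 1
    return stats


def summarize(per_source, top_n=3):
    """Rows of (total, source, names): sources sorted by attempts descending
    (source name breaks ties), names = top_n most frequent usernames plus
    '...' when the source tried more distinct names than that."""
    rows = []
    ordered = sorted(per_source.items(),
                     key=lambda kv: (-sum(kv[1].values()), kv[0]))
    for src, users in ordered:
        total = sum(users.values())
        names = [user for user, _ in users.most_common(top_n)]
        if len(users) > top_n:
            names.append("...")
        rows.append((total, src, names))
    return rows


def report(stats, top_n=3):
    """Render the compact per-service summary phk describes."""
    out = []
    for service in ("ftp", "ssh"):
        rows = summarize(stats[service], top_n)
        if not rows:
            continue
        grand = sum(total for total, _, _ in rows)
        out.append(f"failed {service} attempts: {grand} total")
        for total, src, names in rows:
            out.append(f"  {total:>5} from {src}, ({', '.join(names)})")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(collect(SAMPLE_LOG.splitlines())))
```

A dictionary attack that cycles through hundreds of usernames from one host collapses to a single row here, which is the point of the format; the per-username detail is still in the raw log if an operator wants it.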
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:53 UTC