Re: PROPOSAL for periodic/security/800.loginfail

From: Poul-Henning Kamp <phk_at_phk.freebsd.dk>
Date: Fri, 17 Mar 2006 15:00:12 +0100
In message <441ABD52.9040509_at_ebs.gr>, Panagiotis Astithas writes:

>> First, imagine a standard message with 382 login-failure
>> messages in it.  Then imagine if you got the following
>> instead of that (and I could easily condense the list of
>> ftp failures some more).  Which is easier to deal with?

Yes, absolutely.

But I would advise a bit of data-analysis here.

For instance:
>> ++ Found 49 failed attempts for ftpd:
>> +      4 failed ftp attempts were from xdsl-81-173.changed.de, webmaster
>> +      3 failed ftp attempts were from xdsl-81-173.changed.de, web
>> +     16 failed ftp attempts were from dslb-084-062.otherchg.net, admin
>> +      2 failed ftp attempts were from xdsl-81-173.changed.de, sybase
>> [...]

The crucial information to people here is not which
logins have been attempted as much as where the attempts came from,
so I would prefer instead something like:

failed ftp attempts:
    33 from xdsl-81-173.changed.de, (webmaster, web, sybase ...)
    16 from dslb-084-062.otherchg.net, (admin)

Would be more compact and sufficient for most people.

Notice the "..." in the second line, I actually mean that:  show
the top three login names and use "..." to indicate there are more.

Some attempts I see use a dictionary of usernames, and they would
generate thousands of lines in your scenario and only one in the
above format.

>> ++ Found 199 attempts to login to invalid (non-existing) userids:
>> +     45 were ssh attempts from 127.0.191.36
>> +     10 were ssh attempts from 127.0.87.251
>> +     14 were ssh attempts from 127.0.225.154
>> +      8 were ssh attempts from 127.0.102.26
>> +      1 were ssh attempts from 127.0.102.141
>> +      2 were ssh attempts from 127.0.28.31
>> +     29 were ssh attempts from 127.0.175.156
>> +      4 were ssh attempts from 127.0.192.3

Sort these after number of attempts.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk_at_FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
Received on Fri Mar 17 2006 - 13:00:55 UTC
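The condensed per-host report phk sketches above (total per source, the three most-tried login names, "..." when there are more, busiest source first) and the "sort these after number of attempts" point both come down to one small pipeline. The script below is an added illustration, not code from this thread or from FreeBSD's periodic/security scripts. It assumes ftpd's syslog line format "FTP LOGIN FAILED FROM <host>, <user>"; the syslog excerpt, host names and login names are constructed sample data.

```shell
#!/bin/sh
# Added example: condense ftpd login failures per source host.
# Assumes ftpd logs "FTP LOGIN FAILED FROM <host>, <user>" via syslog.

# Constructed sample syslog excerpt (hosts and login names are placeholders).
SAMPLE_LOG='Mar 17 03:12:01 gw ftpd[4101]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, webmaster
Mar 17 03:12:03 gw ftpd[4102]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, web
Mar 17 03:12:05 gw ftpd[4103]: FTP LOGIN FAILED FROM dslb-084-062.otherchg.net, admin
Mar 17 03:12:07 gw ftpd[4104]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, webmaster
Mar 17 03:12:09 gw ftpd[4105]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, sybase
Mar 17 03:12:10 gw ftpd[4106]: connection from 203.0.113.9
Mar 17 03:12:11 gw ftpd[4106]: FTP LOGIN FAILED FROM 203.0.113.9, test
Mar 17 03:12:13 gw ftpd[4107]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, web
Mar 17 03:12:15 gw ftpd[4108]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, webmaster
Mar 17 03:12:17 gw ftpd[4109]: FTP LOGIN FAILED FROM dslb-084-062.otherchg.net, admin
Mar 17 03:12:19 gw ftpd[4110]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, oracle
Mar 17 03:12:21 gw ftpd[4111]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, sybase
Mar 17 03:12:23 gw ftpd[4112]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, web
Mar 17 03:12:25 gw ftpd[4113]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, webmaster'

# Read syslog lines on stdin; print one line per source host, sorted by
# failure count, listing the three most-tried login names and "..." if
# the host tried more than three.
summarize_ftp_failures() {
    sed -n 's/.*FTP LOGIN FAILED FROM \([^,]*\), \(.*\)$/\1 \2/p' |
    sort | uniq -c |               # one "count host user" line per pair
    sort -k2,2 -k1,1nr -k3,3 |     # group by host, most-tried user first
    awk '
    {
        total[$2] += $1            # failures per host
        if (n[$2] < 3)
            users[$2] = (n[$2] ? users[$2] ", " : "") $3
        else
            more[$2] = 1           # more than three distinct login names
        n[$2]++
    }
    END {
        for (h in total)
            printf "%6d from %s, (%s%s)\n", total[h], h, users[h], (more[h] ? " ..." : "")
    }' |
    sort -nr                       # busiest source first
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_ftp_failures
```

A dictionary attack from one host collapses to a single line regardless of how many names it tried, which is the property phk is after; the same `sort -nr` at the end also handles the "sort these after number of attempts" request for the ssh section.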
