Re: PROPOSAL for periodic/security/800.loginfail

From: Garance A Drosehn <gad_at_FreeBSD.org>
Date: Fri, 17 Mar 2006 09:17:17 -0500
At 3:00 PM +0100 3/17/06, Poul-Henning Kamp wrote:
>
>But I would advise a bit of data-analysis here.
>
>For instance:
>>>  ++ Found 49 failed attempts for ftpd:
>>>  +      4 failed ftp attempts were from xdsl-81-173.changed.de, webmaster
>>>  +      3 failed ftp attempts were from xdsl-81-173.changed.de, web
>>>  +     16 failed ftp attempts were from dslb-084-062.otherchg.net, admin
>>>  +      2 failed ftp attempts were from xdsl-81-173.changed.de, sybase
>>>  [...]
>
>The crucial information to people here is not which
>logins have been attempted as much as where the
>attempts came from, so I would prefer instead
>something like:
>
>failed ftp attempts:
>     33 from xdsl-81-173.changed.de, (webmaster, web, sybase ...)
>     16 from dslb-084-062.otherchg.net, (admin)
>
>Would be more compact and sufficient for most people.
>
>Notice the "..." in the second line, I actually mean
>that:  show the top three login names and use "..." to
>indicate there are more.

Sounds very good.  I will do that.  (well, I may not
get to it until tomorrow, but I will do it...)

>
>>>  ++ Found 199 attempts to login to invalid (non-existing) userids:
>>>  +     45 were ssh attempts from 127.0.191.36
>>>  +     10 were ssh attempts from 127.0.87.251
>>>  +     14 were ssh attempts from 127.0.225.154
>>>  +      8 were ssh attempts from 127.0.102.26
>>>  +      1 were ssh attempts from 127.0.102.141
>>>  +      2 were ssh attempts from 127.0.28.31
>>>  +     29 were ssh attempts from 127.0.175.156
>>>  +      4 were ssh attempts from 127.0.192.3
>
>Sort these after number of attempts.

I have to admit this is the first awk script I've written in
more than a decade, so I am quite rusty with it.  Last
night I made a quick attempt to figure out how to sort
values out of an associative array, but did not come
across any sort function provided by nawk itself.  I like
the idea of sorting, I just haven't figured out how to get
nawk to do it yet...

If I can figure that out, I'll do that too.  Sort by
number-of-attempts, or sort by IP-address of attacker?

-- 
Garance Alistair Drosehn     =      gad_at_gilead.netel.rpi.edu
Senior Systems Programmer               or   gad_at_FreeBSD.org
Rensselaer Polytechnic Institute;             Troy, NY;  USA
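An added example illustrating the two points raised in this exchange, the per-source summary with the top three login names and "..." and the sort by number of attempts. It is not the periodic/security/800.loginfail script under discussion and is not from any of the posters. nawk has no array-sort builtin, so the usual answer is the one shown here: let awk do the counting and pipe its END output through sort(1) (the same works from inside awk as `print ... | "sort -rn"`). The sshd "Invalid user" log lines are constructed for the example, with documentation IP addresses in place of real ones.

```shell
#!/bin/sh
# Added example (not the 800.loginfail script from the thread): summarise
# invalid-user ssh attempts per source host, most attempts first, listing the
# first three usernames tried and "..." when there were more.

# Constructed sample of sshd syslog lines (not real log data).
sample_log() {
    cat <<'EOF'
Mar 17 02:11:01 host sshd[1201]: Invalid user webmaster from 192.0.2.10
Mar 17 02:11:03 host sshd[1203]: Invalid user web from 192.0.2.10
Mar 17 02:11:05 host sshd[1205]: Invalid user sybase from 192.0.2.10
Mar 17 02:11:07 host sshd[1207]: Invalid user oracle from 192.0.2.10
Mar 17 02:11:09 host sshd[1209]: Invalid user admin from 198.51.100.7
Mar 17 02:11:11 host sshd[1211]: Invalid user admin from 198.51.100.7
Mar 17 02:11:13 host sshd[1213]: Invalid user test from 203.0.113.99
EOF
}

# summarize_invalid: read sshd log lines on stdin and print one line per
# source host in the form "<count> from <host>, (user1, user2, user3 ...)",
# sorted by count, highest first.
summarize_invalid() {
    awk '
    /sshd\[[0-9]+\]: Invalid user / {
        # Locate the "Invalid user <name> from <host>" fields by position so
        # the date/hostname prefix width does not matter.
        for (i = 1; i <= NF; i++)
            if ($i == "Invalid" && $(i+1) == "user") break
        user = $(i+2); host = $(i+4)
        count[host]++
        # Keep the distinct usernames per host, in first-seen order.
        if (!((host, user) in seen)) {
            seen[host, user] = 1
            nusers[host]++
            users[host, nusers[host]] = user
        }
    }
    END {
        # Order of "for (h in count)" is unspecified in awk; sort(1) below
        # gives the ordering by attempt count.
        for (h in count) {
            list = ""
            for (j = 1; j <= nusers[h] && j <= 3; j++)
                list = list (j > 1 ? ", " : "") users[h, j]
            if (nusers[h] > 3) list = list " ..."
            printf "%6d from %s, (%s)\n", count[h], h, list
        }
    }' | sort -rn
}

# Stand-alone run over the constructed sample.
echo "failed ssh attempts to invalid (non-existing) userids:"
sample_log | summarize_invalid
```

On the sample above this prints the 192.0.2.10 line first (four attempts, "webmaster, web, sybase ..."), then 198.51.100.7 and 203.0.113.99. Sorting by attacker address instead is a matter of replacing `sort -rn` with a sort on the third field.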
Received on Fri Mar 17 2006 - 13:17:20 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:53 UTC