Re: PROPOSAL for periodic/security/800.loginfail

From: Giorgos Keramidas <keramida_at_ceid.upatras.gr>
Date: Fri, 17 Mar 2006 11:29:39 -0800
On 2006-03-17 15:44, Panagiotis Astithas <past_at_ebs.gr> wrote:
>Garance A Drosehn wrote:
>>Jan  2 17:03:29 sinbad shutdown: reboot by root:
>>Jan  2 17:28:26 sinbad shutdown: power-down by root: remove drive...
>>+
>>++ Found 49 failed attempts for ftpd:
>>+      4 failed ftp attempts were from xdsl-81-173.changed.de, webmaster
>>+      3 failed ftp attempts were from xdsl-81-173.changed.de, web
>>[...]
>>+
>>++ Found 134 failed attempts to login to valid userids:
>>+      3 were ssh attempts for root from 127.0.225.154
>>+      1 were ssh attempts for root from 127.0.102.26
[...]
>>+
>>++ Found 199 attempts to login to invalid (non-existing) userids:
>>+     45 were ssh attempts from 127.0.191.36
>>+     10 were ssh attempts from 127.0.87.251
[...]
>
> Much better!
> Thanks,

True.  Another good idea is probably to log _successful_ logins.  On
some Linux systems I work with I have installed something like this:

% LOG=/var/log
% YESTERDAY=`date -v-1d "+%b %e "`
%
% catmsgs() {
%         find ${LOG} -name 'auth.log.*' -mtime -2 |
%             sort -t. -r -n -k 2,2 |
%             while read f
%             do
%                 case $f in
%                     *.gz)       zcat -f $f;;
%                     *.bz2)      bzcat -f $f;;
%                 esac
%             done
%         [ -f ${LOG}/auth.log ] && cat $LOG/auth.log
% }
%
% echo
% catmsgs | perl -ne 'if (m/sshd.* Accepted/) { s/.* Accepted (\S+) for (\S+) from (\S+).*/$2 $1 $3/; print $_;}' |
% sort | uniq -c | sort -nr | \
% while read count username auth addr _junk ; do
%         name=`host "${addr}" 2>&1 | sed -e 's/.* //' -e 's/\.$//'`
%         case ${name} in
%         *NXDOMAIN*)
%                 name=""
%                 ;;
%         esac
%         echo $count $username $auth $addr $name
% done | \
% awk 'BEGIN {printf "Users logging in through sshd:\n";}
%      {
%         c=$1;           # count
%         u=$2;           # username
%         m=$3;           # method of authentication
%         a=$4;           # from-host address
%         h=$5;           # from-host name (may be empty)
%         if (h == "") {
%             printf "    %s logged in from (%s) using %s: %d times\n",u,a,m,c;
%         } else {
%             printf "    %s logged in from %s (%s) using %s: %d times\n",u,h,a,m,c;
%         }
%      }'
% echo

The output looks similarly short with Garance's script:

% [root_at_flame /root]# sh sshd.sh
%
% Users logging in through sshd:
%     keramida logged in from (10.0.0.1) using keyboard-interactive/pam: 14 times
%     keramida logged in from (10.6.0.170) using keyboard-interactive/pam: 8 times
%     keramida logged in from (10.6.0.130) using publickey: 6 times
%     keramida logged in from (10.6.0.130) using keyboard-interactive/pam: 3 times
%     keramida logged in from (10.6.0.82) using keyboard-interactive/pam: 1 times
%     keramida logged in from (10.6.0.80) using keyboard-interactive/pam: 1 times
%

If this looks interesting for our periodic security checks, I can
definitely convert it to use awk instead of Perl and integrate it with
the existing scripts.

Received on Fri Mar 17 2006 - 18:30:26 UTC
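The summary step of the script above, reimplemented as an added example in plain awk (the conversion Giorgos offers at the end of his message); this is not code from the original post or from the FreeBSD periodic scripts. It assumes a few constructed auth.log lines (hostnames and RFC 5737 test addresses are made up), reads them from standard input instead of the rotated `auth.log.*` files, and skips the `host` reverse lookup so it runs offline; only `Accepted` lines are counted, so `Failed` and `Invalid user` lines are ignored.

```shell
#!/bin/sh
# Added example: count successful sshd logins per (user, method, address)
# without Perl and without DNS lookups.

# Constructed sample auth.log lines (not real hosts; addresses are RFC 5737 TEST-NET).
SAMPLE_AUTH_LOG='Mar 17 10:01:02 flame sshd[1201]: Accepted publickey for keramida from 192.0.2.10 port 51234 ssh2
Mar 17 10:05:44 flame sshd[1210]: Accepted keyboard-interactive/pam for keramida from 192.0.2.10 port 51300 ssh2
Mar 17 10:07:11 flame sshd[1215]: Failed password for root from 198.51.100.7 port 40022 ssh2
Mar 17 11:12:09 flame sshd[1290]: Accepted publickey for keramida from 192.0.2.10 port 51400 ssh2
Mar 17 12:30:00 flame sshd[1333]: Accepted password for backup from 203.0.113.5 port 60010 ssh2
Mar 17 12:31:15 flame sshd[1340]: Accepted password for backup from 203.0.113.5 port 60011 ssh2
Mar 17 12:40:00 flame sshd[1350]: Invalid user admin from 203.0.113.9'

# summarize_sshd_logins: reads sshd log lines on stdin and prints
# "<count> <user> <method> <addr>", most frequent first.
summarize_sshd_logins() {
    awk '
        # Only successful authentications carry "Accepted".
        /sshd\[[0-9]+\]: Accepted / {
            # Layout after the daemon prefix:
            #   Accepted <method> for <user> from <addr> port <n> ssh2
            for (i = 1; i <= NF; i++) {
                if ($i == "Accepted") {
                    method = $(i + 1); user = $(i + 3); addr = $(i + 5)
                }
            }
            count[user " " method " " addr]++
        }
        END {
            for (k in count) printf "%d %s\n", count[k], k
        }
    ' | sort -k1,1nr -k2
}

# report_sshd_logins: same input, formatted like the original script output.
report_sshd_logins() {
    summarize_sshd_logins | awk '
        BEGIN { print "Users logging in through sshd:" }
        { printf "    %s logged in from (%s) using %s: %d times\n", $2, $4, $3, $1 }
    '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AUTH_LOG" | report_sshd_logins
```

To run it over a real log, replace the `printf` with something like the `catmsgs` function from the message (which also decompresses the rotated files); the reverse lookup can be added back as a separate step on the address column if the report is read by people rather than by another script.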