At 3:00 PM +0100 3/17/06, Poul-Henning Kamp wrote:
>
>Garance wrote:
>>
>> First, imagine a standard message with 382 login-failure
>>> messages in it. Then imagine if you got the following
>>> instead of that (and I could easily condense the list of
>>> ftp failures some more). Which is easier to deal with?
>
>Yes, absolutely.
>
>But I would advise a bit of data-analysis here.
>
>For instance:
>>> ++ Found 49 failed attempts for ftpd:
>>> + 4 failed ftp attempts were from xdsl-81-173.changed.de, webmaster
>>> + 3 failed ftp attempts were from xdsl-81-173.changed.de, web
>>> + 16 failed ftp attempts were from dslb-084-062.otherchg.net, admin
>>> + 2 failed ftp attempts were from xdsl-81-173.changed.de, sybase
>
>> [...]

The crowd asked for fewer lines...
The crowd asked for more data-analysis...
Now the script can deliver it!

"AND THE CROWD GOES WILD!"
[bullwinkle crowd] yea... [/bullwinkle crowd]

So... five cans of Jolt Blue later, I have a new version of the script available at:

    http://people.freebsd.org/~gad/filters/loginfail-V2.nawk

In this version, for each of the recognized categories of messages there is an option to set a summary level. The higher that summary_level value is set to, the less information will be printed for the matching category. The values defined so far are:

    0 = no summary
    1 = print a summary, while still printing all the lines
    2 = do not print any of the lines matched in the category, and print the full summary.
    5 = print the summary for the category, without any userid-specific information.
   50 = print nothing but the summary-header for the category.

Here is the output for the same list of records I used in my previous example. Note that the summary now also shows the range-of-time that the attacks were happening.

This is what it shows when run with
    sum_ftpd_bad=2 sum_sshd_badpws=2 sum_sshd_baduserids=5

# - - - - start: sinbad.fake.rpi.edu login failures:
Jan 2 17:03:29 sinbad shutdown: reboot by root:
Jan 2 17:28:26 sinbad shutdown: power-down by root: remove drive...
matched 49 failures (not shown) of ftp connections
   33 from xdsl-81-173.changed.de _at_ 20:16 -> 20:16 Dec 28
      to users: admin*5 webmaster*4 user*4 test*4 + 9 others
   16 from dslb-084-062.otherchg.net _at_ 21:51 -> 21:52 Dec 28
      to users: admin*16
matched 134 failures (not shown) of ssh to existing userids
   45 from 127.0.210.12 _at_ 04:22 -> 04:24 Dec 31  u: root*45
   44 from 127.0.45.46 _at_ 13:52 -> 13:53 Dec 26  u: root*44
   22 from 127.0.69.146 _at_ 15:32 -> 15:32 Dec 28  u: root*22
   13 from 127.0.175.156 _at_ 14:26 -> 14:26 Dec 27
      to users: root*12 + 1 others
    5 from 127.0.225.154 _at_ 14:39 -> 14:40 Dec 28
      to users: root*3 + 1 others
    3 from 127.0.73.182 _at_ 21:57 -> 21:58 Dec 26  u: root*3
    2 from 127.0.102.26 _at_ 15:30 -> 15:30 Dec 31
      to users: root*1 + 1 others
matched 199 failures (not shown) of ssh to non-existent userids
   45 from 127.0.191.36 _at_ 14:29 -> 14:31 Dec 28  #users: 45
   44 from 127.0.111.3 _at_ 03:10 -> 03:12 Dec 31  #users: 36
   29 from 127.0.175.156 _at_ 14:26 -> 14:26 Dec 27  #users: 16
   21 from 127.0.69.146 _at_ 15:32 -> 15:32 Dec 28  #users: 21
   14 from 127.0.225.154 _at_ 14:39 -> 14:40 Dec 28  #users: 7
   10 from 127.0.87.251 _at_ 11:00 -> 11:00 Jan 1  #users: 8
   10 from 127.0.185.180 _at_ 15:50 -> 15:50 Jan 3  #users: 10
    8 from 127.0.102.26 _at_ 15:30 -> 15:31 Dec 31  #users: 8
    6 from 127.0.73.182 _at_ 21:57 -> 21:58 Dec 26  #users: 4
    5 from 127.0.30.97 _at_ 08:14 -> 08:16 Dec 31  #users: 1
    4 from 127.0.192.3 _at_ 13:44 -> 13:45 Dec 31  #users: 1
    2 from 127.0.28.31 _at_ 23:28 -> 23:28 Dec 28  #users: 2
    1 from 127.0.102.141 _at_ 21:05 -> 21:05 Dec 29  #users: 1
# - - - - end

The month-and-day are showing up in this example because the input included lines from more than one day. In standard use it would only see records from a single day, so the date would not be displayed (it would still have the time-range).

When printing the user-specific information, it only prints the second line of "to users: " when there was more than one userid found. If only one userid was found, then it just tacks something like "u: root*3" on the first line.

If that is still too much, then this is what the script shows when run with
    sum_ftpd_bad=50 sum_sshd_badpws=50 sum_sshd_baduserids=50

# - - - - start: sinbad.fake.rpi.edu login failures:
Jan 2 17:03:29 sinbad shutdown: reboot by root:
Jan 2 17:28:26 sinbad shutdown: power-down by root: remove drive...
matched 49 failures (not shown) of ftp connections
matched 134 failures (not shown) of ssh to existing userids
matched 199 failures (not shown) of ssh to non-existent userids
# - - - - end

-- 
Garance Alistair Drosehn     =   gad_at_gilead.netel.rpi.edu
Senior Systems Programmer           or   gad_at_FreeBSD.org
Rensselaer Polytechnic Institute;             Troy, NY;  USA

Received on Sun Mar 19 2006 - 12:28:45 UTC
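The summary levels described in the message above (0, 1, 2, 5 and 50), re-implemented as an added example in POSIX awk wrapped in a shell function. This is not Garance's loginfail-V2.nawk, which is not reproduced on this page; it is a small stand-in written for this page that recognizes only three message shapes, assumed to match the FreeBSD daemons of the era: ftpd "FTP LOGIN FAILED FROM host, user", sshd "Failed password for user from host ..." (existing userid) and sshd "Invalid user user from host" (non-existent userid). The sample syslog excerpt is constructed, the host names and addresses are the redacted ones from the message, and the output prints "@" where the archive above shows "_at_".

```shell
#!/bin/sh
# Added example (not the loginfail-V2.nawk script from the message): a small
# POSIX awk re-implementation of its summary levels for three message shapes.

# Constructed sample syslog excerpt: two days, three categories, and one
# unrelated line that must pass through untouched. Hosts and addresses are the
# redacted ones from the message; nothing here is real traffic.
sample_log() {
    cat <<'EOF'
Dec 28 15:32:01 sinbad sshd[811]: Failed password for root from 127.0.69.146 port 4321 ssh2
Dec 28 15:32:03 sinbad sshd[815]: Invalid user oracle from 127.0.69.146
Dec 28 15:32:05 sinbad sshd[819]: Failed password for root from 127.0.69.146 port 4330 ssh2
Dec 28 15:32:08 sinbad sshd[823]: Invalid user test from 127.0.69.146
Dec 28 15:32:10 sinbad sshd[827]: Failed password for root from 127.0.69.146 port 4342 ssh2
Dec 28 17:03:29 sinbad shutdown: reboot by root:
Dec 28 20:16:40 sinbad ftpd[902]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, webmaster
Dec 28 20:16:44 sinbad ftpd[903]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, admin
Dec 28 20:16:47 sinbad ftpd[904]: FTP LOGIN FAILED FROM xdsl-81-173.changed.de, admin
Dec 31 04:22:10 sinbad sshd[1203]: Failed password for gad from 127.0.210.12 port 51002 ssh2
Dec 31 04:23:55 sinbad sshd[1209]: Failed password for root from 127.0.210.12 port 51010 ssh2
Dec 31 13:44:02 sinbad ftpd[1330]: FTP LOGIN FAILED FROM dslb-084-062.otherchg.net, admin
EOF
}

# summarize_failures FTPD_LEVEL SSHD_BADPW_LEVEL SSHD_BADUSER_LEVEL < syslog
# Levels follow the message: 0 no summary, 1 summary plus all lines,
# 2 summary only, 5 summary without userids, 50 header line only.
summarize_failures() {
    awk -v sum_ftpd_bad="$1" -v sum_sshd_badpws="$2" -v sum_sshd_baduserids="$3" '
    BEGIN {
        level["ftpd_bad"] = sum_ftpd_bad + 0
        level["sshd_badpws"] = sum_sshd_badpws + 0
        level["sshd_baduserids"] = sum_sshd_baduserids + 0
        title["ftpd_bad"] = "ftp connections"
        title["sshd_badpws"] = "ssh to existing userids"
        title["sshd_baduserids"] = "ssh to non-existent userids"
        ncat = split("ftpd_bad sshd_badpws sshd_baduserids", order, " ")
    }
    # Count one failure: per category, per source host, per userid, plus the
    # HH:MM range and the day first seen. Levels 0 and 1 still echo the line.
    function note(cat, host, user) {
        total[cat]++
        if (!((cat, host) in cnt)) {
            hostlist[cat, ++nhosts[cat]] = host
            first[cat, host] = substr($3, 1, 5)
            day[cat, host] = $1 " " $2
        }
        cnt[cat, host]++
        last[cat, host] = substr($3, 1, 5)
        if (!((cat, host, user) in ucnt)) userlist[cat, host, ++nusers[cat, host]] = user
        ucnt[cat, host, user]++
        if (level[cat] < 2) print
    }
    { d = $1 " " $2; if (!(d in days)) { days[d] = 1; ndays++ } }   # distinct days in the input
    $5 ~ /^sshd\[/ && $6 == "Invalid" && $7 == "user" { note("sshd_baduserids", $10, $8); next }
    $5 ~ /^sshd\[/ && $6 == "Failed" && $7 == "password" && $9 != "invalid" { note("sshd_badpws", $11, $9); next }
    $5 ~ /^ftpd\[/ && $6 == "FTP" && $7 == "LOGIN" && $8 == "FAILED" { src = $10; sub(/,$/, "", src); note("ftpd_bad", src, $11); next }
    { print }   # anything unrecognized passes through, like the shutdown lines in the message
    END {
        for (i = 1; i <= ncat; i++) {
            cat = order[i]
            if (level[cat] < 1 || total[cat] == 0) continue
            printf "matched %d failures%s of %s\n", total[cat], (level[cat] >= 2 ? " (not shown)" : ""), title[cat]
            if (level[cat] >= 50) continue
            # busiest source first; POSIX awk has no sort, so a small insertion sort
            for (h = 2; h <= nhosts[cat]; h++) {
                host = hostlist[cat, h]
                for (j = h - 1; j >= 1 && cnt[cat, hostlist[cat, j]] < cnt[cat, host]; j--)
                    hostlist[cat, j + 1] = hostlist[cat, j]
                hostlist[cat, j + 1] = host
            }
            for (h = 1; h <= nhosts[cat]; h++) {
                host = hostlist[cat, h]
                # the day is shown only when the input spans more than one day
                printf "%5d from %s @ %s -> %s%s", cnt[cat, host], host, first[cat, host], last[cat, host], (ndays > 1 ? " " day[cat, host] : "")
                if (level[cat] >= 5) { printf "  #users: %d\n", nusers[cat, host]; continue }
                if (nusers[cat, host] == 1) { printf "  u: %s*%d\n", userlist[cat, host, 1], ucnt[cat, host, userlist[cat, host, 1]]; continue }
                printf "\n      to users:"
                for (u = 1; u <= nusers[cat, host]; u++) printf " %s*%d", userlist[cat, host, u], ucnt[cat, host, userlist[cat, host, u]]
                printf "\n"
            }
        }
    }'
}

# Stand-alone run with the same settings as the first output in the message.
sample_log | summarize_failures 2 2 5
```

Run it as `sample_log | summarize_failures 50 50 50` to get the header-only form, or `0 0 0` to see every matched line with no summary. Two choices worth noting: lines no rule recognizes (the shutdown line, but also sshd variants such as keyboard-interactive failures) are printed rather than dropped, so a new log format shows up as noise instead of disappearing silently; and the "Failed password for invalid user ..." shape is deliberately left to fall through, because the matching "Invalid user" line already counts that attempt.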
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:53 UTC