degrem03 wrote:

> Thanks René.

You're welcome.

> The problem that we have is that on the Windows Event Application list, we
> received many messages like that:
>
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: NOUSER
> Domain:
> Logon Type: 2
> Logon Process: Advapi
> Authentification Package: Microsoft_authentification_package
> Eventid: 529

This is probably the same situation as the example I showed: somebody is using a "dumb" program for trying to break into an unsecured system. They usually scan the internet to see who has port 22 active and then send a list of user names and passwords in a "brute force" attempt to break in.

That's the reason why in /usr/share/doc/Cygwin/inetutils-1.3.2.README there is a recommendation to delete user guest from /etc/password or disable it using Windows user administration; that recommendation is for ftp/telnet/rlogin, I don't think sshd allows empty passwords.

> It is for that, that we want to know more information about these events and
> we think that perhaps we could use other tool in cygwin.
>
> We use cygwin as server SSH.

I don't think there is any tool to analyze Windows events. The only information I find useful is the IP address of the attacker, which I could add to a firewall rule to stop him from creating those hundreds of events (and a possible DoS attack).

I haven't done this on Windows or for sshd, but if you change sshd to log using syslog then you could use any log-watcher tool that works on Unix.

Regards.
-- 
René Berber