Completely agreed... I don't want to know the passwords. What I'd like to see is, over the long term, are these scans making more attempts at non-system, first-name valid accounts that do exist than random chance should allow, and a clear indication that more attempts at valid accounts are made than for non-valid accounts. Once that's sorted out, we can decide if we really have a problem.

Perhaps a small script as part of the prerotate section of logrotate of auth.log would do it... something like:

    prerotate
        grep 'Failed password' auth.log | awk '{print $9}' >> /tmp/sshscan.log
    endscript

(with no rotation of /tmp/sshscan.log happening)
($9 may be different on some machines)

Leaving that in place for a few weeks on an oft-scanned system should give us a list of accounts that have been attempted... then all that needs to happen is a 'uniq -c' of /tmp/sshscan.log and then determining whether the non-system accounts most often hit are valid or not.

If that makes sense to you (seeking input here... there may be a flaw I'm not seeing), I'll put it in place.

Cheers,
Greg

On Tue, 2005-06-21 at 11:58 -0400, Justin Pryzby wrote:
> Sure, but what do you plan to do with the data? Rather, how do you
> plan to analyze it? It seems to me that this could be done without
> knowing what passwords are tried.
>
> The data lined up pretty well last night, when I discovered the first
> ssh scan; I had to remove some blank lines from /etc/ssh-log (probably
> from my own testing), remove my own password from the bottom (I was
> scp'ing files from the machine), and remove some other cruft I had
> left behind (from testing that password authentication is forced).
>
> But it will probably not line up nearly as well once, for example,
> auth.log gets rotated, or I log in from an uncommon machine which
> doesn't have RSA access, and I mistype my password.
>
> Justin
>
> On Mon, Jun 20, 2005 at 10:15:18PM -0700, Greg Webster wrote:
> > Hi Justin,
> >
> > Part of what I'd like to (dis)prove is that they are making a 'second
> > run' from this or another machine to hit the accounts that it believes
> > are valid... any chance you could keep your testing up for a while?
> >
> > On Mon, 2005-20-06 at 23:15 -0400, Justin Pryzby wrote:
> > > Included is a list of usernames and corresponding passwords used in an
> > > ssh scan I observed. It indicates to me that it is trying
> > > statistically common (aka dumb) passwords on common usernames; I see
> > > no evidence of an attempt to measure timings to discover valid
> > > accounts.
> > >
> > > Starred accounts are invalid users.

-- 
Greg Webster - System Administrator
-------------------------------------
intouch.ca gastips.com epredictor.net
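The tally Greg proposes (grep the failed logins, pull the username field, `uniq -c`, then sort the most-hit names into valid and non-valid accounts) carried through as a runnable script. This is an added example, not code from the thread or from either poster. The auth.log and passwd contents are constructed samples; the script assumes the sshd message formats shown in them (`Failed password for <user>` and `Failed password for invalid user <user>`, which is why a bare `$9` is not always the username, the "$9 may be different" caveat above) and treats uid 1000 and up as non-system accounts, which is an assumption about the local passwd layout.

```shell
#!/bin/sh
# Added example: count which usernames an ssh scan tried and classify each
# against a passwd file. Sample auth.log and passwd below are constructed.

AUTH_LOG=$(mktemp)
PASSWD=$(mktemp)
trap 'rm -f "$AUTH_LOG" "$PASSWD"' EXIT

cat > "$AUTH_LOG" <<'EOF'
Jun 21 03:12:44 host sshd[1234]: Failed password for root from 10.0.0.5 port 4444 ssh2
Jun 21 03:12:45 host sshd[1235]: Failed password for invalid user admin from 10.0.0.5 port 4445 ssh2
Jun 21 03:12:46 host sshd[1236]: Failed password for invalid user test from 10.0.0.5 port 4446 ssh2
Jun 21 03:12:47 host sshd[1237]: Failed password for greg from 10.0.0.5 port 4447 ssh2
Jun 21 03:12:48 host sshd[1238]: Failed password for greg from 10.0.0.5 port 4448 ssh2
Jun 21 03:12:49 host sshd[1239]: Failed password for invalid user admin from 10.0.0.5 port 4449 ssh2
Jun 21 03:12:50 host sshd[1240]: Accepted publickey for greg from 192.168.1.2 port 50000 ssh2
EOF

cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
greg:x:1000:1000:Greg Webster:/home/greg:/bin/sh
EOF

# Usernames from "Failed password" lines. For an existing account sshd logs
# "for <user>" (field 9); for an unknown one "for invalid user <user>"
# (field 11), so a plain '{print $9}' would record the word "invalid".
attempted_users() {
    grep 'Failed password' "$1" | awk '$9 == "invalid" { print $11; next } { print $9 }'
}

# "count user" per username, most attempted first (ties by name).
count_attempts() {
    attempted_users "$1" | sort | uniq -c | awk '{ print $1, $2 }' | sort -k1,1nr -k2,2
}

# Classify a username against a passwd file: system (uid below 1000,
# an assumed threshold), valid (a real non-system account) or invalid.
classify() {
    uid=$(awk -F: -v u="$2" '$1 == u { print $3 }' "$1")
    if [ -z "$uid" ]; then echo invalid
    elif [ "$uid" -lt 1000 ]; then echo system
    else echo valid
    fi
}

# "count user class" per attempted username.
report() {
    count_attempts "$1" | while read -r n user; do
        echo "$n $user $(classify "$2" "$user")"
    done
}

# Total failed attempts against usernames of one class, e.g. "valid".
attempts_for_class() {
    report "$1" "$2" | awk -v c="$3" '$3 == c { s += $1 } END { print s + 0 }'
}

report "$AUTH_LOG" "$PASSWD"
```

On the sample data the report shows two attempts against the real non-system account (greg), three against names that do not exist, and one against root; run over a few weeks of real logs, the valid-versus-invalid totals from `attempts_for_class` are the numbers the thread wants to compare against chance.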