
Re: random usernames in attempts to break in to my machine?



Joe Pfeiffer <pfeiffer@cs.nmsu.edu> writes:

> This isn't really debian-specific, but I don't know a better place to
> ask...  recently, I've been having servers make a large number of
> attempts to access my mail host using what appear to be random strings
> as usernames -- it looks like this:
>
> Apr  4 03:04:30 snowball saslauthd[1179]: pam_unix(:auth): check pass; user unknown
> Apr  4 03:04:30 snowball saslauthd[1179]: pam_unix(:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
> Apr  4 03:04:33 snowball saslauthd[1179]:                 : auth failure: [user=1b391vovbh.fsf@pfeifferfamily.net] [service=] [realm=] [mech=pam] [reason=PAM auth error]
>
> They all have the same form: <something random>.fsf@pfeifferfamily.net
>
> I'm trying to understand the point; it's not like there's any chance any
> of those usernames will be valid.  This isn't the usual attempts using
> usernames like root, admin, test1, scan...  those I understand.
>
> So, anybody have any ideas what's up here?

Hello Joe,

#+BEGIN_SRC python
# -*- coding: utf-8 -*-
# Gather every dotted-quad IPv4 address that appears in the auth log and
# print them.  The pattern matches any dotted quad, so anything else shaped
# like one (a version string, for instance) is picked up too; look over the
# output before handing it to a ban list.

import re

# Raw string, so "\." stays a regex escape instead of an invalid Python one.
# Each octet is 1-3 digits; values above 255 are not rejected.
p = re.compile(r"\b[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\b")

FPATH = "/var/log/auth.log"  # you can edit here


def gather_ips(path=FPATH):
    """Return every IPv4-looking string in the file, in order, duplicates kept."""
    with open(path, "r") as f:
        data = f.read()
    return p.findall(data)  # <class 'list'>


if __name__ == "__main__":
    result = gather_ips()
    print(result)
    print(len(result))
#+END_SRC

It is a simple Python 3 script: first you can gather all the IPv4
addresses from /var/log/auth.log, and then you can control the traffic
with other software such as fail2ban, I think.


NOTES: all risk is your responsibility ;;;

Sincerely, Linux fan Byung-Hee

-- 
^고맙습니다 _白衣從軍_ 감사합니다_^))//
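The reply above suggests collecting addresses from auth.log and handing them to fail2ban. What fail2ban's filters actually key on is the `rhost=` field of the PAM failure line, not any dotted quad in the file, and the saslauthd lines Joe quoted carry an empty `rhost=`, so they give nothing to ban by address. The following is an added example, not code from the original posters or from fail2ban: it parses PAM "authentication failure" lines, counts failures per source address, counts separately the failures that name no remote host, and lists the addresses at or above a threshold. The log lines are constructed for the example (only the saslauthd line copies the shape of the ones in the thread); the `maxretry` name borrows fail2ban's option of the same name, and the example goes beyond the thread in also accepting IPv6 addresses via `ipaddress`.

```python
#!/usr/bin/env python3
"""Count PAM authentication failures per source host, the way a fail2ban
filter does, instead of grepping for anything that looks like an IPv4 address.

Added example for the thread, not code from the original posters or fail2ban.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log (not from a real host).  The saslauthd line has the
# shape of the ones quoted in the thread: its rhost= is empty.  The sshd lines
# carry a real rhost= value; the last line is a successful login, not a failure.
SAMPLE_AUTH_LOG = """\
Apr  4 03:04:30 snowball saslauthd[1179]: pam_unix(:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Apr  4 03:05:01 snowball sshd[2201]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.23  user=root
Apr  4 03:05:04 snowball sshd[2203]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.23  user=admin
Apr  4 03:05:09 snowball sshd[2205]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.23  user=test1
Apr  4 03:06:12 snowball sshd[2210]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=scan
Apr  4 03:07:00 snowball sshd[2215]: Accepted publickey for joe from 192.0.2.10 port 51234 ssh2
"""

# Anchor on the PAM failure message and capture whatever follows "rhost=".
# \S* also matches the empty string, so a failure with no remote host (the
# saslauthd case) is still recognised and can be counted separately.
FAILURE_RE = re.compile(r"authentication failure;.*\brhost=(?P<rhost>\S*)")


def parse_failures(log_text):
    """Return (Counter of failures per valid IP address, number of failures
    that carried no rhost at all)."""
    per_host = Counter()
    no_host = 0
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m is None:
            continue  # accepted logins, cron, session lines, ...
        rhost = m.group("rhost")
        if not rhost:
            no_host += 1  # nothing to ban by address on this line
            continue
        try:
            # Normalises the text and rejects junk such as 999.1.2.3;
            # accepts IPv6 literals as well as IPv4.
            addr = str(ipaddress.ip_address(rhost))
        except ValueError:
            continue  # rhost was a hostname rather than an address; skip it
        per_host[addr] += 1
    return per_host, no_host


def hosts_to_ban(per_host, maxretry=3):
    """Addresses at or above the failure threshold, busiest first.
    maxretry is named after fail2ban's option; 3 suits the tiny sample."""
    return [host for host, n in per_host.most_common() if n >= maxretry]


if __name__ == "__main__":
    import sys

    # Run with a path to read a real auth.log; with no argument, use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "r") as f:
            text = f.read()
    else:
        text = SAMPLE_AUTH_LOG
    counts, unattributed = parse_failures(text)
    for host, n in counts.most_common():
        print(f"{host}\t{n}")
    print(f"failures with no rhost (cannot be banned by address): {unattributed}")
    print("ban candidates:", hosts_to_ban(counts))
```

On the sample, 198.51.100.23 reaches the threshold, 203.0.113.7 does not, the successful login from 192.0.2.10 is never counted, and the saslauthd failure is reported as one failure with no address. For a mail host that is the practical caveat: if the service that logs the failure does not record the peer address, no amount of regex over that line will yield something for fail2ban to ban, and the address has to come from another log line of the same daemon.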

