Joe Pfeiffer <[email protected]> writes:
> This isn't really debian-specific, but I don't know a better place to
> ask... recently, I've been having servers make a large number of
> attempts to access my mail host using what appear to be random strings
> as usernames -- it looks like this:
>
> Apr 4 03:04:30 snowball saslauthd[1179]: pam_unix(:auth): check pass; user
> unknown
> Apr 4 03:04:30 snowball saslauthd[1179]: pam_unix(:auth): authentication
> failure; logname= uid=0 euid=0 tty= ruser= rhost=
> Apr 4 03:04:33 snowball saslauthd[1179]: : auth failure:
> [[email protected]] [service=] [realm=] [mech=pam]
> [reason=PAM auth error]
>
> They all have the same form: <something random>[email protected]
>
> I'm trying to understand the point; it's not like there's any chance any
> of those usernames will be valid. This isn't they usual attempts using
> usernames like root, admin, test1, scan... those I understand.
>
> So, anybody have any ideas what's up here?
Hellow Joe,
#+BEGIN_SRC python
# -*- coding: utf-8 -*-
import re
p = re.compile("\
[1-9]?[0-9]?[0-9]\.[0-9]?[0-9]?[0-9]\.[0-9]?[0-9]?[0-9]\.[0-9]?[0-9]?[0-9]")
FPATH = "/var/log/auth.log" # you can edit here
f = open(FPATH, "r")
data = f.read()
f.close()
result = p.findall(data) # <class 'list'>
if __name__ == "__main__":
print(result)
print(len(result))
#+END_SRC
It is simple python3 script, first you could gather all ipv4 from
/var/log/auth.log, and then you can control traffic by other software
such as fail2ban, i think.
NOTES: all risk is your responsiblity ;;;
Sincerely, Linux fan Byung-Hee
--
^고맙습니다 _白衣從軍_ 감사합니다_^))//
