Interpreting the auth.log on a Linux system: what qualifies as one login attempt?

Using Python 3.5, I am composing a bit of code to analyze /var/log/auth.log and discern a few happenings from it. I am on Ubuntu 17.04 with default settings for the output to /var/log/auth.log.

I am attempting to quantify a failed login event. However, when I inspect the log file, it seems to me that a failed login event is logged multiple times. Is it safe to infer that all the lines below correspond to one failed login attempt as the call goes through the different layers of the system? Or is each line below a separate failed login attempt?

Lines that I am inclined to attribute to one failed login attempt:

Jun 21 20:05:33 node1 sshd[24969]: Failed password for invalid user root from 221.194.47.252 port 43974 ssh2
Jun 21 20:05:38 node1 sshd[24969]: message repeated 2 times: [ Failed password for invalid user root from 221.194.47.252 port 43974 ssh2]
Jun 21 20:05:38 node1 sshd[24969]: Received disconnect from 221.194.47.252 port 43974:11:  [preauth]
Jun 21 20:05:38 node1 sshd[24969]: Disconnected from 221.194.47.252 port 43974 [preauth]
Jun 21 20:05:38 node1 sshd[24969]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.194.47.252  user=root
Jun 21 20:05:41 node1 sshd[24971]: User root from 221.194.47.252 not allowed because none of user's groups are listed in AllowGroups
Jun 21 20:05:41 node1 sshd[24971]: input_userauth_request: invalid user root [preauth]
Jun 21 20:05:42 node1 sshd[24971]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.194.47.252  user=root

More context:

Jun 21 20:05:33 node1 sshd[24969]: Failed password for invalid user root from 221.194.47.252 port 43974 ssh2
Jun 21 20:05:38 node1 sshd[24969]: message repeated 2 times: [ Failed password for invalid user root from 221.194.47.252 port 43974 ssh2]
Jun 21 20:05:38 node1 sshd[24969]: Received disconnect from 221.194.47.252 port 43974:11:  [preauth]
Jun 21 20:05:38 node1 sshd[24969]: Disconnected from 221.194.47.252 port 43974 [preauth]
Jun 21 20:05:38 node1 sshd[24969]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.194.47.252  user=root
Jun 21 20:05:41 node1 sshd[24971]: User root from 221.194.47.252 not allowed because none of user's groups are listed in AllowGroups
Jun 21 20:05:41 node1 sshd[24971]: input_userauth_request: invalid user root [preauth]
Jun 21 20:05:42 node1 sshd[24971]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.194.47.252  user=root
Jun 21 20:05:44 node1 sshd[24971]: Failed password for invalid user root from 221.194.47.252 port 42071 ssh2
Jun 21 20:05:48 node1 sshd[24971]: message repeated 2 times: [ Failed password for invalid user root from 221.194.47.252 port 42071 ssh2]
Jun 21 20:05:49 node1 sshd[24971]: Received disconnect from 221.194.47.252 port 42071:11:  [preauth]
Jun 21 20:05:49 node1 sshd[24971]: Disconnected from 221.194.47.252 port 42071 [preauth]
Jun 21 20:05:49 node1 sshd[24971]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.194.47.252  user=root
Jun 21 20:05:51 node1 sshd[24976]: User root from 221.194.47.252 not allowed because none of user's groups are listed in AllowGroups
Jun 21 20:05:51 node1 sshd[24976]: input_userauth_request: invalid user root [preauth]
Jun 21 20:05:51 node1 sshd[24976]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.194.47.252  user=root
Jun 21 20:05:54 node1 sshd[24976]: Failed password for invalid user root from 221.194.47.252 port 58648 ssh2
Jun 21 20:05:58 node1 sshd[24976]: message repeated 2 times: [ Failed password for invalid user root from 221.194.47.252 port 58648 ssh2]
Jun 21 20:05:59 node1 sshd[24976]: Received disconnect from 221.194.47.252 port 58648:11:  [preauth]
Jun 21 20:05:59 node1 sshd[24976]: Disconnected from 221.194.47.252 port 58648 [preauth]
Jun 21 20:05:59 node1 sshd[24976]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.194.47.252  user=root
Jun 21 20:06:02 node1 sshd[24980]: User root from 221.194.47.252 not allowed because none of user's groups are listed in AllowGroups
Jun 21 20:06:02 node1 sshd[24980]: input_userauth_request: invalid user root [preauth]
Jun 21 20:06:02 node1 sshd[24980]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.194.47.252  user=root

Should I go by the pid of the sshd process to determine one failed login attempt? I can't go by the port, since over one connection per port multiple failed login attempts can occur, and I am trying to be as granular as possible in counting failed login attempts for analysis later.

Any other ideas? My next step is to grep the sshd source or pam to see what i can find.
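The following is an added example, not code from the question's author, showing one way to group the lines above by the sshd child pid (which, in the excerpt, changes with every new TCP connection while the port stays fixed within it) and to count password attempts from two independent sources: sshd's own "Failed password" lines, expanded by syslog's "message repeated N times" prefix, and PAM's "pam_unix(sshd:auth): authentication failure" line plus its "PAM N more authentication failures" summary. The assumption, drawn from the excerpt rather than from the sshd source, is that one pid corresponds to one connection and that the sshd and PAM lines describe the same password attempts from different layers, so the two counts should agree for any session whose lines are complete. The sample input is copied from the question; the regexes and the Session class are this example's own.

```python
import re
from collections import OrderedDict

# Sample input: the first two sessions from the question's log excerpt (constructed
# for this example by copying those lines; pid 24969 is cut off at the start, so
# its initial pam_unix line is missing).
SAMPLE_LOG = """\
Jun 21 20:05:33 node1 sshd[24969]: Failed password for invalid user root from 221.194.47.252 port 43974 ssh2
Jun 21 20:05:38 node1 sshd[24969]: message repeated 2 times: [ Failed password for invalid user root from 221.194.47.252 port 43974 ssh2]
Jun 21 20:05:38 node1 sshd[24969]: Received disconnect from 221.194.47.252 port 43974:11:  [preauth]
Jun 21 20:05:38 node1 sshd[24969]: Disconnected from 221.194.47.252 port 43974 [preauth]
Jun 21 20:05:38 node1 sshd[24969]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.194.47.252  user=root
Jun 21 20:05:41 node1 sshd[24971]: User root from 221.194.47.252 not allowed because none of user's groups are listed in AllowGroups
Jun 21 20:05:41 node1 sshd[24971]: input_userauth_request: invalid user root [preauth]
Jun 21 20:05:42 node1 sshd[24971]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.194.47.252  user=root
Jun 21 20:05:44 node1 sshd[24971]: Failed password for invalid user root from 221.194.47.252 port 42071 ssh2
Jun 21 20:05:48 node1 sshd[24971]: message repeated 2 times: [ Failed password for invalid user root from 221.194.47.252 port 42071 ssh2]
Jun 21 20:05:49 node1 sshd[24971]: Received disconnect from 221.194.47.252 port 42071:11:  [preauth]
Jun 21 20:05:49 node1 sshd[24971]: Disconnected from 221.194.47.252 port 42071 [preauth]
Jun 21 20:05:49 node1 sshd[24971]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.194.47.252  user=root
"""

# Syslog prefix of an sshd line: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$')
# rsyslog's suppression of identical consecutive lines
REPEAT_RE = re.compile(r'^message repeated (?P<n>\d+) times: \[ (?P<inner>.*)\]$')
FAILED_RE = re.compile(
    r'^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)')
PAM_FAIL_RE = re.compile(r'^pam_unix\(sshd:auth\): authentication failure;')
PAM_MORE_RE = re.compile(r'^PAM (?P<n>\d+) more authentication failures;')


class Session(object):
    """One sshd child process, i.e. one TCP connection, keyed by its pid (assumption)."""

    def __init__(self, pid):
        self.pid = pid
        self.user = None
        self.ip = None
        self.port = None
        self.sshd_failures = 0   # "Failed password" lines, repeats expanded
        self.pam_failures = 0    # pam_unix failure line plus "PAM N more" summary
        self.disconnected = False


def parse_auth_log(text):
    """Return an OrderedDict pid -> Session built from auth.log text."""
    sessions = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line; ignore
        pid, msg = m.group('pid'), m.group('msg')
        if pid not in sessions:
            sessions[pid] = Session(pid)
        sess = sessions[pid]

        # Expand "message repeated N times: [ ... ]" into N copies of the inner line.
        multiplier = 1
        rep = REPEAT_RE.match(msg)
        if rep:
            multiplier = int(rep.group('n'))
            msg = rep.group('inner')

        fail = FAILED_RE.match(msg)
        if fail:
            sess.user, sess.ip, sess.port = fail.group('user'), fail.group('ip'), fail.group('port')
            sess.sshd_failures += multiplier
        elif PAM_FAIL_RE.match(msg):
            sess.pam_failures += multiplier
        else:
            more = PAM_MORE_RE.match(msg)
            if more:
                sess.pam_failures += int(more.group('n'))
            elif msg.startswith('Disconnected from'):
                sess.disconnected = True
    return sessions


def total_failed_attempts(sessions):
    """Total password attempts as counted from sshd's own lines."""
    return sum(s.sshd_failures for s in sessions.values())


def inconsistent_sessions(sessions):
    """Pids where the sshd and PAM counts disagree (typically a truncated excerpt)."""
    return [s.pid for s in sessions.values() if s.sshd_failures != s.pam_failures]


if __name__ == '__main__':
    found = parse_auth_log(SAMPLE_LOG)
    for s in found.values():
        print('pid {} {}:{} user={} sshd={} pam={} disconnected={}'.format(
            s.pid, s.ip, s.port, s.user, s.sshd_failures, s.pam_failures, s.disconnected))
    print('total failed attempts:', total_failed_attempts(found))
    print('sessions with mismatched counts:', inconsistent_sessions(found))
```

On the sample, pid 24971 counts 3 attempts from both sources (1 pam_unix line + "PAM 2 more"; 1 "Failed password" + "repeated 2 times"), while pid 24969 shows 3 from sshd but only 2 from PAM because its first pam_unix line lies before the excerpt begins. The mismatch check is the practical reason to keep both counts: it flags sessions whose log lines are incomplete or were rate-limited rather than silently under-counting.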