Interpreting auth.log on a Linux system: what qualifies as a single login attempt

Time: 2017-09-06 10:06:17

Tags: linux security openssh sshd auth.log

Using Python 3.5, I am writing some code to analyze /var/log/auth.log and identify certain events in it. I am on Ubuntu 17.04 with the default settings that write to /var/log/auth.log.

I am trying to quantify failed login events. But when I examine the log file, it looks to me as if a single failed login produces multiple lines. As the call passes through the different layers of the system, can I infer that all of the lines below correspond to one failed login attempt? Or is each line a separate failed login attempt?

The lines I am inclined to attribute to a single failed login attempt:

Jun 21 20:05:33 node1 sshd[24969]: Failed password for invalid user root from 221.194.47.252 port 43974 ssh2
Jun 21 20:05:38 node1 sshd[24969]: message repeated 2 times: [ Failed password for invalid user root from 221.194.47.252 port 43974 ssh2]
Jun 21 20:05:38 node1 sshd[24969]: Received disconnect from 221.194.47.252 port 43974:11:  [preauth]
Jun 21 20:05:38 node1 sshd[24969]: Disconnected from 221.194.47.252 port 43974 [preauth]
Jun 21 20:05:38 node1 sshd[24969]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.194.47.252  user=root
Jun 21 20:05:41 node1 sshd[24971]: User root from 221.194.47.252 not allowed because none of user's groups are listed in AllowGroups
Jun 21 20:05:41 node1 sshd[24971]: input_userauth_request: invalid user root [preauth]
Jun 21 20:05:42 node1 sshd[24971]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.194.47.252  user=root

More context:

Jun 21 20:05:33 node1 sshd[24969]: Failed password for invalid user root from 221.194.47.252 port 43974 ssh2
Jun 21 20:05:38 node1 sshd[24969]: message repeated 2 times: [ Failed password for invalid user root from 221.194.47.252 port 43974 ssh2]
Jun 21 20:05:38 node1 sshd[24969]: Received disconnect from 221.194.47.252 port 43974:11:  [preauth]
Jun 21 20:05:38 node1 sshd[24969]: Disconnected from 221.194.47.252 port 43974 [preauth]
Jun 21 20:05:38 node1 sshd[24969]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.194.47.252  user=root
Jun 21 20:05:41 node1 sshd[24971]: User root from 221.194.47.252 not allowed because none of user's groups are listed in AllowGroups
Jun 21 20:05:41 node1 sshd[24971]: input_userauth_request: invalid user root [preauth]
Jun 21 20:05:42 node1 sshd[24971]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.194.47.252  user=root
Jun 21 20:05:44 node1 sshd[24971]: Failed password for invalid user root from 221.194.47.252 port 42071 ssh2
Jun 21 20:05:48 node1 sshd[24971]: message repeated 2 times: [ Failed password for invalid user root from 221.194.47.252 port 42071 ssh2]
Jun 21 20:05:49 node1 sshd[24971]: Received disconnect from 221.194.47.252 port 42071:11:  [preauth]
Jun 21 20:05:49 node1 sshd[24971]: Disconnected from 221.194.47.252 port 42071 [preauth]
Jun 21 20:05:49 node1 sshd[24971]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.194.47.252  user=root
Jun 21 20:05:51 node1 sshd[24976]: User root from 221.194.47.252 not allowed because none of user's groups are listed in AllowGroups
Jun 21 20:05:51 node1 sshd[24976]: input_userauth_request: invalid user root [preauth]
Jun 21 20:05:51 node1 sshd[24976]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.194.47.252  user=root
Jun 21 20:05:54 node1 sshd[24976]: Failed password for invalid user root from 221.194.47.252 port 58648 ssh2
Jun 21 20:05:58 node1 sshd[24976]: message repeated 2 times: [ Failed password for invalid user root from 221.194.47.252 port 58648 ssh2]
Jun 21 20:05:59 node1 sshd[24976]: Received disconnect from 221.194.47.252 port 58648:11:  [preauth]
Jun 21 20:05:59 node1 sshd[24976]: Disconnected from 221.194.47.252 port 58648 [preauth]
Jun 21 20:05:59 node1 sshd[24976]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.194.47.252  user=root
Jun 21 20:06:02 node1 sshd[24980]: User root from 221.194.47.252 not allowed because none of user's groups are listed in AllowGroups
Jun 21 20:06:02 node1 sshd[24980]: input_userauth_request: invalid user root [preauth]
Jun 21 20:06:02 node1 sshd[24980]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.194.47.252  user=root

Should I identify a single failed login attempt by the pid of the sshd process? I can't go by port, because there can be more than one connection per port and multiple failed login attempts can occur, and I am trying to count failed login attempts as precisely as possible for later analysis.

Any other ideas? My next step is to grep the sshd source or PAM to see what I can find.
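As an added example (not the asker's code), the following Python script groups the lines quoted above by sshd pid, so that each forked sshd child, i.e. each client connection, becomes one record, expands the syslog "message repeated N times: [ ... ]" folding, and cross-checks the per-line "Failed password" count against the "PAM N more authentication failures" summary. It assumes the default Ubuntu rsyslog line format shown in the question; the sample lines are a subset of those in the post.

```python
import re

# Constructed sample: a subset of the sshd[24969] and sshd[24971] lines quoted in the question.
SAMPLE = """\
Jun 21 20:05:33 node1 sshd[24969]: Failed password for invalid user root from 221.194.47.252 port 43974 ssh2
Jun 21 20:05:38 node1 sshd[24969]: message repeated 2 times: [ Failed password for invalid user root from 221.194.47.252 port 43974 ssh2]
Jun 21 20:05:38 node1 sshd[24969]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.194.47.252  user=root
Jun 21 20:05:41 node1 sshd[24971]: User root from 221.194.47.252 not allowed because none of user's groups are listed in AllowGroups
Jun 21 20:05:42 node1 sshd[24971]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.194.47.252  user=root
Jun 21 20:05:44 node1 sshd[24971]: Failed password for invalid user root from 221.194.47.252 port 42071 ssh2
Jun 21 20:05:48 node1 sshd[24971]: message repeated 2 times: [ Failed password for invalid user root from 221.194.47.252 port 42071 ssh2]
Jun 21 20:05:49 node1 sshd[24971]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.194.47.252  user=root
"""

LINE_RE = re.compile(r'^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$')
FAILED_RE = re.compile(r'Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)')
REPEAT_RE = re.compile(r'^message repeated (?P<n>\d+) times: \[ (?P<inner>.*)\]$')
PAM_MORE_RE = re.compile(r'^PAM (?P<n>\d+) more authentication failures')


def parse_sessions(text):
    """Group sshd lines by pid (one forked sshd per client connection) and
    count the password failures within each connection."""
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line (cron, sudo, su, ...)
        s = sessions.setdefault(m.group('pid'), {'user': None, 'ip': None, 'port': None,
                                                 'failures': 0, 'pam_more': None})
        msg, count = m.group('msg'), 1
        rep = REPEAT_RE.match(msg)
        if rep:  # rsyslog folded identical consecutive lines: expand them
            msg, count = rep.group('inner'), int(rep.group('n'))
        f = FAILED_RE.search(msg)
        if f:
            s.update(user=f.group('user'), ip=f.group('ip'), port=f.group('port'))
            s['failures'] += count
        p = PAM_MORE_RE.match(msg)
        if p:  # PAM's summary on disconnect: failures beyond the first one
            s['pam_more'] = int(p.group('n'))
    return sessions


def failure_counts(text):
    """Return {pid: (ip, port, user, failures, consistent)} where `consistent`
    checks the per-line count against the PAM summary (first + N more)."""
    return {pid: (s['ip'], s['port'], s['user'], s['failures'],
                  s['pam_more'] is None or s['failures'] == 1 + s['pam_more'])
            for pid, s in parse_sessions(text).items()}
```

On the sample, both connections yield three password failures each, and the PAM summary (1 logged by sshd + 2 "more") agrees with the expanded "Failed password" lines.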

0 answers
