This is the mail archive of the cygwin mailing list for the Cygwin project.
Re: audit log's
- From: René Berber <rberber at prodigy dot net dot mx>
- To: cygwin at cygwin dot com
- Date: Thu, 10 Nov 2005 11:16:42 -0600
- Subject: Re: audit log's
- Openpgp: url=ldap://keyserver.pgp.com
- References: <43733e2daa4b36.07765730@sarenet.es>
degrem03 wrote:
> Thanks René.
You're welcome.
> The problem that we have is that on the Windows Event Application list, we received many messages like that:
>
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: NOUSER
> Domain:
> Logon Type: 2
> Logon Process: Advapi
> Authentication Package: Microsoft_authentication_package
> Eventid: 529
This is probably the same situation as the example I showed: somebody is using a
"dumb" program for trying to break into an unsecured system. They usually scan
the internet to see who has port 22 active and then send a list of user names
and passwords in a "brute force" attempt to break in.
That's the reason why in /usr/share/doc/Cygwin/inetutils-1.3.2.README there is a
recommendation to delete user guest from /etc/password or disable it using
Windows user administration; that recommendation is for ftp/telnet/rlogin, I
don't think sshd allows empty passwords.
> It is for that reason that we want to know more information about these events, and we think that perhaps we could use another tool in cygwin.
>
> We use cygwin as an SSH server.
I don't think there is any tool to analyze Windows events.
The only information I find useful is the IP address of the attacker, which I
could add to a firewall rule to stop him from creating those hundreds of events
(and a possible DoS attack). I haven't done this on Windows or for sshd, but if
you change sshd to log using syslog then you could use any log-watcher tool that
works on Unix.
Regards.
--
René Berber
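The log-watcher approach described in the reply above, as an added example that is not part of the original thread or of any Cygwin tool: once sshd logs through syslog, the attacker's IP is in the "Failed password ... from <ip>" lines, so a small script can count failures per source address, list the usernames each one tried, and emit a firewall rule for any address over a threshold. The sample log lines are constructed for this example, and the `netsh advfirewall` command is an assumed blocking mechanism (it exists on Windows Vista and later; the page does not say how the poster would block an address).

```python
import re
from collections import Counter, defaultdict

# Constructed sample of sshd messages as they would look in a syslog file once
# sshd is switched to syslog logging. These lines are made up for this example.
SAMPLE_LOG = """\
Nov 10 10:01:02 winbox sshd[1234]: Failed password for invalid user guest from 203.0.113.7 port 51234 ssh2
Nov 10 10:01:04 winbox sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Nov 10 10:01:06 winbox sshd[1234]: Failed password for root from 203.0.113.7 port 51236 ssh2
Nov 10 10:01:09 winbox sshd[1234]: Failed password for invalid user test from 203.0.113.7 port 51237 ssh2
Nov 10 10:02:00 winbox sshd[1240]: Accepted publickey for rene from 192.0.2.10 port 40000 ssh2
Nov 10 10:03:15 winbox sshd[1251]: Failed password for rene from 192.0.2.10 port 40001 ssh2
Nov 10 10:05:31 winbox sshd[1260]: Invalid user oracle from 198.51.100.23
Nov 10 10:05:31 winbox sshd[1260]: Failed password for invalid user oracle from 198.51.100.23 port 2200 ssh2
"""

# One failed password attempt. "invalid user" is present when the account does
# not exist at all (the NOUSER case in the Windows event), absent when it does.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_logins(log_text):
    """Count failed-password attempts per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def usernames_tried(log_text):
    """Map each source IP to the sorted list of usernames it tried."""
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            users[m.group("ip")].add(m.group("user"))
    return {ip: sorted(names) for ip, names in users.items()}


def offenders(log_text, threshold=3):
    """Source IPs with at least `threshold` failures, sorted for stable output.

    A single failure from a known user (a typo by a legitimate admin) stays
    below the threshold; a scripted run through a username list does not.
    """
    return sorted(ip for ip, n in failed_logins(log_text).items() if n >= threshold)


def block_rules(ips):
    """Build one inbound block rule per IP.

    Assumption: blocking is done with Windows Firewall via netsh advfirewall
    (not something the original poster stated); on a Unix host an iptables or
    pf rule would take the same IP.
    """
    return [
        f'netsh advfirewall firewall add rule name="ssh-bruteforce {ip}" '
        f"dir=in action=block remoteip={ip}"
        for ip in ips
    ]


if __name__ == "__main__":
    for ip, n in failed_logins(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} failures, users tried: {usernames_tried(SAMPLE_LOG)[ip]}")
    for rule in block_rules(offenders(SAMPLE_LOG)):
        print(rule)
```

Run against a real syslog file by replacing `SAMPLE_LOG` with the file contents; the threshold is the only tuning knob, and the per-IP username list is what distinguishes a scanner working through a wordlist from one user mistyping a password.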
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/