This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: audit log\\\'s

degrem03 wrote:

> Thanks René.

You're welcome.

> The problem that we have is that on the Windows Event Application list, we received many messages like that:
> Logon Failure:
>         Reason: Unknown user name or bad password
>          User Name: NOUSER
>          Domain:
>          Logon Type: 2
>          Logon Process: Advapi
>          Authentification Package: Microsoft_authentification_package
> Eventid: 529

This is probably the same situation as the example I showed: somebody is using a
"dumb" program for trying to break into an unsecured system.  They usually scan
the internet to see who has port 22 active and then send a list of user names
and passwords in a "brute force" attempt to break in.

That's the reason why in /usr/share/doc/Cygwin/inetutils-1.3.2.README there is a
recomendation to delete user guest from /etc/password or disable it using
Windows user administration; that recommendation is for ftp/telnet/rlogin, I
don't think sshd allows empty passwords.

> It is for that, that we want to know more information about these events and we think taht perhaps we could use other tool in cygwin.
> We use cygwin as server SSH.

I don't think there is any tool to analyze Windows events.

The only information I find usefull is the IP address of the attacker, which I
could add to a firewall rule to stop him from creating those hundreds of events
(and a possible DoS attack).  I haven't done this on Windows or for sshd, but if
you change sshd to log using syslog then you could use any log-watcher tool that
works on Unix.

René Berber

Unsubscribe info:
Problem reports:

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]