Mail Archives: cygwin/2005/11/10/12:23:34

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
To: cygwin AT cygwin DOT com
From: René Berber <rberber AT prodigy DOT net DOT mx>
Subject: Re: audit log's
Date: Thu, 10 Nov 2005 11:16:42 -0600
Lines: 54
Message-ID: <dkvv9p$fmu$1@sea.gmane.org>
References: <43733e2daa4b36 DOT 07765730 AT sarenet DOT es>
Mime-Version: 1.0
User-Agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)
In-Reply-To: <43733e2daa4b36.07765730@sarenet.es>
OpenPGP: url=ldap://keyserver.pgp.com
X-IsSubscribed: yes

degrem03 wrote:

> Thanks René.

You're welcome.

> The problem that we have is that on the Windows Event Application list, we received many messages like that:
>
> Logon Failure:
>         Reason: Unknown user name or bad password
>          User Name: NOUSER
>          Domain:
>          Logon Type: 2
>          Logon Process: Advapi
>          Authentification Package: Microsoft_authentification_package
> Eventid: 529

This is probably the same situation as the example I showed: somebody is using a
"dumb" program for trying to break into an unsecured system.  They usually scan
the internet to see who has port 22 active and then send a list of user names
and passwords in a "brute force" attempt to break in.

That's the reason why in /usr/share/doc/Cygwin/inetutils-1.3.2.README there is a
recommendation to delete user guest from /etc/password or disable it using
Windows user administration; that recommendation is for ftp/telnet/rlogin, I
don't think sshd allows empty passwords.

> It is for that, that we want to know more information about these events and we think that perhaps we could use other tool in cygwin.
>
> We use cygwin as server SSH.

I don't think there is any tool to analyze Windows events.

The only information I find useful is the IP address of the attacker, which I
could add to a firewall rule to stop him from creating those hundreds of events
(and a possible DoS attack).  I haven't done this on Windows or for sshd, but if
you change sshd to log using syslog then you could use any log-watcher tool that
works on Unix.

Regards.
-- 
René Berber


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
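The kind of log-watcher René describes, as an added example that is not part of the original mail or of Cygwin: it reads sshd lines in syslog format, counts failed logins per source IP, lists the user names each source tried (the "list of user names and passwords" pattern), and renders a firewall rule for every source over a threshold. The log lines are constructed for this example, the host name `winbox` and the IP addresses (RFC 5737 documentation ranges) are made up, and the rule format is iptables because that is what a Unix log-watcher would emit; the equivalent command on Windows depends on the firewall in use.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd log lines in syslog format (not from the original
# mail). A source trying many user names in a short time is the brute-force
# pattern described in the thread; "invalid user" is sshd's equivalent of the
# "Unknown user name" reason in the Windows 529 event.
SAMPLE_LOG = """\
Nov 10 11:16:40 winbox sshd[2201]: Invalid user NOUSER from 203.0.113.5
Nov 10 11:16:40 winbox sshd[2201]: Failed password for invalid user NOUSER from 203.0.113.5 port 51234 ssh2
Nov 10 11:16:42 winbox sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Nov 10 11:16:43 winbox sshd[2205]: Failed password for invalid user test from 203.0.113.5 port 51238 ssh2
Nov 10 11:16:45 winbox sshd[2207]: Failed password for invalid user guest from 203.0.113.5 port 51240 ssh2
Nov 10 11:16:47 winbox sshd[2209]: Failed password for Administrator from 203.0.113.5 port 51242 ssh2
Nov 10 11:17:01 winbox sshd[2211]: Failed password for rene from 198.51.100.7 port 40001 ssh2
Nov 10 11:17:09 winbox sshd[2213]: Accepted publickey for rene from 198.51.100.7 port 40002 ssh2
Nov 10 11:20:30 winbox sshd[2220]: Failed password for invalid user oracle from 192.0.2.99 port 33001 ssh2
"""

# Only "Failed ..." lines are counted. sshd also logs a separate
# "Invalid user X from IP" line for unknown accounts; counting both would
# double-count a single attempt.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey|none) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failures(log_text):
    """Return one (ip, user, unknown_user) tuple per failed login attempt."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("user"), m.group("invalid") is not None))
    return events


def failures_by_ip(log_text):
    """Number of failed attempts per source IP."""
    return Counter(ip for ip, _, _ in parse_failures(log_text))


def usernames_tried(log_text):
    """Sorted list of distinct user names each source IP tried."""
    tried = defaultdict(set)
    for ip, user, _ in parse_failures(log_text):
        tried[ip].add(user)
    return {ip: sorted(users) for ip, users in tried.items()}


def ips_to_block(log_text, threshold=5):
    """Source IPs with at least `threshold` failures (hypothetical cut-off)."""
    return sorted(ip for ip, n in failures_by_ip(log_text).items() if n >= threshold)


def firewall_rules(ips):
    """Render one iptables DROP rule per offending IP (illustrative format)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in ips]


if __name__ == "__main__":
    users = usernames_tried(SAMPLE_LOG)
    for ip, n in failures_by_ip(SAMPLE_LOG).most_common():
        print(f"{ip:16} {n:4} failures  users tried: {', '.join(users[ip])}")
    for rule in firewall_rules(ips_to_block(SAMPLE_LOG)):
        print(rule)
```

On the sample input only 203.0.113.5 crosses the threshold (five failures across five user names in seven seconds); the single failure from 198.51.100.7 followed by an accepted key is a legitimate user mistyping once and is left alone. Threshold and time window are the knobs to tune against real traffic before any rule is applied automatically.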
