With that said, the two most recent attempts seem to have both subsided. I haven't gone back far enough through my logs yet to figure out exactly when each one ended.
- The first one that started was the "James" attempt. Hundreds of systems per day trying to log in to my system under the name James. Too bad no such user exists on my system. In one 24 hour period I logged over 800 attempts from over 200 unique addresses. This attempt seems to have ended sooner, as well; though I'm not sure exactly when.
- The usual "phone book" attempt. I've mentioned this before, where a botnet (or something similar to it) will go through a long list of common login names, from a to z. As usual the attempt gave up well before it made it all the way through the alphabet; this time the last user I saw attempted was "chanton". Again over 100 systems involved in rapid succession; I will have to go back through old log files to figure out the rate.
One of these days I'll work on my security scripts (especially now that I finally got around to setting up a database backend to store the data) and mine this data. Each line in my messages file looks something like this:
Apr 19 18:22:16 our-freebsd-box sshd: error: PAM: authentication error for illegal user chanton from 188.8.131.52
And from that there are of course several useful bits of information:
- Attempted username
- IP address
Which could be thought of as the "raw data".
I figure once I parse through a large number of lines I could derive some additional information on the nature of the attempt(s):
- Attempts per hour (or minute or day)
- Attempts per name
- Attempts per IP address
- Attempts per IP range or network
Which would reasonably be called the "meta-data".
From this I could mine a little further and get some additional bits of useful information:
- Frequency per name
- Frequency per address
- Frequency per network
Which could presumably be the "meta-meta-data".
And here I thought I almost managed to escape having to learn SQL.
Obviously a useful output from all this (aside from the data described) would be to automatically write an email to the administrators of the relevant networks, with the information on what systems from their network attempted to access my system, when, and how often. This would be slightly more difficult to mine for, thanks to the arbitrary hogde-podge that we call WHOIS data.
Of course one thing that none of this will clearly tell me is why this is happening to my poor little web server. I had previously proposed that it could have been related to craigslist, as one round of attempts came shortly after I posted an ad to craigslist that included a link to my web server. However I have no such ads there currently so it seems unlikely that it is connected to someone trolling craigslist for web servers (unless they retain their lists). I suppose it may also be likely that someone is trolling address ranges for ssh servers and trying to get into them any way they can. I should check my sshd syntax to see if it is possible to get ssh to log the name of the system they tried to access (not sure how possible that would be); as I could get quite a bit of information out of knowing whether they tried to access my system by its name versus its IP address.