audit log's


audit log's

degrem03
Thanks René.

The problem that we have is that on the Windows Event Application list, we received many messages like that:

Logon Failure:
        Reason: Unknown user name or bad password
         User Name: NOUSER
         Domain:
         Logon Type: 2
         Logon Process: Advapi
         Authentification Package: Microsoft_authentification_package
Eventid: 529

That is why we want to know more about these events, and we think that perhaps we could use another tool in Cygwin.

We use Cygwin as an SSH server.


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/


Re: audit log's

René Berber
degrem03 wrote:

> Thanks René.

You're welcome.

> The problem that we have is that on the Windows Event Application list, we received many messages like that:
>
> Logon Failure:
>         Reason: Unknown user name or bad password
>          User Name: NOUSER
>          Domain:
>          Logon Type: 2
>          Logon Process: Advapi
>          Authentification Package: Microsoft_authentification_package
> Eventid: 529

This is probably the same situation as the example I showed: somebody is using a
"dumb" program for trying to break into an unsecured system.  They usually scan
the internet to see who has port 22 active and then send a list of user names
and passwords in a "brute force" attempt to break in.

That's the reason why in /usr/share/doc/Cygwin/inetutils-1.3.2.README there is a
recommendation to delete user guest from /etc/password or disable it using
Windows user administration; that recommendation is for ftp/telnet/rlogin, I
don't think sshd allows empty passwords.

> That is why we want to know more about these events, and we think that perhaps we could use another tool in Cygwin.
>
> We use Cygwin as an SSH server.

I don't think there is any tool to analyze Windows events.

The only information I find useful is the IP address of the attacker, which I
could add to a firewall rule to stop him from creating those hundreds of events
(and a possible DoS attack).  I haven't done this on Windows or for sshd, but if
you change sshd to log using syslog then you could use any log-watcher tool that
works on Unix.

Regards.
--
René Berber
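The reply above suggests switching sshd to syslog and then running a log-watcher over the result to pull out the attacker's IP address. The script below is an added example of that idea, not code from the thread or from the Cygwin project: it parses the two "Failed password" / "Invalid user" message shapes OpenSSH writes to syslog, counts failures and distinct user names per source address, flags sources that look like a scripted user-list brute force, and renders candidate block rules for an administrator to review. The log lines, host name and addresses are constructed (RFC 5737 / 3849 documentation ranges), the thresholds are arbitrary, and the `netsh advfirewall` rule syntax is assumed for a modern Windows host rather than taken from the thread.

```python
import re
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample syslog lines in OpenSSH's format. Host "gw" and all
# addresses are hypothetical; they are not from the original thread.
SAMPLE_LOG = """\
Nov  3 10:15:01 gw sshd[1234]: Failed password for invalid user guest from 203.0.113.7 port 51122 ssh2
Nov  3 10:15:03 gw sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Nov  3 10:15:04 gw sshd[1235]: Failed password for root from 203.0.113.7 port 51124 ssh2
Nov  3 10:15:05 gw sshd[1236]: Invalid user test from 203.0.113.7
Nov  3 10:16:10 gw sshd[1240]: Failed password for alice from 198.51.100.20 port 40000 ssh2
Nov  3 10:16:30 gw sshd[1241]: Accepted publickey for alice from 198.51.100.20 port 40001 ssh2
Nov  3 10:17:00 gw sshd[1242]: Failed password for invalid user guest from 2001:db8::9 port 33000 ssh2
"""

# The two message shapes sshd emits for a failed attempt. The optional
# "invalid user " prefix marks names that do not exist on the system at all.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)")


@dataclass
class SourceStats:
    failures: int = 0
    users: set = field(default_factory=set)


def parse_failures(text):
    """Return {source_ip: SourceStats} for every failed or invalid-user attempt."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        m = FAILED_RE.search(line) or INVALID_RE.search(line)
        if not m:
            continue  # successful logins and unrelated daemons are ignored
        try:
            # Normalise and validate the address instead of trusting raw log text
            ip = str(ipaddress.ip_address(m.group("ip")))
        except ValueError:
            continue
        s = stats[ip]
        s.failures += 1
        s.users.add(m.group("user"))
    return dict(stats)


def suspicious_sources(stats, max_failures=3, max_users=2):
    """Flag sources exceeding either threshold (arbitrary values for the example).

    Many failures from one address, or attempts against several different
    account names, is the signature of a scripted user-list brute force rather
    than a legitimate user mistyping a password.
    """
    return sorted(
        ip for ip, s in stats.items()
        if s.failures >= max_failures or len(s.users) > max_users
    )


def firewall_block_rules(ips, port=22):
    """Render inbound block rules for an administrator to review before applying.

    Assumed syntax for the Windows Firewall netsh interface; on a Unix host the
    equivalent would be an iptables/nftables or pf rule with the same address.
    """
    return [
        f'netsh advfirewall firewall add rule name="sshd-bruteforce-{ip}" '
        f"dir=in action=block protocol=TCP localport={port} remoteip={ip}"
        for ip in ips
    ]


if __name__ == "__main__":
    stats = parse_failures(SAMPLE_LOG)
    for ip, s in sorted(stats.items()):
        print(f"{ip:>16}  failures={s.failures}  users={sorted(s.users)}")
    flagged = suspicious_sources(stats)
    print("flagged:", flagged)
    for rule in firewall_block_rules(flagged):
        print(rule)
```

On the constructed input only 203.0.113.7 is flagged: four failures spread over four user names, the pattern the reply describes. The single failure from 198.51.100.20 followed by a successful public-key login is left alone, which is the reason to count per source and compare against a threshold rather than react to each event 529 individually.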

