From: Moe Trin on 20 Apr 2010 16:06

On Tue, 20 Apr 2010, in the Usenet newsgroup alt.os.linux.suse, in article
<20100420212705(a)usenet.waxborg.local>, Vahis wrote:

>I got an awesome result by running this:
>
>zgrep "Invalid user" /var/log/messages* | awk '{print $8}' | sort |
>uniq -c | sort -nr | less
>
>It's amazing.

That depends on how your syslogd is configured. Here, failed logins go
to /var/log/secure but that's just a different tradition ;-)

>Especially the number of Finnish first names and even a few Finnish
>family names quite a number of times were stunning.

I can assure you, I don't ever see Finnish names in the logs here. Part
of that may be that you are in Suomen Tasavalta and using IPs assigned
there. But then again, it may be a secret function of the Black
Helicopter Service.

>The top 5 is quite predictable though:
>444 test
>398 oracle
>284 nagios
>214 user
>200 guest

   [compton ~]# zgrep "Invalid user" /var/log/secure*
   [compton ~]#

The rare invalid user seen here is nearly always 'root', but I've also
seen 'toor' (a 'BSD'ism) and 'administrator' though why those accounts
should be accepting logins from the wild/wooly world is unknown.

A week ago, there were 3047915464 IPv4 addresses assigned or allocated
in 101545 blocks by the five Regional Internet Registries. I really
don't expect users to be trying to connect to my systems from most of
those ranges, and therefore limit access to 1530 addresses in 3 blocks.
IPv6 is comparatively rare here, and I don't accept any access from
that part of the Internet. At work, we similarly restrict access,
though not as sharply.

        Old guy
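The tally discussed in the post above, as an added example that is not part of the original thread: it finds the name relative to the "Invalid user" marker rather than at field $8, so a different syslog prefix or a missing name does not skew the counts. The function names tally_invalid_users and sample_log are hypothetical, and the log lines are constructed samples.

```sh
#!/bin/sh
# Added example, not from the thread: tally names from sshd "Invalid user"
# lines on stdin, printing "count name" with the most frequent first.
# Real use (paths as in the thread): zcat -f /var/log/messages* | tally_invalid_users

tally_invalid_users() {
    # Names are chosen by the remote side, so replace non-printable bytes
    # before anything reaches a terminal or pager.
    LC_ALL=C tr -c '[:print:]\n' '?' |
    awk '
        # Find the name relative to the "Invalid user" marker instead of a
        # fixed column such as $8, which moves with the syslog prefix.
        # Assumes the address after "from" is numeric (IPv4 or IPv6).
        match($0, /Invalid user .* from [0-9A-Fa-f:.]+/) {
            rest = substr($0, RSTART + 13, RLENGTH - 13)  # text after "Invalid user "
            sub(/ from [0-9A-Fa-f:.]+$/, "", rest)        # strip " from <addr>"
            if (rest == "") rest = "(empty)"              # no name was sent
            count[rest]++
        }
        END { for (n in count) printf "%d %s\n", count[n], n }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample lines (documentation addresses), two timestamp layouts.
# The lowercase "invalid user" line is skipped, as zgrep "Invalid user" would.
sample_log() {
    cat <<'EOF'
Apr 20 10:01:02 host sshd[1234]: Invalid user test from 192.0.2.10
Apr 20 10:01:05 host sshd[1235]: Invalid user oracle from 192.0.2.10
2010-04-20T10:02:11+03:00 host sshd[1240]: Invalid user test from 198.51.100.7
Apr 20 10:03:00 host sshd[1241]: Invalid user  from 203.0.113.5
Apr 20 10:03:09 host sshd[1242]: Failed password for invalid user test from 192.0.2.10 port 4242 ssh2
Apr 20 10:04:00 host sshd[1243]: Accepted publickey for alice from 192.0.2.99 port 5555 ssh2
EOF
}

sample_log | tally_invalid_users
```

On the same sample, awk '{print $8}' returns the source address for the third line and the word "from" for the fourth.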
From: Shmuel Metz on 21 Apr 2010 05:05
In <slrnhsq89v.lrc.ibuprofin(a)compton.phx.az.us>, on 04/19/2010
at 10:36 PM, ibuprofin(a)painkiller.example.tld.invalid (Moe Trin) said:

>There _used_to_be_ a 'whois.abuse.net' that listed abuse@ addresses for
>many domains. I don't know how well it works any more.

There are also whois clients that can follow referrals. AFAIK,
abuse.net relies on the data from whois servers.

>news.admin.net-abuse.bulletins

Defunct unless you can find a moderator.

>news.admin.net-abuse.sightings

Defunct unless you can find a moderator.

>Most abuse-desk positions have been eliminated by the bean counters
>as non-profitable.

ObOrsonSwindle :-(

-- 
Shmuel (Seymour J.) Metz, SysProg and JOAT <http://patriot.net/~shmuel>

Unsolicited bulk E-mail subject to legal action. I reserve the
right to publicly post or ridicule any abusive E-mail. Reply to
domain Patriot dot net user shmuel+news to contact me. Do not
reply to spamtrap(a)library.lspace.org