Repository: YosfanEilay/AuthLogParser
Branch: main
Commit: 4f0647677fc5
Files: 26
Total size: 225.9 KB

Directory structure:
gitextract_1xx4zayr/
├── 01-Logs/
│   └── MasterParser-Example-auth.log
├── 02-LogModules/
│   └── Auth.Log/
│       ├── 01-LogCopy/
│       │   └── CreateLogCopy.ps1
│       ├── 02-TimePatch/
│       │   └── 01-TimePatch.ps1
│       ├── 03-Features/
│       │   ├── 01-file_summary_report.ps1
│       │   ├── 02-event_name_table.ps1
│       │   ├── 03-ip_address_table.ps1
│       │   ├── 04-regex_search_engine.ps1
│       │   ├── 05-system_login_calculation.ps1
│       │   ├── 06-ssh_login_calculation.ps1
│       │   ├── 07-ssh_brute_force_detector.ps1
│       │   ├── 08-ftp_brute_force_detector.ps1
│       │   └── 09-final_output.ps1
│       └── Auth.Log.ps1
├── 03-Options/
│   ├── 00-Banner.ps1
│   ├── 01-Update.ps1
│   ├── 02-auto_update_check.ps1
│   ├── 03-Menu.ps1
│   ├── 04-Purge.ps1
│   └── 05-functions.ps1
├── LICENSE
├── MasterParser Training/
│   └── 02 - Exercises and Scenarios to investigate/
│       ├── 01 - FTP Brute-Force Attack/
│       │   └── Auth.Log FTP Brute-Force Attack
│       ├── 02 - The Disgruntled Employee/
│       │   └── Auth.Log The Disgruntled Employee.txt
│       ├── 03 - Why The Server is Unavailable/
│       │   └── Auth.Log Why The Server is Unavailable
│       └── 04 - Reconnaissance Activity/
│           └── Auth.Log Reconnaissance Activity
├── MasterParser.ps1
└── README.md

================================================
FILE CONTENTS
================================================

================================================
FILE: 01-Logs/MasterParser-Example-auth.log
================================================
Dec 10 00:17:01 eilay-desktop CRON[75966]: pam_unix(cron:session): session opened for user root by (uid=0)
# # # # Example-Description: Successful SSH
Dec 10 14:11:49 eilay-desktop sshd[1074]: Accepted password for eilay from 192.168.2.10 port 65107 ssh2
Dec 10 14:11:49 eilay-desktop sshd[1074]: Accepted password for eilay from 192.168.2.10 port 65107 ssh2
Dec 10 14:11:49 eilay-desktop sshd[1074]: Accepted password for eilay from 192.168.2.10 port 65107 ssh2
Dec 10 14:11:49 eilay-desktop sshd[1074]: Accepted password for Hacker from 192.168.2.10 port 65107 ssh2
Dec 10 14:11:49 eilay-desktop sshd[1074]: Accepted password for Hacker from 192.168.2.10 port 65107 ssh2
Dec 10 14:11:49 eilay-desktop sshd[1074]: Accepted password for Hacker from 192.168.2.10 port 65107 ssh2
Dec 10 14:11:49 eilay-desktop sshd[1074]: Accepted password for Hacker from 192.168.2.10 port 65107 ssh2
Dec 10 14:11:49 eilay-desktop sshd[1074]: Accepted password for Test from 192.168.2.10 port 65107 ssh2
Dec 10 14:11:49 eilay-desktop sshd[1074]: Accepted password for Test from 192.168.2.10 port 65107 ssh2
Dec 10 14:11:49 eilay-desktop sshd[1074]: Accepted password for Test from 192.168.2.10 port 65107 ssh2
Dec 10 14:11:49 eilay-desktop sshd[1074]: Accepted password for Test from 192.168.2.10 port 65107 ssh2
Dec 10 14:11:49 eilay-desktop sshd[1074]: Accepted password for Test from 192.168.2.10 port 65107 ssh2
Dec 10 14:11:49 eilay-desktop sshd[1074]: Accepted password for VeryLongUserName from 192.168.2.10 port 65107 ssh2
# # # # Example-Description: Successful publickey SSH
Dec 10 14:11:49 eilay-desktop sshd[21670]: Accepted publickey for eilay from 192.168.2.14 port 61006 ssh2: RSA SHA256:Jfy3RVGpdSaSsNkUfrN589155so7C9KwDxTS12339EI
Dec 10 14:11:49 eilay-desktop sshd[21670]: Accepted publickey for eilay from 192.168.2.14 port 61006 ssh2: RSA SHA256:Jfy3RVGpdSaSsNkUfrN589155so7C9KwDxTS12339EI
Dec 10 14:11:49 eilay-desktop sshd[21670]: Accepted publickey for eilay from 192.168.2.14 port 61006 ssh2: RSA SHA256:Jfy3RVGpdSaSsNkUfrN589155so7C9KwDxTS12339EI
Dec 10 14:11:49 eilay-desktop sshd[21670]: Accepted publickey for eilay from 192.168.2.14 port 61006 ssh2: RSA SHA256:Jfy3RVGpdSaSsNkUfrN589155so7C9KwDxTS12339EI
Dec 10 14:11:49 eilay-desktop sshd[21670]: Accepted publickey for eilay from 192.168.2.14 port 61006 ssh2: RSA SHA256:Jfy3RVGpdSaSsNkUfrN589155so7C9KwDxTS12339EI
Dec 10 14:11:49 eilay-desktop sshd[21670]: Accepted publickey for Hacker from 192.168.2.14 port 61006 ssh2: RSA SHA256:Jfy3RVGpdSaSsNkUfrN589155so7C9KwDxTS12339EI
Dec 10 14:11:49 eilay-desktop sshd[21670]: Accepted publickey for Hacker from 192.168.2.14 port 61006 ssh2: RSA SHA256:Jfy3RVGpdSaSsNkUfrN589155so7C9KwDxTS12339EI
Dec 10 14:11:49 eilay-desktop sshd[21670]: Accepted publickey for Hacker from 192.168.2.14 port 61006 ssh2: RSA SHA256:Jfy3RVGpdSaSsNkUfrN589155so7C9KwDxTS12339EI
Dec 10 14:11:49 eilay-desktop sshd[21670]: Accepted publickey for Hacker from 192.168.2.14 port 61006 ssh2: RSA SHA256:Jfy3RVGpdSaSsNkUfrN589155so7C9KwDxTS12339EI
Dec 10 14:11:49 eilay-desktop sshd[21670]: Accepted publickey for Hacker from 192.168.2.14 port 61006 ssh2: RSA SHA256:Jfy3RVGpdSaSsNkUfrN589155so7C9KwDxTS12339EI
Dec 10 14:11:49 eilay-desktop sshd[21670]: Accepted publickey for VeryLongUserName from 192.168.2.14 port 61006 ssh2: RSA SHA256:Jfy3RVGpdSaSsNkUfrN589155so7C9KwDxTS12339EI
Dec 10 14:11:49 eilay-desktop sshd[21670]: Accepted publickey for Test from 192.168.2.14 port 61006 ssh2: RSA SHA256:Jfy3RVGpdSaSsNkUfrN589155so7C9KwDxTS12339EI
# # # # Example-Description: Failed SSH logins
Dec 10 14:11:49 eilay-desktop sshd[1094]: Failed password for eilay from 192.168.2.10 port 64853 ssh2
Dec 10 14:11:49 eilay-desktop sshd[1094]: Failed password for eilay from 192.168.2.10 port 64853 ssh2
Dec 10 14:11:49 eilay-desktop sshd[1094]: Failed password for eilay from 192.168.2.10 port 64853 ssh2
Dec 10 14:11:49 eilay-desktop sshd[1094]: Failed password for eilay from 192.168.2.10 port 64853 ssh2
Dec 10 14:11:49 eilay-desktop sshd[1094]: Failed password for Hacker from 192.168.2.10 port 64853 ssh2
Dec 10 14:11:49 eilay-desktop sshd[1094]: Failed password for Hacker from 192.168.2.10 port 64853 ssh2
Dec 10 14:11:49 eilay-desktop sshd[1094]: Failed password for Hacker from 192.168.2.10 port 64853 ssh2
Dec 10 14:11:49 eilay-desktop sshd[1094]: Failed password for VeryLongUserName from 192.168.2.10 port 64853 ssh2
Dec 10 14:11:49 eilay-desktop sshd[1094]: Failed password for VeryLongUserName from 192.168.2.10 port 64853 ssh2
Dec 10 14:11:49 eilay-desktop sshd[1094]: Failed password for VeryLongUserName from 192.168.2.10 port 64853 ssh2
Dec 10 14:11:49 eilay-desktop sshd[1094]: Failed password for VeryLongUserName from 192.168.2.10 port 64853 ssh2
Dec 10 14:11:49 eilay-desktop sshd[1094]: Failed password for Test from 192.168.2.10 port 64853 ssh2
# # # # Example-Description: Adding a user to the system
Dec 10 14:11:49 eilay-desktop useradd[2571]: new user: name=Max, UID=1001, GID=1001, home=/home/Max, shell=/bin/sh, from=/dev/pts/0
Dec 10 14:11:49 eilay-desktop useradd[2571]: new user: name=Max, UID=1001, GID=1001, home=/home/Max, shell=/bin/sh, from=/dev/pts/0
Dec 10 14:11:49 eilay-desktop useradd[2571]: new user: name=Max, UID=1001, GID=1001, home=/home/Max, shell=/bin/sh, from=/dev/pts/0
Dec 10 14:11:49 eilay-desktop useradd[2571]: new user: name=Hacker, UID=1001, GID=1001, home=/home/Max, shell=/bin/sh, from=/dev/pts/0
Dec 10 14:11:49 eilay-desktop useradd[2571]: new user: name=Hacker, UID=1001, GID=1001, home=/home/Max, shell=/bin/sh, from=/dev/pts/0
Dec 10 14:11:49 eilay-desktop useradd[2571]: new user: name=Hacker, UID=1001, GID=1001, home=/home/Max, shell=/bin/sh, from=/dev/pts/0
Dec 10 14:11:49 eilay-desktop useradd[2571]: new user: name=Test, UID=1001, GID=1001, home=/home/Max, shell=/bin/sh, from=/dev/pts/0
Dec 10 14:11:49 eilay-desktop useradd[2571]: new user: name=Test, UID=1001, GID=1001, home=/home/Max, shell=/bin/sh, from=/dev/pts/0
Dec 10 14:11:49 eilay-desktop useradd[2571]: new user: name=Test, UID=1001, GID=1001, home=/home/Max, shell=/bin/sh, from=/dev/pts/0
Dec 10 14:11:49 eilay-desktop useradd[2571]: new user: name=VeryLongUserName, UID=1001, GID=1001, home=/home/Max, shell=/bin/sh, from=/dev/pts/0
Dec 10 14:11:49 eilay-desktop useradd[2571]: new user: name=VeryLongUserName, UID=1001, GID=1001, home=/home/Max, shell=/bin/sh, from=/dev/pts/0
Dec 10 14:11:49 eilay-desktop useradd[2571]: new user: name=VeryLongUserName, UID=1001, GID=1001, home=/home/Max, shell=/bin/sh, from=/dev/pts/0
# # # # Example-Description: Deleting a user from the system
Dec 10 14:11:49 eilay-desktop userdel[2531]: delete user 'Max'
Dec 10 14:11:49 eilay-desktop userdel[2531]: delete user 'Max'
Dec 10 14:11:49 eilay-desktop userdel[2531]: delete user 'Max'
Dec 10 14:11:49 eilay-desktop userdel[2531]: delete user 'Hacker'
Dec 10 14:11:49 eilay-desktop userdel[2531]: delete user 'Hacker'
Dec 10 14:11:49 eilay-desktop userdel[2531]: delete user 'VeryLongUserName'
# # # # Example-Description: User password changes
Dec 10 14:11:49 eilay-desktop passwd[2639]: pam_unix(passwd:chauthtok): password changed for Max
Dec 10 14:11:49 eilay-desktop passwd[2639]: pam_unix(passwd:chauthtok): password changed for Max
Dec 10 14:11:49 eilay-desktop passwd[2639]: pam_unix(passwd:chauthtok): password changed for Hacker
Dec 10 14:11:49 eilay-desktop passwd[2639]: pam_unix(passwd:chauthtok): password changed for Hacker
Dec 10 14:11:49 eilay-desktop passwd[2639]: pam_unix(passwd:chauthtok): password changed for Test
Dec 10 14:11:49 eilay-desktop passwd[2639]: pam_unix(passwd:chauthtok): password changed for Test
Dec 10 14:11:49 eilay-desktop passwd[2639]: pam_unix(passwd:chauthtok): password changed for VeryLongUserName
Dec 10 14:11:49 eilay-desktop usermod[2248]: change user 'Max' password
Dec 10 14:11:49 eilay-desktop usermod[2248]: change user 'Hacker' password
Dec 10 14:11:49 eilay-desktop usermod[2248]: change user 'Hacker' password
Dec 10 14:11:49 eilay-desktop usermod[2248]: change user 'Test' password
Dec 10 14:11:49 eilay-desktop usermod[2248]: change user 'VeryLongUserName' password
Dec 10 14:11:49 eilay-desktop usermod[2248]: change user 'VeryLongUserName' password
Dec 10 14:11:49 eilay-desktop chpasswd[2301]: pam_unix(chpasswd:chauthtok): password changed for Max
Dec 10 14:11:49 eilay-desktop chpasswd[2301]: pam_unix(chpasswd:chauthtok): password changed for Max
Dec 10 14:11:49 eilay-desktop chpasswd[2301]: pam_unix(chpasswd:chauthtok): password changed for Hacker
Dec 10 14:11:49 eilay-desktop chpasswd[2301]: pam_unix(chpasswd:chauthtok): password changed for Hacker
Dec 10 14:11:49 eilay-desktop chpasswd[2301]: pam_unix(chpasswd:chauthtok): password changed for Test
Dec 10 14:11:49 eilay-desktop chpasswd[2301]: pam_unix(chpasswd:chauthtok): password changed for Test
Dec 10 14:11:49 eilay-desktop chpasswd[2301]: pam_unix(chpasswd:chauthtok): password changed for VeryLongUserName
Dec 10 14:11:49 eilay-desktop chpasswd[2301]: pam_unix(chpasswd:chauthtok): password changed for VeryLongUserName
# # # # Example-Description: User password Expire
Dec 10 14:11:49 eilay-desktop chage[2329]: changed password expiry for Max
Dec 10 14:11:49 eilay-desktop chage[2329]: changed password expiry for Hacker
Dec 10 14:11:49 eilay-desktop chage[2329]: changed password expiry for Test
Dec 10 14:11:49 eilay-desktop chage[2329]: changed password expiry for VeryLongUserName
# # # # Example-Description: Group creation
Dec 10 14:11:49 eilay-desktop groupadd[2711]: new group: name=TheHackers, GID=1002
Dec 10 14:11:49 eilay-desktop groupadd[2711]: new group: name=APT-32, GID=1002
Dec 10 14:11:49 eilay-desktop groupadd[2711]: new group: name=KARMA, GID=1002
Dec 10 14:11:49 eilay-desktop groupadd[2711]: new group: name=DeadCow, GID=1002
# # # # Example-Description: Group deletion
Dec 10 14:11:49 eilay-desktop groupdel[2731]: group 'TheHackers' removed
Dec 10 14:11:49 eilay-desktop groupdel[2731]: group 'APT-32' removed
Dec 10 14:11:49 eilay-desktop groupdel[2731]: group 'KARMA' removed
Dec 10 14:11:49 eilay-desktop groupdel[2731]: group 'DeadCow' removed
# # # # Example-Description: User added to a group
Dec 10 14:11:49 eilay-desktop usermod[2806]: add 'Hacker' to group 'TheHackers'
Dec 10 14:11:49 eilay-desktop usermod[2806]: add 'JohnWick' to group 'APT-32'
Dec 10 14:11:49 eilay-desktop usermod[2806]: add 'MikeTyson' to group 'KARMA'
Dec 10 14:11:49 eilay-desktop usermod[2806]: add 'KevinMitnick' to group 'DeadCow'
# # # # Example-Description: User removed from a group
Dec 10 14:11:49 eilay-desktop gpasswd[2833]: user Hacker removed by root from group TheHackers
Dec 10 14:11:49 eilay-desktop gpasswd[2833]: user JohnWick removed by root from group APT-32
Dec 10 14:11:49 eilay-desktop gpasswd[2833]: user MikeTyson removed by root from group KARMA
Dec 10 14:11:49 eilay-desktop gpasswd[2833]: user KevinMitnick removed by root from group DeadCow
# # # # Example-Description: Changing user information
Dec 10 14:11:49 eilay-desktop chfn[2374]: changed user 'Hacker' information
Dec 10 14:11:49 eilay-desktop chfn[2374]: changed user 'Hacker' information
Dec 10 14:11:49 eilay-desktop chfn[2374]: changed user 'MikeTyson' information
Dec 10 14:11:49 eilay-desktop chfn[2374]: changed user 'KevinMitnick' information
Dec 10 14:11:49 eilay-desktop chfn[2374]: changed user 'JohnWick' information
Dec 10 14:11:49 eilay-desktop chfn[2374]: changed user 'eilay' information
# # # # Example-Description: Power Button
Dec 10 14:11:49 eilay-desktop systemd-logind[633]: Watching system buttons on /dev/input/event0 (Power Button)
Dec 10 14:11:49 eilay-desktop systemd-logind[633]: Watching system buttons on /dev/input/event1 (Power Button)
Dec 10 14:11:49 eilay-desktop systemd-logind[633]: Watching system buttons on /dev/input/event0 (Power Button)
Dec 10 14:11:49 eilay-desktop systemd-logind[633]: Watching system buttons on /dev/input/event1 (Power Button)
# # # # Example-Description: Session opened for user
Dec 10 14:11:49 eilay-desktop sudo: pam_unix(sudo:session): session opened for user root by eilay(uid=0)
Dec 10 14:11:49 eilay-desktop sudo: pam_unix(sudo:session): session opened for user root by eilay(uid=0)
Dec 10 14:11:49 eilay-desktop sudo: pam_unix(sudo:session): session opened for user root by Hacker(uid=0)
Dec 10 14:11:49 eilay-desktop sudo: pam_unix(sudo:session): session opened for user root by Hacker(uid=0)
Dec 10 14:11:49 eilay-desktop sudo: pam_unix(sudo:session): session opened for user root by VeryLongUserName(uid=0)
Dec 10 14:11:49 eilay-desktop sudo: pam_unix(sudo:session): session opened for user root by VeryLongUserName(uid=0)
Dec 10 14:11:49 eilay-desktop sudo: pam_unix(sudo:session): session opened for user root by VeryLongUserName(uid=0)
Dec 10 14:11:49 eilay-desktop sudo: pam_unix(sudo:session): session opened for user root by MikeTyson(uid=0)
Dec 10 14:11:49 eilay-desktop sudo: pam_unix(sudo:session): session opened for user root by MikeTyson(uid=0)
Dec 10 14:11:49 eilay-desktop sudo: pam_unix(sudo:session): session opened for user root by MikeTyson(uid=0)
Dec 10 14:11:49 eilay-desktop sudo: pam_unix(sudo:session): session opened for user root by MikeTyson(uid=0)
# # # # Example-Description: Elevated commands executions
Dec 10 14:11:49 eilay-desktop sudo: eilay : TTY=pts/0 ; PWD=/home/eilay ; USER=root ; COMMAND=/usr/bin/su
Dec 10 14:11:49 eilay-desktop sudo: eilay : TTY=pts/0 ; PWD=/home/eilay ; USER=root ; COMMAND=/dev/sda
Dec 10 14:11:49 eilay-desktop sudo: Hacker : TTY=pts/0 ; PWD=/home/eilay ; USER=root ; COMMAND=/usr/sbin/adduser
Dec 10 14:11:49 eilay-desktop sudo: eilay : TTY=pts/0 ; PWD=/home/eilay ; USER=root ; COMMAND=/usr/sbin/deluser
Dec 10 14:11:49 eilay-desktop sudo: root : TTY=pts/4 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/nano /etc/vsftpd.conf
Dec 10 14:11:49 eilay-desktop sudo: root : TTY=pts/1 ; PWD=/home/eilay ; USER=root ; COMMAND=/usr/bin/nano /root/.bashrc
Dec 10 14:11:49 eilay-desktop sudo: eilay : TTY=pts/0 ; PWD=/home/eilay ; USER=root ; COMMAND=/usr/bin/timedatectl set-timezone Asia/Jerusalem
Dec 10 14:11:49 eilay-desktop sudo: Hacker : TTY=pts/1 ; PWD=/home ; USER=root ; COMMAND=/usr/bin/ls /var/log/ufw*
Dec 10 14:11:49 eilay-desktop sudo: Hacker : TTY=pts/1 ; PWD=/home ; USER=root ; COMMAND=/usr/bin/systemctl restart rsyslog
Dec 10 14:11:49 eilay-desktop sudo: MikeTyson : TTY=pts/4 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/nano /etc/vsftpd.conf
Dec 10 14:11:49 eilay-desktop sudo: MikeTyson : TTY=pts/4 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/systemctl restart vsftpd
Dec 10 14:11:49 eilay-desktop sudo: VeryLongUserName : TTY=pts/0 ; PWD=/home/eilay ; USER=root ; COMMAND=/usr/sbin/usermod
Dec 10 14:11:49 eilay-desktop sudo: VeryLongUserName : TTY=pts/0 ; PWD=/home/eilay ; USER=root ; COMMAND=/usr/bin/su
Dec 10 14:11:49 eilay-desktop sudo: VeryLongUserName : TTY=pts/0 ; PWD=/home/eilay ; USER=root ; COMMAND=/usr/bin/su
# # # # Example-Description: FTP authentication failures formats
Dec 10 14:11:49 eilay-desktop vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=eilay rhost=::ffff:192.168.2.10 user=eilay
Dec 10 14:11:49 eilay-desktop vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=eilay rhost=::ffff:192.168.2.10 user=eilay
Dec 10 14:11:49 eilay-desktop vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=eilay rhost=::ffff:192.168.2.10 user=eilay
Dec 10 14:11:49 eilay-desktop vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=eilay rhost=::ffff:192.168.2.10 user=eilay
Dec 10 14:11:49 eilay-desktop vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=eilay rhost=::ffff:192.168.2.10 user=eilay
Dec 10 14:11:49 eilay-desktop vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=eilay rhost=::ffff:192.168.2.10 user=eilay
Dec 10 14:11:49 eilay-desktop vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=eilay rhost=::ffff:192.168.2.10 user=eilay
Dec 10 14:11:49 eilay-desktop vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=eilay rhost=::ffff:192.168.2.10 user=eilay
Dec 10 14:11:49 eilay-desktop vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=eilay rhost=::ffff:192.168.2.10 user=eilay
Dec 10 14:11:49 eilay-desktop vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=eilay rhost=::ffff:192.168.2.10 user=eilay
Dec 10 14:11:49 eilay-desktop vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=eilay rhost=::ffff:192.168.2.10 user=eilay
Dec 10 14:11:49 eilay-desktop vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=eilay rhost=::ffff:192.168.2.10 user=eilay
Dec 10 14:11:49 eilay-desktop vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=eilay rhost=::ffff:192.168.2.10 user=eilay
Dec 10 14:11:49 eilay-desktop vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=eilay rhost=::ffff:192.168.2.10 user=eilay
Dec 10 14:11:49 eilay-desktop vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=eilay rhost=::ffff:192.168.2.10 user=eilay
Dec 10 14:11:49 eilay-desktop vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Hacker rhost=::ffff:192.168.2.10 user=Hacker
Dec 10 14:11:49 eilay-desktop vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Hacker rhost=::ffff:192.168.2.10 user=Hacker
Dec 10 14:11:49 eilay-desktop vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Hacker rhost=::ffff:192.168.2.10 user=Hacker
Dec 10 14:11:49 eilay-desktop vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Hacker rhost=::ffff:192.168.2.10 user=Hacker
Dec 10 14:11:49 eilay-desktop vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=MikeTyson rhost=::ffff:192.168.2.10 user=MikeTyson
Dec 10 14:11:49 eilay-desktop vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=MikeTyson rhost=::ffff:192.168.2.10 user=MikeTyson
Dec 10 14:11:49 eilay-desktop vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=MikeTyson rhost=::ffff:192.168.2.10 user=MikeTyson
Dec 10 14:11:49 eilay-desktop vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=MikeTyson rhost=::ffff:192.168.2.10 user=MikeTyson
Dec 10 14:11:49 eilay-desktop vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=MikeTyson rhost=::ffff:192.168.2.10 user=MikeTyson
Dec 10 14:11:49 eilay-desktop vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=VeryLongUserName rhost=::ffff:192.168.2.10 user=VeryLongUserName
Dec 10 14:11:49 eilay-desktop vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=VeryLongUserName rhost=::ffff:192.168.2.10 user=VeryLongUserName
Dec 10 14:11:49 eilay-desktop vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=VeryLongUserName rhost=::ffff:192.168.2.10 user=VeryLongUserName
Dec 10 14:11:49 eilay-desktop vsftpd: pam_listfile(vsftpd:auth): Refused user root for service vsftpd
Dec 10 14:11:49 eilay-desktop vsftpd: pam_listfile(vsftpd:auth): Refused user root for service vsftpd
Dec 10 14:11:49 eilay-desktop vsftpd: pam_listfile(vsftpd:auth): Refused user root for service vsftpd
Dec 10 14:11:49 eilay-desktop vsftpd: pam_listfile(vsftpd:auth): Refused user root for service vsftpd
Dec 10 14:11:49 eilay-desktop vsftpd: pam_listfile(vsftpd:auth): Refused user root for service vsftpd
Dec 10 14:11:49 eilay-desktop vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Dec 10 14:11:49 eilay-desktop vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Dec 10 14:11:49 eilay-desktop vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Dec 10 14:11:49 eilay-desktop vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Dec 10 14:11:49 eilay-desktop vsftpd: pam_unix(vsftpd:auth): check pass; user unknown

================================================
FILE: 02-LogModules/Auth.Log/01-LogCopy/CreateLogCopy.ps1
================================================
# get the location of where the script was executed from.
$ScriptLocationPath = $RunningPath

# get the location of the original auth.log file
$AuthLogPath = "$RunningPath\01-Logs\$Log"

# auth.log copy location
$AuthLogCopyLocation = "$ScriptLocationPath\02-LogModules\Auth.Log\01-LogCopy\Auth.Log.Parser.Copy.txt"

# create a copy of the Auth.Log file
Copy-Item -Path $AuthLogPath -Destination $AuthLogCopyLocation

# variable to get auth.log content.
$AuthLogContent = Get-Content $AuthLogCopyLocation

# array to store modified lines
$ModifiedLines = @()

# foreach loop to iterate through lines of the auth.log file.
foreach ($SingleLine in $AuthLogContent) {
    # replace 2 spaces in each line to 1 space
    $ModifiedLine = $SingleLine -replace '  ',' '
    # add the modified line to the array
    $ModifiedLines += $ModifiedLine
}

# save the modified lines to the new file
$ModifiedLines | Out-File -FilePath $AuthLogCopyLocation -Force

================================================
FILE: 02-LogModules/Auth.Log/02-TimePatch/01-TimePatch.ps1
================================================
# get the location of where the script was executed from.
$ScriptLocationPath = $RunningPath

# get the location of the original auth.log file
$AuthLogPath = "$RunningPath\01-Logs\$Log"

# auth.log copy location
$AuthLogCopyLocation = "$ScriptLocationPath\02-LogModules\Auth.Log\01-LogCopy\Auth.Log.Parser.Copy.txt"

# if $AuthLogCopyLocation already exists, delete it
if (Test-Path -Path $AuthLogCopyLocation) {
    Remove-Item -Path $AuthLogCopyLocation -Force -ErrorAction SilentlyContinue | Out-Null
}

# create a copy of the Auth.Log file
Copy-Item -Path $AuthLogPath -Destination $AuthLogCopyLocation

# variable to get auth.log content.
$AuthLogContent = Get-Content -Head 1 -Path $AuthLogCopyLocation

# Check if TimePatch is needed
if ($AuthLogContent -match '^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}') {

    # variable to get auth.log content.
    $AuthLogContent = Get-Content $AuthLogCopyLocation

    # Loop through each line and convert date format
    $ModifiedLines = foreach ($line in $AuthLogContent) {
        # Split the line into timestamp and rest of the line
        $timestamp, $rest = $line -split ' ', 2

        # Extract date and time components
        $date = $timestamp.Substring(0, 10)
        $time = $timestamp.Substring(11, 8)

        # Format date and time
        $formattedDate = [datetime]::ParseExact($date, 'yyyy-MM-dd', $null).ToString('MMM dd')
        $formattedTime = $time

        # Join the formatted date, time, and the rest of the line
        $formattedDate + ' ' + $formattedTime + ' ' + $rest
    }

    # Save the modified lines to the new file
    $ModifiedLines | Set-Content -Path $AuthLogCopyLocation -Force
}

================================================
FILE: 02-LogModules/Auth.Log/03-Features/01-file_summary_report.ps1
================================================
# start time
if ($Mode -eq "Developer") {
    $file_summary_report_start_time = start_time
}

# starting variables
#region
$auth_log_path = "$RunningPath\02-LogModules\Auth.Log\01-LogCopy\Auth.Log.Parser.Copy.txt"
#endregion

# hostname
#region
$temp_line = Get-Content -Head 1 -Path $auth_log_path
$remove_start = $temp_line -replace '\b[a-zA-Z]{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\b ',''
$hostname = $remove_start -replace ' .*',''
#endregion

# file size
#region
# Get the file size
$fileSize = (Get-Item $auth_log_path).Length
if ($fileSize -lt 1KB) {
    $log_size = "$fileSize bytes"
}
elseif ($fileSize -lt 1MB) {
    $fileSizeKB = [math]::Round($fileSize / 1KB, 2)
    $log_size = "$fileSizeKB KB"
}
elseif ($fileSize -lt 1GB) {
    $fileSizeMB = [math]::Round($fileSize / 1MB, 2)
    $log_size = "$fileSizeMB MB"
}
else {
    $fileSizeGB = [math]::Round($fileSize / 1GB, 2)
    $log_size = "$fileSizeGB GB"
}
#endregion

# start and end time
#region
$temp_line = Get-Content -Head 1 -Path $auth_log_path
$start_time = $temp_line -replace " $hostname.*",""
# collapse a double space (space-padded single-digit day) to one space
$start_time = $start_time -replace '  ',' '
$temp_line = Get-Content -Tail 1 -Path $auth_log_path
$end_time = $temp_line -replace " $hostname.*",""
$end_time = $end_time -replace '  ',' '

# execute duration function
$full_duration_file_summary_report = duration_calc -start_time $start_time -end_time $end_time
#endregion

# file summary report template
#region
Write-Output "Auth.Log File Summary Report"
Write-Output "+--------------------------+"
if ($WasExtracted -eq "True") {
    Write-Output "Log Name: $Log (Extracted From: $GZipName)"
}
else {
    Write-Output "Log Name: $Log"
}
Write-Output "Hostname: $hostname"
Write-Output "Log Size: $log_size"
Write-Output "Start Time: $start_time"
Write-Output "End Time: $end_time"
Write-Output "Duration: $full_duration_file_summary_report"
#endregion

# run time
if ($Mode -eq "Developer") {
    $file_summary_report_run_time = stop_time -start_time $file_summary_report_start_time
    $file_summary_report_run_time
}

================================================
FILE: 02-LogModules/Auth.Log/03-Features/02-event_name_table.ps1
================================================
# start time
if ($Mode -eq "Developer") {
    $event_name_table_start_time = start_time
}

# Hashtable to store the 5th word
$5th_word_table = @{}

# Regular expression pattern to match the fifth word
$pattern = '\S+\s+\S+\s+\S+\s+\S+\s+(\S+)'

# Get the content of the file directly using switch statement
switch -Regex -File "$RunningPath\02-LogModules\Auth.Log\01-LogCopy\Auth.Log.Parser.Copy.txt" {
    $pattern {
        $5th_word = $matches[1] -replace '\[.*\]|\:',''
        if ($5th_word_table.ContainsKey($5th_word)) {
            $5th_word_table[$5th_word]++
        }
        else {
            $5th_word_table[$5th_word] = 1
        }
    }
}

# Transform the hashtable into an array of custom objects for easier formatting
$5th_word_table_Fixed = $5th_word_table.GetEnumerator() | Sort-Object Value -Descending | ForEach-Object {
    [pscustomobject]@{
        "Event Name" = $_.Key
        "Count" = $_.Value
    }
}

# Output the result
Write-Output ""
$5th_word_table_Fixed | Format-Table -Property "Event Name", "Count" | Out-String -Width 50 | ForEach-Object { $_.Trim() }

# run time
if ($Mode -eq "Developer") {
    $event_name_table_run_time = stop_time -start_time $event_name_table_start_time
    $event_name_table_run_time
}

================================================
FILE: 02-LogModules/Auth.Log/03-Features/03-ip_address_table.ps1
================================================
# start time
if ($Mode -eq "Developer") {
    $ip_address_table_start_time = start_time
}

# Hashtable to store the cleaned IP addresses
$IPHashTable = @{}

# Regular expression pattern to match both IPv4 and IPv6 addresses
$IPPattern = '\b(?:\d{1,3}\.){3}\d{1,3}\b|\b(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}\b'

# Get the content of the file directly using switch statement
switch -Regex -File "$RunningPath\02-LogModules\Auth.Log\01-LogCopy\Auth.Log.Parser.Copy.txt" {
    $IPPattern {
        # Extract the IP address from the line
        $IPAddress = $matches[0]

        # Clean the IP address
        # (no '\:.*' alternative here: it would cut an IPv6 match down to its first group)
        $CleanIP = $IPAddress -replace ".*\=|\(|.*\[|\)|\]",""

        # Update the hashtable
        if ($IPHashTable.ContainsKey($CleanIP)) {
            $IPHashTable[$CleanIP]++
        }
        else {
            $IPHashTable[$CleanIP] = 1
        }
    }
}

# Check if there are any IP addresses in the hashtable
if ($IPHashTable.Count -ge 1) {
    # Flag indicating IP addresses are present
    $IPHashTableFlag = "True"

    # Output the cleaned IP addresses
    Write-Output ""
    $IPHashTable.GetEnumerator() | Sort-Object Value -Descending | ForEach-Object {
        [pscustomobject]@{
            "IP Address" = $_.Key
            "Count" = $_.Value
        }
    } | Format-Table -Property "IP Address", "Count" | Out-String -Width 50 | ForEach-Object { $_.Trim() }
}
else {
    # If no IP addresses are found
    $IPHashTableFlag = "False"
}

# run time
if ($Mode -eq "Developer") {
    $ip_address_table_run_time = stop_time -start_time $ip_address_table_start_time
    $ip_address_table_run_time
}

================================================
FILE: 02-LogModules/Auth.Log/03-Features/04-regex_search_engine.ps1
================================================
# start time
if ($Mode -eq "Developer") {
    $regex_search_engine_start_time = start_time
}

# regex search engine
#region

# read the content of the log file
$log_content = Get-Content -Path $AuthLogCopyLocation

# main hashtable
$main = @{
    "successful_ssh" = @()
    "successful_publickey_ssh" = @()
    "ssh_disconnections_postauth" = @()
    "valid_users_failed_ssh" = @()
    "invalid_users_failed_ssh" = @()
    "ssh_maxstartups" = @()
    "user_login" = @()
    "user_logout" = @()
    "user_creation" = @()
    "user_deletion" = @()
    "password_change" = @()
    "group_creation" = @()
    "group_deletion" = @()
    "user_add_to_group" = @()
    "user_removed_from_group" = @()
    "user_information_changed" = @()
    "root_session_opened" = @()
    "root_session_closed" = @()
    "elevated_commands_executions" = @()
    "no_sudo_permission" = @()
    "ftp" = @()
    # outsource lists
    "system_logins_calc" = @()
    "ssh_logins_calc" = @()
}

# main patterns list
$patterns = @(
    #ssh
    @(
        "sshd.*Accepted password for",
        "sshd.*Accepted publickey for",
        "sshd.*Failed password for(?!.*invalid)",
        "sshd.*Failed password for invalid user",
        "sshd.*Received disconnect.*port(?!.*\[preauth\])",
        "sshd.*MaxStartups"
    ),
    #ftp
    @(
        "vsftpd.*authentication failure"
    ),
    #users groups
    @(
        "useradd.*new user\: name\=",
        "userdel.*delete user",
        "groupadd.*new group\: name\=",
        "groupdel.*group.*removed",
        "usermod.*add.*to group",
        "gpasswd.*user.*removed by",
        "chfn.*changed user.*information"
    ),
    #user system logins
    @(
        "systemd-logind.*New session.*of user",
        "systemd-logind.*Removed session"
    ),
    #passwords
    @(
        "passwd.*\(passwd.*password changed for",
        "usermod.*change user",
        "chpasswd.*\(chpasswd.*password changed for"
    ),
    #elevated activity
    @(
        "su\:.*session opened for user",
        "su.*su:session.*session closed for user",
        "(sudo|su)\:.*COMMAND\=",
        "user NOT in sudoers.*COMMAND"
    )
)

# Flatten the $patterns array
$flattenedPatterns = $patterns | ForEach-Object { $_ }

# Dynamically construct the combined pattern
$combined_pattern = [regex]::new("(" + ($flattenedPatterns -join "|") + ")")

# Loop through each line and match against the combined pattern
foreach ($line in $log_content) {
    if ($combined_pattern.IsMatch($line)) {
        $matchedText = $combined_pattern.Match($line).Value
        switch -Regex ($matchedText) {
            #ssh
            $patterns[0][0] { $main["successful_ssh"] += $line }
            $patterns[0][1] { $main["successful_publickey_ssh"] += $line }
            $patterns[0][2] { $main["valid_users_failed_ssh"] += $line }
            $patterns[0][3] { $main["invalid_users_failed_ssh"] += $line }
            $patterns[0][4] { $main["ssh_disconnections_postauth"] += $line }
            $patterns[0][5] { $main["ssh_maxstartups"] += $line }
            #ftp
            $patterns[1][0] { $main["ftp"] += $line }
            #users_groups
            $patterns[2][0] { $main["user_creation"] += $line }
            $patterns[2][1] { $main["user_deletion"] += $line }
            $patterns[2][2] { $main["group_creation"] += $line }
            $patterns[2][3] { $main["group_deletion"] += $line }
            $patterns[2][4] { $main["user_add_to_group"] += $line }
            $patterns[2][5] { $main["user_removed_from_group"] += $line }
            $patterns[2][6] { $main["user_information_changed"] += $line }
            #user_system_logins
            $patterns[3][0] { $main["user_login"] += $line }
            $patterns[3][1] { $main["user_logout"] += $line }
            #passwords
            $patterns[4][0] { $main["password_change"] += $line }
            $patterns[4][1] { $main["password_change"] += $line }
            $patterns[4][2] { $main["password_change"] += $line }
            #elevated_activity
            $patterns[5][0] { $main["root_session_opened"] += $line }
            $patterns[5][1] { $main["root_session_closed"] += $line }
            $patterns[5][2] { $main["elevated_commands_executions"] += $line }
            $patterns[5][3] { $main["no_sudo_permission"] += $line }
        }
    }
}
#endregion

# run time
if ($Mode -eq "Developer") {
    $regex_search_engine_run_time = stop_time -start_time $regex_search_engine_start_time
    Write-Output ""
    Write-Output "regex_search_engine_run_time: $regex_search_engine_run_time"
}
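
Added example, not part of the AuthLogParser repository: one way to turn the failed-login lines that the search engine above buckets (SSH and vsftpd) into a per-source summary, flagging sources whose failures were followed by an accepted SSH login. The function name Get-AuthFailureSummary, the -Threshold default of 3, and the sample lines are assumptions made for this illustration; the sample lines are constructed in the formats of 01-Logs/MasterParser-Example-auth.log.

```powershell
# Added example (not the project's code). Constructed sample lines in the
# formats used by 01-Logs/MasterParser-Example-auth.log.
$SampleLines = @(
    'Dec 10 14:11:40 eilay-desktop sshd[1094]: Failed password for eilay from 192.168.2.10 port 64853 ssh2'
    'Dec 10 14:11:42 eilay-desktop sshd[1094]: Failed password for invalid user admin from 192.168.2.10 port 64853 ssh2'
    'Dec 10 14:11:44 eilay-desktop sshd[1094]: Failed password for Test from 192.168.2.10 port 64853 ssh2'
    'Dec 10 14:11:49 eilay-desktop sshd[1074]: Accepted password for eilay from 192.168.2.10 port 65107 ssh2'
    'Dec 10 14:12:01 eilay-desktop vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=eilay rhost=::ffff:192.168.2.10 user=eilay'
    'Dec 10 14:12:05 eilay-desktop sshd[21670]: Accepted publickey for eilay from 192.168.2.14 port 61006 ssh2: RSA SHA256:CONSTRUCTED-FINGERPRINT'
)

function Get-AuthFailureSummary {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        # hypothetical threshold: minimum failures before a source is reported
        [int]$Threshold = 3
    )

    # SSH: group 1 = Failed|Accepted, group 2 = user name, group 3 = source address
    $sshEvent = [regex]'sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\S+) port \d+'
    # FTP: group 1 = rhost, group 2 = user (optional, it may be absent from the line)
    $ftpEvent = [regex]'vsftpd: pam_unix\(vsftpd:auth\): authentication failure;.*\brhost=(\S+)(?:\s+user=(\S+))?'

    $bySource = @{}
    foreach ($line in $Lines) {
        $m = $sshEvent.Match($line)
        if ($m.Success) {
            $isFailure = ($m.Groups[1].Value -eq 'Failed')
            $user = $m.Groups[2].Value
            $ip = $m.Groups[3].Value
        }
        else {
            $m = $ftpEvent.Match($line)
            if (-not $m.Success) { continue }
            $isFailure = $true
            $user = $m.Groups[2].Value
            # the sample log records FTP clients as IPv4-mapped IPv6 (::ffff:a.b.c.d);
            # strip the prefix so SSH and FTP events from one host share a key
            $ip = $m.Groups[1].Value -replace '^::ffff:', ''
        }

        if (-not $bySource.ContainsKey($ip)) {
            $bySource[$ip] = [pscustomobject]@{
                Source              = $ip
                Failures            = 0
                Users               = [System.Collections.Generic.HashSet[string]]::new()
                SuccessAfterFailure = $false
            }
        }
        $entry = $bySource[$ip]

        if ($isFailure) {
            $entry.Failures++
            if ($user) { [void]$entry.Users.Add($user) }
        }
        elseif ($entry.Failures -ge $Threshold) {
            # an accepted login from a source that already reached the threshold
            $entry.SuccessAfterFailure = $true
        }
    }

    $bySource.Values |
        Where-Object { $_.Failures -ge $Threshold } |
        Sort-Object Failures -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Source              = $_.Source
                Failures            = $_.Failures
                DistinctUsers       = $_.Users.Count
                SuccessAfterFailure = $_.SuccessAfterFailure
            }
        }
}

Get-AuthFailureSummary -Lines $SampleLines | Format-Table -AutoSize
```

Lines are processed in file order, so SuccessAfterFailure only reflects sequence if the log is chronological.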
================================================
FILE: 02-LogModules/Auth.Log/03-Features/05-system_login_calculation.ps1
================================================
if ($main["user_login"].Count -ge 1 -and $main["user_logout"].Count -ge 1) {

    # login hashtable, keyed by systemd-logind session id
    $login_hashtable = @{}
    foreach ($event in $main["user_login"]) {
        $session_id = $event -replace '.*New session ','' -replace ' of user.*',''
        $login_hashtable[$session_id] += $event
    }

    # logout hashtable, keyed by systemd-logind session id
    $logout_hashtable = @{}
    foreach ($event in $main["user_logout"]) {
        $session_id = $event -replace '.*Removed session ','' -replace '\.',''
        $logout_hashtable[$session_id] += $event
    }

    # lists
    $username_list = @()
    $login_session_id_list = @()
    $start_time_list = @()
    $end_time_list = @()
    $duration_calc_login_list = @()

    # code logic - is there a matching session number?
    # first pass: collect the values so the column widths can be calculated
    foreach ($login_session_id in $login_hashtable.Keys) {
        $matchFound = $false
        foreach ($logout_session_id in $logout_hashtable.Keys) {
            if ($login_session_id -eq $logout_session_id) {
                $matchFound = $true
                $login_log = $login_hashtable[$login_session_id]
                $logout_log = $logout_hashtable[$logout_session_id]
                $username = $login_log -replace '.*New session.*of user ','' -replace '\.',''
                $username_list += $username
                $login_session_id_list += $login_session_id
                $start_time = $login_log -replace " $hostname.*",""
                $start_time_list += $start_time
                $end_time = $logout_log -replace " $hostname.*",""
                $end_time_list += $end_time
                $duration_calc_login = duration_calc -start_time $start_time -end_time $end_time
                $duration_calc_login_list += $duration_calc_login
            }
        }
    }

    $usr_max_char = ($username_list | Measure-Object -Maximum -Property Length).Maximum
    $sid_max_char = ($login_session_id_list | Measure-Object -Maximum -Property Length).Maximum
    $sta_max_char = ($start_time_list | Measure-Object -Maximum -Property Length).Maximum
    $end_max_char = ($end_time_list | Measure-Object -Maximum -Property Length).Maximum
    $dur_max_char = ($duration_calc_login_list | Measure-Object -Maximum -Property Length).Maximum

    # code logic - is there a matching session number?
    # second pass: build the padded output rows
    foreach ($login_session_id in $login_hashtable.Keys) {
        $matchFound = $false
        foreach ($logout_session_id in $logout_hashtable.Keys) {
            if ($login_session_id -eq $logout_session_id) {
                $matchFound = $true
                $login_log = $login_hashtable[$login_session_id]
                $logout_log = $logout_hashtable[$logout_session_id]
                $username = $login_log -replace '.*New session.*of user ','' -replace '\.',''
                $start_time = $login_log -replace " $hostname.*",""
                $end_time = $logout_log -replace " $hostname.*",""
                $duration_calc_login = duration_calc -start_time $start_time -end_time $end_time
                $main["system_logins_calc"] += Write-Output " Username: $($username.PadRight($usr_max_char)) | Session ID: $($login_session_id.PadRight($sid_max_char)) | Login Time: $($start_time.PadRight($sta_max_char)) | Logout Time: $($end_time.PadRight($end_max_char)) | Login Duration: $($duration_calc_login.PadRight($dur_max_char)) "
            }
        }
    }
}

================================================
FILE: 02-LogModules/Auth.Log/03-Features/06-ssh_login_calculation.ps1
================================================
# -or and -and have equal precedence in PowerShell and evaluate left to right;
# the parentheses make that grouping explicit
if (($main["successful_ssh"].Count -ge 1 -or $main["successful_publickey_ssh"].Count -ge 1) -and $main["ssh_disconnections_postauth"].Count -ge 1) {

    # ssh_login hashtable creation
    # sessions are keyed by source port only; += concatenates the events when
    # the same port appears in more than one login line
    $ssh_login = @{}

    # successful_publickey_ssh
    foreach ($event in $main["successful_publickey_ssh"]) {
        $source_port = $event -replace '.*from.*port ','' -replace ' .*',''
        $ssh_login[$source_port] += $event
    }

    # successful_ssh
    foreach ($event in $main["successful_ssh"]) {
        $source_port = $event -replace '.*from.*port ','' -replace ' .*',''
        $ssh_login[$source_port] += $event
    }

    # disconnections_ssh_hashtable
    $ssh_logout = @{}
    foreach ($event in $main["ssh_disconnections_postauth"]) {
        $source_port = $event -replace '.*from.*port ','' -replace '( .*|\:.*)',''
        $ssh_logout[$source_port] += $event
    }

    # lists
    $username_list = @()
    $source_port_list = @()
    $ip_list = @()
    $start_time_list = @()
    $end_time_list = @()
    $duration_calc_login_list = @()

    # code logic - matching login logout source ports
    foreach ($login_source_port in $ssh_login.Keys) {
        # flag
        $matchFound = $false
        foreach ($logout_source_port in $ssh_logout.Keys) {
            if ($login_source_port -eq $logout_source_port) {
                # flag
                $matchFound = $true
                # create login\logout log lines
                $ssh_login_log = $ssh_login[$login_source_port]
                $ssh_logout_log = $ssh_logout[$logout_source_port]
                # username
                $username = $ssh_login_log -replace '.*Accepted.*for ','' -replace ' from.*port.*',''
                $username_list += $username
                # source port
                $source_port_list += $login_source_port
                # ip
                $ip = $ssh_login_log -replace '.*for.*from ','' -replace ' port.*',''
                $ip_list += $ip
                # start time
                $start_time = $ssh_login_log -replace " $hostname.*",""
                $start_time_list += $start_time
                # end time
                $end_time = $ssh_logout_log -replace " $hostname.*",""
                $end_time_list += $end_time
                # duration
                $duration_calc_login = duration_calc -start_time $start_time -end_time $end_time
                $duration_calc_login_list += $duration_calc_login
            }
        }
        if (-not $matchFound) {
            # create login\logout log lines
            $ssh_login_log = $ssh_login[$login_source_port]
            $ssh_logout_log = $ssh_logout[$logout_source_port]
            # username
            $username = $ssh_login_log -replace '.*Accepted.*for ','' -replace ' from.*port.*',''
            $username_list += $username
            # source port
            $source_port_list += $login_source_port
            # ip
            $ip = $ssh_login_log -replace '.*for.*from ','' -replace ' port.*',''
            $ip_list += $ip
            # start time
            $start_time = $ssh_login_log -replace " $hostname.*",""
            $start_time_list += $start_time
        }
    }

    # calc char max size from lists
    $usr_max_char = ($username_list | Measure-Object -Maximum -Property Length).Maximum
    $lsp_max_char = ($source_port_list | Measure-Object -Maximum -Property Length).Maximum
    $lip_max_char = ($ip_list | Measure-Object -Maximum -Property Length).Maximum
    $sta_max_char = ($start_time_list | Measure-Object -Maximum -Property Length).Maximum
    $end_max_char = ($end_time_list | Measure-Object -Maximum -Property Length).Maximum
    $dur_max_char = ($duration_calc_login_list | Measure-Object -Maximum -Property Length).Maximum

    foreach ($login_source_port in $ssh_login.Keys) {
        # flag
        $matchFound = $false
        foreach ($logout_source_port in $ssh_logout.Keys) {
            if ($login_source_port -eq $logout_source_port) {
                # flag
                $matchFound = $true
                # create login\logout log lines
                $ssh_login_log = $ssh_login[$login_source_port]
                $ssh_logout_log = $ssh_logout[$logout_source_port]
                # username
                $username = $ssh_login_log -replace '.*Accepted.*for ','' -replace ' from.*port.*',''
                # source port
                $source_port_list += $login_source_port
                # ip
                $ip = $ssh_login_log -replace '.*for.*from ','' -replace ' port.*',''
                # start time
                $start_time = $ssh_login_log -replace " $hostname.*",""
                # end time
                $end_time = $ssh_logout_log -replace " $hostname.*",""
                # duration
                $duration_calc_login = duration_calc -start_time $start_time -end_time $end_time
                # output
                $main["ssh_logins_calc"] += Write-Output " Username: $($username.PadRight($usr_max_char)) | Port: $($login_source_port.PadRight($lsp_max_char)) | IP: $($ip.PadRight($lip_max_char)) | Login Time: $($start_time.PadRight($sta_max_char)) | Logout Time: $($end_time.PadRight($end_max_char)) | Login Duration: $($duration_calc_login.PadRight($dur_max_char)) "
            }
        }
        if (-not $matchFound) {
            # create login\logout log lines
            $ssh_login_log = $ssh_login[$login_source_port]
            $ssh_logout_log = $ssh_logout[$logout_source_port]
            # username
            $username = $ssh_login_log -replace '.*Accepted.*for ','' -replace ' from.*port.*',''
            $username_list += $username
            # source port
            $source_port_list += $login_source_port
            # ip
            $ip = $ssh_login_log -replace '.*for.*from ','' -replace ' port.*',''
            $ip_list += $ip
            # start time
            $start_time = $ssh_login_log -replace " $hostname.*",""
            $start_time_list += $start_time
            # output: no matching disconnect was found, so logout time and duration are N/A
            $main["ssh_logins_calc"] += Write-Output " Username: $($username.PadRight($usr_max_char)) | Port: $($login_source_port.PadRight($lsp_max_char)) | IP: $($ip.PadRight($lip_max_char)) | Login Time: $($start_time.PadRight($sta_max_char)) | Logout Time: $("N/A".PadRight($end_max_char)) | Login Duration: $("N/A".PadRight($dur_max_char)) "
        }
    }
}

================================================
FILE: 02-LogModules/Auth.Log/03-Features/07-ssh_brute_force_detector.ps1
================================================
# compare the element counts, not the arrays themselves
if ($main["valid_users_failed_ssh"].Count -ge 1 -or $main["invalid_users_failed_ssh"].Count -ge 1) {

    # merge valid and invalid to 1 list
    $valid_fails = $main["valid_users_failed_ssh"]
    $invalid_fails = $main["invalid_users_failed_ssh"]
    $merged_hashtable = $valid_fails + $invalid_fails

    # create IP profiles
    $ip_profiles = @{}
    $users_db = @{}

    foreach ($event in $merged_hashtable) {
        # extract the ip address
        $ip = $event -replace '.*for.*from (.+?)\s+.*','$1'

        # create a list for each IP if it doesn't exist
        if (-not $ip_profiles.ContainsKey($ip)) {
            $ip_profiles[$ip] = @{
                "Events" = @()
                "Count" = 0
            }
        }

        # add the event to the list for the IP
        $ip_profiles[$ip]["Events"] += $event
        $ip_profiles[$ip]["Count"]++
    }

    # foreach loop to iterate the ip addresses count
    foreach ($ip_address in $ip_profiles.Keys) {
        $ip_count = $ip_profiles[$ip_address]["Count"]

        # iterate and add sign to users for valid (v) and invalid (x) users
        foreach ($event in $ip_profiles[$ip_address]["Events"]) {
            if ($event -match "for invalid user") {
                $user = $event -replace '.*for invalid user ','' -replace ' from.*port.*',''
                $user = "| x $user"
            }
            else {
                $user = $event -replace '.*password for ','' -replace ' from.*port.*',''
                $user = "| v $user"
            }

            if ($users_db.ContainsKey($user)) {
                $users_db[$user]++
            }
            else {
                $users_db[$user] = 1
            }
        }

        # Convert $users_db to custom objects with "User Name" and "Count" headers
        $users_output = @()
        foreach ($user in $users_db.Keys) {
            $user_object = [pscustomobject]@{
                "User Name" = $user
                "SSH Fail Count" = $users_db[$user]
            }
            $users_output += $user_object
        }

        # Output the custom objects
        $users_output = $users_output | Format-Table -AutoSize | Out-String
        #| ForEach-Object { $_ -replace '---------- --------------', '├--------- --------------' }
        Write-Output ""
        $users_output.Trim()
        Write-Output "|"
        Write-Output "└> From: $ip_address"

        # Reset $users_db for the next iteration
        $users_db = @{}
    }
}

================================================
FILE: 02-LogModules/Auth.Log/03-Features/08-ftp_brute_force_detector.ps1
================================================
if ($main["ftp"].Count -ge 1) {

    $ftp_hashtable = $main["ftp"]

    # create IP profiles
    $ip_profiles = @{}
    $users_db = @{}

    foreach ($event in $ftp_hashtable) {
        # extract the ip address
        $ip = $event -replace '.*rhost=::ffff:','' -replace '( user=.*|)',''

        # create a list for each IP if it doesn't exist
        if (-not $ip_profiles.ContainsKey($ip)) {
            $ip_profiles[$ip] = @{
                "Events" = @()
                "Count" = 0
            }
        }

        # add the event to the list for the IP
        $ip_profiles[$ip]["Events"] += $event
        $ip_profiles[$ip]["Count"]++
    }

    # foreach loop to iterate the ip addresses count
    foreach ($ip_address in $ip_profiles.Keys) {
        $ip_count = $ip_profiles[$ip_address]["Count"]

        # iterate and count the failed attempts per user name (ruser=)
        foreach ($event in $ip_profiles[$ip_address]["Events"]) {
            $user = $event -replace '.*ruser=','' -replace ' rhost=.*',''
            $user = "| $user"

            if ($users_db.ContainsKey($user)) {
                $users_db[$user]++
            }
            else {
                $users_db[$user] = 1
            }
        }

        # Convert $users_db to custom objects with "User Name" and "Count" headers
        $users_output = @()
        foreach ($user in $users_db.Keys) {
            $user_object = [pscustomobject]@{
                "User Name" = $user
                "FTP Fail Count" = $users_db[$user]
            }
            $users_output += $user_object
        }

        # Output the custom objects
        $users_output = $users_output | Format-Table -AutoSize | Out-String #| ForEach-Object { $_ -replace '---------- --------------', '├--------- --------------' }
        Write-Output ""
        $users_output.Trim()
        Write-Output "|"
        Write-Output "└> From: $ip_address"

        # Reset $users_db for the next iteration
        $users_db = @{}
    }
}

================================================
FILE: 02-LogModules/Auth.Log/03-Features/09-final_output.ps1
================================================
# start time
#region
if ($Mode -eq "Developer") {
    $formatting_function_start_time = start_time
}
#endregion

# final_output
#region
function final_output {
    param (
        [string]$check_count,
        [string]$title_name,
        [string]$title_side = " - Raw Logs",
        [string]$key_name,
        [bool]$run_once = $false,
        [bool]$top_space = $true,
        [string]$add_color = "DarkGreen",
        [string]$add_string_0 = $null,
        [string]$add_string_1 = $null,
        [string]$add_string_2 = $null,
        [string]$add_string_3 = $null,
        [string]$add_string_4 = $null
    )

    if ($check_count -ge 1) {
        if ($top_space -eq $true) {
            Write-Host ""
        }
        Write-Host "$add_string_0$title_name$title_side" -ForegroundColor $add_color
        $MaxLength = ($main[$key_name] | Measure-Object Length -Maximum).Maximum
        $Border = '-' * $MaxLength
        if ($run_once -eq $true) {
            Write-Host "$add_string_1+$Border+"
        }
        foreach ($Event in $main[$key_name]) {
            $Event = $Event.PadRight($MaxLength)
            if ($run_once -eq $false) {
                Write-Host "$add_string_2+$Border+"
            }
            Write-Host "$add_string_3|$Event|"
        }
        Write-Host "$add_string_4+$Border+"
    }
}
#endregion

# SSH
#region

# SSH Logins Full Output Statement
#region

# password=1 publickey=1
if ($main["successful_ssh"].Count -ge 1 -and $main["successful_publickey_ssh"].Count -ge 1) {
    final_output -check_count $main["successful_ssh"].Count -title_name "Successful SSH Password Authentication" -key_name "successful_ssh" -add_string_0 "┌>"
    final_output -check_count $main["successful_publickey_ssh"].Count -title_name "Successful SSH Public key Authentication" -key_name "successful_publickey_ssh" -top_space $false -add_string_0 "├>"
    final_output -check_count $main["ssh_disconnections_postauth"].Count -title_name "SSH Disconnections [postauth]" -key_name "ssh_disconnections_postauth" -top_space $false -add_string_0 "└>" -add_string_1 " " -add_string_2 " " -add_string_3 " " -add_string_4 " "
    final_output -check_count $main["ssh_logins_calc"].Count -title_name "SSH Logins Calculation" -key_name "ssh_logins_calc" -title_side " - Statistics" -run_once $true -top_space $false -add_string_0 " └->" -add_string_1 " " -add_string_2 " " -add_string_3 " " -add_string_4 " "
}

# password=1 publickey=0
elseif ($main["successful_ssh"].Count -ge 1 -and $main["successful_publickey_ssh"].Count -eq 0) {
    final_output -check_count $main["successful_ssh"].Count -title_name "Successful SSH Password Authentication" -key_name "successful_ssh"
    final_output -check_count $main["ssh_disconnections_postauth"].Count -title_name "SSH Disconnections [postauth]" -key_name "ssh_disconnections_postauth" -top_space $false -add_string_0 "└->" -add_string_2 " " -add_string_3 " " -add_string_4 " "
    final_output -check_count $main["ssh_logins_calc"].Count -title_name "SSH Logins Calculation" -key_name "ssh_logins_calc" -title_side " - Statistics" -run_once $true -top_space $false -add_string_0 " └->" -add_string_1 " " -add_string_2 " " -add_string_3 " " -add_string_4 " "
}

# password=0 publickey=1
elseif ($main["successful_ssh"].Count -eq 0 -and $main["successful_publickey_ssh"].Count -ge 1) {
    final_output -check_count $main["successful_publickey_ssh"].Count -title_name "Successful SSH Public key Authentication" -key_name "successful_publickey_ssh"
    final_output -check_count $main["ssh_disconnections_postauth"].Count -title_name "SSH Disconnections [postauth]" -key_name "ssh_disconnections_postauth" -top_space $false -add_string_0 "└->" -add_string_2 " " -add_string_3 " " -add_string_4 " "
    final_output -check_count $main["ssh_logins_calc"].Count -title_name "SSH Logins Calculation" -key_name "ssh_logins_calc" -title_side " - Statistics" -run_once $true -top_space $false -add_string_0 " └->" -add_string_1 " " -add_string_2 " " -add_string_3 " " -add_string_4 " "
}
#endregion

# SSH Failed Logins
#region

# valid=1 invalid=1
if ($main["valid_users_failed_ssh"].Count -ge 1 -and $main["invalid_users_failed_ssh"].Count -ge 1) {
    final_output -check_count $main["valid_users_failed_ssh"].Count -title_name "Valid Users Failed SSH Password Authentication" -key_name "valid_users_failed_ssh" -add_string_0 "┌>"
    final_output -check_count $main["invalid_users_failed_ssh"].Count -title_name "Invalid Users Failed SSH Password Authentication" -key_name "invalid_users_failed_ssh" -top_space $false -add_string_0 "├>"
}

# valid=1 invalid=0
elseif ($main["valid_users_failed_ssh"].Count -ge 1 -and $main["invalid_users_failed_ssh"].Count -eq 0) {
    final_output -check_count $main["valid_users_failed_ssh"].Count -title_name "Valid Users Failed SSH Password Authentication" -key_name "valid_users_failed_ssh"
}

# valid=0 invalid=1
elseif ($main["valid_users_failed_ssh"].Count -eq 0 -and $main["invalid_users_failed_ssh"].Count -ge 1) {
    final_output -check_count $main["invalid_users_failed_ssh"].Count -title_name "Invalid Users Failed SSH Password Authentication" -key_name "invalid_users_failed_ssh"
}

# Dot Sourcing -> 07-ssh_brute_force_detector.ps1
. "$RunningPath\02-LogModules\Auth.Log\03-Features\07-ssh_brute_force_detector.ps1"

final_output -check_count $main["ssh_maxstartups"].Count -title_name "SSH MaxStartups" -key_name "ssh_maxstartups"
#endregion
#endregion

# FTP
final_output -check_count $main["ftp"].Count -title_name "FTP Authentication Failure" -key_name "ftp"

# Dot Sourcing -> 08-ftp_brute_force_detector.ps1
. "$RunningPath\02-LogModules\Auth.Log\03-Features\08-ftp_brute_force_detector.ps1"

# User System Logins
final_output -check_count $main["user_login"].Count -title_name "User System Login" -key_name "user_login"
final_output -check_count $main["user_logout"].Count -title_name "User System Logout" -key_name "user_logout" -top_space $false -add_string_0 "└->" -add_string_2 " " -add_string_3 " " -add_string_4 " "
final_output -check_count $main["system_logins_calc"].Count -title_name "User System Logins Calculation" -key_name "system_logins_calc" -title_side " - Statistics" -run_once $true -top_space $false -add_string_0 " └->" -add_string_1 " " -add_string_2 " " -add_string_3 " " -add_string_4 " "

# Users Groups Activity
final_output -check_count $main["user_creation"].Count -title_name "User Creation" -key_name "user_creation"
final_output -check_count $main["user_deletion"].Count -title_name "User Deletion" -key_name "user_deletion"
final_output -check_count $main["group_creation"].Count -title_name "Group Creation" -key_name "group_creation"
final_output -check_count $main["group_deletion"].Count -title_name "Group Deletion" -key_name "group_deletion"
final_output -check_count $main["user_add_to_group"].Count -title_name "User Added To A Group" -key_name "user_add_to_group"
final_output -check_count $main["user_removed_from_group"].Count -title_name "User Removed From A Group" -key_name "user_removed_from_group"
final_output -check_count $main["user_information_changed"].Count -title_name "User Information Change" -key_name "user_information_changed"

# Passwords
final_output -check_count $main["password_change"].Count -title_name "User Password Change" -key_name "password_change"

# Elevated User Activity
final_output -check_count $main["root_session_opened"].Count -title_name "Elevated Session Opened For User Root" -key_name "root_session_opened"
final_output -check_count $main["root_session_closed"].Count -title_name "Elevated Session Closed For User Root" -key_name "root_session_closed"
final_output -check_count $main["elevated_commands_executions"].Count -title_name "Elevated Commands Executions" -key_name "elevated_commands_executions"
final_output -check_count $main["no_sudo_permission"].Count -title_name "No Permission To Use sudo" -key_name "no_sudo_permission"

# run time
#region
if ($Mode -eq "Developer") {
    $formatting_function_run_time = stop_time -start_time $formatting_function_start_time
    $formatting_function_run_time
}
#endregion

================================================
FILE: 02-LogModules/Auth.Log/Auth.Log.ps1
================================================
$auth_log_start_time = start_time

# NotFoundHashTable
$NotFoundHashTable = @{}

# Dot Sourcing -> 01-TimePatch.ps1
. "$RunningPath\02-LogModules\Auth.Log\02-TimePatch\01-TimePatch.ps1"

# if statement to check if TimePatch is needed
if ($CreateLogCopy_Flag -eq "True") {
    # Dot Sourcing -> CreateLogCopy.ps1
    . "$RunningPath\02-LogModules\Auth.Log\01-LogCopy\CreateLogCopy.ps1"
}

# Dot Sourcing -> 01-file_summary_report.ps1
. "$RunningPath\02-LogModules\Auth.Log\03-Features\01-file_summary_report.ps1"

# Dot Sourcing -> 02-event_name_table.ps1
. "$RunningPath\02-LogModules\Auth.Log\03-Features\02-event_name_table.ps1"

# Dot Sourcing -> 03-ip_address_table.ps1
. "$RunningPath\02-LogModules\Auth.Log\03-Features\03-ip_address_table.ps1"

# Dot Sourcing -> 04-regex_search_engine.ps1
. "$RunningPath\02-LogModules\Auth.Log\03-Features\04-regex_search_engine.ps1"

# Dot Sourcing -> 05-system_login_calculation.ps1
. "$RunningPath\02-LogModules\Auth.Log\03-Features\05-system_login_calculation.ps1"

# Dot Sourcing -> 06-ssh_login_calculation.ps1
. "$RunningPath\02-LogModules\Auth.Log\03-Features\06-ssh_login_calculation.ps1"

# Dot Sourcing -> 09-final_output.ps1
. "$RunningPath\02-LogModules\Auth.Log\03-Features\09-final_output.ps1"

Write-Output ""
Write-Output ""
Write-Output " - End of '$Log' Report -"
Write-Output ""
Write-Output ""

# delete the auth.log copy after using it.
Remove-Item -Path $AuthLogCopyLocation

# if the log file was extracted from a GZip file, remove it.
if ($WasExtracted -eq "true") {
    Remove-Item -Path "$RunningPath\01-Logs\$Log"
}

$auth_log_run_time = stop_time -start_time $auth_log_start_time

================================================
FILE: 03-Options/00-Banner.ps1
================================================
# Dot Sourcing -> 02-AutoUpdateCheck.ps1
. "$RunningPath\03-Options\02-auto_update_check.ps1"

# ParserMaster Banner
Write-Output " __ ___ __"
Write-Output " / |/ /___ ______/ /____ _____"
Write-Output ' / /|_/ / __ `/ ___/ __/ _ \/ ___/'
Write-Output " / / / / /_/ (__ ) /_/ __/ /"
Write-Output "/_/ /_/\__,_/____/\__/\___/_/"
Write-Output " ____"
Write-Output " / __ \____ ______________ _____"
Write-Output ' / /_/ / __ `/ ___/ ___/ _ \/ ___/'
Write-Output " / ____/ /_/ / / (__ ) __/ /"
Write-Output "/_/ \__,_/_/ /____/\___/_/"
Write-Output ""
Write-Output "GitHub.com/securityjoes/MasterParser"
Write-Output " Author: Eilay Yosfan"
Write-Output ""

if ($ConnectionFlag -eq "True") {
    # if statement to compare versions
    if ($CurrentVersion -eq $Latestversion) {
        Write-Output " This is the latest version $CurrentVersion"
        Write-Output " No update is required."
    }
    else {
        Write-Output " Update Available!"
        Write-Output " You are using version $CurrentVersion"
        Write-Output " The latest version is $latestVersion"
        Write-Output " Update is required."
    }
}
else {
    Write-Output " Version: $CurrentVersion"
}

================================================
FILE: 03-Options/01-Update.ps1
================================================
# check if there is MasterParser.zip under the $RunningPath, if yes, delete it.
if (Test-Path -Path $RunningPath\MasterParser.zip) {
    Remove-Item -Path $RunningPath\MasterParser.zip -Force -ErrorAction SilentlyContinue
}

# process title
Write-Output "MasterParser Update Process"
Write-Output "+--------------------------+"
Start-Sleep -Milliseconds 300
Write-Output "[*] Checking connection to GitHub."

# GitHub domain variable
$GitHub = "GitHub.com"

# test connection to GitHub domain
$ConnectionStatus = Test-Connection -ComputerName $GitHub -Count 2 -ErrorAction SilentlyContinue | Select-Object -Property *

# statement to check if there is a connection to GitHub or not
if ($ConnectionStatus) {
    Start-Sleep -Milliseconds 300
    Write-Output "[*] GitHub is reachable."
}
# execute this if connection to GitHub is NOT reachable
else {
    Start-Sleep -Milliseconds 150
    Write-Output "[!] GitHub is NOT reachable."
    Start-Sleep -Milliseconds 150
    Write-Output "[!] Please check your internet connection."
    Start-Sleep -Milliseconds 150
    Write-Output "[!] Update failed."
    exit
}

# write that MasterParser-main.zip is now downloading
Start-Sleep -Milliseconds 300
Write-Output "[*] Downloading the latest MasterParser."

# invoke a web request to download the latest MasterParser ZIP file
# note: the archive is used as downloaded; no hash or signature is checked before the old files are removed
Invoke-WebRequest https://github.com/YosfanEilay/AuthLogParser/archive/main/AuthLogParser.zip -OutFile $RunningPath\MasterParser.zip

# if statement to check if download completed successfully
if (Test-Path -Path "$RunningPath\MasterParser.zip"){
    Start-Sleep -Milliseconds 300
    Write-Output "[*] Download completed successfully."
}
# new file was not found after download under $RunningPath.
else {
    Start-Sleep -Milliseconds 150
    Write-Output "[!] New MasterParser was not found under $RunningPath"
    Start-Sleep -Milliseconds 150
    Write-Output "[!] Update failed."
    exit
}

# variable to save all files\folders under $RunningPath\*
$MasterParserFiles = Get-Item -Path "$RunningPath\*" | Select-Object -ExpandProperty FullName

# foreach statement to iterate a removing process on all the old files\folders.
foreach ($MasterParserFile in $MasterParserFiles) {
    Remove-Item -Path $MasterParserFile -Exclude ("MasterParser.zip") -Force -Recurse -WarningAction Continue -ErrorAction SilentlyContinue | Out-Null
}

# check if the remove was successful, print this if it failed.
if (Test-Path -Path "$RunningPath\MasterParser.ps1") {
    Start-Sleep -Milliseconds 150
    Write-Output "[!] Removing old MasterParser was failed."
    Start-Sleep -Milliseconds 150
    Write-Output "[!] Update failed."
    exit
}
# print this if the remove was successful
else {
    Start-Sleep -Milliseconds 150
    Write-Output "[*] Old MasterParser was successfully removed."
}

# extract the content of the MasterParser.zip archive
Expand-Archive -Path "$RunningPath\MasterParser.zip" -DestinationPath $RunningPath

# check if the extraction was successful, print this if it was successful.
if (Test-Path -Path "$RunningPath\MasterParser-main") {
    Start-Sleep -Milliseconds 150
    Write-Output "[*] Extracting new MasterParser completed successfully."
}
# print this if it failed.
else {
    Start-Sleep -Milliseconds 150
    Write-Output "[!] Failed to extract new MasterParser."
    Start-Sleep -Milliseconds 150
    Write-Output "[!] Update failed."
    exit
}

# transfer all files\folders from AuthLogParser-main to MasterParser folder
Move-Item -Path "$RunningPath\MasterParser-main\*" -Destination $RunningPath
Remove-Item -Path "$RunningPath\MasterParser-main" -Force -ErrorAction SilentlyContinue

# check if the extraction of all files\folders from MasterParser-main folder was successful, print this if it was successful.
if (Test-Path -Path "$RunningPath\MasterParser.ps1") {
    Start-Sleep -Milliseconds 150
    Write-Output "[*] New MasterParser are in place."
    Start-Sleep -Milliseconds 150
    Write-Output "[*] Update completed successfully."
    Write-Output ""
}
else {
    Write-Output "[!] Some files are not in place after the update."
    Start-Sleep -Milliseconds 150
    Write-Output "[!] Update failed."
    exit
}

# check if there is MasterParser.zip under the $RunningPath, if yes, delete it.
if (Test-Path -Path $RunningPath\MasterParser.zip) {
    Remove-Item -Path $RunningPath\MasterParser.zip -Force -ErrorAction SilentlyContinue
}

================================================
FILE: 03-Options/02-auto_update_check.ps1
================================================
# test connection to GitHub domain
try {
    $ConnectionStatus = Test-Connection -ComputerName "GitHub.com" -Count 1 -ErrorAction SilentlyContinue
}
catch {
    $ConnectionStatus = $false
}

# statement to check if there is a connection to GitHub or not
if ($ConnectionStatus) {
    $ConnectionFlag = "True"

    # GitHub API URL for the repository releases
    $MP_URL = "https://api.github.com/repos/YosfanEilay/MasterParser/releases/latest"

    # Use Invoke-RestMethod to make a GET request to the GitHub API
    $response = Invoke-RestMethod -Uri $MP_URL -Method Get -ErrorAction Continue

    # Extract the version number from the response
    $Latestversion = $response.tag_name
}
# execute this if connection to GitHub is NOT reachable
else {
    $ConnectionFlag = "False"
}

================================================
FILE: 03-Options/03-Menu.ps1
================================================
Write-Output "┌> How To Run Example: MasterParser.ps1 -O Start"
Write-Output "├~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~╮"
Write-Output "│ Options (-O) │"
Write-Output "├~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~┤"
Write-Output "│ │"
Write-Output "│1. Start Run the tool by parsing all the logs under logs folder │"
Write-Output "│ │"
Write-Output "│2. Menu Show menu of what you can do with MasterParser tool │"
Write-Output "│ │"
Write-Output "│3. Update Update MasterParser to the latest version │"
Write-Output "│ │"
Write-Output "│4. Purge Purge MasterParser tool footprint from this host │"
Write-Output "│ │"
Write-Output "╰~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~╯"
Write-Output ""

================================================
FILE: 03-Options/04-Purge.ps1
================================================
# null flag
$SuccessFlag = $null

# main title print
Write-Output "MasterParser Removal Process"
Write-Output "+--------------------------+"

# variable with all the files to be removed
$AllFiles = Get-Item -Path "$RunningPath\*" | Select-Object -ExpandProperty Name

foreach ($EachFile in $AllFiles) {
    # remove the file
    Remove-Item -Path "$RunningPath\$EachFile" -Force -Recurse -WarningAction Continue -ErrorAction SilentlyContinue | Out-Null

    # check if the file was removed, execute this if the file was not removed.
    if (Test-Path -Path "$RunningPath\$EachFile") {
        # print this
        Write-Output "[!][Not Removed] - $RunningPath\$EachFile"
    }
    # execute this if the file was removed.
    else {
        Write-Output "[*][Removed] - $RunningPath\$EachFile"
    }
}

# space
Write-Output ""

# second title print
Write-Output "MasterParser Root Folder"
Write-Output "+----------------------+"

# move back 1 directory
cd ..
# remove the file Remove-Item -Path "MasterParser-main" -Force -Recurse -WarningAction Continue -ErrorAction SilentlyContinue | Out-Null # execute this if the remove failed if (Test-Path -Path $RunningPath) { # print this Write-Output "[!][Not Removed] - $RunningPath" } # execute this if the remove succeeded else { # print this Write-Output "[*][Removed] - $RunningPath" # flag $SuccessFlag = "True" } # space Write-Output "" # 3th title print Write-Output "Current Directory" Write-Output "+---------------+" # get the current directory $CurrentDirectory = Get-Location Write-Output "Current Directory is now - $CurrentDirectory" # space Write-Output "" if ($SuccessFlag -eq "True") { # 4th title print Write-Output "MasterParser Removal Status" Write-Output "+-------------------------+" Write-Output "[*] Purge done successfully." # space Write-Output "" } else { # 4th title print Write-Output "MasterParser Removal Status" Write-Output "+-------------------------+" Write-Output "[!] Error: Some files were not removed correctly." # space Write-Output "" } # null flag $SuccessFlag = $null ================================================ FILE: 03-Options/05-functions.ps1 ================================================ # calculate run time function #region function start_time { return Get-Date } function stop_time { param ( [datetime]$start_time ) $stop_time = Get-Date $time_taken = $stop_time - $start_time return '{0:00}:{1:00}:{2:00}' -f $time_taken.Hours, $time_taken.Minutes, $time_taken.Seconds # How to Run This Function ? 
# at the beginning of the script block you want to masure # put this argument #"$name_of_what_you_want_to_measure = start_time" # and at the end of this script block put this argument # "$this_is_the_run_time = stop_time -start_time $name_of_what_you_want_to_measure" } #endregion # calculate duration from start_time and end_time #region function duration_calc { param ( [string]$start_time, [string]$end_time ) $start_time = $start_time -replace ' ',' ' $end_time = $end_time -replace ' ',' ' $start_time_split = $start_time -split " " $end_time_split = $end_time -split " " if ($start_time_split[1].Length -eq 1) { $StartTimeConverted = [datetime]::ParseExact($start_time,'MMM d HH:mm:ss',$null) } elseif ($start_time_split[1].Length -eq 2) { $StartTimeConverted = [datetime]::ParseExact($start_time,'MMM dd HH:mm:ss',$null) } if ($end_time_split[1].Length -eq 1) { $EndTimeConverted = [datetime]::ParseExact($end_time,'MMM d HH:mm:ss',$null) } elseif ($end_time_split[1].Length -eq 2) { $EndTimeConverted = [datetime]::ParseExact($end_time,'MMM dd HH:mm:ss',$null) } $Duration = $EndTimeConverted - $StartTimeConverted $full_duration = Write-Output "$($Duration.Days) Days $($Duration.Hours) Hours $($Duration.Minutes) Minutes $($Duration.Seconds) Seconds" return $full_duration } #endregion ================================================ FILE: LICENSE ================================================ MIT License Copyright (c) 2023 Eilay Yosfan (DFIR) Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial 
portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

================================================
FILE: MasterParser Training/02 - Exercises and Scenarios to investigate/01 - FTP Brute-Force Attack/Auth.Log FTP Brute-Force Attack
================================================
May 9 12:46:09 UBUSRV01 sshd[709]: Server listening on 0.0.0.0 port 22.
May 9 12:46:09 UBUSRV01 sshd[709]: Server listening on :: port 22.
May 9 12:46:09 UBUSRV01 systemd-logind[664]: New seat seat0.
May 9 12:46:09 UBUSRV01 systemd-logind[664]: Watching system buttons on /dev/input/event0 (Power Button)
May 9 12:46:09 UBUSRV01 systemd-logind[664]: Watching system buttons on /dev/input/event1 (Sleep Button)
May 9 12:46:09 UBUSRV01 systemd-logind[664]: Watching system buttons on /dev/input/event2 (AT Translated Set 2 keyboard)
May 9 12:47:24 UBUSRV01 sshd[1080]: Accepted password for eilay from 192.168.2.1 port 56742 ssh2
May 9 12:47:24 UBUSRV01 sshd[1080]: pam_unix(sshd:session): session opened for user eilay(uid=1000) by (uid=0)
May 9 12:47:24 UBUSRV01 systemd-logind[664]: New session 1 of user eilay.
May 9 12:47:24 UBUSRV01 systemd: pam_unix(systemd-user:session): session opened for user eilay(uid=1000) by (uid=0)
May 9 12:49:08 UBUSRV01 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
May 9 12:49:08 UBUSRV01 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=::ffff:192.168.2.14
May 9 12:49:08 UBUSRV01 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
May 9 12:49:08 UBUSRV01 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=::ffff:192.168.2.14
May 9 12:49:08 UBUSRV01 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
May 9 12:49:08 UBUSRV01 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
May 9 12:49:08 UBUSRV01 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=administrator rhost=::ffff:192.168.2.14
May 9 12:49:08 UBUSRV01 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=master rhost=::ffff:192.168.2.14
May 9 12:49:08 UBUSRV01 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
May 9 12:49:08 UBUSRV01 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=::ffff:192.168.2.14
May 9 12:49:08 UBUSRV01 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
May 9 12:49:08 UBUSRV01 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
May 9 12:49:08 UBUSRV01 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=administrator rhost=::ffff:192.168.2.14
May 9 12:49:08 UBUSRV01 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
May 9 12:49:08 UBUSRV01 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=master rhost=::ffff:192.168.2.14
May 9 12:49:08 UBUSRV01 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
May 9 12:49:08 UBUSRV01 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=administrator rhost=::ffff:192.168.2.14
May 9 12:49:08 UBUSRV01 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=master rhost=::ffff:192.168.2.14
May 9 12:49:31 UBUSRV01 sshd[1188]: Received disconnect from 192.168.2.1 port 56742:11: disconnected by user
May 9 12:49:31 UBUSRV01 sshd[1188]: Disconnected from user eilay 192.168.2.1 port 56742
May 9 12:49:31 UBUSRV01 sshd[1080]: pam_unix(sshd:session): session closed for user eilay
May 9 12:49:31 UBUSRV01 systemd-logind[664]: Session 1 logged out. Waiting for processes to exit.
May 9 12:49:31 UBUSRV01 systemd-logind[664]: Removed session 1.
May 9 12:50:07 UBUSRV01 sshd[1231]: Accepted password for eilay from 192.168.2.1 port 56754 ssh2
May 9 12:50:07 UBUSRV01 sshd[1231]: pam_unix(sshd:session): session opened for user eilay(uid=1000) by (uid=0)
May 9 12:50:07 UBUSRV01 systemd-logind[664]: New session 3 of user eilay.
May 9 12:50:07 UBUSRV01 systemd: pam_unix(systemd-user:session): session opened for user eilay(uid=1000) by (uid=0)

================================================
FILE: MasterParser Training/02 - Exercises and Scenarios to investigate/02 - The Disgruntled Employee/Auth.Log The Disgruntled Employee.txt
================================================
May 8 12:08:02 UBUSRV01 sshd[703]: Server listening on 0.0.0.0 port 22.
May 8 12:08:02 UBUSRV01 sshd[703]: Server listening on :: port 22.
May 8 12:08:02 UBUSRV01 systemd-logind[665]: New seat seat0.
May 8 12:08:02 UBUSRV01 systemd-logind[665]: Watching system buttons on /dev/input/event0 (Power Button)
May 8 12:08:02 UBUSRV01 systemd-logind[665]: Watching system buttons on /dev/input/event1 (Sleep Button)
May 8 12:08:02 UBUSRV01 systemd-logind[665]: Watching system buttons on /dev/input/event2 (AT Translated Set 2 keyboard)
May 8 12:08:53 UBUSRV01 sshd[1074]: Accepted password for Employee-17 from 192.168.2.1 port 52749 ssh2
May 8 12:08:53 UBUSRV01 sshd[1074]: pam_unix(sshd:session): session opened for user Employee-17(uid=1000) by (uid=0)
May 8 12:08:53 UBUSRV01 systemd-logind[665]: New session 1 of user Employee-17.
May 8 12:08:53 UBUSRV01 systemd: pam_unix(systemd-user:session): session opened for user Employee-17(uid=1000) by (uid=0)
May 8 12:11:46 UBUSRV01 sudo: Employee-17 : TTY=pts/0 ; PWD=/home/Employee-17 ; USER=root ; COMMAND=/usr/bin/whoami
May 8 12:11:46 UBUSRV01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by Employee-17(uid=1000)
May 8 12:11:46 UBUSRV01 sudo: pam_unix(sudo:session): session closed for user root
May 8 12:12:51 UBUSRV01 sudo: Employee-17 : TTY=pts/0 ; PWD=/home/Employee-17 ; USER=root ; COMMAND=/usr/bin/cat /etc/passwd
May 8 12:12:51 UBUSRV01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by Employee-17(uid=1000)
May 8 12:12:51 UBUSRV01 sudo: pam_unix(sudo:session): session closed for user root
May 8 12:13:05 UBUSRV01 sudo: Employee-17 : TTY=pts/0 ; PWD=/home/Employee-17 ; USER=root ; COMMAND=/usr/bin/cat /var/log/auth.log
May 8 12:13:05 UBUSRV01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by Employee-17(uid=1000)
May 8 12:13:05 UBUSRV01 sudo: pam_unix(sudo:session): session closed for user root
May 8 12:14:05 UBUSRV01 sudo: Employee-17 : TTY=pts/0 ; PWD=/home/Employee-17 ; USER=root ; COMMAND=/usr/bin/systemctl status syslog
May 8 12:14:05 UBUSRV01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by Employee-17(uid=1000)
May 8 12:14:05 UBUSRV01 sudo: pam_unix(sudo:session): session closed for user root
May 8 12:14:30 UBUSRV01 sudo: Employee-17 : TTY=pts/0 ; PWD=/home/Employee-17 ; USER=root ; COMMAND=/usr/bin/systemctl stop syslog
May 8 12:14:30 UBUSRV01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by Employee-17(uid=1000)
May 8 12:14:30 UBUSRV01 sudo: pam_unix(sudo:session): session closed for user root
May 8 12:14:40 UBUSRV01 sudo: Employee-17 : TTY=pts/0 ; PWD=/home/Employee-17 ; USER=root ; COMMAND=/usr/bin/systemctl status syslog
May 8 12:14:40 UBUSRV01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by Employee-17(uid=1000)
May 8 12:14:40 UBUSRV01 sudo: pam_unix(sudo:session): session closed for user root
May 8 12:14:56 UBUSRV01 sudo: Employee-17 : TTY=pts/0 ; PWD=/home/Employee-17 ; USER=root ; COMMAND=/usr/bin/nano /var/log/auth.log
May 8 12:14:56 UBUSRV01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by Employee-17(uid=1000)
May 8 12:15:01 UBUSRV01 sudo: pam_unix(sudo:session): session closed for user root
May 8 12:15:27 UBUSRV01 sshd[1190]: Received disconnect from 192.168.2.1 port 52749:11: disconnected by user
May 8 12:15:27 UBUSRV01 sshd[1190]: Disconnected from user Employee-17 192.168.2.1 port 52749
May 8 12:15:27 UBUSRV01 sshd[1074]: pam_unix(sshd:session): session closed for user Employee-17
May 8 12:15:27 UBUSRV01 systemd-logind[665]: Session 1 logged out. Waiting for processes to exit.
May 8 12:15:27 UBUSRV01 systemd-logind[665]: Removed session 1.
May 8 12:15:31 UBUSRV01 sshd[1297]: Accepted password for Employee-17 from 192.168.2.1 port 52809 ssh2
May 8 12:15:31 UBUSRV01 sshd[1297]: pam_unix(sshd:session): session opened for user Employee-17(uid=1000) by (uid=0)
May 8 12:15:31 UBUSRV01 systemd-logind[665]: New session 3 of user Employee-17.
May 8 12:15:42 UBUSRV01 sudo: pam_unix(sudo:auth): authentication failure; logname=Employee-17 uid=1000 euid=0 tty=/dev/pts/0 ruser=Employee-17 rhost= user=Employee-17
May 8 12:15:46 UBUSRV01 sudo: Employee-17 : TTY=pts/0 ; PWD=/home/Employee-17 ; USER=root ; COMMAND=/usr/bin/systemctl stop syslog
May 8 12:15:46 UBUSRV01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by Employee-17(uid=1000)
May 8 12:15:46 UBUSRV01 sudo: pam_unix(sudo:session): session closed for user root
May 8 12:15:50 UBUSRV01 sudo: Employee-17 : TTY=pts/0 ; PWD=/home/Employee-17 ; USER=root ; COMMAND=/usr/bin/systemctl stop syslog.socket
May 8 12:15:50 UBUSRV01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by Employee-17(uid=1000)
May 8 14:03:23 UBUSRV01 sudo: Employee-17 : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/systemctl start syslog
May 8 14:03:23 UBUSRV01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by Employee-17(uid=1000)
May 8 14:03:23 UBUSRV01 sudo: pam_unix(sudo:session): session closed for user root
May 8 14:04:20 UBUSRV01 sudo: Employee-17 : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/systemctl restart syslog
May 8 14:04:20 UBUSRV01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by Employee-17(uid=1000)
May 8 14:04:20 UBUSRV01 sudo: pam_unix(sudo:session): session closed for user root
May 8 14:06:32 UBUSRV01 sudo: Employee-17 : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/ps aux
May 8 14:06:32 UBUSRV01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by Employee-17(uid=1000)
May 8 14:06:32 UBUSRV01 sudo: pam_unix(sudo:session): session closed for user root
May 8 14:08:01 UBUSRV01 sshd[1190]: Received disconnect from 192.168.2.1 port 52809:11: disconnected by user
May 8 14:08:01 UBUSRV01 sshd[1190]: Disconnected from user Employee-17 192.168.2.1 port 52809
May 8 14:08:01 UBUSRV01 sshd[1074]: pam_unix(sshd:session): session closed for user Employee-17
May 8 14:08:01 UBUSRV01 systemd-logind[665]: Session 3 logged out. Waiting for processes to exit.
May 8 14:08:01 UBUSRV01 systemd-logind[665]: Removed session 3.

================================================
FILE: MasterParser Training/02 - Exercises and Scenarios to investigate/03 - Why The Server is Unavailable/Auth.Log Why The Server is Unavailable
================================================
May 9 11:18:48 SSHJUMPSRV05 sshd[687]: Server listening on 0.0.0.0 port 22.
May 9 11:18:48 SSHJUMPSRV05 sshd[687]: Server listening on :: port 22.
May 9 11:18:48 SSHJUMPSRV05 systemd-logind[664]: New seat seat0.
May 9 11:18:48 SSHJUMPSRV05 systemd-logind[664]: Watching system buttons on /dev/input/event0 (Power Button)
May 9 11:18:48 SSHJUMPSRV05 systemd-logind[664]: Watching system buttons on /dev/input/event1 (Sleep Button)
May 9 11:18:48 SSHJUMPSRV05 systemd-logind[664]: Watching system buttons on /dev/input/event2 (AT Translated Set 2 keyboard)
May 9 11:23:56 SSHJUMPSRV05 sshd[1224]: Invalid user otlak33 from 192.168.2.14 port 38594
May 9 11:23:56 SSHJUMPSRV05 sshd[1224]: Received disconnect from 192.168.2.14 port 38594:11: Bye Bye [preauth]
May 9 11:23:56 SSHJUMPSRV05 sshd[1224]: Disconnected from invalid user otlak33 192.168.2.14 port 38594 [preauth]
May 9 11:23:56 SSHJUMPSRV05 sshd[687]: error: beginning MaxStartups throttling
May 9 11:23:56 SSHJUMPSRV05 sshd[687]: drop connection #10 from [192.168.2.14]:38684 on [192.168.2.13]:22 past MaxStartups
May 9 11:23:57 SSHJUMPSRV05 sshd[1231]: Invalid user bocko202 from 192.168.2.14 port 38640
May 9 11:23:57 SSHJUMPSRV05 sshd[1234]: Invalid user Finochio from 192.168.2.14 port 38662
May 9 11:23:57 SSHJUMPSRV05 sshd[1234]: pam_unix(sshd:auth): check pass; user unknown
May 9 11:23:57 SSHJUMPSRV05 sshd[1234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.14
May 9 11:23:57 SSHJUMPSRV05 sshd[1231]: pam_unix(sshd:auth): check pass; user unknown
May 9 11:23:57 SSHJUMPSRV05
sshd[1231]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.14 May 9 11:23:57 SSHJUMPSRV05 sshd[1233]: Invalid user Finochio from 192.168.2.14 port 38656 May 9 11:23:57 SSHJUMPSRV05 sshd[1227]: Invalid user otlak33 from 192.168.2.14 port 38610 May 9 11:23:57 SSHJUMPSRV05 sshd[1229]: Invalid user otlak33 from 192.168.2.14 port 38634 May 9 11:23:57 SSHJUMPSRV05 sshd[1226]: Invalid user otlak33 from 192.168.2.14 port 38600 May 9 11:23:57 SSHJUMPSRV05 sshd[1239]: Invalid user bocko202 from 192.168.2.14 port 38722 May 9 11:23:57 SSHJUMPSRV05 sshd[1237]: Invalid user Marobod from 192.168.2.14 port 38706 May 9 11:23:57 SSHJUMPSRV05 sshd[1238]: Invalid user Marobod from 192.168.2.14 port 38716 May 9 11:23:57 SSHJUMPSRV05 sshd[1236]: Invalid user Marobod from 192.168.2.14 port 38700 May 9 11:23:57 SSHJUMPSRV05 sshd[1229]: pam_unix(sshd:auth): check pass; user unknown May 9 11:23:57 SSHJUMPSRV05 sshd[1229]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.14 May 9 11:23:57 SSHJUMPSRV05 sshd[1237]: pam_unix(sshd:auth): check pass; user unknown May 9 11:23:57 SSHJUMPSRV05 sshd[1228]: Invalid user otlak33 from 192.168.2.14 port 38618 May 9 11:23:57 SSHJUMPSRV05 sshd[1237]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.14 May 9 11:23:57 SSHJUMPSRV05 sshd[1230]: Invalid user bocko202 from 192.168.2.14 port 38636 May 9 11:23:57 SSHJUMPSRV05 sshd[1236]: pam_unix(sshd:auth): check pass; user unknown May 9 11:23:57 SSHJUMPSRV05 sshd[1236]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.14 May 9 11:23:57 SSHJUMPSRV05 sshd[1227]: pam_unix(sshd:auth): check pass; user unknown May 9 11:23:57 SSHJUMPSRV05 sshd[1228]: pam_unix(sshd:auth): check pass; user unknown May 9 11:23:57 SSHJUMPSRV05 sshd[1228]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
rhost=192.168.2.14 May 9 11:23:57 SSHJUMPSRV05 sshd[1227]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.14 May 9 11:23:57 SSHJUMPSRV05 sshd[1233]: pam_unix(sshd:auth): check pass; user unknown May 9 11:23:57 SSHJUMPSRV05 sshd[1233]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.14 May 9 11:23:57 SSHJUMPSRV05 sshd[1226]: pam_unix(sshd:auth): check pass; user unknown May 9 11:23:57 SSHJUMPSRV05 sshd[1226]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.14 May 9 11:23:57 SSHJUMPSRV05 sshd[1232]: Invalid user bocko202 from 192.168.2.14 port 38644 May 9 11:23:57 SSHJUMPSRV05 sshd[1239]: pam_unix(sshd:auth): check pass; user unknown May 9 11:23:57 SSHJUMPSRV05 sshd[1239]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.14 May 9 11:23:57 SSHJUMPSRV05 sshd[1235]: Invalid user Finochio from 192.168.2.14 port 38674 May 9 11:23:57 SSHJUMPSRV05 sshd[1235]: pam_unix(sshd:auth): check pass; user unknown May 9 11:23:57 SSHJUMPSRV05 sshd[1235]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.14 May 9 11:23:57 SSHJUMPSRV05 sshd[1230]: pam_unix(sshd:auth): check pass; user unknown May 9 11:23:57 SSHJUMPSRV05 sshd[1230]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.14 May 9 11:23:57 SSHJUMPSRV05 sshd[1232]: pam_unix(sshd:auth): check pass; user unknown May 9 11:23:57 SSHJUMPSRV05 sshd[1232]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.14 May 9 11:23:57 SSHJUMPSRV05 sshd[1238]: pam_unix(sshd:auth): check pass; user unknown May 9 11:23:57 SSHJUMPSRV05 sshd[1238]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.14 May 9 11:23:59 SSHJUMPSRV05 sshd[1234]: Failed password for invalid 
user Finochio from 192.168.2.14 port 38662 ssh2 May 9 11:23:59 SSHJUMPSRV05 sshd[1231]: Failed password for invalid user bocko202 from 192.168.2.14 port 38640 ssh2 May 9 11:23:59 SSHJUMPSRV05 sshd[1229]: Failed password for invalid user otlak33 from 192.168.2.14 port 38634 ssh2 May 9 11:23:59 SSHJUMPSRV05 sshd[1237]: Failed password for invalid user Marobod from 192.168.2.14 port 38706 ssh2 May 9 11:23:59 SSHJUMPSRV05 sshd[1236]: Failed password for invalid user Marobod from 192.168.2.14 port 38700 ssh2 May 9 11:23:59 SSHJUMPSRV05 sshd[1228]: Failed password for invalid user otlak33 from 192.168.2.14 port 38618 ssh2 May 9 11:23:59 SSHJUMPSRV05 sshd[1227]: Failed password for invalid user otlak33 from 192.168.2.14 port 38610 ssh2 May 9 11:23:59 SSHJUMPSRV05 sshd[1233]: Failed password for invalid user Finochio from 192.168.2.14 port 38656 ssh2 May 9 11:23:59 SSHJUMPSRV05 sshd[1226]: Failed password for invalid user otlak33 from 192.168.2.14 port 38600 ssh2 May 9 11:23:59 SSHJUMPSRV05 sshd[1239]: Failed password for invalid user bocko202 from 192.168.2.14 port 38722 ssh2 May 9 11:23:59 SSHJUMPSRV05 sshd[1235]: Failed password for invalid user Finochio from 192.168.2.14 port 38674 ssh2 May 9 11:23:59 SSHJUMPSRV05 sshd[1232]: Failed password for invalid user bocko202 from 192.168.2.14 port 38644 ssh2 May 9 11:23:59 SSHJUMPSRV05 sshd[1230]: Failed password for invalid user bocko202 from 192.168.2.14 port 38636 ssh2 May 9 11:23:59 SSHJUMPSRV05 sshd[1238]: Failed password for invalid user Marobod from 192.168.2.14 port 38716 ssh2 May 9 11:23:59 SSHJUMPSRV05 sshd[1234]: Received disconnect from 192.168.2.14 port 38662:11: Bye Bye [preauth] May 9 11:23:59 SSHJUMPSRV05 sshd[1234]: Disconnected from invalid user Finochio 192.168.2.14 port 38662 [preauth] May 9 11:23:59 SSHJUMPSRV05 sshd[1233]: Received disconnect from 192.168.2.14 port 38656:11: Bye Bye [preauth] May 9 11:23:59 SSHJUMPSRV05 sshd[1233]: Disconnected from invalid user Finochio 192.168.2.14 port 38656 [preauth] 
May 9 11:23:59 SSHJUMPSRV05 sshd[1254]: Invalid user tomos from 192.168.2.14 port 38392 May 9 11:23:59 SSHJUMPSRV05 sshd[1254]: pam_unix(sshd:auth): check pass; user unknown May 9 11:23:59 SSHJUMPSRV05 sshd[1254]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.14 May 9 11:23:59 SSHJUMPSRV05 sshd[1235]: Received disconnect from 192.168.2.14 port 38674:11: Bye Bye [preauth] May 9 11:23:59 SSHJUMPSRV05 sshd[1235]: Disconnected from invalid user Finochio 192.168.2.14 port 38674 [preauth] May 9 11:23:59 SSHJUMPSRV05 sshd[1256]: Invalid user tomos from 192.168.2.14 port 38396 May 9 11:23:59 SSHJUMPSRV05 sshd[1256]: pam_unix(sshd:auth): check pass; user unknown May 9 11:23:59 SSHJUMPSRV05 sshd[1256]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.14 May 9 11:23:59 SSHJUMPSRV05 sshd[1258]: Invalid user tomos from 192.168.2.14 port 38398 May 9 11:24:00 SSHJUMPSRV05 sshd[1258]: pam_unix(sshd:auth): check pass; user unknown May 9 11:24:00 SSHJUMPSRV05 sshd[1258]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.14 May 9 11:24:00 SSHJUMPSRV05 sshd[1226]: Received disconnect from 192.168.2.14 port 38600:11: Bye Bye [preauth] May 9 11:24:00 SSHJUMPSRV05 sshd[1226]: Disconnected from invalid user otlak33 192.168.2.14 port 38600 [preauth] May 9 11:24:00 SSHJUMPSRV05 sshd[1227]: Received disconnect from 192.168.2.14 port 38610:11: Bye Bye [preauth] May 9 11:24:00 SSHJUMPSRV05 sshd[1227]: Disconnected from invalid user otlak33 192.168.2.14 port 38610 [preauth] May 9 11:24:00 SSHJUMPSRV05 sshd[1229]: Received disconnect from 192.168.2.14 port 38634:11: Bye Bye [preauth] May 9 11:24:00 SSHJUMPSRV05 sshd[1229]: Disconnected from invalid user otlak33 192.168.2.14 port 38634 [preauth] May 9 11:24:00 SSHJUMPSRV05 sshd[1228]: Received disconnect from 192.168.2.14 port 38618:11: Bye Bye [preauth] May 9 11:24:00 SSHJUMPSRV05 sshd[1228]: 
Disconnected from invalid user otlak33 192.168.2.14 port 38618 [preauth] May 9 11:24:00 SSHJUMPSRV05 sshd[1260]: Invalid user total7711 from 192.168.2.14 port 38422 May 9 11:24:00 SSHJUMPSRV05 sshd[1260]: pam_unix(sshd:auth): check pass; user unknown May 9 11:24:00 SSHJUMPSRV05 sshd[1260]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.14 May 9 11:24:00 SSHJUMPSRV05 sshd[1262]: Invalid user total7711 from 192.168.2.14 port 38444 May 9 11:24:00 SSHJUMPSRV05 sshd[1262]: pam_unix(sshd:auth): check pass; user unknown May 9 11:24:00 SSHJUMPSRV05 sshd[1262]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.14 May 9 11:24:00 SSHJUMPSRV05 sshd[1261]: Invalid user total7711 from 192.168.2.14 port 38428 May 9 11:24:00 SSHJUMPSRV05 sshd[1261]: pam_unix(sshd:auth): check pass; user unknown May 9 11:24:00 SSHJUMPSRV05 sshd[1261]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.14 May 9 11:24:00 SSHJUMPSRV05 sshd[1266]: Invalid user total7711 from 192.168.2.14 port 38454 May 9 11:24:00 SSHJUMPSRV05 sshd[1266]: pam_unix(sshd:auth): check pass; user unknown May 9 11:24:00 SSHJUMPSRV05 sshd[1266]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.14 May 9 11:24:01 SSHJUMPSRV05 sshd[1237]: Received disconnect from 192.168.2.14 port 38706:11: Bye Bye [preauth] May 9 11:24:01 SSHJUMPSRV05 sshd[1237]: Disconnected from invalid user Marobod 192.168.2.14 port 38706 [preauth] May 9 11:24:01 SSHJUMPSRV05 sshd[1231]: Received disconnect from 192.168.2.14 port 38640:11: Bye Bye [preauth] May 9 11:24:01 SSHJUMPSRV05 sshd[1231]: Disconnected from invalid user bocko202 192.168.2.14 port 38640 [preauth] May 9 11:24:01 SSHJUMPSRV05 sshd[1236]: Received disconnect from 192.168.2.14 port 38700:11: Bye Bye [preauth] May 9 11:24:01 SSHJUMPSRV05 sshd[1236]: Disconnected from invalid user Marobod 
192.168.2.14 port 38700 [preauth] May 9 11:24:01 SSHJUMPSRV05 sshd[1238]: Received disconnect from 192.168.2.14 port 38716:11: Bye Bye [preauth] May 9 11:24:01 SSHJUMPSRV05 sshd[1238]: Disconnected from invalid user Marobod 192.168.2.14 port 38716 [preauth] May 9 11:24:01 SSHJUMPSRV05 sshd[1239]: Received disconnect from 192.168.2.14 port 38722:11: Bye Bye [preauth] May 9 11:24:01 SSHJUMPSRV05 sshd[1239]: Disconnected from invalid user bocko202 192.168.2.14 port 38722 [preauth] May 9 11:24:01 SSHJUMPSRV05 sshd[1269]: Invalid user jankrupa from 192.168.2.14 port 38466 May 9 11:24:01 SSHJUMPSRV05 sshd[1269]: pam_unix(sshd:auth): check pass; user unknown May 9 11:24:01 SSHJUMPSRV05 sshd[1269]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.14 May 9 11:24:01 SSHJUMPSRV05 sshd[1232]: Received disconnect from 192.168.2.14 port 38644:11: Bye Bye [preauth] May 9 11:24:01 SSHJUMPSRV05 sshd[1232]: Disconnected from invalid user bocko202 192.168.2.14 port 38644 [preauth] May 9 11:24:01 SSHJUMPSRV05 sshd[1268]: Invalid user jankrupa from 192.168.2.14 port 38462 May 9 11:24:01 SSHJUMPSRV05 sshd[1230]: Received disconnect from 192.168.2.14 port 38636:11: Bye Bye [preauth] May 9 11:24:01 SSHJUMPSRV05 sshd[1230]: Disconnected from invalid user bocko202 192.168.2.14 port 38636 [preauth] May 9 11:24:01 SSHJUMPSRV05 sshd[1268]: pam_unix(sshd:auth): check pass; user unknown May 9 11:24:01 SSHJUMPSRV05 sshd[1268]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.14 May 9 11:24:01 SSHJUMPSRV05 sshd[1273]: Invalid user Katka333 from 192.168.2.14 port 38506 May 9 11:24:01 SSHJUMPSRV05 sshd[1272]: Invalid user jankrupa from 192.168.2.14 port 38502 May 9 11:24:01 SSHJUMPSRV05 sshd[1273]: pam_unix(sshd:auth): check pass; user unknown May 9 11:24:01 SSHJUMPSRV05 sshd[1273]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.14 May 9 11:24:01 
SSHJUMPSRV05 sshd[1272]: pam_unix(sshd:auth): check pass; user unknown May 9 11:24:01 SSHJUMPSRV05 sshd[1272]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.14 May 9 11:24:01 SSHJUMPSRV05 sshd[1278]: Invalid user Katka333 from 192.168.2.14 port 38516 May 9 11:24:01 SSHJUMPSRV05 sshd[1275]: Invalid user Katka333 from 192.168.2.14 port 38508 May 9 11:24:01 SSHJUMPSRV05 sshd[1278]: pam_unix(sshd:auth): check pass; user unknown May 9 11:24:01 SSHJUMPSRV05 sshd[1278]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.14 May 9 11:24:01 SSHJUMPSRV05 sshd[1275]: pam_unix(sshd:auth): check pass; user unknown May 9 11:24:01 SSHJUMPSRV05 sshd[1275]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.14 May 9 11:24:01 SSHJUMPSRV05 sshd[1279]: Invalid user Katka333 from 192.168.2.14 port 38520 May 9 11:24:01 SSHJUMPSRV05 sshd[1279]: pam_unix(sshd:auth): check pass; user unknown May 9 11:24:01 SSHJUMPSRV05 sshd[1279]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.14 May 9 11:24:02 SSHJUMPSRV05 sshd[1254]: Failed password for invalid user tomos from 192.168.2.14 port 38392 ssh2 May 9 11:24:02 SSHJUMPSRV05 sshd[1256]: Failed password for invalid user tomos from 192.168.2.14 port 38396 ssh2 May 9 11:24:02 SSHJUMPSRV05 sshd[1258]: Failed password for invalid user tomos from 192.168.2.14 port 38398 ssh2 May 9 11:24:02 SSHJUMPSRV05 sshd[1260]: Failed password for invalid user total7711 from 192.168.2.14 port 38422 ssh2 May 9 11:24:03 SSHJUMPSRV05 sshd[1262]: Failed password for invalid user total7711 from 192.168.2.14 port 38444 ssh2 May 9 11:24:03 SSHJUMPSRV05 sshd[1261]: Failed password for invalid user total7711 from 192.168.2.14 port 38428 ssh2 May 9 11:24:03 SSHJUMPSRV05 sshd[1266]: Failed password for invalid user total7711 from 192.168.2.14 port 38454 ssh2 May 9 11:24:03 
SSHJUMPSRV05 sshd[1260]: Received disconnect from 192.168.2.14 port 38422:11: Bye Bye [preauth] May 9 11:24:03 SSHJUMPSRV05 sshd[1260]: Disconnected from invalid user total7711 192.168.2.14 port 38422 [preauth] May 9 11:24:03 SSHJUMPSRV05 sshd[1262]: Received disconnect from 192.168.2.14 port 38444:11: Bye Bye [preauth] May 9 11:24:03 SSHJUMPSRV05 sshd[1262]: Disconnected from invalid user total7711 192.168.2.14 port 38444 [preauth] May 9 11:24:03 SSHJUMPSRV05 sshd[1269]: Failed password for invalid user jankrupa from 192.168.2.14 port 38466 ssh2 May 9 11:24:03 SSHJUMPSRV05 sshd[1261]: Received disconnect from 192.168.2.14 port 38428:11: Bye Bye [preauth] May 9 11:24:03 SSHJUMPSRV05 sshd[1261]: Disconnected from invalid user total7711 192.168.2.14 port 38428 [preauth] May 9 11:24:03 SSHJUMPSRV05 sshd[1268]: Failed password for invalid user jankrupa from 192.168.2.14 port 38462 ssh2 May 9 11:24:03 SSHJUMPSRV05 sshd[1284]: Invalid user Katka333 from 192.168.2.14 port 38544 May 9 11:24:03 SSHJUMPSRV05 sshd[1282]: Invalid user Katka333 from 192.168.2.14 port 38536 May 9 11:24:03 SSHJUMPSRV05 sshd[1282]: pam_unix(sshd:auth): check pass; user unknown May 9 11:24:03 SSHJUMPSRV05 sshd[1282]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.14 May 9 11:24:03 SSHJUMPSRV05 sshd[1284]: pam_unix(sshd:auth): check pass; user unknown May 9 11:24:03 SSHJUMPSRV05 sshd[1284]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.14 May 9 11:24:03 SSHJUMPSRV05 sshd[1273]: Failed password for invalid user Katka333 from 192.168.2.14 port 38506 ssh2 May 9 11:24:03 SSHJUMPSRV05 sshd[1272]: Failed password for invalid user jankrupa from 192.168.2.14 port 38502 ssh2 May 9 11:24:03 SSHJUMPSRV05 sshd[1278]: Failed password for invalid user Katka333 from 192.168.2.14 port 38516 ssh2 May 9 11:24:03 SSHJUMPSRV05 sshd[1275]: Failed password for invalid user Katka333 from 192.168.2.14 port 38508 ssh2 May 
9 11:24:03 SSHJUMPSRV05 sshd[1279]: Failed password for invalid user Katka333 from 192.168.2.14 port 38520 ssh2 May 9 11:24:03 SSHJUMPSRV05 sshd[1266]: Received disconnect from 192.168.2.14 port 38454:11: Bye Bye [preauth] May 9 11:24:03 SSHJUMPSRV05 sshd[1266]: Disconnected from invalid user total7711 192.168.2.14 port 38454 [preauth] May 9 11:24:03 SSHJUMPSRV05 sshd[1286]: Invalid user krakonos from 192.168.2.14 port 38562 May 9 11:24:03 SSHJUMPSRV05 sshd[1286]: pam_unix(sshd:auth): check pass; user unknown May 9 11:24:03 SSHJUMPSRV05 sshd[1286]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.14 May 9 11:24:04 SSHJUMPSRV05 sshd[1288]: Invalid user krakonos from 192.168.2.14 port 38572 May 9 11:24:04 SSHJUMPSRV05 sshd[1288]: pam_unix(sshd:auth): check pass; user unknown May 9 11:24:04 SSHJUMPSRV05 sshd[1288]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.14 May 9 11:24:04 SSHJUMPSRV05 sshd[1254]: Received disconnect from 192.168.2.14 port 38392:11: Bye Bye [preauth] May 9 11:24:04 SSHJUMPSRV05 sshd[1254]: Disconnected from invalid user tomos 192.168.2.14 port 38392 [preauth] May 9 11:24:04 SSHJUMPSRV05 sshd[1256]: Received disconnect from 192.168.2.14 port 38396:11: Bye Bye [preauth] May 9 11:24:04 SSHJUMPSRV05 sshd[1256]: Disconnected from invalid user tomos 192.168.2.14 port 38396 [preauth] May 9 11:24:04 SSHJUMPSRV05 sshd[1290]: Invalid user krakonos from 192.168.2.14 port 38582 May 9 11:24:04 SSHJUMPSRV05 sshd[1290]: pam_unix(sshd:auth): check pass; user unknown May 9 11:24:04 SSHJUMPSRV05 sshd[1290]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.14 May 9 11:24:04 SSHJUMPSRV05 sshd[1258]: Received disconnect from 192.168.2.14 port 38398:11: Bye Bye [preauth] May 9 11:24:04 SSHJUMPSRV05 sshd[1258]: Disconnected from invalid user tomos 192.168.2.14 port 38398 [preauth] May 9 11:24:04 SSHJUMPSRV05 sshd[1292]: 
Invalid user krakonos from 192.168.2.14 port 38596 May 9 11:24:04 SSHJUMPSRV05 sshd[1292]: pam_unix(sshd:auth): check pass; user unknown May 9 11:24:04 SSHJUMPSRV05 sshd[1292]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.14 May 9 11:24:04 SSHJUMPSRV05 sshd[1275]: Received disconnect from 192.168.2.14 port 38508:11: Bye Bye [preauth] May 9 11:24:04 SSHJUMPSRV05 sshd[1275]: Disconnected from invalid user Katka333 192.168.2.14 port 38508 [preauth] May 9 11:24:04 SSHJUMPSRV05 sshd[1279]: Received disconnect from 192.168.2.14 port 38520:11: Bye Bye [preauth] May 9 11:24:04 SSHJUMPSRV05 sshd[1279]: Disconnected from invalid user Katka333 192.168.2.14 port 38520 [preauth] May 9 11:24:04 SSHJUMPSRV05 sshd[1278]: Received disconnect from 192.168.2.14 port 38516:11: Bye Bye [preauth] May 9 11:24:04 SSHJUMPSRV05 sshd[1278]: Disconnected from invalid user Katka333 192.168.2.14 port 38516 [preauth] May 9 11:24:04 SSHJUMPSRV05 sshd[1273]: Received disconnect from 192.168.2.14 port 38506:11: Bye Bye [preauth] May 9 11:24:04 SSHJUMPSRV05 sshd[1273]: Disconnected from invalid user Katka333 192.168.2.14 port 38506 [preauth] May 9 11:24:05 SSHJUMPSRV05 sshd[1294]: Invalid user Kochii from 192.168.2.14 port 38626 May 9 11:24:05 SSHJUMPSRV05 sshd[1295]: Invalid user Kochii from 192.168.2.14 port 38642 May 9 11:24:05 SSHJUMPSRV05 sshd[1295]: pam_unix(sshd:auth): check pass; user unknown May 9 11:24:05 SSHJUMPSRV05 sshd[1295]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.14 May 9 11:24:05 SSHJUMPSRV05 sshd[1294]: pam_unix(sshd:auth): check pass; user unknown May 9 11:24:05 SSHJUMPSRV05 sshd[1294]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.14 May 9 11:24:05 SSHJUMPSRV05 sshd[1269]: Connection closed by invalid user jankrupa 192.168.2.14 port 38466 [preauth] May 9 11:24:05 SSHJUMPSRV05 sshd[1268]: Connection closed by invalid 
user jankrupa 192.168.2.14 port 38462 [preauth] May 9 11:24:05 SSHJUMPSRV05 sshd[1272]: Connection closed by invalid user jankrupa 192.168.2.14 port 38502 [preauth] May 9 11:24:05 SSHJUMPSRV05 sshd[1288]: Failed password for invalid user krakonos from 192.168.2.14 port 38572 ssh2 May 9 11:24:06 SSHJUMPSRV05 sshd[1288]: Connection closed by invalid user krakonos 192.168.2.14 port 38572 [preauth] May 9 11:24:06 SSHJUMPSRV05 sshd[1284]: Failed password for invalid user Katka333 from 192.168.2.14 port 38544 ssh2 May 9 11:24:06 SSHJUMPSRV05 sshd[1282]: Failed password for invalid user Katka333 from 192.168.2.14 port 38536 ssh2 May 9 11:24:06 SSHJUMPSRV05 sshd[1290]: Failed password for invalid user krakonos from 192.168.2.14 port 38582 ssh2 May 9 11:24:06 SSHJUMPSRV05 sshd[1286]: Failed password for invalid user krakonos from 192.168.2.14 port 38562 ssh2 May 9 11:24:06 SSHJUMPSRV05 sshd[1292]: Failed password for invalid user krakonos from 192.168.2.14 port 38596 ssh2 May 9 11:24:06 SSHJUMPSRV05 sshd[1290]: Connection closed by invalid user krakonos 192.168.2.14 port 38582 [preauth] May 9 11:24:06 SSHJUMPSRV05 sshd[1292]: Connection closed by invalid user krakonos 192.168.2.14 port 38596 [preauth] May 9 11:24:06 SSHJUMPSRV05 sshd[1282]: Connection closed by invalid user Katka333 192.168.2.14 port 38536 [preauth] May 9 11:24:06 SSHJUMPSRV05 sshd[1284]: Connection closed by invalid user Katka333 192.168.2.14 port 38544 [preauth] May 9 11:24:06 SSHJUMPSRV05 sshd[1295]: Failed password for invalid user Kochii from 192.168.2.14 port 38642 ssh2 May 9 11:24:06 SSHJUMPSRV05 sshd[1294]: Failed password for invalid user Kochii from 192.168.2.14 port 38626 ssh2 May 9 11:24:07 SSHJUMPSRV05 sshd[1286]: Connection closed by invalid user krakonos 192.168.2.14 port 38562 [preauth] May 9 11:24:08 SSHJUMPSRV05 sshd[1295]: Connection closed by invalid user Kochii 192.168.2.14 port 38642 [preauth] May 9 11:24:08 SSHJUMPSRV05 sshd[1294]: Connection closed by invalid user Kochii 192.168.2.14 
port 38626 [preauth] May 9 11:27:10 SSHJUMPSRV05 sshd[687]: exited MaxStartups throttling after 00:03:14, 18 connections dropped May 9 11:27:10 SSHJUMPSRV05 sshd[1302]: Invalid user PiQvola from 192.168.2.15 port 59742 May 9 11:27:10 SSHJUMPSRV05 sshd[1302]: Received disconnect from 192.168.2.15 port 59742:11: Bye Bye [preauth] May 9 11:27:10 SSHJUMPSRV05 sshd[1302]: Disconnected from invalid user PiQvola 192.168.2.15 port 59742 [preauth] May 9 11:27:10 SSHJUMPSRV05 sshd[687]: error: beginning MaxStartups throttling May 9 11:27:10 SSHJUMPSRV05 sshd[687]: drop connection #11 from [192.168.2.15]:59870 on [192.168.2.13]:22 past MaxStartups May 9 11:27:11 SSHJUMPSRV05 sshd[1304]: Invalid user PiQvola from 192.168.2.15 port 59756 May 9 11:27:11 SSHJUMPSRV05 sshd[1308]: Invalid user Fjody from 192.168.2.15 port 59804 May 9 11:27:11 SSHJUMPSRV05 sshd[1304]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:11 SSHJUMPSRV05 sshd[1304]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:11 SSHJUMPSRV05 sshd[1308]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:11 SSHJUMPSRV05 sshd[1308]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:11 SSHJUMPSRV05 sshd[1313]: Invalid user Fjody from 192.168.2.15 port 59848 May 9 11:27:11 SSHJUMPSRV05 sshd[1307]: Invalid user PiQvola from 192.168.2.15 port 59778 May 9 11:27:11 SSHJUMPSRV05 sshd[1309]: Invalid user PiQvola from 192.168.2.15 port 59790 May 9 11:27:11 SSHJUMPSRV05 sshd[1313]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:11 SSHJUMPSRV05 sshd[1313]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:11 SSHJUMPSRV05 sshd[1306]: Invalid user Fjody from 192.168.2.15 port 59762 May 9 11:27:11 SSHJUMPSRV05 sshd[1305]: Invalid user PiQvola from 192.168.2.15 port 59758 May 9 11:27:11 SSHJUMPSRV05 sshd[1312]: Invalid 
user Phobos from 192.168.2.15 port 59834 May 9 11:27:11 SSHJUMPSRV05 sshd[1306]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:11 SSHJUMPSRV05 sshd[1305]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:11 SSHJUMPSRV05 sshd[1305]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:11 SSHJUMPSRV05 sshd[1306]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:11 SSHJUMPSRV05 sshd[1312]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:11 SSHJUMPSRV05 sshd[1312]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:11 SSHJUMPSRV05 sshd[1309]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:11 SSHJUMPSRV05 sshd[1309]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:11 SSHJUMPSRV05 sshd[1307]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:11 SSHJUMPSRV05 sshd[1307]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:11 SSHJUMPSRV05 sshd[1314]: Invalid user kyyyblik from 192.168.2.15 port 59862 May 9 11:27:11 SSHJUMPSRV05 sshd[1310]: Invalid user Phobos from 192.168.2.15 port 59812 May 9 11:27:11 SSHJUMPSRV05 sshd[1314]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:11 SSHJUMPSRV05 sshd[1314]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:11 SSHJUMPSRV05 sshd[1318]: Invalid user Fjody from 192.168.2.15 port 59910 May 9 11:27:11 SSHJUMPSRV05 sshd[1317]: Invalid user Phobos from 192.168.2.15 port 59900 May 9 11:27:11 SSHJUMPSRV05 sshd[1316]: Invalid user kyyyblik from 192.168.2.15 port 59878 May 9 11:27:11 SSHJUMPSRV05 sshd[1311]: Invalid user Phobos from 192.168.2.15 port 59826 May 9 11:27:11 SSHJUMPSRV05 sshd[1316]: 
pam_unix(sshd:auth): check pass; user unknown May 9 11:27:11 SSHJUMPSRV05 sshd[1316]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:11 SSHJUMPSRV05 sshd[1310]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:11 SSHJUMPSRV05 sshd[1310]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:11 SSHJUMPSRV05 sshd[1318]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:11 SSHJUMPSRV05 sshd[1318]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:11 SSHJUMPSRV05 sshd[1317]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:11 SSHJUMPSRV05 sshd[1317]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:11 SSHJUMPSRV05 sshd[1311]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:11 SSHJUMPSRV05 sshd[1311]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:12 SSHJUMPSRV05 sshd[1304]: Failed password for invalid user PiQvola from 192.168.2.15 port 59756 ssh2 May 9 11:27:12 SSHJUMPSRV05 sshd[1308]: Failed password for invalid user Fjody from 192.168.2.15 port 59804 ssh2 May 9 11:27:12 SSHJUMPSRV05 sshd[1304]: Received disconnect from 192.168.2.15 port 59756:11: Bye Bye [preauth] May 9 11:27:12 SSHJUMPSRV05 sshd[1304]: Disconnected from invalid user PiQvola 192.168.2.15 port 59756 [preauth] May 9 11:27:13 SSHJUMPSRV05 sshd[1313]: Failed password for invalid user Fjody from 192.168.2.15 port 59848 ssh2 May 9 11:27:13 SSHJUMPSRV05 sshd[1308]: Received disconnect from 192.168.2.15 port 59804:11: Bye Bye [preauth] May 9 11:27:13 SSHJUMPSRV05 sshd[1308]: Disconnected from invalid user Fjody 192.168.2.15 port 59804 [preauth] May 9 11:27:13 SSHJUMPSRV05 sshd[1306]: Failed password for invalid user Fjody from 192.168.2.15 port 59762 ssh2 May 
9 11:27:13 SSHJUMPSRV05 sshd[1305]: Failed password for invalid user PiQvola from 192.168.2.15 port 59758 ssh2 May 9 11:27:13 SSHJUMPSRV05 sshd[1312]: Failed password for invalid user Phobos from 192.168.2.15 port 59834 ssh2 May 9 11:27:13 SSHJUMPSRV05 sshd[1309]: Failed password for invalid user PiQvola from 192.168.2.15 port 59790 ssh2 May 9 11:27:13 SSHJUMPSRV05 sshd[1307]: Failed password for invalid user PiQvola from 192.168.2.15 port 59778 ssh2 May 9 11:27:13 SSHJUMPSRV05 sshd[1332]: Invalid user olinek22 from 192.168.2.15 port 59920 May 9 11:27:13 SSHJUMPSRV05 sshd[1314]: Failed password for invalid user kyyyblik from 192.168.2.15 port 59862 ssh2 May 9 11:27:13 SSHJUMPSRV05 sshd[1305]: Received disconnect from 192.168.2.15 port 59758:11: Bye Bye [preauth] May 9 11:27:13 SSHJUMPSRV05 sshd[1305]: Disconnected from invalid user PiQvola 192.168.2.15 port 59758 [preauth] May 9 11:27:13 SSHJUMPSRV05 sshd[1332]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:13 SSHJUMPSRV05 sshd[1332]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:13 SSHJUMPSRV05 sshd[1309]: Received disconnect from 192.168.2.15 port 59790:11: Bye Bye [preauth] May 9 11:27:13 SSHJUMPSRV05 sshd[1309]: Disconnected from invalid user PiQvola 192.168.2.15 port 59790 [preauth] May 9 11:27:13 SSHJUMPSRV05 sshd[1307]: Received disconnect from 192.168.2.15 port 59778:11: Bye Bye [preauth] May 9 11:27:13 SSHJUMPSRV05 sshd[1307]: Disconnected from invalid user PiQvola 192.168.2.15 port 59778 [preauth] May 9 11:27:13 SSHJUMPSRV05 sshd[1316]: Failed password for invalid user kyyyblik from 192.168.2.15 port 59878 ssh2 May 9 11:27:13 SSHJUMPSRV05 sshd[1310]: Failed password for invalid user Phobos from 192.168.2.15 port 59812 ssh2 May 9 11:27:13 SSHJUMPSRV05 sshd[1318]: Failed password for invalid user Fjody from 192.168.2.15 port 59910 ssh2 May 9 11:27:13 SSHJUMPSRV05 sshd[1313]: Received disconnect from 192.168.2.15 port 59848:11: 
Bye Bye [preauth] May 9 11:27:13 SSHJUMPSRV05 sshd[1313]: Disconnected from invalid user Fjody 192.168.2.15 port 59848 [preauth] May 9 11:27:13 SSHJUMPSRV05 sshd[1311]: Failed password for invalid user Phobos from 192.168.2.15 port 59826 ssh2 May 9 11:27:13 SSHJUMPSRV05 sshd[1317]: Failed password for invalid user Phobos from 192.168.2.15 port 59900 ssh2 May 9 11:27:13 SSHJUMPSRV05 sshd[1306]: Received disconnect from 192.168.2.15 port 59762:11: Bye Bye [preauth] May 9 11:27:13 SSHJUMPSRV05 sshd[1306]: Disconnected from invalid user Fjody 192.168.2.15 port 59762 [preauth] May 9 11:27:13 SSHJUMPSRV05 sshd[1314]: Received disconnect from 192.168.2.15 port 59862:11: Bye Bye [preauth] May 9 11:27:13 SSHJUMPSRV05 sshd[1314]: Disconnected from invalid user kyyyblik 192.168.2.15 port 59862 [preauth] May 9 11:27:13 SSHJUMPSRV05 sshd[1316]: Received disconnect from 192.168.2.15 port 59878:11: Bye Bye [preauth] May 9 11:27:13 SSHJUMPSRV05 sshd[1316]: Disconnected from invalid user kyyyblik 192.168.2.15 port 59878 [preauth] May 9 11:27:13 SSHJUMPSRV05 sshd[1318]: Received disconnect from 192.168.2.15 port 59910:11: Bye Bye [preauth] May 9 11:27:13 SSHJUMPSRV05 sshd[1318]: Disconnected from invalid user Fjody 192.168.2.15 port 59910 [preauth] May 9 11:27:13 SSHJUMPSRV05 sshd[1334]: Invalid user olinek22 from 192.168.2.15 port 59932 May 9 11:27:13 SSHJUMPSRV05 sshd[1334]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:13 SSHJUMPSRV05 sshd[1334]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:13 SSHJUMPSRV05 sshd[1336]: Invalid user olinek22 from 192.168.2.15 port 59946 May 9 11:27:13 SSHJUMPSRV05 sshd[1337]: Invalid user olinek22 from 192.168.2.15 port 59954 May 9 11:27:13 SSHJUMPSRV05 sshd[1337]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:13 SSHJUMPSRV05 sshd[1337]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:13 
SSHJUMPSRV05 sshd[1336]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:13 SSHJUMPSRV05 sshd[1336]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:13 SSHJUMPSRV05 sshd[1338]: Invalid user _miker_ from 192.168.2.15 port 59974 May 9 11:27:13 SSHJUMPSRV05 sshd[1338]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:13 SSHJUMPSRV05 sshd[1338]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:13 SSHJUMPSRV05 sshd[1342]: Invalid user Krabak from 192.168.2.15 port 59998 May 9 11:27:13 SSHJUMPSRV05 sshd[1340]: Invalid user _miker_ from 192.168.2.15 port 59988 May 9 11:27:13 SSHJUMPSRV05 sshd[1342]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:13 SSHJUMPSRV05 sshd[1340]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:13 SSHJUMPSRV05 sshd[1340]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:13 SSHJUMPSRV05 sshd[1342]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:13 SSHJUMPSRV05 sshd[1345]: Invalid user Krabak from 192.168.2.15 port 60020 May 9 11:27:13 SSHJUMPSRV05 sshd[1346]: Invalid user Krabak from 192.168.2.15 port 60026 May 9 11:27:13 SSHJUMPSRV05 sshd[1345]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:13 SSHJUMPSRV05 sshd[1345]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:13 SSHJUMPSRV05 sshd[1346]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:13 SSHJUMPSRV05 sshd[1346]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:13 SSHJUMPSRV05 sshd[1343]: Invalid user Krabak from 192.168.2.15 port 60004 May 9 11:27:13 SSHJUMPSRV05 sshd[1343]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:13 SSHJUMPSRV05 
sshd[1343]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:13 SSHJUMPSRV05 sshd[1312]: Received disconnect from 192.168.2.15 port 59834:11: Bye Bye [preauth] May 9 11:27:13 SSHJUMPSRV05 sshd[1312]: Disconnected from invalid user Phobos 192.168.2.15 port 59834 [preauth] May 9 11:27:14 SSHJUMPSRV05 sshd[1310]: Received disconnect from 192.168.2.15 port 59812:11: Bye Bye [preauth] May 9 11:27:14 SSHJUMPSRV05 sshd[1310]: Disconnected from invalid user Phobos 192.168.2.15 port 59812 [preauth] May 9 11:27:14 SSHJUMPSRV05 sshd[1317]: Received disconnect from 192.168.2.15 port 59900:11: Bye Bye [preauth] May 9 11:27:14 SSHJUMPSRV05 sshd[1317]: Disconnected from invalid user Phobos 192.168.2.15 port 59900 [preauth] May 9 11:27:14 SSHJUMPSRV05 sshd[1311]: Received disconnect from 192.168.2.15 port 59826:11: Bye Bye [preauth] May 9 11:27:14 SSHJUMPSRV05 sshd[1311]: Disconnected from invalid user Phobos 192.168.2.15 port 59826 [preauth] May 9 11:27:14 SSHJUMPSRV05 sshd[1352]: Invalid user Krabak from 192.168.2.15 port 60032 May 9 11:27:14 SSHJUMPSRV05 sshd[1352]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:14 SSHJUMPSRV05 sshd[1352]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:14 SSHJUMPSRV05 sshd[1355]: Invalid user janco1987 from 192.168.2.15 port 60058 May 9 11:27:14 SSHJUMPSRV05 sshd[1354]: Invalid user janco1987 from 192.168.2.15 port 60046 May 9 11:27:14 SSHJUMPSRV05 sshd[1355]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:14 SSHJUMPSRV05 sshd[1355]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:14 SSHJUMPSRV05 sshd[1354]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:14 SSHJUMPSRV05 sshd[1354]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:14 SSHJUMPSRV05 sshd[1357]: 
Invalid user janco1987 from 192.168.2.15 port 60066 May 9 11:27:14 SSHJUMPSRV05 sshd[1357]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:14 SSHJUMPSRV05 sshd[1357]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:14 SSHJUMPSRV05 sshd[1332]: Failed password for invalid user olinek22 from 192.168.2.15 port 59920 ssh2 May 9 11:27:14 SSHJUMPSRV05 sshd[1334]: Failed password for invalid user olinek22 from 192.168.2.15 port 59932 ssh2 May 9 11:27:15 SSHJUMPSRV05 sshd[1337]: Failed password for invalid user olinek22 from 192.168.2.15 port 59954 ssh2 May 9 11:27:15 SSHJUMPSRV05 sshd[1336]: Failed password for invalid user olinek22 from 192.168.2.15 port 59946 ssh2 May 9 11:27:15 SSHJUMPSRV05 sshd[1338]: Failed password for invalid user _miker_ from 192.168.2.15 port 59974 ssh2 May 9 11:27:15 SSHJUMPSRV05 sshd[1340]: Failed password for invalid user _miker_ from 192.168.2.15 port 59988 ssh2 May 9 11:27:15 SSHJUMPSRV05 sshd[1342]: Failed password for invalid user Krabak from 192.168.2.15 port 59998 ssh2 May 9 11:27:15 SSHJUMPSRV05 sshd[1345]: Failed password for invalid user Krabak from 192.168.2.15 port 60020 ssh2 May 9 11:27:15 SSHJUMPSRV05 sshd[1346]: Failed password for invalid user Krabak from 192.168.2.15 port 60026 ssh2 May 9 11:27:15 SSHJUMPSRV05 sshd[1343]: Failed password for invalid user Krabak from 192.168.2.15 port 60004 ssh2 May 9 11:27:15 SSHJUMPSRV05 sshd[1342]: Received disconnect from 192.168.2.15 port 59998:11: Bye Bye [preauth] May 9 11:27:15 SSHJUMPSRV05 sshd[1342]: Disconnected from invalid user Krabak 192.168.2.15 port 59998 [preauth] May 9 11:27:15 SSHJUMPSRV05 sshd[1345]: Received disconnect from 192.168.2.15 port 60020:11: Bye Bye [preauth] May 9 11:27:15 SSHJUMPSRV05 sshd[1345]: Disconnected from invalid user Krabak 192.168.2.15 port 60020 [preauth] May 9 11:27:15 SSHJUMPSRV05 sshd[1346]: Received disconnect from 192.168.2.15 port 60026:11: Bye Bye [preauth] May 9 
11:27:15 SSHJUMPSRV05 sshd[1346]: Disconnected from invalid user Krabak 192.168.2.15 port 60026 [preauth] May 9 11:27:15 SSHJUMPSRV05 sshd[1343]: Received disconnect from 192.168.2.15 port 60004:11: Bye Bye [preauth] May 9 11:27:15 SSHJUMPSRV05 sshd[1343]: Disconnected from invalid user Krabak 192.168.2.15 port 60004 [preauth] May 9 11:27:15 SSHJUMPSRV05 sshd[1360]: Invalid user janco1987 from 192.168.2.15 port 60076 May 9 11:27:15 SSHJUMPSRV05 sshd[1360]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:15 SSHJUMPSRV05 sshd[1360]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:15 SSHJUMPSRV05 sshd[1362]: Invalid user besters from 192.168.2.15 port 60096 May 9 11:27:15 SSHJUMPSRV05 sshd[1362]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:15 SSHJUMPSRV05 sshd[1362]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:15 SSHJUMPSRV05 sshd[1364]: Invalid user besters from 192.168.2.15 port 60114 May 9 11:27:15 SSHJUMPSRV05 sshd[1364]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:15 SSHJUMPSRV05 sshd[1364]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:15 SSHJUMPSRV05 sshd[1363]: Invalid user besters from 192.168.2.15 port 60100 May 9 11:27:15 SSHJUMPSRV05 sshd[1363]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:15 SSHJUMPSRV05 sshd[1363]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:15 SSHJUMPSRV05 sshd[1338]: Received disconnect from 192.168.2.15 port 59974:11: Bye Bye [preauth] May 9 11:27:15 SSHJUMPSRV05 sshd[1338]: Disconnected from invalid user _miker_ 192.168.2.15 port 59974 [preauth] May 9 11:27:15 SSHJUMPSRV05 sshd[1340]: Received disconnect from 192.168.2.15 port 59988:11: Bye Bye [preauth] May 9 11:27:15 SSHJUMPSRV05 sshd[1340]: Disconnected from invalid 
user _miker_ 192.168.2.15 port 59988 [preauth] May 9 11:27:15 SSHJUMPSRV05 sshd[1368]: Invalid user besters from 192.168.2.15 port 60122 May 9 11:27:15 SSHJUMPSRV05 sshd[1368]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:15 SSHJUMPSRV05 sshd[1368]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:15 SSHJUMPSRV05 sshd[1369]: Invalid user besters from 192.168.2.15 port 60132 May 9 11:27:15 SSHJUMPSRV05 sshd[1369]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:15 SSHJUMPSRV05 sshd[1369]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:16 SSHJUMPSRV05 sshd[1332]: Received disconnect from 192.168.2.15 port 59920:11: Bye Bye [preauth] May 9 11:27:16 SSHJUMPSRV05 sshd[1332]: Disconnected from invalid user olinek22 192.168.2.15 port 59920 [preauth] May 9 11:27:16 SSHJUMPSRV05 sshd[1334]: Received disconnect from 192.168.2.15 port 59932:11: Bye Bye [preauth] May 9 11:27:16 SSHJUMPSRV05 sshd[1334]: Disconnected from invalid user olinek22 192.168.2.15 port 59932 [preauth] May 9 11:27:16 SSHJUMPSRV05 sshd[1337]: Received disconnect from 192.168.2.15 port 59954:11: Bye Bye [preauth] May 9 11:27:16 SSHJUMPSRV05 sshd[1337]: Disconnected from invalid user olinek22 192.168.2.15 port 59954 [preauth] May 9 11:27:16 SSHJUMPSRV05 sshd[1336]: Received disconnect from 192.168.2.15 port 59946:11: Bye Bye [preauth] May 9 11:27:16 SSHJUMPSRV05 sshd[1336]: Disconnected from invalid user olinek22 192.168.2.15 port 59946 [preauth] May 9 11:27:16 SSHJUMPSRV05 sshd[1373]: Invalid user travor567 from 192.168.2.15 port 60166 May 9 11:27:16 SSHJUMPSRV05 sshd[1373]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:16 SSHJUMPSRV05 sshd[1373]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:16 SSHJUMPSRV05 sshd[1372]: Invalid user travor567 from 192.168.2.15 port 60154 May 9 
11:27:16 SSHJUMPSRV05 sshd[1372]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:16 SSHJUMPSRV05 sshd[1372]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:16 SSHJUMPSRV05 sshd[1376]: Invalid user travor567 from 192.168.2.15 port 60170 May 9 11:27:16 SSHJUMPSRV05 sshd[1376]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:16 SSHJUMPSRV05 sshd[1376]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:16 SSHJUMPSRV05 sshd[1352]: Failed password for invalid user Krabak from 192.168.2.15 port 60032 ssh2 May 9 11:27:16 SSHJUMPSRV05 sshd[1377]: Invalid user travor567 from 192.168.2.15 port 60178 May 9 11:27:16 SSHJUMPSRV05 sshd[1377]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:16 SSHJUMPSRV05 sshd[1377]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:16 SSHJUMPSRV05 sshd[1355]: Failed password for invalid user janco1987 from 192.168.2.15 port 60058 ssh2 May 9 11:27:16 SSHJUMPSRV05 sshd[1354]: Failed password for invalid user janco1987 from 192.168.2.15 port 60046 ssh2 May 9 11:27:16 SSHJUMPSRV05 sshd[1357]: Failed password for invalid user janco1987 from 192.168.2.15 port 60066 ssh2 May 9 11:27:17 SSHJUMPSRV05 sshd[1360]: Failed password for invalid user janco1987 from 192.168.2.15 port 60076 ssh2 May 9 11:27:17 SSHJUMPSRV05 sshd[1362]: Failed password for invalid user besters from 192.168.2.15 port 60096 ssh2 May 9 11:27:17 SSHJUMPSRV05 sshd[1364]: Failed password for invalid user besters from 192.168.2.15 port 60114 ssh2 May 9 11:27:17 SSHJUMPSRV05 sshd[1363]: Failed password for invalid user besters from 192.168.2.15 port 60100 ssh2 May 9 11:27:18 SSHJUMPSRV05 sshd[1352]: Received disconnect from 192.168.2.15 port 60032:11: Bye Bye [preauth] May 9 11:27:18 SSHJUMPSRV05 sshd[1352]: Disconnected from invalid user Krabak 192.168.2.15 port 60032 
[preauth] May 9 11:27:18 SSHJUMPSRV05 sshd[1368]: Failed password for invalid user besters from 192.168.2.15 port 60122 ssh2 May 9 11:27:18 SSHJUMPSRV05 sshd[1369]: Failed password for invalid user besters from 192.168.2.15 port 60132 ssh2 May 9 11:27:18 SSHJUMPSRV05 sshd[1380]: Invalid user kyyyblik from 192.168.2.15 port 60192 May 9 11:27:18 SSHJUMPSRV05 sshd[1380]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:18 SSHJUMPSRV05 sshd[1380]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:18 SSHJUMPSRV05 sshd[1373]: Failed password for invalid user travor567 from 192.168.2.15 port 60166 ssh2 May 9 11:27:18 SSHJUMPSRV05 sshd[1372]: Failed password for invalid user travor567 from 192.168.2.15 port 60154 ssh2 May 9 11:27:18 SSHJUMPSRV05 sshd[1376]: Failed password for invalid user travor567 from 192.168.2.15 port 60170 ssh2 May 9 11:27:18 SSHJUMPSRV05 sshd[1377]: Failed password for invalid user travor567 from 192.168.2.15 port 60178 ssh2 May 9 11:27:18 SSHJUMPSRV05 sshd[1355]: Received disconnect from 192.168.2.15 port 60058:11: Bye Bye [preauth] May 9 11:27:18 SSHJUMPSRV05 sshd[1355]: Disconnected from invalid user janco1987 192.168.2.15 port 60058 [preauth] May 9 11:27:18 SSHJUMPSRV05 sshd[1354]: Connection closed by invalid user janco1987 192.168.2.15 port 60046 [preauth] May 9 11:27:18 SSHJUMPSRV05 sshd[1357]: Connection closed by invalid user janco1987 192.168.2.15 port 60066 [preauth] May 9 11:27:18 SSHJUMPSRV05 sshd[1382]: Invalid user kyyyblik from 192.168.2.15 port 60204 May 9 11:27:18 SSHJUMPSRV05 sshd[1382]: pam_unix(sshd:auth): check pass; user unknown May 9 11:27:18 SSHJUMPSRV05 sshd[1382]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.15 May 9 11:27:18 SSHJUMPSRV05 sshd[1373]: Connection closed by invalid user travor567 192.168.2.15 port 60166 [preauth] May 9 11:27:18 SSHJUMPSRV05 sshd[1372]: Connection closed by invalid user 
travor567 192.168.2.15 port 60154 [preauth] May 9 11:27:18 SSHJUMPSRV05 sshd[1376]: Connection closed by invalid user travor567 192.168.2.15 port 60170 [preauth] May 9 11:27:18 SSHJUMPSRV05 sshd[1377]: Connection closed by invalid user travor567 192.168.2.15 port 60178 [preauth] May 9 11:27:19 SSHJUMPSRV05 sshd[1362]: Connection closed by invalid user besters 192.168.2.15 port 60096 [preauth] May 9 11:27:19 SSHJUMPSRV05 sshd[1364]: Connection closed by invalid user besters 192.168.2.15 port 60114 [preauth] May 9 11:27:19 SSHJUMPSRV05 sshd[1363]: Connection closed by invalid user besters 192.168.2.15 port 60100 [preauth] May 9 11:27:19 SSHJUMPSRV05 sshd[1368]: Connection closed by invalid user besters 192.168.2.15 port 60122 [preauth] May 9 11:27:19 SSHJUMPSRV05 sshd[1369]: Connection closed by invalid user besters 192.168.2.15 port 60132 [preauth] May 9 11:27:19 SSHJUMPSRV05 sshd[1360]: Connection closed by invalid user janco1987 192.168.2.15 port 60076 [preauth] May 9 11:27:19 SSHJUMPSRV05 sshd[1380]: Failed password for invalid user kyyyblik from 192.168.2.15 port 60192 ssh2 May 9 11:27:20 SSHJUMPSRV05 sshd[1380]: Connection closed by invalid user kyyyblik 192.168.2.15 port 60192 [preauth] May 9 11:27:20 SSHJUMPSRV05 sshd[1382]: Failed password for invalid user kyyyblik from 192.168.2.15 port 60204 ssh2 May 9 11:27:20 SSHJUMPSRV05 sshd[1382]: Connection closed by invalid user kyyyblik 192.168.2.15 port 60204 [preauth] May 9 11:30:36 SSHJUMPSRV05 sshd[687]: exited MaxStartups throttling after 00:03:25, 9 connections dropped May 9 11:30:36 SSHJUMPSRV05 sshd[1388]: Invalid user Vlad22 from 192.168.2.16 port 60530 May 9 11:30:36 SSHJUMPSRV05 sshd[1388]: Received disconnect from 192.168.2.16 port 60530:11: Bye Bye [preauth] May 9 11:30:36 SSHJUMPSRV05 sshd[1388]: Disconnected from invalid user Vlad22 192.168.2.16 port 60530 [preauth] May 9 11:30:37 SSHJUMPSRV05 sshd[687]: error: beginning MaxStartups throttling May 9 11:30:37 SSHJUMPSRV05 sshd[687]: drop connection 
#12 from [192.168.2.16]:60662 on [192.168.2.13]:22 past MaxStartups May 9 11:30:37 SSHJUMPSRV05 sshd[1393]: Invalid user juras99 from 192.168.2.16 port 60564 May 9 11:30:37 SSHJUMPSRV05 sshd[1397]: Invalid user brosis from 192.168.2.16 port 60588 May 9 11:30:37 SSHJUMPSRV05 sshd[1391]: Invalid user Vlad22 from 192.168.2.16 port 60542 May 9 11:30:37 SSHJUMPSRV05 sshd[1396]: Invalid user brosis from 192.168.2.16 port 60582 May 9 11:30:37 SSHJUMPSRV05 sshd[1395]: Invalid user juras99 from 192.168.2.16 port 60576 May 9 11:30:37 SSHJUMPSRV05 sshd[1397]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:37 SSHJUMPSRV05 sshd[1397]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:37 SSHJUMPSRV05 sshd[1396]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:37 SSHJUMPSRV05 sshd[1396]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:37 SSHJUMPSRV05 sshd[1395]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:37 SSHJUMPSRV05 sshd[1395]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:37 SSHJUMPSRV05 sshd[1391]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:37 SSHJUMPSRV05 sshd[1391]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:37 SSHJUMPSRV05 sshd[1399]: Invalid user brosis from 192.168.2.16 port 60620 May 9 11:30:37 SSHJUMPSRV05 sshd[1393]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:37 SSHJUMPSRV05 sshd[1393]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:37 SSHJUMPSRV05 sshd[1398]: Invalid user juras99 from 192.168.2.16 port 60604 May 9 11:30:37 SSHJUMPSRV05 sshd[1400]: Invalid user papak79 from 192.168.2.16 port 60636 May 9 11:30:37 SSHJUMPSRV05 sshd[1401]: Invalid user papak79 from 192.168.2.16 
port 60646 May 9 11:30:37 SSHJUMPSRV05 sshd[1402]: Invalid user brosis from 192.168.2.16 port 60664 May 9 11:30:37 SSHJUMPSRV05 sshd[1399]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:37 SSHJUMPSRV05 sshd[1399]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:37 SSHJUMPSRV05 sshd[1394]: Invalid user Vlad22 from 192.168.2.16 port 60572 May 9 11:30:37 SSHJUMPSRV05 sshd[1398]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:37 SSHJUMPSRV05 sshd[1398]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:37 SSHJUMPSRV05 sshd[1401]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:37 SSHJUMPSRV05 sshd[1401]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:37 SSHJUMPSRV05 sshd[1394]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:37 SSHJUMPSRV05 sshd[1394]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:37 SSHJUMPSRV05 sshd[1402]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:37 SSHJUMPSRV05 sshd[1402]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:37 SSHJUMPSRV05 sshd[1390]: Invalid user Vlad22 from 192.168.2.16 port 60534 May 9 11:30:37 SSHJUMPSRV05 sshd[1392]: Invalid user juras99 from 192.168.2.16 port 60550 May 9 11:30:37 SSHJUMPSRV05 sshd[1400]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:37 SSHJUMPSRV05 sshd[1400]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:37 SSHJUMPSRV05 sshd[1392]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:37 SSHJUMPSRV05 sshd[1392]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:37 SSHJUMPSRV05 sshd[1390]: 
pam_unix(sshd:auth): check pass; user unknown May 9 11:30:37 SSHJUMPSRV05 sshd[1390]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:37 SSHJUMPSRV05 sshd[1403]: Invalid user Vlad22 from 192.168.2.16 port 60684 May 9 11:30:37 SSHJUMPSRV05 sshd[1403]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:37 SSHJUMPSRV05 sshd[1403]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:39 SSHJUMPSRV05 sshd[1397]: Failed password for invalid user brosis from 192.168.2.16 port 60588 ssh2 May 9 11:30:39 SSHJUMPSRV05 sshd[1396]: Failed password for invalid user brosis from 192.168.2.16 port 60582 ssh2 May 9 11:30:39 SSHJUMPSRV05 sshd[1395]: Failed password for invalid user juras99 from 192.168.2.16 port 60576 ssh2 May 9 11:30:39 SSHJUMPSRV05 sshd[1391]: Failed password for invalid user Vlad22 from 192.168.2.16 port 60542 ssh2 May 9 11:30:39 SSHJUMPSRV05 sshd[1393]: Failed password for invalid user juras99 from 192.168.2.16 port 60564 ssh2 May 9 11:30:39 SSHJUMPSRV05 sshd[1398]: Failed password for invalid user juras99 from 192.168.2.16 port 60604 ssh2 May 9 11:30:39 SSHJUMPSRV05 sshd[1399]: Failed password for invalid user brosis from 192.168.2.16 port 60620 ssh2 May 9 11:30:39 SSHJUMPSRV05 sshd[1401]: Failed password for invalid user papak79 from 192.168.2.16 port 60646 ssh2 May 9 11:30:39 SSHJUMPSRV05 sshd[1394]: Failed password for invalid user Vlad22 from 192.168.2.16 port 60572 ssh2 May 9 11:30:39 SSHJUMPSRV05 sshd[1402]: Failed password for invalid user brosis from 192.168.2.16 port 60664 ssh2 May 9 11:30:39 SSHJUMPSRV05 sshd[1400]: Failed password for invalid user papak79 from 192.168.2.16 port 60636 ssh2 May 9 11:30:39 SSHJUMPSRV05 sshd[1392]: Failed password for invalid user juras99 from 192.168.2.16 port 60550 ssh2 May 9 11:30:39 SSHJUMPSRV05 sshd[1390]: Failed password for invalid user Vlad22 from 192.168.2.16 port 60534 ssh2 May 9 
11:30:39 SSHJUMPSRV05 sshd[1403]: Failed password for invalid user Vlad22 from 192.168.2.16 port 60684 ssh2 May 9 11:30:40 SSHJUMPSRV05 sshd[1391]: Received disconnect from 192.168.2.16 port 60542:11: Bye Bye [preauth] May 9 11:30:40 SSHJUMPSRV05 sshd[1391]: Disconnected from invalid user Vlad22 192.168.2.16 port 60542 [preauth] May 9 11:30:40 SSHJUMPSRV05 sshd[1394]: Received disconnect from 192.168.2.16 port 60572:11: Bye Bye [preauth] May 9 11:30:40 SSHJUMPSRV05 sshd[1394]: Disconnected from invalid user Vlad22 192.168.2.16 port 60572 [preauth] May 9 11:30:40 SSHJUMPSRV05 sshd[1403]: Received disconnect from 192.168.2.16 port 60684:11: Bye Bye [preauth] May 9 11:30:40 SSHJUMPSRV05 sshd[1403]: Disconnected from invalid user Vlad22 192.168.2.16 port 60684 [preauth] May 9 11:30:40 SSHJUMPSRV05 sshd[1390]: Received disconnect from 192.168.2.16 port 60534:11: Bye Bye [preauth] May 9 11:30:40 SSHJUMPSRV05 sshd[1390]: Disconnected from invalid user Vlad22 192.168.2.16 port 60534 [preauth] May 9 11:30:40 SSHJUMPSRV05 sshd[1418]: Invalid user hankovan from 192.168.2.16 port 52648 May 9 11:30:40 SSHJUMPSRV05 sshd[1418]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:40 SSHJUMPSRV05 sshd[1418]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:40 SSHJUMPSRV05 sshd[1420]: Invalid user hankovan from 192.168.2.16 port 52656 May 9 11:30:40 SSHJUMPSRV05 sshd[1420]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:40 SSHJUMPSRV05 sshd[1420]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:40 SSHJUMPSRV05 sshd[1397]: Received disconnect from 192.168.2.16 port 60588:11: Bye Bye [preauth] May 9 11:30:40 SSHJUMPSRV05 sshd[1397]: Disconnected from invalid user brosis 192.168.2.16 port 60588 [preauth] May 9 11:30:40 SSHJUMPSRV05 sshd[1421]: Invalid user hankovan from 192.168.2.16 port 52672 May 9 11:30:40 SSHJUMPSRV05 sshd[1396]: Received 
disconnect from 192.168.2.16 port 60582:11: Bye Bye [preauth] May 9 11:30:40 SSHJUMPSRV05 sshd[1396]: Disconnected from invalid user brosis 192.168.2.16 port 60582 [preauth] May 9 11:30:40 SSHJUMPSRV05 sshd[1401]: Received disconnect from 192.168.2.16 port 60646:11: Bye Bye [preauth] May 9 11:30:40 SSHJUMPSRV05 sshd[1401]: Disconnected from invalid user papak79 192.168.2.16 port 60646 [preauth] May 9 11:30:40 SSHJUMPSRV05 sshd[1399]: Received disconnect from 192.168.2.16 port 60620:11: Bye Bye [preauth] May 9 11:30:40 SSHJUMPSRV05 sshd[1399]: Disconnected from invalid user brosis 192.168.2.16 port 60620 [preauth] May 9 11:30:40 SSHJUMPSRV05 sshd[1422]: Invalid user hankovan from 192.168.2.16 port 52676 May 9 11:30:40 SSHJUMPSRV05 sshd[1421]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:40 SSHJUMPSRV05 sshd[1421]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:40 SSHJUMPSRV05 sshd[1400]: Received disconnect from 192.168.2.16 port 60636:11: Bye Bye [preauth] May 9 11:30:40 SSHJUMPSRV05 sshd[1400]: Disconnected from invalid user papak79 192.168.2.16 port 60636 [preauth] May 9 11:30:40 SSHJUMPSRV05 sshd[1402]: Received disconnect from 192.168.2.16 port 60664:11: Bye Bye [preauth] May 9 11:30:40 SSHJUMPSRV05 sshd[1402]: Disconnected from invalid user brosis 192.168.2.16 port 60664 [preauth] May 9 11:30:40 SSHJUMPSRV05 sshd[1422]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:40 SSHJUMPSRV05 sshd[1422]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:40 SSHJUMPSRV05 sshd[1432]: Invalid user sapeli from 192.168.2.16 port 52750 May 9 11:30:40 SSHJUMPSRV05 sshd[1432]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:40 SSHJUMPSRV05 sshd[1432]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:40 SSHJUMPSRV05 sshd[1426]: Invalid user luculiiik from 
192.168.2.16 port 52700 May 9 11:30:40 SSHJUMPSRV05 sshd[1428]: Invalid user sapeli from 192.168.2.16 port 52732 May 9 11:30:40 SSHJUMPSRV05 sshd[1430]: Invalid user sapeli from 192.168.2.16 port 52736 May 9 11:30:40 SSHJUMPSRV05 sshd[1431]: Invalid user sapeli from 192.168.2.16 port 52738 May 9 11:30:40 SSHJUMPSRV05 sshd[1426]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:40 SSHJUMPSRV05 sshd[1426]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:40 SSHJUMPSRV05 sshd[1427]: Invalid user sapeli from 192.168.2.16 port 52716 May 9 11:30:40 SSHJUMPSRV05 sshd[1430]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:40 SSHJUMPSRV05 sshd[1430]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:40 SSHJUMPSRV05 sshd[1428]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:40 SSHJUMPSRV05 sshd[1428]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:40 SSHJUMPSRV05 sshd[1431]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:40 SSHJUMPSRV05 sshd[1431]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:40 SSHJUMPSRV05 sshd[1427]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:40 SSHJUMPSRV05 sshd[1427]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:41 SSHJUMPSRV05 sshd[1393]: Received disconnect from 192.168.2.16 port 60564:11: Bye Bye [preauth] May 9 11:30:41 SSHJUMPSRV05 sshd[1395]: Received disconnect from 192.168.2.16 port 60576:11: Bye Bye [preauth] May 9 11:30:41 SSHJUMPSRV05 sshd[1395]: Disconnected from invalid user juras99 192.168.2.16 port 60576 [preauth] May 9 11:30:41 SSHJUMPSRV05 sshd[1393]: Disconnected from invalid user juras99 192.168.2.16 port 60564 [preauth] May 9 11:30:41 SSHJUMPSRV05 
sshd[1398]: Received disconnect from 192.168.2.16 port 60604:11: Bye Bye [preauth] May 9 11:30:41 SSHJUMPSRV05 sshd[1398]: Disconnected from invalid user juras99 192.168.2.16 port 60604 [preauth] May 9 11:30:41 SSHJUMPSRV05 sshd[1392]: Received disconnect from 192.168.2.16 port 60550:11: Bye Bye [preauth] May 9 11:30:41 SSHJUMPSRV05 sshd[1392]: Disconnected from invalid user juras99 192.168.2.16 port 60550 [preauth] May 9 11:30:41 SSHJUMPSRV05 sshd[1440]: Invalid user sury58 from 192.168.2.16 port 52782 May 9 11:30:41 SSHJUMPSRV05 sshd[1438]: Invalid user sapeli from 192.168.2.16 port 52760 May 9 11:30:41 SSHJUMPSRV05 sshd[1438]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:41 SSHJUMPSRV05 sshd[1438]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:41 SSHJUMPSRV05 sshd[1439]: Invalid user sury58 from 192.168.2.16 port 52766 May 9 11:30:41 SSHJUMPSRV05 sshd[1440]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:41 SSHJUMPSRV05 sshd[1440]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:41 SSHJUMPSRV05 sshd[1439]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:41 SSHJUMPSRV05 sshd[1439]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:41 SSHJUMPSRV05 sshd[1443]: Invalid user sury58 from 192.168.2.16 port 52786 May 9 11:30:41 SSHJUMPSRV05 sshd[1443]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:41 SSHJUMPSRV05 sshd[1443]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:42 SSHJUMPSRV05 sshd[1418]: Failed password for invalid user hankovan from 192.168.2.16 port 52648 ssh2 May 9 11:30:42 SSHJUMPSRV05 sshd[1420]: Failed password for invalid user hankovan from 192.168.2.16 port 52656 ssh2 May 9 11:30:42 SSHJUMPSRV05 sshd[1421]: Failed password for invalid user hankovan 
from 192.168.2.16 port 52672 ssh2 May 9 11:30:42 SSHJUMPSRV05 sshd[1422]: Failed password for invalid user hankovan from 192.168.2.16 port 52676 ssh2 May 9 11:30:42 SSHJUMPSRV05 sshd[1432]: Failed password for invalid user sapeli from 192.168.2.16 port 52750 ssh2 May 9 11:30:42 SSHJUMPSRV05 sshd[1426]: Failed password for invalid user luculiiik from 192.168.2.16 port 52700 ssh2 May 9 11:30:42 SSHJUMPSRV05 sshd[1430]: Failed password for invalid user sapeli from 192.168.2.16 port 52736 ssh2 May 9 11:30:42 SSHJUMPSRV05 sshd[1428]: Failed password for invalid user sapeli from 192.168.2.16 port 52732 ssh2 May 9 11:30:42 SSHJUMPSRV05 sshd[1431]: Failed password for invalid user sapeli from 192.168.2.16 port 52738 ssh2 May 9 11:30:42 SSHJUMPSRV05 sshd[1427]: Failed password for invalid user sapeli from 192.168.2.16 port 52716 ssh2 May 9 11:30:42 SSHJUMPSRV05 sshd[1432]: Received disconnect from 192.168.2.16 port 52750:11: Bye Bye [preauth] May 9 11:30:42 SSHJUMPSRV05 sshd[1432]: Disconnected from invalid user sapeli 192.168.2.16 port 52750 [preauth] May 9 11:30:42 SSHJUMPSRV05 sshd[1430]: Received disconnect from 192.168.2.16 port 52736:11: Bye Bye [preauth] May 9 11:30:42 SSHJUMPSRV05 sshd[1430]: Disconnected from invalid user sapeli 192.168.2.16 port 52736 [preauth] May 9 11:30:42 SSHJUMPSRV05 sshd[1431]: Received disconnect from 192.168.2.16 port 52738:11: Bye Bye [preauth] May 9 11:30:42 SSHJUMPSRV05 sshd[1431]: Disconnected from invalid user sapeli 192.168.2.16 port 52738 [preauth] May 9 11:30:42 SSHJUMPSRV05 sshd[1428]: Received disconnect from 192.168.2.16 port 52732:11: Bye Bye [preauth] May 9 11:30:42 SSHJUMPSRV05 sshd[1428]: Disconnected from invalid user sapeli 192.168.2.16 port 52732 [preauth] May 9 11:30:42 SSHJUMPSRV05 sshd[1427]: Received disconnect from 192.168.2.16 port 52716:11: Bye Bye [preauth] May 9 11:30:42 SSHJUMPSRV05 sshd[1427]: Disconnected from invalid user sapeli 192.168.2.16 port 52716 [preauth] May 9 11:30:42 SSHJUMPSRV05 sshd[1446]: Invalid 
user sury58 from 192.168.2.16 port 52792 May 9 11:30:42 SSHJUMPSRV05 sshd[1448]: Invalid user sury58 from 192.168.2.16 port 52806 May 9 11:30:42 SSHJUMPSRV05 sshd[1446]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:42 SSHJUMPSRV05 sshd[1446]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:42 SSHJUMPSRV05 sshd[1448]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:42 SSHJUMPSRV05 sshd[1448]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:42 SSHJUMPSRV05 sshd[1450]: Invalid user zinomaster from 192.168.2.16 port 52820 May 9 11:30:42 SSHJUMPSRV05 sshd[1450]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:42 SSHJUMPSRV05 sshd[1450]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:42 SSHJUMPSRV05 sshd[1449]: Invalid user zinomaster from 192.168.2.16 port 52810 May 9 11:30:42 SSHJUMPSRV05 sshd[1451]: Invalid user zinomaster from 192.168.2.16 port 52828 May 9 11:30:42 SSHJUMPSRV05 sshd[1449]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:42 SSHJUMPSRV05 sshd[1449]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:42 SSHJUMPSRV05 sshd[1451]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:42 SSHJUMPSRV05 sshd[1451]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:43 SSHJUMPSRV05 sshd[1438]: Failed password for invalid user sapeli from 192.168.2.16 port 52760 ssh2 May 9 11:30:43 SSHJUMPSRV05 sshd[1440]: Failed password for invalid user sury58 from 192.168.2.16 port 52782 ssh2 May 9 11:30:43 SSHJUMPSRV05 sshd[1439]: Failed password for invalid user sury58 from 192.168.2.16 port 52766 ssh2 May 9 11:30:43 SSHJUMPSRV05 sshd[1443]: Failed password for invalid user sury58 from 192.168.2.16 port 52786 ssh2 
May 9 11:30:43 SSHJUMPSRV05 sshd[1438]: Received disconnect from 192.168.2.16 port 52760:11: Bye Bye [preauth] May 9 11:30:43 SSHJUMPSRV05 sshd[1438]: Disconnected from invalid user sapeli 192.168.2.16 port 52760 [preauth] May 9 11:30:43 SSHJUMPSRV05 sshd[1456]: Invalid user zinomaster from 192.168.2.16 port 52838 May 9 11:30:43 SSHJUMPSRV05 sshd[1456]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:43 SSHJUMPSRV05 sshd[1456]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:43 SSHJUMPSRV05 sshd[1418]: Received disconnect from 192.168.2.16 port 52648:11: Bye Bye [preauth] May 9 11:30:43 SSHJUMPSRV05 sshd[1418]: Disconnected from invalid user hankovan 192.168.2.16 port 52648 [preauth] May 9 11:30:43 SSHJUMPSRV05 sshd[1420]: Received disconnect from 192.168.2.16 port 52656:11: Bye Bye [preauth] May 9 11:30:43 SSHJUMPSRV05 sshd[1420]: Disconnected from invalid user hankovan 192.168.2.16 port 52656 [preauth] May 9 11:30:43 SSHJUMPSRV05 sshd[1426]: Received disconnect from 192.168.2.16 port 52700:11: Bye Bye [preauth] May 9 11:30:43 SSHJUMPSRV05 sshd[1426]: Disconnected from invalid user luculiiik 192.168.2.16 port 52700 [preauth] May 9 11:30:43 SSHJUMPSRV05 sshd[1458]: Invalid user mahonitop from 192.168.2.16 port 52844 May 9 11:30:44 SSHJUMPSRV05 sshd[1458]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:44 SSHJUMPSRV05 sshd[1458]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:44 SSHJUMPSRV05 sshd[1421]: Received disconnect from 192.168.2.16 port 52672:11: Bye Bye [preauth] May 9 11:30:44 SSHJUMPSRV05 sshd[1421]: Disconnected from invalid user hankovan 192.168.2.16 port 52672 [preauth] May 9 11:30:44 SSHJUMPSRV05 sshd[1422]: Received disconnect from 192.168.2.16 port 52676:11: Bye Bye [preauth] May 9 11:30:44 SSHJUMPSRV05 sshd[1422]: Disconnected from invalid user hankovan 192.168.2.16 port 52676 [preauth] May 9 
11:30:44 SSHJUMPSRV05 sshd[1460]: Invalid user mahonitop from 192.168.2.16 port 52860 May 9 11:30:44 SSHJUMPSRV05 sshd[1460]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:44 SSHJUMPSRV05 sshd[1460]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:44 SSHJUMPSRV05 sshd[1462]: Invalid user mahonitop from 192.168.2.16 port 52864 May 9 11:30:44 SSHJUMPSRV05 sshd[1462]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:44 SSHJUMPSRV05 sshd[1462]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:44 SSHJUMPSRV05 sshd[1464]: Invalid user mahonitop from 192.168.2.16 port 52866 May 9 11:30:44 SSHJUMPSRV05 sshd[1464]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:44 SSHJUMPSRV05 sshd[1464]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:44 SSHJUMPSRV05 sshd[1466]: Invalid user papak79 from 192.168.2.16 port 52890 May 9 11:30:44 SSHJUMPSRV05 sshd[1466]: pam_unix(sshd:auth): check pass; user unknown May 9 11:30:44 SSHJUMPSRV05 sshd[1466]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.16 May 9 11:30:44 SSHJUMPSRV05 sshd[1446]: Failed password for invalid user sury58 from 192.168.2.16 port 52792 ssh2 May 9 11:30:44 SSHJUMPSRV05 sshd[1449]: Failed password for invalid user zinomaster from 192.168.2.16 port 52810 ssh2 May 9 11:30:44 SSHJUMPSRV05 sshd[1451]: Failed password for invalid user zinomaster from 192.168.2.16 port 52828 ssh2 May 9 11:30:44 SSHJUMPSRV05 sshd[1450]: Failed password for invalid user zinomaster from 192.168.2.16 port 52820 ssh2 May 9 11:30:44 SSHJUMPSRV05 sshd[1448]: Failed password for invalid user sury58 from 192.168.2.16 port 52806 ssh2 May 9 11:30:44 SSHJUMPSRV05 sshd[1450]: Connection closed by invalid user zinomaster 192.168.2.16 port 52820 [preauth] May 9 11:30:44 SSHJUMPSRV05 
sshd[1449]: Connection closed by invalid user zinomaster 192.168.2.16 port 52810 [preauth] May 9 11:30:44 SSHJUMPSRV05 sshd[1451]: Connection closed by invalid user zinomaster 192.168.2.16 port 52828 [preauth] May 9 11:30:44 SSHJUMPSRV05 sshd[1440]: Connection closed by invalid user sury58 192.168.2.16 port 52782 [preauth] May 9 11:30:44 SSHJUMPSRV05 sshd[1439]: Connection closed by invalid user sury58 192.168.2.16 port 52766 [preauth] May 9 11:30:44 SSHJUMPSRV05 sshd[1443]: Connection closed by invalid user sury58 192.168.2.16 port 52786 [preauth] May 9 11:30:45 SSHJUMPSRV05 sshd[1456]: Failed password for invalid user zinomaster from 192.168.2.16 port 52838 ssh2 May 9 11:30:46 SSHJUMPSRV05 sshd[1460]: Failed password for invalid user mahonitop from 192.168.2.16 port 52860 ssh2 May 9 11:30:46 SSHJUMPSRV05 sshd[1462]: Failed password for invalid user mahonitop from 192.168.2.16 port 52864 ssh2 May 9 11:30:46 SSHJUMPSRV05 sshd[1464]: Failed password for invalid user mahonitop from 192.168.2.16 port 52866 ssh2 May 9 11:30:46 SSHJUMPSRV05 sshd[1458]: Failed password for invalid user mahonitop from 192.168.2.16 port 52844 ssh2 May 9 11:30:46 SSHJUMPSRV05 sshd[1458]: Connection closed by invalid user mahonitop 192.168.2.16 port 52844 [preauth] May 9 11:30:46 SSHJUMPSRV05 sshd[1460]: Connection closed by invalid user mahonitop 192.168.2.16 port 52860 [preauth] May 9 11:30:46 SSHJUMPSRV05 sshd[1462]: Connection closed by invalid user mahonitop 192.168.2.16 port 52864 [preauth] May 9 11:30:46 SSHJUMPSRV05 sshd[1464]: Connection closed by invalid user mahonitop 192.168.2.16 port 52866 [preauth] May 9 11:30:46 SSHJUMPSRV05 sshd[1466]: Failed password for invalid user papak79 from 192.168.2.16 port 52890 ssh2 May 9 11:30:46 SSHJUMPSRV05 sshd[1446]: Connection closed by invalid user sury58 192.168.2.16 port 52792 [preauth] May 9 11:30:46 SSHJUMPSRV05 sshd[1448]: Connection closed by invalid user sury58 192.168.2.16 port 52806 [preauth] May 9 11:30:47 SSHJUMPSRV05 sshd[1456]: 
Connection closed by invalid user zinomaster 192.168.2.16 port 52838 [preauth] May 9 11:30:47 SSHJUMPSRV05 sshd[1466]: Connection closed by invalid user papak79 192.168.2.16 port 52890 [preauth] May 9 11:39:30 SSHJUMPSRV05 sshd[687]: exited MaxStartups throttling after 00:08:53, 8 connections dropped May 9 11:39:30 SSHJUMPSRV05 sshd[1473]: Invalid user facin from 192.168.2.17 port 59700 May 9 11:39:30 SSHJUMPSRV05 sshd[1473]: Received disconnect from 192.168.2.17 port 59700:11: Bye Bye [preauth] May 9 11:39:30 SSHJUMPSRV05 sshd[1473]: Disconnected from invalid user facin 192.168.2.17 port 59700 [preauth] May 9 11:39:30 SSHJUMPSRV05 sshd[687]: error: beginning MaxStartups throttling May 9 11:39:30 SSHJUMPSRV05 sshd[687]: drop connection #13 from [192.168.2.17]:59850 on [192.168.2.13]:22 past MaxStartups May 9 11:39:30 SSHJUMPSRV05 sshd[1475]: Invalid user facin from 192.168.2.17 port 59706 May 9 11:39:30 SSHJUMPSRV05 sshd[1475]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:30 SSHJUMPSRV05 sshd[1475]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:30 SSHJUMPSRV05 sshd[1486]: Invalid user Kaffu from 192.168.2.17 port 59832 May 9 11:39:30 SSHJUMPSRV05 sshd[1480]: Invalid user Kaffu from 192.168.2.17 port 59774 May 9 11:39:30 SSHJUMPSRV05 sshd[1481]: Invalid user Kaffu from 192.168.2.17 port 59790 May 9 11:39:30 SSHJUMPSRV05 sshd[1485]: Invalid user Kaffu from 192.168.2.17 port 59822 May 9 11:39:30 SSHJUMPSRV05 sshd[1480]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:30 SSHJUMPSRV05 sshd[1480]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:30 SSHJUMPSRV05 sshd[1479]: Invalid user Janka20 from 192.168.2.17 port 59758 May 9 11:39:30 SSHJUMPSRV05 sshd[1486]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:30 SSHJUMPSRV05 sshd[1486]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh 
ruser= rhost=192.168.2.17 May 9 11:39:30 SSHJUMPSRV05 sshd[1479]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:30 SSHJUMPSRV05 sshd[1479]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:30 SSHJUMPSRV05 sshd[1478]: Invalid user facin from 192.168.2.17 port 59742 May 9 11:39:30 SSHJUMPSRV05 sshd[1483]: Invalid user aX1s from 192.168.2.17 port 59810 May 9 11:39:30 SSHJUMPSRV05 sshd[1485]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:30 SSHJUMPSRV05 sshd[1485]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:30 SSHJUMPSRV05 sshd[1481]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:30 SSHJUMPSRV05 sshd[1481]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:30 SSHJUMPSRV05 sshd[1477]: Invalid user facin from 192.168.2.17 port 59728 May 9 11:39:30 SSHJUMPSRV05 sshd[1484]: Invalid user Janka20 from 192.168.2.17 port 59816 May 9 11:39:30 SSHJUMPSRV05 sshd[1476]: Invalid user facin from 192.168.2.17 port 59714 May 9 11:39:30 SSHJUMPSRV05 sshd[1489]: Invalid user Janka20 from 192.168.2.17 port 59830 May 9 11:39:30 SSHJUMPSRV05 sshd[1478]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:30 SSHJUMPSRV05 sshd[1478]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:30 SSHJUMPSRV05 sshd[1477]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:30 SSHJUMPSRV05 sshd[1477]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:30 SSHJUMPSRV05 sshd[1476]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:30 SSHJUMPSRV05 sshd[1488]: Invalid user aX1s from 192.168.2.17 port 59860 May 9 11:39:30 SSHJUMPSRV05 sshd[1476]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
rhost=192.168.2.17 May 9 11:39:30 SSHJUMPSRV05 sshd[1482]: Invalid user aX1s from 192.168.2.17 port 59806 May 9 11:39:30 SSHJUMPSRV05 sshd[1484]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:30 SSHJUMPSRV05 sshd[1489]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:30 SSHJUMPSRV05 sshd[1489]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:31 SSHJUMPSRV05 sshd[1483]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:31 SSHJUMPSRV05 sshd[1483]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:31 SSHJUMPSRV05 sshd[1488]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:31 SSHJUMPSRV05 sshd[1488]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:31 SSHJUMPSRV05 sshd[1484]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:31 SSHJUMPSRV05 sshd[1487]: Invalid user Janka20 from 192.168.2.17 port 59844 May 9 11:39:31 SSHJUMPSRV05 sshd[1487]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:31 SSHJUMPSRV05 sshd[1487]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:31 SSHJUMPSRV05 sshd[1482]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:31 SSHJUMPSRV05 sshd[1482]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:32 SSHJUMPSRV05 sshd[1475]: Failed password for invalid user facin from 192.168.2.17 port 59706 ssh2 May 9 11:39:32 SSHJUMPSRV05 sshd[1480]: Failed password for invalid user Kaffu from 192.168.2.17 port 59774 ssh2 May 9 11:39:32 SSHJUMPSRV05 sshd[1486]: Failed password for invalid user Kaffu from 192.168.2.17 port 59832 ssh2 May 9 11:39:32 SSHJUMPSRV05 sshd[1479]: Failed password for invalid user Janka20 from 192.168.2.17 
port 59758 ssh2 May 9 11:39:32 SSHJUMPSRV05 sshd[1485]: Failed password for invalid user Kaffu from 192.168.2.17 port 59822 ssh2 May 9 11:39:32 SSHJUMPSRV05 sshd[1481]: Failed password for invalid user Kaffu from 192.168.2.17 port 59790 ssh2 May 9 11:39:32 SSHJUMPSRV05 sshd[1477]: Failed password for invalid user facin from 192.168.2.17 port 59728 ssh2 May 9 11:39:32 SSHJUMPSRV05 sshd[1478]: Failed password for invalid user facin from 192.168.2.17 port 59742 ssh2 May 9 11:39:32 SSHJUMPSRV05 sshd[1476]: Failed password for invalid user facin from 192.168.2.17 port 59714 ssh2 May 9 11:39:32 SSHJUMPSRV05 sshd[1478]: Received disconnect from 192.168.2.17 port 59742:11: Bye Bye [preauth] May 9 11:39:32 SSHJUMPSRV05 sshd[1478]: Disconnected from invalid user facin 192.168.2.17 port 59742 [preauth] May 9 11:39:32 SSHJUMPSRV05 sshd[1477]: Received disconnect from 192.168.2.17 port 59728:11: Bye Bye [preauth] May 9 11:39:32 SSHJUMPSRV05 sshd[1477]: Disconnected from invalid user facin 192.168.2.17 port 59728 [preauth] May 9 11:39:32 SSHJUMPSRV05 sshd[1489]: Failed password for invalid user Janka20 from 192.168.2.17 port 59830 ssh2 May 9 11:39:32 SSHJUMPSRV05 sshd[1476]: Received disconnect from 192.168.2.17 port 59714:11: Bye Bye [preauth] May 9 11:39:32 SSHJUMPSRV05 sshd[1476]: Disconnected from invalid user facin 192.168.2.17 port 59714 [preauth] May 9 11:39:32 SSHJUMPSRV05 sshd[1483]: Failed password for invalid user aX1s from 192.168.2.17 port 59810 ssh2 May 9 11:39:32 SSHJUMPSRV05 sshd[1488]: Failed password for invalid user aX1s from 192.168.2.17 port 59860 ssh2 May 9 11:39:32 SSHJUMPSRV05 sshd[1484]: Failed password for invalid user Janka20 from 192.168.2.17 port 59816 ssh2 May 9 11:39:33 SSHJUMPSRV05 sshd[1506]: Invalid user M4verick36 from 192.168.2.17 port 59882 May 9 11:39:33 SSHJUMPSRV05 sshd[1506]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:33 SSHJUMPSRV05 sshd[1506]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh 
ruser= rhost=192.168.2.17 May 9 11:39:33 SSHJUMPSRV05 sshd[1505]: Invalid user M4verick36 from 192.168.2.17 port 59866 May 9 11:39:33 SSHJUMPSRV05 sshd[1505]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:33 SSHJUMPSRV05 sshd[1505]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:33 SSHJUMPSRV05 sshd[1480]: Received disconnect from 192.168.2.17 port 59774:11: Bye Bye [preauth] May 9 11:39:33 SSHJUMPSRV05 sshd[1480]: Disconnected from invalid user Kaffu 192.168.2.17 port 59774 [preauth] May 9 11:39:33 SSHJUMPSRV05 sshd[1481]: Received disconnect from 192.168.2.17 port 59790:11: Bye Bye [preauth] May 9 11:39:33 SSHJUMPSRV05 sshd[1481]: Disconnected from invalid user Kaffu 192.168.2.17 port 59790 [preauth] May 9 11:39:33 SSHJUMPSRV05 sshd[1487]: Failed password for invalid user Janka20 from 192.168.2.17 port 59844 ssh2 May 9 11:39:33 SSHJUMPSRV05 sshd[1486]: Received disconnect from 192.168.2.17 port 59832:11: Bye Bye [preauth] May 9 11:39:33 SSHJUMPSRV05 sshd[1482]: Failed password for invalid user aX1s from 192.168.2.17 port 59806 ssh2 May 9 11:39:33 SSHJUMPSRV05 sshd[1486]: Disconnected from invalid user Kaffu 192.168.2.17 port 59832 [preauth] May 9 11:39:33 SSHJUMPSRV05 sshd[1485]: Received disconnect from 192.168.2.17 port 59822:11: Bye Bye [preauth] May 9 11:39:33 SSHJUMPSRV05 sshd[1485]: Disconnected from invalid user Kaffu 192.168.2.17 port 59822 [preauth] May 9 11:39:33 SSHJUMPSRV05 sshd[1509]: Invalid user M4verick36 from 192.168.2.17 port 59896 May 9 11:39:33 SSHJUMPSRV05 sshd[1509]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:33 SSHJUMPSRV05 sshd[1509]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:33 SSHJUMPSRV05 sshd[1510]: Invalid user hanysekcv from 192.168.2.17 port 59908 May 9 11:39:33 SSHJUMPSRV05 sshd[1510]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:33 SSHJUMPSRV05 sshd[1510]: 
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:33 SSHJUMPSRV05 sshd[1512]: Invalid user hanysekcv from 192.168.2.17 port 59940 May 9 11:39:33 SSHJUMPSRV05 sshd[1512]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:33 SSHJUMPSRV05 sshd[1512]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:33 SSHJUMPSRV05 sshd[1515]: Invalid user hanysekcv from 192.168.2.17 port 59952 May 9 11:39:33 SSHJUMPSRV05 sshd[1516]: Invalid user hanysekcv from 192.168.2.17 port 59960 May 9 11:39:33 SSHJUMPSRV05 sshd[1515]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:33 SSHJUMPSRV05 sshd[1515]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:33 SSHJUMPSRV05 sshd[1516]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:33 SSHJUMPSRV05 sshd[1516]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:34 SSHJUMPSRV05 sshd[1479]: Received disconnect from 192.168.2.17 port 59758:11: Bye Bye [preauth] May 9 11:39:34 SSHJUMPSRV05 sshd[1479]: Disconnected from invalid user Janka20 192.168.2.17 port 59758 [preauth] May 9 11:39:34 SSHJUMPSRV05 sshd[1484]: Received disconnect from 192.168.2.17 port 59816:11: Bye Bye [preauth] May 9 11:39:34 SSHJUMPSRV05 sshd[1484]: Disconnected from invalid user Janka20 192.168.2.17 port 59816 [preauth] May 9 11:39:34 SSHJUMPSRV05 sshd[1489]: Received disconnect from 192.168.2.17 port 59830:11: Bye Bye [preauth] May 9 11:39:34 SSHJUMPSRV05 sshd[1489]: Disconnected from invalid user Janka20 192.168.2.17 port 59830 [preauth] May 9 11:39:34 SSHJUMPSRV05 sshd[1487]: Received disconnect from 192.168.2.17 port 59844:11: Bye Bye [preauth] May 9 11:39:34 SSHJUMPSRV05 sshd[1487]: Disconnected from invalid user Janka20 192.168.2.17 port 59844 [preauth] May 9 11:39:34 SSHJUMPSRV05 sshd[1519]: 
Invalid user hanysekcv from 192.168.2.17 port 59970 May 9 11:39:34 SSHJUMPSRV05 sshd[1488]: Received disconnect from 192.168.2.17 port 59860:11: Bye Bye [preauth] May 9 11:39:34 SSHJUMPSRV05 sshd[1521]: Invalid user 5jony1 from 192.168.2.17 port 59998 May 9 11:39:34 SSHJUMPSRV05 sshd[1488]: Disconnected from invalid user aX1s 192.168.2.17 port 59860 [preauth] May 9 11:39:34 SSHJUMPSRV05 sshd[1519]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:34 SSHJUMPSRV05 sshd[1519]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:34 SSHJUMPSRV05 sshd[1483]: Received disconnect from 192.168.2.17 port 59810:11: Bye Bye [preauth] May 9 11:39:34 SSHJUMPSRV05 sshd[1483]: Disconnected from invalid user aX1s 192.168.2.17 port 59810 [preauth] May 9 11:39:34 SSHJUMPSRV05 sshd[1521]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:34 SSHJUMPSRV05 sshd[1521]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:34 SSHJUMPSRV05 sshd[1482]: Received disconnect from 192.168.2.17 port 59806:11: Bye Bye [preauth] May 9 11:39:34 SSHJUMPSRV05 sshd[1482]: Disconnected from invalid user aX1s 192.168.2.17 port 59806 [preauth] May 9 11:39:34 SSHJUMPSRV05 sshd[1523]: Invalid user 5jony1 from 192.168.2.17 port 60008 May 9 11:39:34 SSHJUMPSRV05 sshd[1523]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:34 SSHJUMPSRV05 sshd[1523]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:34 SSHJUMPSRV05 sshd[1525]: Invalid user 5jony1 from 192.168.2.17 port 60040 May 9 11:39:34 SSHJUMPSRV05 sshd[1526]: Invalid user dumada from 192.168.2.17 port 60062 May 9 11:39:34 SSHJUMPSRV05 sshd[1527]: Invalid user dumada from 192.168.2.17 port 60074 May 9 11:39:34 SSHJUMPSRV05 sshd[1526]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:34 SSHJUMPSRV05 sshd[1526]: pam_unix(sshd:auth): 
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:34 SSHJUMPSRV05 sshd[1525]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:34 SSHJUMPSRV05 sshd[1525]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:34 SSHJUMPSRV05 sshd[1527]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:34 SSHJUMPSRV05 sshd[1527]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:34 SSHJUMPSRV05 sshd[1475]: Received disconnect from 192.168.2.17 port 59706:11: Bye Bye [preauth] May 9 11:39:34 SSHJUMPSRV05 sshd[1475]: Disconnected from invalid user facin 192.168.2.17 port 59706 [preauth] May 9 11:39:34 SSHJUMPSRV05 sshd[1531]: Invalid user dumada from 192.168.2.17 port 60080 May 9 11:39:34 SSHJUMPSRV05 sshd[1531]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:34 SSHJUMPSRV05 sshd[1531]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:34 SSHJUMPSRV05 sshd[1532]: Invalid user dumada from 192.168.2.17 port 60088 May 9 11:39:34 SSHJUMPSRV05 sshd[1532]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:34 SSHJUMPSRV05 sshd[1532]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:35 SSHJUMPSRV05 sshd[1506]: Failed password for invalid user M4verick36 from 192.168.2.17 port 59882 ssh2 May 9 11:39:35 SSHJUMPSRV05 sshd[1506]: Received disconnect from 192.168.2.17 port 59882:11: Bye Bye [preauth] May 9 11:39:35 SSHJUMPSRV05 sshd[1505]: Failed password for invalid user M4verick36 from 192.168.2.17 port 59866 ssh2 May 9 11:39:35 SSHJUMPSRV05 sshd[1506]: Disconnected from invalid user M4verick36 192.168.2.17 port 59882 [preauth] May 9 11:39:35 SSHJUMPSRV05 sshd[1505]: Received disconnect from 192.168.2.17 port 59866:11: Bye Bye [preauth] May 9 11:39:35 SSHJUMPSRV05 
sshd[1505]: Disconnected from invalid user M4verick36 192.168.2.17 port 59866 [preauth] May 9 11:39:35 SSHJUMPSRV05 sshd[1535]: Invalid user dumada from 192.168.2.17 port 60104 May 9 11:39:35 SSHJUMPSRV05 sshd[1535]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:35 SSHJUMPSRV05 sshd[1535]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:35 SSHJUMPSRV05 sshd[1509]: Failed password for invalid user M4verick36 from 192.168.2.17 port 59896 ssh2 May 9 11:39:35 SSHJUMPSRV05 sshd[1510]: Failed password for invalid user hanysekcv from 192.168.2.17 port 59908 ssh2 May 9 11:39:35 SSHJUMPSRV05 sshd[1509]: Received disconnect from 192.168.2.17 port 59896:11: Bye Bye [preauth] May 9 11:39:35 SSHJUMPSRV05 sshd[1509]: Disconnected from invalid user M4verick36 192.168.2.17 port 59896 [preauth] May 9 11:39:35 SSHJUMPSRV05 sshd[1512]: Failed password for invalid user hanysekcv from 192.168.2.17 port 59940 ssh2 May 9 11:39:35 SSHJUMPSRV05 sshd[1538]: Invalid user fufino37 from 192.168.2.17 port 60120 May 9 11:39:35 SSHJUMPSRV05 sshd[1538]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:35 SSHJUMPSRV05 sshd[1538]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:35 SSHJUMPSRV05 sshd[1515]: Failed password for invalid user hanysekcv from 192.168.2.17 port 59952 ssh2 May 9 11:39:35 SSHJUMPSRV05 sshd[1516]: Failed password for invalid user hanysekcv from 192.168.2.17 port 59960 ssh2 May 9 11:39:36 SSHJUMPSRV05 sshd[1540]: Invalid user fufino37 from 192.168.2.17 port 60150 May 9 11:39:36 SSHJUMPSRV05 sshd[1540]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:36 SSHJUMPSRV05 sshd[1540]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:36 SSHJUMPSRV05 sshd[1510]: Received disconnect from 192.168.2.17 port 59908:11: Bye Bye [preauth] May 9 11:39:36 SSHJUMPSRV05 
sshd[1510]: Disconnected from invalid user hanysekcv 192.168.2.17 port 59908 [preauth] May 9 11:39:36 SSHJUMPSRV05 sshd[1512]: Received disconnect from 192.168.2.17 port 59940:11: Bye Bye [preauth] May 9 11:39:36 SSHJUMPSRV05 sshd[1512]: Disconnected from invalid user hanysekcv 192.168.2.17 port 59940 [preauth] May 9 11:39:36 SSHJUMPSRV05 sshd[1542]: Invalid user fufino37 from 192.168.2.17 port 60160 May 9 11:39:36 SSHJUMPSRV05 sshd[1542]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:36 SSHJUMPSRV05 sshd[1542]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:36 SSHJUMPSRV05 sshd[1544]: Invalid user fufino37 from 192.168.2.17 port 60164 May 9 11:39:36 SSHJUMPSRV05 sshd[1544]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:36 SSHJUMPSRV05 sshd[1544]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:36 SSHJUMPSRV05 sshd[1519]: Failed password for invalid user hanysekcv from 192.168.2.17 port 59970 ssh2 May 9 11:39:36 SSHJUMPSRV05 sshd[1515]: Received disconnect from 192.168.2.17 port 59952:11: Bye Bye [preauth] May 9 11:39:36 SSHJUMPSRV05 sshd[1515]: Disconnected from invalid user hanysekcv 192.168.2.17 port 59952 [preauth] May 9 11:39:36 SSHJUMPSRV05 sshd[1521]: Failed password for invalid user 5jony1 from 192.168.2.17 port 59998 ssh2 May 9 11:39:36 SSHJUMPSRV05 sshd[1516]: Received disconnect from 192.168.2.17 port 59960:11: Bye Bye [preauth] May 9 11:39:36 SSHJUMPSRV05 sshd[1516]: Disconnected from invalid user hanysekcv 192.168.2.17 port 59960 [preauth] May 9 11:39:37 SSHJUMPSRV05 sshd[1523]: Failed password for invalid user 5jony1 from 192.168.2.17 port 60008 ssh2 May 9 11:39:37 SSHJUMPSRV05 sshd[1546]: Invalid user sulcm12 from 192.168.2.17 port 60172 May 9 11:39:37 SSHJUMPSRV05 sshd[1547]: Invalid user sulcm12 from 192.168.2.17 port 60176 May 9 11:39:37 SSHJUMPSRV05 sshd[1547]: pam_unix(sshd:auth): check pass; 
user unknown May 9 11:39:37 SSHJUMPSRV05 sshd[1547]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:37 SSHJUMPSRV05 sshd[1546]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:37 SSHJUMPSRV05 sshd[1546]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:37 SSHJUMPSRV05 sshd[1526]: Failed password for invalid user dumada from 192.168.2.17 port 60062 ssh2 May 9 11:39:37 SSHJUMPSRV05 sshd[1525]: Failed password for invalid user 5jony1 from 192.168.2.17 port 60040 ssh2 May 9 11:39:37 SSHJUMPSRV05 sshd[1527]: Failed password for invalid user dumada from 192.168.2.17 port 60074 ssh2 May 9 11:39:37 SSHJUMPSRV05 sshd[1531]: Failed password for invalid user dumada from 192.168.2.17 port 60080 ssh2 May 9 11:39:37 SSHJUMPSRV05 sshd[1532]: Failed password for invalid user dumada from 192.168.2.17 port 60088 ssh2 May 9 11:39:37 SSHJUMPSRV05 sshd[1527]: Received disconnect from 192.168.2.17 port 60074:11: Bye Bye [preauth] May 9 11:39:37 SSHJUMPSRV05 sshd[1527]: Disconnected from invalid user dumada 192.168.2.17 port 60074 [preauth] May 9 11:39:37 SSHJUMPSRV05 sshd[1526]: Received disconnect from 192.168.2.17 port 60062:11: Bye Bye [preauth] May 9 11:39:37 SSHJUMPSRV05 sshd[1526]: Disconnected from invalid user dumada 192.168.2.17 port 60062 [preauth] May 9 11:39:37 SSHJUMPSRV05 sshd[1531]: Received disconnect from 192.168.2.17 port 60080:11: Bye Bye [preauth] May 9 11:39:37 SSHJUMPSRV05 sshd[1531]: Disconnected from invalid user dumada 192.168.2.17 port 60080 [preauth] May 9 11:39:37 SSHJUMPSRV05 sshd[1550]: Invalid user sulcm12 from 192.168.2.17 port 60192 May 9 11:39:37 SSHJUMPSRV05 sshd[1532]: Received disconnect from 192.168.2.17 port 60088:11: Bye Bye [preauth] May 9 11:39:37 SSHJUMPSRV05 sshd[1532]: Disconnected from invalid user dumada 192.168.2.17 port 60088 [preauth] May 9 11:39:37 SSHJUMPSRV05 sshd[1550]: pam_unix(sshd:auth): check 
pass; user unknown May 9 11:39:37 SSHJUMPSRV05 sshd[1550]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:37 SSHJUMPSRV05 sshd[1535]: Failed password for invalid user dumada from 192.168.2.17 port 60104 ssh2 May 9 11:39:37 SSHJUMPSRV05 sshd[1552]: Invalid user ivan250188 from 192.168.2.17 port 60194 May 9 11:39:37 SSHJUMPSRV05 sshd[1552]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:37 SSHJUMPSRV05 sshd[1552]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:37 SSHJUMPSRV05 sshd[1553]: Invalid user ivan250188 from 192.168.2.17 port 60198 May 9 11:39:37 SSHJUMPSRV05 sshd[1553]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:37 SSHJUMPSRV05 sshd[1553]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:37 SSHJUMPSRV05 sshd[1555]: Invalid user ivan250188 from 192.168.2.17 port 60206 May 9 11:39:37 SSHJUMPSRV05 sshd[1555]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:37 SSHJUMPSRV05 sshd[1555]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:37 SSHJUMPSRV05 sshd[1538]: Failed password for invalid user fufino37 from 192.168.2.17 port 60120 ssh2 May 9 11:39:37 SSHJUMPSRV05 sshd[1519]: Received disconnect from 192.168.2.17 port 59970:11: Bye Bye [preauth] May 9 11:39:37 SSHJUMPSRV05 sshd[1519]: Disconnected from invalid user hanysekcv 192.168.2.17 port 59970 [preauth] May 9 11:39:38 SSHJUMPSRV05 sshd[1521]: Received disconnect from 192.168.2.17 port 59998:11: Bye Bye [preauth] May 9 11:39:38 SSHJUMPSRV05 sshd[1521]: Disconnected from invalid user 5jony1 192.168.2.17 port 59998 [preauth] May 9 11:39:38 SSHJUMPSRV05 sshd[1523]: Received disconnect from 192.168.2.17 port 60008:11: Bye Bye [preauth] May 9 11:39:38 SSHJUMPSRV05 sshd[1523]: Disconnected from invalid user 5jony1 
192.168.2.17 port 60008 [preauth] May 9 11:39:38 SSHJUMPSRV05 sshd[1535]: Connection closed by invalid user dumada 192.168.2.17 port 60104 [preauth] May 9 11:39:38 SSHJUMPSRV05 sshd[1525]: Connection closed by invalid user 5jony1 192.168.2.17 port 60040 [preauth] May 9 11:39:38 SSHJUMPSRV05 sshd[1559]: Invalid user ivan250188 from 192.168.2.17 port 60232 May 9 11:39:38 SSHJUMPSRV05 sshd[1559]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:38 SSHJUMPSRV05 sshd[1558]: Invalid user ivan250188 from 192.168.2.17 port 60224 May 9 11:39:38 SSHJUMPSRV05 sshd[1559]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:38 SSHJUMPSRV05 sshd[1558]: pam_unix(sshd:auth): check pass; user unknown May 9 11:39:38 SSHJUMPSRV05 sshd[1558]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.17 May 9 11:39:38 SSHJUMPSRV05 sshd[1540]: Failed password for invalid user fufino37 from 192.168.2.17 port 60150 ssh2 May 9 11:39:38 SSHJUMPSRV05 sshd[1538]: Connection closed by invalid user fufino37 192.168.2.17 port 60120 [preauth] May 9 11:39:38 SSHJUMPSRV05 sshd[1546]: Failed password for invalid user sulcm12 from 192.168.2.17 port 60172 ssh2 May 9 11:39:38 SSHJUMPSRV05 sshd[1547]: Failed password for invalid user sulcm12 from 192.168.2.17 port 60176 ssh2 May 9 11:39:39 SSHJUMPSRV05 sshd[1542]: Failed password for invalid user fufino37 from 192.168.2.17 port 60160 ssh2 May 9 11:39:39 SSHJUMPSRV05 sshd[1544]: Failed password for invalid user fufino37 from 192.168.2.17 port 60164 ssh2 May 9 11:39:39 SSHJUMPSRV05 sshd[1540]: Connection closed by invalid user fufino37 192.168.2.17 port 60150 [preauth] May 9 11:39:39 SSHJUMPSRV05 sshd[1550]: Failed password for invalid user sulcm12 from 192.168.2.17 port 60192 ssh2 May 9 11:39:39 SSHJUMPSRV05 sshd[1552]: Failed password for invalid user ivan250188 from 192.168.2.17 port 60194 ssh2 May 9 11:39:39 SSHJUMPSRV05 sshd[1553]: Failed 
password for invalid user ivan250188 from 192.168.2.17 port 60198 ssh2 May 9 11:39:39 SSHJUMPSRV05 sshd[1555]: Failed password for invalid user ivan250188 from 192.168.2.17 port 60206 ssh2 May 9 11:39:39 SSHJUMPSRV05 sshd[1542]: Connection closed by invalid user fufino37 192.168.2.17 port 60160 [preauth] May 9 11:39:39 SSHJUMPSRV05 sshd[1544]: Connection closed by invalid user fufino37 192.168.2.17 port 60164 [preauth] May 9 11:39:39 SSHJUMPSRV05 sshd[1559]: Failed password for invalid user ivan250188 from 192.168.2.17 port 60232 ssh2 May 9 11:39:40 SSHJUMPSRV05 sshd[1558]: Failed password for invalid user ivan250188 from 192.168.2.17 port 60224 ssh2 May 9 11:39:40 SSHJUMPSRV05 sshd[1559]: Connection closed by invalid user ivan250188 192.168.2.17 port 60232 [preauth] May 9 11:39:40 SSHJUMPSRV05 sshd[1558]: Connection closed by invalid user ivan250188 192.168.2.17 port 60224 [preauth] May 9 11:39:40 SSHJUMPSRV05 sshd[1546]: Connection closed by invalid user sulcm12 192.168.2.17 port 60172 [preauth] May 9 11:39:40 SSHJUMPSRV05 sshd[1547]: Connection closed by invalid user sulcm12 192.168.2.17 port 60176 [preauth] May 9 11:39:40 SSHJUMPSRV05 sshd[1550]: Connection closed by invalid user sulcm12 192.168.2.17 port 60192 [preauth] May 9 11:39:41 SSHJUMPSRV05 sshd[1552]: Connection closed by invalid user ivan250188 192.168.2.17 port 60194 [preauth] May 9 11:39:41 SSHJUMPSRV05 sshd[1553]: Connection closed by invalid user ivan250188 192.168.2.17 port 60198 [preauth] May 9 11:39:41 SSHJUMPSRV05 sshd[1555]: Connection closed by invalid user ivan250188 192.168.2.17 port 60206 [preauth] May 9 11:41:58 SSHJUMPSRV05 sshd[687]: exited MaxStartups throttling after 00:02:28, 16 connections dropped May 9 11:41:59 SSHJUMPSRV05 sshd[1563]: Received disconnect from 192.168.2.18 port 45586:11: Bye Bye [preauth] May 9 11:41:59 SSHJUMPSRV05 sshd[1563]: Disconnected from authenticating user Kevin 192.168.2.18 port 45586 [preauth] May 9 11:41:59 SSHJUMPSRV05 sshd[687]: error: beginning 
MaxStartups throttling May 9 11:41:59 SSHJUMPSRV05 sshd[687]: drop connection #10 from [192.168.2.18]:47306 on [192.168.2.13]:22 past MaxStartups May 9 11:41:59 SSHJUMPSRV05 sshd[1565]: Accepted password for Kevin from 192.168.2.18 port 47214 ssh2 May 9 11:41:59 SSHJUMPSRV05 sshd[1565]: pam_unix(sshd:session): session opened for user Kevin(uid=1000) by (uid=0) May 9 11:41:59 SSHJUMPSRV05 systemd-logind[664]: New session 3 of user Kevin. May 9 11:41:59 SSHJUMPSRV05 sshd[1566]: Invalid user Alien35 from 192.168.2.18 port 47216 May 9 11:41:59 SSHJUMPSRV05 sshd[1568]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 user=Kevin May 9 11:41:59 SSHJUMPSRV05 sshd[1573]: Invalid user onko23 from 192.168.2.18 port 47264 May 9 11:41:59 SSHJUMPSRV05 sshd[1566]: pam_unix(sshd:auth): check pass; user unknown May 9 11:41:59 SSHJUMPSRV05 sshd[1566]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 May 9 11:41:59 SSHJUMPSRV05 sshd[1577]: Invalid user kool from 192.168.2.18 port 47332 May 9 11:41:59 SSHJUMPSRV05 sshd[1578]: Invalid user Alien35 from 192.168.2.18 port 47344 May 9 11:41:59 SSHJUMPSRV05 sshd[1573]: pam_unix(sshd:auth): check pass; user unknown May 9 11:41:59 SSHJUMPSRV05 sshd[1573]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 May 9 11:41:59 SSHJUMPSRV05 sshd[1574]: Invalid user onko23 from 192.168.2.18 port 47278 May 9 11:41:59 SSHJUMPSRV05 sshd[1570]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 user=Kevin May 9 11:41:59 SSHJUMPSRV05 sshd[1578]: pam_unix(sshd:auth): check pass; user unknown May 9 11:41:59 SSHJUMPSRV05 sshd[1578]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 May 9 11:41:59 SSHJUMPSRV05 sshd[1572]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
rhost=192.168.2.18 user=Kevin May 9 11:41:59 SSHJUMPSRV05 sshd[1576]: Invalid user onko23 from 192.168.2.18 port 47324 May 9 11:41:59 SSHJUMPSRV05 sshd[1577]: pam_unix(sshd:auth): check pass; user unknown May 9 11:41:59 SSHJUMPSRV05 sshd[1577]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 May 9 11:41:59 SSHJUMPSRV05 sshd[1576]: pam_unix(sshd:auth): check pass; user unknown May 9 11:41:59 SSHJUMPSRV05 sshd[1576]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 May 9 11:41:59 SSHJUMPSRV05 sshd[1574]: pam_unix(sshd:auth): check pass; user unknown May 9 11:41:59 SSHJUMPSRV05 sshd[1574]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 May 9 11:41:59 SSHJUMPSRV05 sshd[1575]: Invalid user onko23 from 192.168.2.18 port 47290 May 9 11:41:59 SSHJUMPSRV05 sshd[1571]: Invalid user Alien35 from 192.168.2.18 port 47248 May 9 11:41:59 SSHJUMPSRV05 sshd[1575]: pam_unix(sshd:auth): check pass; user unknown May 9 11:41:59 SSHJUMPSRV05 sshd[1575]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 May 9 11:41:59 SSHJUMPSRV05 sshd[1571]: pam_unix(sshd:auth): check pass; user unknown May 9 11:41:59 SSHJUMPSRV05 sshd[1571]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 May 9 11:41:59 SSHJUMPSRV05 sshd[1567]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 user=Kevin May 9 11:41:59 SSHJUMPSRV05 sshd[1591]: Invalid user kool from 192.168.2.18 port 47364 May 9 11:42:00 SSHJUMPSRV05 sshd[1591]: pam_unix(sshd:auth): check pass; user unknown May 9 11:42:00 SSHJUMPSRV05 sshd[1591]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 May 9 11:42:00 SSHJUMPSRV05 sshd[1650]: Received disconnect from 192.168.2.18 port 47214:11: Bye Bye 
May 9 11:42:00 SSHJUMPSRV05 sshd[1650]: Disconnected from user Kevin 192.168.2.18 port 47214 May 9 11:42:00 SSHJUMPSRV05 sshd[1565]: pam_unix(sshd:session): session closed for user Kevin May 9 11:42:00 SSHJUMPSRV05 systemd-logind[664]: Session 3 logged out. Waiting for processes to exit. May 9 11:42:00 SSHJUMPSRV05 systemd-logind[664]: Removed session 3. May 9 11:42:01 SSHJUMPSRV05 sshd[1566]: Failed password for invalid user Alien35 from 192.168.2.18 port 47216 ssh2 May 9 11:42:01 SSHJUMPSRV05 sshd[1568]: Failed password for Kevin from 192.168.2.18 port 47234 ssh2 May 9 11:42:02 SSHJUMPSRV05 sshd[1573]: Failed password for invalid user onko23 from 192.168.2.18 port 47264 ssh2 May 9 11:42:02 SSHJUMPSRV05 sshd[1578]: Failed password for invalid user Alien35 from 192.168.2.18 port 47344 ssh2 May 9 11:42:02 SSHJUMPSRV05 sshd[1572]: Failed password for Kevin from 192.168.2.18 port 47252 ssh2 May 9 11:42:02 SSHJUMPSRV05 sshd[1577]: Failed password for invalid user kool from 192.168.2.18 port 47332 ssh2 May 9 11:42:02 SSHJUMPSRV05 sshd[1576]: Failed password for invalid user onko23 from 192.168.2.18 port 47324 ssh2 May 9 11:42:02 SSHJUMPSRV05 sshd[1570]: Failed password for Kevin from 192.168.2.18 port 47242 ssh2 May 9 11:42:02 SSHJUMPSRV05 sshd[1574]: Failed password for invalid user onko23 from 192.168.2.18 port 47278 ssh2 May 9 11:42:02 SSHJUMPSRV05 sshd[1575]: Failed password for invalid user onko23 from 192.168.2.18 port 47290 ssh2 May 9 11:42:02 SSHJUMPSRV05 sshd[1571]: Failed password for invalid user Alien35 from 192.168.2.18 port 47248 ssh2 May 9 11:42:02 SSHJUMPSRV05 sshd[1567]: Failed password for Kevin from 192.168.2.18 port 47230 ssh2 May 9 11:42:02 SSHJUMPSRV05 sshd[1566]: Received disconnect from 192.168.2.18 port 47216:11: Bye Bye [preauth] May 9 11:42:02 SSHJUMPSRV05 sshd[1566]: Disconnected from invalid user Alien35 192.168.2.18 port 47216 [preauth] May 9 11:42:02 SSHJUMPSRV05 sshd[1578]: Received disconnect from 192.168.2.18 port 47344:11: Bye Bye 
[preauth] May 9 11:42:02 SSHJUMPSRV05 sshd[1578]: Disconnected from invalid user Alien35 192.168.2.18 port 47344 [preauth] May 9 11:42:02 SSHJUMPSRV05 sshd[1652]: Invalid user kool from 192.168.2.18 port 47368 May 9 11:42:02 SSHJUMPSRV05 sshd[1652]: pam_unix(sshd:auth): check pass; user unknown May 9 11:42:02 SSHJUMPSRV05 sshd[1652]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 May 9 11:42:02 SSHJUMPSRV05 sshd[1571]: Received disconnect from 192.168.2.18 port 47248:11: Bye Bye [preauth] May 9 11:42:02 SSHJUMPSRV05 sshd[1571]: Disconnected from invalid user Alien35 192.168.2.18 port 47248 [preauth] May 9 11:42:02 SSHJUMPSRV05 sshd[1654]: Invalid user jozonm from 192.168.2.18 port 47392 May 9 11:42:02 SSHJUMPSRV05 sshd[1654]: pam_unix(sshd:auth): check pass; user unknown May 9 11:42:02 SSHJUMPSRV05 sshd[1654]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 May 9 11:42:02 SSHJUMPSRV05 sshd[1573]: Received disconnect from 192.168.2.18 port 47264:11: Bye Bye [preauth] May 9 11:42:02 SSHJUMPSRV05 sshd[1573]: Disconnected from invalid user onko23 192.168.2.18 port 47264 [preauth] May 9 11:42:02 SSHJUMPSRV05 sshd[1591]: Failed password for invalid user kool from 192.168.2.18 port 47364 ssh2 May 9 11:42:02 SSHJUMPSRV05 sshd[1577]: Received disconnect from 192.168.2.18 port 47332:11: Bye Bye [preauth] May 9 11:42:02 SSHJUMPSRV05 sshd[1577]: Disconnected from invalid user kool 192.168.2.18 port 47332 [preauth] May 9 11:42:02 SSHJUMPSRV05 sshd[1574]: Received disconnect from 192.168.2.18 port 47278:11: Bye Bye [preauth] May 9 11:42:02 SSHJUMPSRV05 sshd[1574]: Disconnected from invalid user onko23 192.168.2.18 port 47278 [preauth] May 9 11:42:02 SSHJUMPSRV05 sshd[1576]: Received disconnect from 192.168.2.18 port 47324:11: Bye Bye [preauth] May 9 11:42:02 SSHJUMPSRV05 sshd[1576]: Disconnected from invalid user onko23 192.168.2.18 port 47324 [preauth] May 9 11:42:02 
SSHJUMPSRV05 sshd[1656]: Invalid user jozonm from 192.168.2.18 port 47404 May 9 11:42:02 SSHJUMPSRV05 sshd[1656]: pam_unix(sshd:auth): check pass; user unknown May 9 11:42:02 SSHJUMPSRV05 sshd[1656]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 May 9 11:42:02 SSHJUMPSRV05 sshd[1575]: Received disconnect from 192.168.2.18 port 47290:11: Bye Bye [preauth] May 9 11:42:02 SSHJUMPSRV05 sshd[1575]: Disconnected from invalid user onko23 192.168.2.18 port 47290 [preauth] May 9 11:42:02 SSHJUMPSRV05 sshd[1658]: Invalid user jozonm from 192.168.2.18 port 47414 May 9 11:42:02 SSHJUMPSRV05 sshd[1659]: Invalid user jozonm from 192.168.2.18 port 47418 May 9 11:42:02 SSHJUMPSRV05 sshd[1658]: pam_unix(sshd:auth): check pass; user unknown May 9 11:42:02 SSHJUMPSRV05 sshd[1658]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 May 9 11:42:02 SSHJUMPSRV05 sshd[1659]: pam_unix(sshd:auth): check pass; user unknown May 9 11:42:02 SSHJUMPSRV05 sshd[1659]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 May 9 11:42:02 SSHJUMPSRV05 sshd[1660]: Invalid user jozonm from 192.168.2.18 port 47434 May 9 11:42:03 SSHJUMPSRV05 sshd[1660]: pam_unix(sshd:auth): check pass; user unknown May 9 11:42:03 SSHJUMPSRV05 sshd[1660]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 May 9 11:42:03 SSHJUMPSRV05 sshd[1665]: Invalid user strasidlo68 from 192.168.2.18 port 47446 May 9 11:42:03 SSHJUMPSRV05 sshd[1665]: pam_unix(sshd:auth): check pass; user unknown May 9 11:42:03 SSHJUMPSRV05 sshd[1665]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 May 9 11:42:03 SSHJUMPSRV05 sshd[1663]: Invalid user jozonm from 192.168.2.18 port 47440 May 9 11:42:03 SSHJUMPSRV05 sshd[1663]: pam_unix(sshd:auth): check pass; user unknown May 9 11:42:03 SSHJUMPSRV05 
sshd[1663]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 May 9 11:42:03 SSHJUMPSRV05 sshd[1568]: Received disconnect from 192.168.2.18 port 47234:11: Bye Bye [preauth] May 9 11:42:03 SSHJUMPSRV05 sshd[1568]: Disconnected from authenticating user Kevin 192.168.2.18 port 47234 [preauth] May 9 11:42:03 SSHJUMPSRV05 sshd[1591]: Received disconnect from 192.168.2.18 port 47364:11: Bye Bye [preauth] May 9 11:42:03 SSHJUMPSRV05 sshd[1591]: Disconnected from invalid user kool 192.168.2.18 port 47364 [preauth] May 9 11:42:03 SSHJUMPSRV05 sshd[1570]: Received disconnect from 192.168.2.18 port 47242:11: Bye Bye [preauth] May 9 11:42:03 SSHJUMPSRV05 sshd[1570]: Disconnected from authenticating user Kevin 192.168.2.18 port 47242 [preauth] May 9 11:42:03 SSHJUMPSRV05 sshd[1668]: Invalid user strasidlo68 from 192.168.2.18 port 47460 May 9 11:42:03 SSHJUMPSRV05 sshd[1668]: pam_unix(sshd:auth): check pass; user unknown May 9 11:42:03 SSHJUMPSRV05 sshd[1668]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 May 9 11:42:03 SSHJUMPSRV05 sshd[1572]: Received disconnect from 192.168.2.18 port 47252:11: Bye Bye [preauth] May 9 11:42:03 SSHJUMPSRV05 sshd[1572]: Disconnected from authenticating user Kevin 192.168.2.18 port 47252 [preauth] May 9 11:42:03 SSHJUMPSRV05 sshd[1670]: Invalid user strasidlo68 from 192.168.2.18 port 47466 May 9 11:42:03 SSHJUMPSRV05 sshd[1670]: pam_unix(sshd:auth): check pass; user unknown May 9 11:42:03 SSHJUMPSRV05 sshd[1670]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 May 9 11:42:03 SSHJUMPSRV05 sshd[1672]: Invalid user strasidlo68 from 192.168.2.18 port 47468 May 9 11:42:03 SSHJUMPSRV05 sshd[1672]: pam_unix(sshd:auth): check pass; user unknown May 9 11:42:03 SSHJUMPSRV05 sshd[1672]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 May 9 11:42:03 
SSHJUMPSRV05 sshd[1567]: Received disconnect from 192.168.2.18 port 47230:11: Bye Bye [preauth] May 9 11:42:03 SSHJUMPSRV05 sshd[1567]: Disconnected from authenticating user Kevin 192.168.2.18 port 47230 [preauth] May 9 11:42:03 SSHJUMPSRV05 sshd[1674]: Invalid user strasidlo68 from 192.168.2.18 port 47478 May 9 11:42:03 SSHJUMPSRV05 sshd[1674]: pam_unix(sshd:auth): check pass; user unknown May 9 11:42:03 SSHJUMPSRV05 sshd[1674]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 May 9 11:42:03 SSHJUMPSRV05 sshd[1676]: Invalid user dano12113 from 192.168.2.18 port 47496 May 9 11:42:03 SSHJUMPSRV05 sshd[1676]: pam_unix(sshd:auth): check pass; user unknown May 9 11:42:03 SSHJUMPSRV05 sshd[1676]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 May 9 11:42:04 SSHJUMPSRV05 sshd[1652]: Failed password for invalid user kool from 192.168.2.18 port 47368 ssh2 May 9 11:42:04 SSHJUMPSRV05 sshd[1665]: Failed password for invalid user strasidlo68 from 192.168.2.18 port 47446 ssh2 May 9 11:42:04 SSHJUMPSRV05 sshd[1663]: Failed password for invalid user jozonm from 192.168.2.18 port 47440 ssh2 May 9 11:42:04 SSHJUMPSRV05 sshd[1665]: Received disconnect from 192.168.2.18 port 47446:11: Bye Bye [preauth] May 9 11:42:04 SSHJUMPSRV05 sshd[1665]: Disconnected from invalid user strasidlo68 192.168.2.18 port 47446 [preauth] May 9 11:42:04 SSHJUMPSRV05 sshd[1654]: Failed password for invalid user jozonm from 192.168.2.18 port 47392 ssh2 May 9 11:42:04 SSHJUMPSRV05 sshd[1656]: Failed password for invalid user jozonm from 192.168.2.18 port 47404 ssh2 May 9 11:42:05 SSHJUMPSRV05 sshd[1668]: Failed password for invalid user strasidlo68 from 192.168.2.18 port 47460 ssh2 May 9 11:42:05 SSHJUMPSRV05 sshd[1678]: Invalid user dano12113 from 192.168.2.18 port 47518 May 9 11:42:05 SSHJUMPSRV05 sshd[1678]: pam_unix(sshd:auth): check pass; user unknown May 9 11:42:05 SSHJUMPSRV05 sshd[1678]: 
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 May 9 11:42:05 SSHJUMPSRV05 sshd[1658]: Failed password for invalid user jozonm from 192.168.2.18 port 47414 ssh2 May 9 11:42:05 SSHJUMPSRV05 sshd[1659]: Failed password for invalid user jozonm from 192.168.2.18 port 47418 ssh2 May 9 11:42:05 SSHJUMPSRV05 sshd[1670]: Failed password for invalid user strasidlo68 from 192.168.2.18 port 47466 ssh2 May 9 11:42:05 SSHJUMPSRV05 sshd[1660]: Failed password for invalid user jozonm from 192.168.2.18 port 47434 ssh2 May 9 11:42:05 SSHJUMPSRV05 sshd[1672]: Failed password for invalid user strasidlo68 from 192.168.2.18 port 47468 ssh2 May 9 11:42:05 SSHJUMPSRV05 sshd[1663]: Received disconnect from 192.168.2.18 port 47440:11: Bye Bye [preauth] May 9 11:42:05 SSHJUMPSRV05 sshd[1663]: Disconnected from invalid user jozonm 192.168.2.18 port 47440 [preauth] May 9 11:42:05 SSHJUMPSRV05 sshd[1668]: Received disconnect from 192.168.2.18 port 47460:11: Bye Bye [preauth] May 9 11:42:05 SSHJUMPSRV05 sshd[1668]: Disconnected from invalid user strasidlo68 192.168.2.18 port 47460 [preauth] May 9 11:42:05 SSHJUMPSRV05 sshd[1674]: Failed password for invalid user strasidlo68 from 192.168.2.18 port 47478 ssh2 May 9 11:42:05 SSHJUMPSRV05 sshd[1670]: Received disconnect from 192.168.2.18 port 47466:11: Bye Bye [preauth] May 9 11:42:05 SSHJUMPSRV05 sshd[1670]: Disconnected from invalid user strasidlo68 192.168.2.18 port 47466 [preauth] May 9 11:42:05 SSHJUMPSRV05 sshd[1672]: Received disconnect from 192.168.2.18 port 47468:11: Bye Bye [preauth] May 9 11:42:05 SSHJUMPSRV05 sshd[1672]: Disconnected from invalid user strasidlo68 192.168.2.18 port 47468 [preauth] May 9 11:42:05 SSHJUMPSRV05 sshd[1680]: Invalid user dano12113 from 192.168.2.18 port 47534 May 9 11:42:05 SSHJUMPSRV05 sshd[1680]: pam_unix(sshd:auth): check pass; user unknown May 9 11:42:05 SSHJUMPSRV05 sshd[1680]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh 
ruser= rhost=192.168.2.18 May 9 11:42:05 SSHJUMPSRV05 sshd[1674]: Received disconnect from 192.168.2.18 port 47478:11: Bye Bye [preauth] May 9 11:42:05 SSHJUMPSRV05 sshd[1674]: Disconnected from invalid user strasidlo68 192.168.2.18 port 47478 [preauth] May 9 11:42:05 SSHJUMPSRV05 sshd[1682]: Invalid user dano12113 from 192.168.2.18 port 47550 May 9 11:42:05 SSHJUMPSRV05 sshd[1682]: pam_unix(sshd:auth): check pass; user unknown May 9 11:42:05 SSHJUMPSRV05 sshd[1682]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 May 9 11:42:05 SSHJUMPSRV05 sshd[1683]: Invalid user dano12113 from 192.168.2.18 port 47564 May 9 11:42:05 SSHJUMPSRV05 sshd[1683]: pam_unix(sshd:auth): check pass; user unknown May 9 11:42:05 SSHJUMPSRV05 sshd[1683]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 May 9 11:42:05 SSHJUMPSRV05 sshd[1685]: Invalid user dano12113 from 192.168.2.18 port 47572 May 9 11:42:05 SSHJUMPSRV05 sshd[1688]: Invalid user AlohaMann from 192.168.2.18 port 47586 May 9 11:42:05 SSHJUMPSRV05 sshd[1685]: pam_unix(sshd:auth): check pass; user unknown May 9 11:42:05 SSHJUMPSRV05 sshd[1685]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 May 9 11:42:05 SSHJUMPSRV05 sshd[1688]: pam_unix(sshd:auth): check pass; user unknown May 9 11:42:05 SSHJUMPSRV05 sshd[1688]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 May 9 11:42:05 SSHJUMPSRV05 sshd[1676]: Failed password for invalid user dano12113 from 192.168.2.18 port 47496 ssh2 May 9 11:42:05 SSHJUMPSRV05 sshd[1652]: Received disconnect from 192.168.2.18 port 47368:11: Bye Bye [preauth] May 9 11:42:05 SSHJUMPSRV05 sshd[1652]: Disconnected from invalid user kool 192.168.2.18 port 47368 [preauth] May 9 11:42:05 SSHJUMPSRV05 sshd[1690]: Invalid user AlohaMann from 192.168.2.18 port 47588 May 9 11:42:05 SSHJUMPSRV05 sshd[1690]: 
pam_unix(sshd:auth): check pass; user unknown May 9 11:42:05 SSHJUMPSRV05 sshd[1690]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 May 9 11:42:06 SSHJUMPSRV05 sshd[1676]: Received disconnect from 192.168.2.18 port 47496:11: Bye Bye [preauth] May 9 11:42:06 SSHJUMPSRV05 sshd[1676]: Disconnected from invalid user dano12113 192.168.2.18 port 47496 [preauth] May 9 11:42:06 SSHJUMPSRV05 sshd[1692]: Invalid user AlohaMann from 192.168.2.18 port 47590 May 9 11:42:06 SSHJUMPSRV05 sshd[1692]: pam_unix(sshd:auth): check pass; user unknown May 9 11:42:06 SSHJUMPSRV05 sshd[1692]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 May 9 11:42:06 SSHJUMPSRV05 sshd[1654]: Received disconnect from 192.168.2.18 port 47392:11: Bye Bye [preauth] May 9 11:42:06 SSHJUMPSRV05 sshd[1654]: Disconnected from invalid user jozonm 192.168.2.18 port 47392 [preauth] May 9 11:42:06 SSHJUMPSRV05 sshd[1678]: Failed password for invalid user dano12113 from 192.168.2.18 port 47518 ssh2 May 9 11:42:07 SSHJUMPSRV05 sshd[1656]: Received disconnect from 192.168.2.18 port 47404:11: Bye Bye [preauth] May 9 11:42:07 SSHJUMPSRV05 sshd[1656]: Disconnected from invalid user jozonm 192.168.2.18 port 47404 [preauth] May 9 11:42:07 SSHJUMPSRV05 sshd[1680]: Failed password for invalid user dano12113 from 192.168.2.18 port 47534 ssh2 May 9 11:42:07 SSHJUMPSRV05 sshd[1695]: Invalid user Fappy4 from 192.168.2.18 port 47614 May 9 11:42:07 SSHJUMPSRV05 sshd[1695]: pam_unix(sshd:auth): check pass; user unknown May 9 11:42:07 SSHJUMPSRV05 sshd[1695]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 May 9 11:42:07 SSHJUMPSRV05 sshd[1658]: Received disconnect from 192.168.2.18 port 47414:11: Bye Bye [preauth] May 9 11:42:07 SSHJUMPSRV05 sshd[1658]: Disconnected from invalid user jozonm 192.168.2.18 port 47414 [preauth] May 9 11:42:07 SSHJUMPSRV05 sshd[1694]: Invalid 
user AlohaMann from 192.168.2.18 port 47608 May 9 11:42:07 SSHJUMPSRV05 sshd[1682]: Failed password for invalid user dano12113 from 192.168.2.18 port 47550 ssh2 May 9 11:42:07 SSHJUMPSRV05 sshd[1659]: Received disconnect from 192.168.2.18 port 47418:11: Bye Bye [preauth] May 9 11:42:07 SSHJUMPSRV05 sshd[1659]: Disconnected from invalid user jozonm 192.168.2.18 port 47418 [preauth] May 9 11:42:07 SSHJUMPSRV05 sshd[1660]: Received disconnect from 192.168.2.18 port 47434:11: Bye Bye [preauth] May 9 11:42:07 SSHJUMPSRV05 sshd[1660]: Disconnected from invalid user jozonm 192.168.2.18 port 47434 [preauth] May 9 11:42:07 SSHJUMPSRV05 sshd[1694]: pam_unix(sshd:auth): check pass; user unknown May 9 11:42:07 SSHJUMPSRV05 sshd[1694]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 May 9 11:42:07 SSHJUMPSRV05 sshd[1683]: Failed password for invalid user dano12113 from 192.168.2.18 port 47564 ssh2 May 9 11:42:07 SSHJUMPSRV05 sshd[1698]: Invalid user Fappy4 from 192.168.2.18 port 47624 May 9 11:42:07 SSHJUMPSRV05 sshd[1685]: Failed password for invalid user dano12113 from 192.168.2.18 port 47572 ssh2 May 9 11:42:07 SSHJUMPSRV05 sshd[1698]: pam_unix(sshd:auth): check pass; user unknown May 9 11:42:07 SSHJUMPSRV05 sshd[1698]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 May 9 11:42:07 SSHJUMPSRV05 sshd[1688]: Failed password for invalid user AlohaMann from 192.168.2.18 port 47586 ssh2 May 9 11:42:07 SSHJUMPSRV05 sshd[1701]: Invalid user Fappy4 from 192.168.2.18 port 47638 May 9 11:42:07 SSHJUMPSRV05 sshd[1701]: pam_unix(sshd:auth): check pass; user unknown May 9 11:42:07 SSHJUMPSRV05 sshd[1701]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 May 9 11:42:07 SSHJUMPSRV05 sshd[1699]: Invalid user Fappy4 from 192.168.2.18 port 47632 May 9 11:42:07 SSHJUMPSRV05 sshd[1699]: pam_unix(sshd:auth): check pass; user unknown May 9 
11:42:07 SSHJUMPSRV05 sshd[1699]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 May 9 11:42:07 SSHJUMPSRV05 sshd[1690]: Failed password for invalid user AlohaMann from 192.168.2.18 port 47588 ssh2 May 9 11:42:07 SSHJUMPSRV05 sshd[1678]: Received disconnect from 192.168.2.18 port 47518:11: Bye Bye [preauth] May 9 11:42:07 SSHJUMPSRV05 sshd[1678]: Disconnected from invalid user dano12113 192.168.2.18 port 47518 [preauth] May 9 11:42:07 SSHJUMPSRV05 sshd[1688]: Received disconnect from 192.168.2.18 port 47586:11: Bye Bye [preauth] May 9 11:42:07 SSHJUMPSRV05 sshd[1688]: Disconnected from invalid user AlohaMann 192.168.2.18 port 47586 [preauth] May 9 11:42:07 SSHJUMPSRV05 sshd[1680]: Received disconnect from 192.168.2.18 port 47534:11: Bye Bye [preauth] May 9 11:42:07 SSHJUMPSRV05 sshd[1680]: Disconnected from invalid user dano12113 192.168.2.18 port 47534 [preauth] May 9 11:42:07 SSHJUMPSRV05 sshd[1682]: Received disconnect from 192.168.2.18 port 47550:11: Bye Bye [preauth] May 9 11:42:07 SSHJUMPSRV05 sshd[1682]: Disconnected from invalid user dano12113 192.168.2.18 port 47550 [preauth] May 9 11:42:07 SSHJUMPSRV05 sshd[1683]: Received disconnect from 192.168.2.18 port 47564:11: Bye Bye [preauth] May 9 11:42:07 SSHJUMPSRV05 sshd[1683]: Disconnected from invalid user dano12113 192.168.2.18 port 47564 [preauth] May 9 11:42:08 SSHJUMPSRV05 sshd[1685]: Received disconnect from 192.168.2.18 port 47572:11: Bye Bye [preauth] May 9 11:42:08 SSHJUMPSRV05 sshd[1685]: Disconnected from invalid user dano12113 192.168.2.18 port 47572 [preauth] May 9 11:42:08 SSHJUMPSRV05 sshd[1705]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 user=Kevin May 9 11:42:08 SSHJUMPSRV05 sshd[1706]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 user=Kevin May 9 11:42:08 SSHJUMPSRV05 sshd[1704]: Accepted password for Kevin from 192.168.2.18 
port 47676 ssh2 May 9 11:42:08 SSHJUMPSRV05 sshd[1704]: pam_unix(sshd:session): session opened for user Kevin(uid=1000) by (uid=0) May 9 11:42:08 SSHJUMPSRV05 systemd-logind[664]: New session 4 of user Kevin. May 9 11:42:08 SSHJUMPSRV05 sshd[1690]: Received disconnect from 192.168.2.18 port 47588:11: Bye Bye [preauth] May 9 11:42:08 SSHJUMPSRV05 sshd[1690]: Disconnected from invalid user AlohaMann 192.168.2.18 port 47588 [preauth] May 9 11:42:08 SSHJUMPSRV05 sshd[1709]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 user=Kevin May 9 11:42:08 SSHJUMPSRV05 sshd[1712]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 user=Kevin May 9 11:42:08 SSHJUMPSRV05 sshd[1714]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 user=Kevin May 9 11:42:08 SSHJUMPSRV05 sshd[1716]: Invalid user Alien35 from 192.168.2.18 port 47738 May 9 11:42:08 SSHJUMPSRV05 sshd[1716]: pam_unix(sshd:auth): check pass; user unknown May 9 11:42:08 SSHJUMPSRV05 sshd[1716]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 May 9 11:42:08 SSHJUMPSRV05 sshd[1717]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 user=Kevin May 9 11:42:08 SSHJUMPSRV05 sshd[1768]: Received disconnect from 192.168.2.18 port 47676:11: Bye Bye May 9 11:42:08 SSHJUMPSRV05 sshd[1768]: Disconnected from user Kevin 192.168.2.18 port 47676 May 9 11:42:08 SSHJUMPSRV05 sshd[1704]: pam_unix(sshd:session): session closed for user Kevin May 9 11:42:08 SSHJUMPSRV05 systemd-logind[664]: Session 4 logged out. Waiting for processes to exit. May 9 11:42:08 SSHJUMPSRV05 systemd-logind[664]: Removed session 4. 
May 9 11:42:08 SSHJUMPSRV05 sshd[1692]: Failed password for invalid user AlohaMann from 192.168.2.18 port 47590 ssh2 May 9 11:42:09 SSHJUMPSRV05 sshd[1692]: Received disconnect from 192.168.2.18 port 47590:11: Bye Bye [preauth] May 9 11:42:09 SSHJUMPSRV05 sshd[1692]: Disconnected from invalid user AlohaMann 192.168.2.18 port 47590 [preauth] May 9 11:42:09 SSHJUMPSRV05 sshd[1770]: Invalid user onko23 from 192.168.2.18 port 50014 May 9 11:42:09 SSHJUMPSRV05 sshd[1770]: pam_unix(sshd:auth): check pass; user unknown May 9 11:42:09 SSHJUMPSRV05 sshd[1770]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.18 May 9 11:42:09 SSHJUMPSRV05 sshd[1695]: Failed password for invalid user Fappy4 from 192.168.2.18 port 47614 ssh2 May 9 11:42:09 SSHJUMPSRV05 sshd[1705]: Failed password for Kevin from 192.168.2.18 port 47688 ssh2 May 9 11:42:09 SSHJUMPSRV05 sshd[1694]: Failed password for invalid user AlohaMann from 192.168.2.18 port 47608 ssh2 May 9 11:42:09 SSHJUMPSRV05 sshd[1706]: Failed password for Kevin from 192.168.2.18 port 47704 ssh2 May 9 11:42:09 SSHJUMPSRV05 sshd[1698]: Failed password for invalid user Fappy4 from 192.168.2.18 port 47624 ssh2 May 9 11:42:09 SSHJUMPSRV05 sshd[1709]: Failed password for Kevin from 192.168.2.18 port 47714 ssh2 May 9 11:42:09 SSHJUMPSRV05 sshd[1701]: Failed password for invalid user Fappy4 from 192.168.2.18 port 47638 ssh2 May 9 11:42:09 SSHJUMPSRV05 sshd[1712]: Failed password for Kevin from 192.168.2.18 port 47716 ssh2 May 9 11:42:09 SSHJUMPSRV05 sshd[1699]: Failed password for invalid user Fappy4 from 192.168.2.18 port 47632 ssh2 May 9 11:42:09 SSHJUMPSRV05 sshd[1714]: Failed password for Kevin from 192.168.2.18 port 47732 ssh2 May 9 11:42:09 SSHJUMPSRV05 sshd[1716]: Failed password for invalid user Alien35 from 192.168.2.18 port 47738 ssh2 May 9 11:42:09 SSHJUMPSRV05 sshd[1717]: Failed password for Kevin from 192.168.2.18 port 47752 ssh2 May 9 11:42:09 SSHJUMPSRV05 sshd[1705]: Connection 
closed by authenticating user Kevin 192.168.2.18 port 47688 [preauth] May 9 11:42:09 SSHJUMPSRV05 sshd[1706]: Connection closed by authenticating user Kevin 192.168.2.18 port 47704 [preauth] May 9 11:42:10 SSHJUMPSRV05 sshd[1709]: Connection closed by authenticating user Kevin 192.168.2.18 port 47714 [preauth] May 9 11:42:10 SSHJUMPSRV05 sshd[1712]: Connection closed by authenticating user Kevin 192.168.2.18 port 47716 [preauth] May 9 11:42:10 SSHJUMPSRV05 sshd[1714]: Connection closed by authenticating user Kevin 192.168.2.18 port 47732 [preauth] May 9 11:42:10 SSHJUMPSRV05 sshd[1717]: Connection closed by authenticating user Kevin 192.168.2.18 port 47752 [preauth] May 9 11:42:10 SSHJUMPSRV05 sshd[1770]: Failed password for invalid user onko23 from 192.168.2.18 port 50014 ssh2 May 9 11:42:10 SSHJUMPSRV05 sshd[1770]: Connection closed by invalid user onko23 192.168.2.18 port 50014 [preauth] May 9 11:42:11 SSHJUMPSRV05 sshd[1716]: Connection closed by invalid user Alien35 192.168.2.18 port 47738 [preauth] May 9 11:42:11 SSHJUMPSRV05 sshd[1695]: Connection closed by invalid user Fappy4 192.168.2.18 port 47614 [preauth] May 9 11:42:11 SSHJUMPSRV05 sshd[1698]: Connection closed by invalid user Fappy4 192.168.2.18 port 47624 [preauth] May 9 11:42:11 SSHJUMPSRV05 sshd[1701]: Connection closed by invalid user Fappy4 192.168.2.18 port 47638 [preauth] May 9 11:42:11 SSHJUMPSRV05 sshd[1699]: Connection closed by invalid user Fappy4 192.168.2.18 port 47632 [preauth] May 9 11:42:11 SSHJUMPSRV05 sshd[1694]: Connection closed by invalid user AlohaMann 192.168.2.18 port 47608 [preauth] May 9 11:42:59 SSHJUMPSRV05 sshd[687]: exited MaxStartups throttling after 00:01:00, 15 connections dropped ================================================ FILE: MasterParser Training/02 - Exercises and Scenarios to investigate/04 - Reconnaissance Activity/Auth.Log Reconnaissance Activity ================================================ May 9 14:03:44 UBUSRV01 sshd[715]: Server listening on 
0.0.0.0 port 22. May 9 14:03:44 UBUSRV01 sshd[715]: Server listening on :: port 22. May 9 14:03:44 UBUSRV01 systemd-logind[668]: New seat seat0. May 9 14:03:44 UBUSRV01 systemd-logind[668]: Watching system buttons on /dev/input/event0 (Power Button) May 9 14:03:44 UBUSRV01 systemd-logind[668]: Watching system buttons on /dev/input/event1 (Sleep Button) May 9 14:03:44 UBUSRV01 systemd-logind[668]: Watching system buttons on /dev/input/event2 (AT Translated Set 2 keyboard) May 9 14:03:58 UBUSRV01 sshd[1081]: Accepted password for eilay from 192.168.2.1 port 57399 ssh2 May 9 14:03:58 UBUSRV01 sshd[1081]: pam_unix(sshd:session): session opened for user eilay(uid=1000) by (uid=0) May 9 14:03:58 UBUSRV01 systemd-logind[668]: New session 1 of user eilay. May 9 14:03:58 UBUSRV01 systemd: pam_unix(systemd-user:session): session opened for user eilay(uid=1000) by (uid=0) May 9 14:04:14 UBUSRV01 sudo: eilay : TTY=pts/0 ; PWD=/home/eilay ; USER=root ; COMMAND=/usr/bin/whoami May 9 14:04:14 UBUSRV01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by eilay(uid=1000) May 9 14:04:14 UBUSRV01 sudo: pam_unix(sudo:session): session closed for user root May 9 14:04:25 UBUSRV01 sudo: eilay : TTY=pts/0 ; PWD=/home/eilay ; USER=root ; COMMAND=/usr/bin/ps aux May 9 14:04:25 UBUSRV01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by eilay(uid=1000) May 9 14:04:25 UBUSRV01 sudo: pam_unix(sudo:session): session closed for user root May 9 14:04:32 UBUSRV01 sudo: eilay : TTY=pts/0 ; PWD=/home/eilay ; USER=root ; COMMAND=/usr/bin/grep root /etc/crontab May 9 14:04:32 UBUSRV01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by eilay(uid=1000) May 9 14:04:32 UBUSRV01 sudo: pam_unix(sudo:session): session closed for user root May 9 14:05:31 UBUSRV01 sudo: eilay : TTY=pts/0 ; PWD=/home/eilay ; USER=root ; COMMAND=/bin/bash --version May 9 14:05:31 UBUSRV01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by eilay(uid=1000) May 
9 14:05:31 UBUSRV01 sudo: pam_unix(sudo:session): session closed for user root May 9 14:05:45 UBUSRV01 sudo: eilay : TTY=pts/0 ; PWD=/home/eilay ; USER=root ; COMMAND=/usr/bin/uname --all May 9 14:05:45 UBUSRV01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by eilay(uid=1000) May 9 14:05:45 UBUSRV01 sudo: pam_unix(sudo:session): session closed for user root May 9 14:05:48 UBUSRV01 sudo: eilay : TTY=pts/0 ; PWD=/home/eilay ; USER=root ; COMMAND=/usr/sbin/useradd Max May 9 14:05:48 UBUSRV01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by eilay(uid=1000) May 9 14:05:48 UBUSRV01 useradd[1235]: new group: name=Max, GID=1001 May 9 14:05:48 UBUSRV01 useradd[1235]: new user: name=Max, UID=1001, GID=1001, home=/home/Max, shell=/bin/sh, from=/dev/pts/1 May 9 14:05:48 UBUSRV01 sudo: pam_unix(sudo:session): session closed for user root May 9 14:05:53 UBUSRV01 sudo: eilay : TTY=pts/0 ; PWD=/home/eilay ; USER=root ; COMMAND=/usr/bin/passwd root May 9 14:05:53 UBUSRV01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by eilay(uid=1000) May 9 14:05:57 UBUSRV01 passwd[1244]: pam_unix(passwd:chauthtok): password changed for root May 9 14:05:57 UBUSRV01 sudo: pam_unix(sudo:session): session closed for user root May 9 14:06:20 UBUSRV01 sudo: eilay : TTY=pts/0 ; PWD=/home/eilay ; USER=root ; COMMAND=/usr/bin/cat /etc/sudoers May 9 14:06:20 UBUSRV01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by eilay(uid=1000) May 9 14:06:20 UBUSRV01 sudo: pam_unix(sudo:session): session closed for user root May 9 14:06:24 UBUSRV01 sudo: eilay : TTY=pts/0 ; PWD=/home/eilay ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow May 9 14:06:24 UBUSRV01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by eilay(uid=1000) May 9 14:06:24 UBUSRV01 sudo: pam_unix(sudo:session): session closed for user root May 9 14:06:33 UBUSRV01 sudo: eilay : TTY=pts/0 ; PWD=/home/eilay ; USER=root ; COMMAND=/usr/bin/cut -d : -f 1 
/etc/passwd May 9 14:06:33 UBUSRV01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by eilay(uid=1000) May 9 14:06:33 UBUSRV01 sudo: pam_unix(sudo:session): session closed for user root May 9 14:06:46 UBUSRV01 sudo: eilay : TTY=pts/0 ; PWD=/home/eilay ; USER=root ; COMMAND=/usr/bin/wget http://www.openwall.com/john/g/john-1.7.9-jumbo-7.tar.gz May 9 14:06:46 UBUSRV01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by eilay(uid=1000) May 9 14:07:06 UBUSRV01 sudo: pam_unix(sudo:session): session closed for user root May 9 14:07:09 UBUSRV01 sudo: eilay : TTY=pts/0 ; PWD=/home/eilay ; USER=root ; COMMAND=/usr/sbin/groupadd Barium May 9 14:07:09 UBUSRV01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by eilay(uid=1000) May 9 14:07:09 UBUSRV01 groupadd[1259]: group added to /etc/group: name=Barium, GID=1002 May 9 14:07:09 UBUSRV01 groupadd[1259]: group added to /etc/gshadow: name=Barium May 9 14:07:09 UBUSRV01 groupadd[1259]: new group: name=Barium, GID=1002 May 9 14:07:09 UBUSRV01 sudo: pam_unix(sudo:session): session closed for user root May 9 14:07:44 UBUSRV01 sudo: eilay : TTY=pts/0 ; PWD=/home/eilay ; USER=root ; COMMAND=/usr/sbin/groupadd Barium May 9 14:07:44 UBUSRV01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by eilay(uid=1000) May 9 14:07:44 UBUSRV01 sudo: pam_unix(sudo:session): session closed for user root May 9 14:08:39 UBUSRV01 sudo: eilay : TTY=pts/0 ; PWD=/home/eilay ; USER=root ; COMMAND=/usr/bin/passwd root May 9 14:08:39 UBUSRV01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by eilay(uid=1000) May 9 14:08:42 UBUSRV01 passwd[1278]: pam_unix(passwd:chauthtok): password changed for root May 9 14:08:42 UBUSRV01 sudo: pam_unix(sudo:session): session closed for user root May 9 14:09:13 UBUSRV01 sshd[1279]: Connection closed by 192.168.2.1 port 57441 [preauth] May 9 14:09:20 UBUSRV01 sshd[1281]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 
tty=ssh ruser= rhost=192.168.2.1 user=root May 9 14:09:22 UBUSRV01 sshd[1281]: Failed password for root from 192.168.2.1 port 57442 ssh2 May 9 14:09:24 UBUSRV01 sshd[1281]: Connection closed by authenticating user root 192.168.2.1 port 57442 [preauth] May 9 14:09:40 UBUSRV01 sshd[1284]: Accepted password for eilay from 192.168.2.1 port 57444 ssh2 May 9 14:09:40 UBUSRV01 sshd[1284]: pam_unix(sshd:session): session opened for user eilay(uid=1000) by (uid=0) May 9 14:09:40 UBUSRV01 systemd-logind[668]: New session 3 of user eilay. May 9 14:09:48 UBUSRV01 sshd[1190]: Received disconnect from 192.168.2.1 port 57399:11: disconnected by user May 9 14:09:48 UBUSRV01 sshd[1190]: Disconnected from user eilay 192.168.2.1 port 57399 May 9 14:09:48 UBUSRV01 sshd[1081]: pam_unix(sshd:session): session closed for user eilay May 9 14:09:48 UBUSRV01 systemd-logind[668]: Session 1 logged out. Waiting for processes to exit. May 9 14:09:48 UBUSRV01 systemd-logind[668]: Removed session 1.

================================================
FILE: MasterParser.ps1
================================================
param(
    # Options
    [Parameter(Mandatory = $true)]
    [ValidateSet('Start','Menu','Update','Purge')]
    [string]$O,

    # Mode
    [Parameter(Mandatory = $false)]
    [ValidateSet('Developer')]
    [string]$Mode
)

# current script version
$CurrentVersion = "v2.5"

# tool running path.
$RunningPath = Get-Location

# Dot Sourcing -> 00-Banner.ps1
. "$RunningPath\03-Options\00-Banner.ps1"

# Dot Sourcing -> 05-functions.ps1
. "$RunningPath\03-Options\05-functions.ps1"

# space
Write-Output ""

switch ($Mode) {
    'Developer' { $Mode = "Developer" }
}

switch ($O) {

    'Start' {

        # HashTable to store all the $Log names that were analysed by the ParserMaster
        $AnalysedLog = @{}

        # HashTable to store all the $Log names that are not supported by ParserMaster
        $UnsupportedLog = @{}

        # List to contain all the $Log files that found a match
        $VerifiedLogList = @()

        # Log Types HashTable.
        $LogTypeList = @{
            'Auth.Log' = 'Empty'
        }

        # variable to store all the files under 01-Logs folder.
        $Logs = Get-Item -Path "$RunningPath\01-Logs\*" | Select-Object -ExpandProperty Name

        # variable to store 0 in it.
        $LogFileCount = 0

        # iterate file names under 01-Logs.
        foreach ($Log in $Logs) {

            # clean the flag in each foreach iteration
            $WasExtracted = $null

            # each $Log adds 1 to the $LogFileCount flag.
            $LogFileCount++

            # foreach statement to iterate on each key under $LogTypeList hashtable.
            foreach ($Key in $LogTypeList.Keys) {

                # clean this flag each iteration
                $WasExtracted = $null

                # statement to execute if a log file under 01-Logs was found under $LogTypeList hashtable.
                if ($Log -match $Key) {

                    # list for match found logs
                    $VerifiedLogList += $Log

                    # execute this on .gz files.
                    if ($Log -like "*.gz") {

                        # flag to state that the log was extracted from a GZip
                        $WasExtracted = "True"

                        # Save GZip file name in a variable
                        $GZipName = $Log

                        # Specify the .gz file paths
                        $archivePath = "$RunningPath\01-Logs\$Log"
                        $destinationPath = "$RunningPath\01-Logs\"

                        # Create a FileStream to read the .gz file
                        $fileStream = [System.IO.File]::OpenRead($archivePath)

                        # Create a GZipStream to decompress the file
                        $gzipStream = New-Object IO.Compression.GZipStream $fileStream,([IO.Compression.CompressionMode]::Decompress)

                        # Create a FileStream to write the decompressed data to
                        $destFilePath = Join-Path $destinationPath (Get-Item $archivePath).BaseName
                        $destFileStream = [System.IO.File]::Create($destFilePath)

                        # Copy data from the compressed stream to the destination file
                        $gzipStream.CopyTo($destFileStream)

                        # Close the streams
                        $gzipStream.Close()
                        $fileStream.Close()
                        $destFileStream.Close()
                        # End of GZip Extraction

                        # execute MasterParser on the GZip output file.
                        $Log = $Log -replace '\.gz',''

                        # list for match found logs
                        $VerifiedLogList += $Log

                        . "$RunningPath\02-LogModules\$Key\$Key.ps1"
                        $LogMatchFlag = "True"

                        $Results = $Log+$RunningTime
                        $AnalysedLog[$Results] = $Result = "| Log Name: $Log | Archived From: $GZipName | Running Time: $RunningTime |"
                    }

                    # execute this on non .gz files.
                    else {
                        . "$RunningPath\02-LogModules\$Key\$Key.ps1"
                        $LogMatchFlag = "True"

                        # add log names to this hashtable list
                        $Results = $Log+$RunningTime
                        $AnalysedLog[$Results] = $Result = "| Log Name: $Log | Archived From: Not Archived | Running Time: $RunningTime |"
                        #$Results = $null
                    }
                }

                # execute if the $Log name is not found under $LogTypeList hashtable list
                else {
                    $UnsupportedLog[$Log] = "- $Log"
                }
            }
        }

        # if statement to write message if 01-Logs is empty.
        if ($LogFileCount -eq 0) {
            Write-Output "Logs Folder is Empty"
            Write-Output "+------------------+"
            Write-Output "[!] Error: Folder -> $RunningPath\01-Logs is empty!"
            Write-Output "[!] Insert logs into the '01-Logs' folder for the MasterParser to function properly."
            Write-Output ""
        }

        else {

            # print the hashtable of logs that have been analyzed by MasterParser
            Write-Output "List of Successfully Analyzed Logs"

            # Initialize variables to store maximum lengths
            $MaxChar_LogNameCut = 0
            $MaxChar_ArchiveCut = 0
            $MaxChar_RunningTimeCut = 0

            foreach ($Key in $AnalysedLog.Keys) {

                # Get the file name
                $RemoveStart = $AnalysedLog[$Key] -replace '.*Log Name\: ',''
                $LogNameCut = $RemoveStart -replace ' \| Archived From\:.*',''

                # Get the archive status
                $RemoveStart = $AnalysedLog[$Key] -replace '.*Archived From\: ',''
                $ArchiveCut = $RemoveStart -replace ' \| Running Time\:.*',''

                # Get the running time
                $RemoveStart = $AnalysedLog[$Key] -replace '.*Running Time\: ',''
                $RunningTimeCut = $RemoveStart -replace ' \|.*',''

                # Update max lengths if necessary
                $MaxChar_LogNameCut = [math]::Max($MaxChar_LogNameCut,$LogNameCut.Length)
                $MaxChar_ArchiveCut = [math]::Max($MaxChar_ArchiveCut,$ArchiveCut.Length)
                $MaxChar_RunningTimeCut = [math]::Max($MaxChar_RunningTimeCut,$RunningTimeCut.Length)
            }

            # flag to stop $Border iteration after first iteration
            $TheFlag = "Enable"

            foreach ($Key in $AnalysedLog.Keys) {

                # Get the file name
                $RemoveStart = $AnalysedLog[$Key] -replace '.*Log Name\: ',''
                $LogNameCut = $RemoveStart -replace ' \| Archived From\:.*',''

                # Get the archive status
                $RemoveStart = $AnalysedLog[$Key] -replace '.*Archived From\: ',''
                $ArchiveCut = $RemoveStart -replace ' \| Running Time\:.*',''

                # Get the running time
                $RemoveStart = $AnalysedLog[$Key] -replace '.*Running Time\: ',''
                $RunningTimeCut = $RemoveStart -replace ' \|.*',''

                $LogNameCut = $LogNameCut.PadRight($MaxChar_LogNameCut)
                $ArchiveCut = $ArchiveCut.PadRight($MaxChar_ArchiveCut)
                $RunningTimeCut = $RunningTimeCut.PadRight($MaxChar_RunningTimeCut)

                $TheResult = "| Log Name: $LogNameCut | Extracted From: $ArchiveCut | Run Time: $auth_log_run_time |"

                # multiply $Result.Length with the "-" hyphen symbol to get the border
                $Border = '-' * ($TheResult.Length - 2)

                # print the result in a table
                if ($TheFlag -match "Enable") {
                    Write-Output "+$Border+"
                    $TheFlag = "Disable"
                }

                $TheResult
            }

            Write-Output "+$Border+"
            Write-Output ""
        }

        # iteration to remove all the logs that were found at least 1 time from the $UnsupportedLog hashtable
        foreach ($VLog in $VerifiedLogList) {
            $UnsupportedLog.Remove($VLog)
        }

        # statement to execute if a log file under 01-Logs was NOT found under $LogTypeList hashtable.
        if ($UnsupportedLog.Values.Count -ge 1) {
            Write-Output "List of Unsupported Logs"
            Write-Output "+----------------------+"
            $UnsupportedLog.Values
            Write-Output ""
        }
    }

    'Update' {
        # Dot Sourcing -> 01-Update.ps1
        . "$RunningPath\03-Options\01-Update.ps1"

        # stop the script here
        exit
    }

    'Menu' {
        # Dot Sourcing -> 03-Menu.ps1
        . "$RunningPath\03-Options\03-Menu.ps1"

        # stop the script here
        exit
    }

    'Purge' {
        # Dot Sourcing -> 04-Purge.ps1
        . "$RunningPath\03-Options\04-Purge.ps1"

        # stop the script here
        exit
    }
}

================================================
FILE: README.md
================================================
# MasterParser v2.5
###### Stop wasting time, let MasterParser do the work!
![MasterParserBanner](https://github.com/YosfanEilay/MasterParser/assets/132997318/c6cbcc3f-e966-4329-aec0-c6fe8bc80bb2)
###### Created & Maintained by: [Eilay Yosfan](https://github.com/YosfanEilay#-eilay-yosfan)

## What is MasterParser ?
MasterParser stands as a robust Digital Forensics and Incident Response tool meticulously crafted for the analysis of Linux logs within the var/log directory. Specifically designed to expedite the investigative process for security incidents on Linux systems, MasterParser scans supported logs, such as auth.log, and extracts critical details including SSH logins, user creations, event names, IP addresses and much more. The tool's generated summary presents this information in a clear and concise format, enhancing efficiency and accessibility for Incident Responders. Beyond its immediate utility for DFIR teams, MasterParser proves invaluable to the broader InfoSec and IT community, contributing significantly to the swift and comprehensive assessment of security events on Linux platforms.

## MasterParser Training Materials
We have developed a comprehensive set of [training materials](https://github.com/securityjoes/MasterParser/tree/main/MasterParser%20Training/02%20-%20Exercises%20and%20Scenarios%20to%20investigate) to help you get the most out of MasterParser. These resources are designed to provide practical, real-world scenarios that you might encounter, such as brute force attacks, reconnaissance activities, and more. By training with these materials, you'll gain hands-on experience and deeper insights into how MasterParser can be utilized effectively.
In addition to practical scenarios, we have also created a comprehensive [PDF presentation](https://github.com/securityjoes/MasterParser/tree/main/MasterParser%20Training/01%20-%20MasterParser%20Presentation). This presentation covers everything you need to know before using MasterParser. All these resources are conveniently organized in a folder called [MasterParser Training](https://github.com/securityjoes/MasterParser/tree/main/MasterParser%20Training) within the repository. Whether you are new to MasterParser or looking to deepen your expertise, these materials will provide valuable guidance and support.

In addition to all of the materials, there is also a [live recorded workshop](https://www.youtube.com/watch?v=7YfpShZM-4k) on how to use MasterParser that can be found on YouTube under the Security Joes YouTube channel.

## MasterParser Wallpapers
Love MasterParser as much as we do?
Dive into the fun and jazz up your screen with our exclusive MasterParser wallpapers!
Click the link below and get ready to add a splash of excitement to your device!
[Download Wallpaper](https://postimg.cc/gallery/70SrXcf)

## Supported Logs Format
This is the list of supported log formats within the var/log directory that MasterParser can analyze.
In future updates, MasterParser will support additional log formats for analysis.

|Supported Log Formats List|
| --- |
| auth.log |

## Feature & Log Format Requests:
If you wish to propose the addition of a new feature \ log format,
kindly submit your request by creating an issue
[Click here to create a request](https://github.com/YosfanEilay/MasterParser/issues/new)

## How To Use ?
![howto use](https://github.com/YosfanEilay/AuthLogParser/assets/132997318/2d663c04-88a3-412b-aa5c-99ad48d45ba1)

### How To Use - Text Guide
1. From this GitHub repository press on "<> Code" and then press on "Download ZIP".
2. From "MasterParser-main.zip" export the folder "MasterParser-main" to your Desktop.
3. Open a PowerShell terminal and navigate to the "MasterParser-main" folder.
```
# How to navigate to "MasterParser-main" folder from the PS terminal
PS C:\> cd "C:\Users\user\Desktop\MasterParser-main\"
```
4. Now you can execute the tool. For example, to see the tool's command menu, do this:
```
# How to show MasterParser menu
PS C:\Users\user\Desktop\MasterParser-main> .\MasterParser.ps1 -O Menu
```
5. To run the tool, put all your /var/log/* logs into the 01-Logs folder, and execute the tool like this:
```
# How to run MasterParser
PS C:\Users\user\Desktop\MasterParser-main> .\MasterParser.ps1 -O Start
```
6. That's it, enjoy the tool!

### How To Use - Video Guide
https://github.com/YosfanEilay/MasterParser/assets/132997318/d26b4b3f-7816-42c3-be7f-7ee3946a2c70

### MasterParser Social Media Publications
|Social Media Posts|
| --- |
| 1. [First Tool Post](https://www.linkedin.com/feed/update/urn:li:activity:7144214785243492352/) |
| 2. [First Tool Story Publication By Help Net Security](https://www.helpnetsecurity.com/2024/01/08/authlogparser-open-source-analyzing-linux-authentication-logs/) |
| 3. [Second Tool Story Publication By Forensic Focus](https://www.forensicfocus.com/interviews/eilay-yosfan-threat-researcher-security-joes/) |
| 4. [MasterParser featured in Help Net Security: 20 Essential Open-Source Cybersecurity Tools That Save You Time](https://www.helpnetsecurity.com/2024/03/25/essential-open-source-cybersecurity-tools/) |
| 5. [Tool Story Publication By endpointcave Newsletter](https://endpointcave.com/newsletter/newsletter-7-2024/0) |
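
The README says the tool pulls SSH logins and IP addresses out of auth.log, and the training scenarios cover brute-force attacks. The block below is an added example, not MasterParser's own code, that shows that kind of extraction on a small scale: it counts failed sshd passwords per source IP and reports any login accepted from a source that had already reached the failure threshold. The function name `Get-SshAuthSummary`, its output property names, the default threshold of 5 and the sample log lines are all assumptions made for the example.

```powershell
# Added example, not MasterParser code. Get-SshAuthSummary and its output
# property names are hypothetical; the sample log lines are constructed.
function Get-SshAuthSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]
        [string[]]$Line,

        # Failures from one source before it is flagged (assumed default).
        [int]$Threshold = 5
    )

    # sshd message shapes as they appear in auth.log.
    $failedRx   = 'sshd\[\d+\]: Failed password for (?<invalid>invalid user )?(?<user>\S+) from (?<ip>\S+) port \d+'
    $acceptedRx = 'sshd\[\d+\]: Accepted (?<method>\S+) for (?<user>\S+) from (?<ip>\S+) port \d+'

    $bySource = @{}
    foreach ($entry in $Line) {
        if ($entry -match $failedRx) { $kind = 'Failed' }
        elseif ($entry -match $acceptedRx) { $kind = 'Accepted' }
        else { continue }   # not an sshd password/login result line

        $ip = $Matches['ip']
        if (-not $bySource.ContainsKey($ip)) {
            $bySource[$ip] = @{
                Failed       = 0
                InvalidUser  = 0
                Users        = New-Object 'System.Collections.Generic.HashSet[string]'
                LateAccepted = New-Object 'System.Collections.Generic.List[string]'
            }
        }
        $state = $bySource[$ip]

        if ($kind -eq 'Failed') {
            $state.Failed++
            # The optional group is only present in $Matches when it matched.
            if ($Matches.ContainsKey('invalid')) { $state.InvalidUser++ }
            [void]$state.Users.Add($Matches['user'])
        }
        elseif ($state.Failed -ge $Threshold) {
            # A success that follows a burst of failures from the same source
            # is the line to triage first: the guessing may have worked.
            $state.LateAccepted.Add(('{0} ({1})' -f $Matches['user'], $Matches['method']))
        }
    }

    foreach ($ip in $bySource.Keys) {
        $state = $bySource[$ip]
        [pscustomobject]@{
            SourceIP              = $ip
            FailedPasswords       = $state.Failed
            InvalidUserFailures   = $state.InvalidUser
            TargetedUsers         = ($state.Users | Sort-Object) -join ', '
            BruteForceSuspected   = $state.Failed -ge $Threshold
            AcceptedAfterFailures = $state.LateAccepted -join ', '
        }
    }
}

# Constructed sample in auth.log format (documentation IP ranges, made-up host and users).
$sample = @'
May 9 11:42:01 examplehost sshd[2001]: Failed password for invalid user alpha from 203.0.113.7 port 40001 ssh2
May 9 11:42:01 examplehost sshd[2002]: Failed password for invalid user bravo from 203.0.113.7 port 40002 ssh2
May 9 11:42:02 examplehost sshd[2003]: Failed password for invalid user charlie from 203.0.113.7 port 40003 ssh2
May 9 11:42:02 examplehost sshd[2004]: Failed password for dana from 203.0.113.7 port 40004 ssh2
May 9 11:42:03 examplehost sshd[2005]: Failed password for invalid user echo from 203.0.113.7 port 40005 ssh2
May 9 11:42:03 examplehost sshd[2006]: Failed password for dana from 203.0.113.7 port 40006 ssh2
May 9 11:42:04 examplehost sshd[2007]: Accepted password for dana from 203.0.113.7 port 40007 ssh2
May 9 11:43:10 examplehost sshd[2010]: Accepted publickey for ops from 198.51.100.20 port 51000 ssh2
May 9 11:43:30 examplehost sudo: ops : TTY=pts/0 ; PWD=/home/ops ; USER=root ; COMMAND=/usr/bin/whoami
May 9 11:44:00 examplehost sshd[2011]: Failed password for ops from 198.51.100.20 port 51002 ssh2
'@ -split "\r?\n"

Get-SshAuthSummary -Line $sample | Sort-Object FailedPasswords -Descending | Format-List
```

To run it over a real file, pass `(Get-Content .\01-Logs\auth.log)` as `-Line`. The counts follow line order, so feed it one host's log in chronological order.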