#### SSH {{{
Invalid user inexu from 6.6.6.0
100 6.6.6.0 4 10
M
Invalid user inexu from 2001:db8::a11:beef:7ac0
100 2001:db8::a11:beef:7ac0 6 10
M
Invalid user inexu from 2001:db8::a11:beef:7ac0%abcdefgh1234567
100 2001:db8::a11:beef:7ac0 6 10
M
User mario from 6.6.6.0 not allowed because XYZ
100 6.6.6.0 4 10
M
ROOT LOGIN REFUSED FROM 6.6.6.0 port 14423
100 6.6.6.0 4 10
M
ROOT LOGIN REFUSED FROM 2001:db8::a11:beef:7ac1 port 14423
100 2001:db8::a11:beef:7ac1 6 10
M
ROOT LOGIN REFUSED FROM 1.2.3.4 port 14423 [preauth]
100 1.2.3.4 4 10
M
ROOT LOGIN REFUSED FROM 2001:db8::a11:beef:7ac1 port 14423 [preauth]
100 2001:db8::a11:beef:7ac1 6 10
M
User mario from 2001:db8::a11:beef:7ac0 not allowed because XYZ
100 2001:db8::a11:beef:7ac0 6 10
M
User mario from 2001:db8::a11:beef:7ac0%lo not allowed because XYZ
100 2001:db8::a11:beef:7ac0 6 10
M
Failed XYZ for XYZ from 6.6.6.0 port 14423 ssh2
100 6.6.6.0 4 10
M
Failed XYZ for XYZ from 2001:db8::a11:beef:7ac0 port 14423 ssh2
100 2001:db8::a11:beef:7ac0 6 10
M
Failed XYZ for XYZ from 2001:db8::a11:beef:7ac1 port 14423 ssh2: ED25519 SHA256:0123456789ABCDEF+/0123456789ABCDEF+/0123456
100 2001:db8::a11:beef:7ac1 6 10
M
Failed XYZ for XYZ from 1.2.3.4 port 14423 ssh2: ECDSA sha256:0123456789abcdef+/0123456789abcdef+/0123456
100 1.2.3.4 4 10
M
Failed XYZ for XYZ from 2001:db8::a11:beef:7ac1 port 14423 ssh2: rsa MD5:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF
100 2001:db8::a11:beef:7ac1 6 10
M
Failed XYZ for XYZ from 1.2.3.4 port 14423 ssh2: dsa md5:01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef
100 1.2.3.4 4 10
M
Failed XYZ for XYZ from 2001:db8::a11:beef:7ac0%enp3s0 port 14423 ssh2
100 2001:db8::a11:beef:7ac0 6 10
M
fatal: Unable to negotiate with 6.6.6.6 port 2222: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1
100 6.6.6.6 4 10
M
error: PAM: authentication failure for mario from 6.6.6.0
100 6.6.6.0 4 10
M
error: PAM: authentication failure for mario from 2001:db8::a11:beef:7ac0
100 2001:db8::a11:beef:7ac0 6 10
M
error: PAM: authentication failure for mario from 2001:db8::a11:beef:7ac0%vbr1
100 2001:db8::a11:beef:7ac0 6 10
M
error: PAM: unknown user for illegal user mario from 6.6.6.6
100 6.6.6.6 4 10
M
Did not receive identification string from 6.6.6.0
100 6.6.6.0 4 10
M
Did not receive identification string from 2001:db8::a11:beef:7ac0
100 2001:db8::a11:beef:7ac0 6 10
M
Did not receive identification string from 2001:db8::a11:beef:7ac0%eth0
100 2001:db8::a11:beef:7ac0 6 10
M
Bad protocol version identification XYZ from 6.6.6.0
100 6.6.6.0 4 10
M
Bad protocol version identification XYZ from 2001:db8::a11:beef:7ac0
100 2001:db8::a11:beef:7ac0 6 10
M
Dec 16 21:29:46 host sshd[73122]: banner exchange: Connection from 6.6.6.0 port 65403: invalid format
100 6.6.6.0 4 10
M
Dec 16 21:29:46 host sshd[73122]: banner exchange: Connection from 2001:db8::a11:beef:7ac0 port 65403: invalid format
100 2001:db8::a11:beef:7ac0 6 10
M
Apr 10 02:43:29 quasar sshd[50112]: Connection closed by 66.240.236.119 [preauth]
100 66.240.236.119 4 2
M
Apr 10 02:43:29 quasar sshd[50112]: Connection closed by 2001:db8::a11:beef:7ac0 [preauth]
100 2001:db8::a11:beef:7ac0 6 2
M
Jun 19 09:08:14 isori sshd[93628]: Connection closed by authenticating user root 192.168.7.7 port 42728 [preauth]
100 192.168.7.7 4 2
M
Connection reset by invalid user username 1.2.3.4 port 55895 [preauth]
100 1.2.3.4 4 2
M
Connection closed by invalid user gpadmin 1.2.3.4 port 9224 [preauth]
100 1.2.3.4 4 2
M
Apr 10 13:50:24 quasar sshd[53269]: error: Received disconnect from 95.9.156.208: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
*
M
Apr 10 13:50:24 quasar sshd[53269]: error: Received disconnect from 2001:db8::a11:beef:7ac0: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
*
M
Apr 10 06:55:42 quasar sshd[50880]: Received disconnect from 130.207.203.56: 11: These aren't the droids we're looking for. [preauth]
*
M
Apr 10 06:55:42 quasar sshd[50880]: Received disconnect from 2001:db8::a11:beef:7ac0: 11: These aren't the droids we're looking for. [preauth]
*
M
Apr  9 13:24:07 quasar sshd[44787]: Received disconnect from 103.237.33.58: 11: Bye Bye [preauth]
*
M
Apr  9 13:24:07 quasar sshd[44787]: Received disconnect from 2001:db8::a11:beef:7ac0: 11: Bye Bye [preauth]
*
M
2015-05-27T04:31:27.46667 auth.info: Invalid user admin from 192.168.2.1
100 192.168.2.1 4 10
M
2015-05-27T04:31:27.46667 auth.info: Invalid user admin from 2001:db8::a11:beef:7ac0
100 2001:db8::a11:beef:7ac0 6 10
M
May 29 14:44:30 epsilon sshd[4564]: error: Received disconnect from 192.168.2.200: 14: No supported authentication methods available [preauth]
*
M
May 29 14:44:30 epsilon sshd[4564]: error: Received disconnect from 2001:db8::a11:beef:7ac0: 14: No supported authentication methods available [preauth]
*
M
error: maximum authentication attempts exceeded for root from 117.81.26.226 port 4919 ssh2 [preauth]
100 117.81.26.226 4 10
M
error: maximum authentication attempts exceeded for root from 2001:db8::a11:beef:7ac0 port 4919 ssh2 [preauth]
100 2001:db8::a11:beef:7ac0 6 10
M
Invalid user support from 190.50.238.98 port 32836
100 190.50.238.98 4 10
M
Invalid user support from 2001:db8::a11:beef:7ac0 port 32836
100 2001:db8::a11:beef:7ac0 6 10
M
Failed password for invalid user admin from 172.22.10.15 port 39065 ssh2
100 172.22.10.15 4 10
M
Failed password for invalid user admin from 2001:db8::a11:beef:7ac1 port 39065 ssh2
100 2001:db8::a11:beef:7ac1 6 10
M
Jul  4 13:55:09 karpov sshd[64301]: Disconnecting invalid user user 10.42.42.42 port 38987: Change of username or service not allowed: (user,ssh-connection) -> (manager,ssh-connection) [preauth]
100 10.42.42.42 4 10
M
Disconnected from authenticating user root 1.2.3.4 port 57142 [preauth]
100 1.2.3.4 4 10
M
Disconnected from invalid user support 1.2.3.4 port 56636 [preauth]
100 1.2.3.4 4 10
M
Disconnected from 1.2.3.4 port 30761 [preauth]
100 1.2.3.4 4 10
M
Dec  1 06:25:27 server sshd[19956]: Accepted publickey for User from 1.2.3.4 port 21563 ssh2: RSA SHA256:...
*
M
Dec  1 06:25:27 server sshd[19471]: Received disconnect from 1.2.3.4 port 60058:11: disconnected by user
*
M
Dec  1 06:25:27 server sshd[19471]: Disconnected from 1.2.3.4 port 60058
*
M

# OpenSSH 7 (#81)
Dec 29 16:48:56 xxx sshd[24924]: Did not receive identification string from 5.20.95.202 port 56452
100 5.20.95.202 4 10
M
# }}}

#### Remote SSHGuard {{{
Attack from "2001:db8::a11:beef:456e" on service 100 with danger 10.
110 2001:db8::a11:beef:456e 6 10
M
Attack from "192.68.18.1" on service 100 with danger 10.
110 192.68.18.1 4 10
M
Blocking "192.68.18.2/32" for 300 secs (3 attacks in 5 secs, after 1 abuses over 5 secs.)
110 192.68.18.2 4 10
M
Blocking "2001:db8::a11:beef:456f/64" for 300 secs (3 attacks in 5 secs, after 1 abuses over 5 secs.)
110 2001:db8::a11:beef:456f 6 10
M
# }}}

#### Mail {{{
# cucipop {{{
authentication failure XYZ 6.6.6.0
230 6.6.6.0 4 10
M
authentication failure XYZ 2001:db8::a11:beef:7ac0
230 2001:db8::a11:beef:7ac0 6 10
M
# }}}

# exim {{{
authenticator failed for XYZ [6.6.6.0]:14432 I=XYZ : 535 Incorrect authentication data (set_id=test)
240 6.6.6.0 4 10
M
authenticator failed for XYZ [2001:db8::a11:beef:7ac0]:14432 I=XYZ : 535 Incorrect authentication data (set_id=test)
240 2001:db8::a11:beef:7ac0 6 10
M
# with an authenticator (here named LOGIN)
Oct 14 19:45:05 [exim] LOGIN authenticator failed for (localhost) [46.148.40.63]: 535 Incorrect authentication data (set_id=tun)
240 46.148.40.63 4 10
M
SMTP protocol error in "AUTH LOGIN" H=(XYZ) [6.6.6.0] AUTH command used when not advertised
240 6.6.6.0 4 10
M
SMTP protocol error in "AUTH LOGIN" H=(XYZ) [2001:db8::a11:beef:7ac0] AUTH command used when not advertised
240 2001:db8::a11:beef:7ac0 6 10
M
SMTP protocol error in "AUTH LOGIN" H=(XYZ) [6.6.6.0] LOGIN authentication mechanism not supported
240 6.6.6.0 4 10
M
SMTP protocol error in "AUTH LOGIN" H=(XYZ) [2001:db8::a11:beef:7ac0] LOGIN authentication mechanism not supported
240 2001:db8::a11:beef:7ac0 6 10
M
2018-06-03 13:16:08 SMTP protocol error in "AUTH LOGIN" H=(mail.example.com) [123.24.161.123] AUTH command used when not advertised: 1 Time(s)
240 123.24.161.123 4 10
M
2018-06-03 13:16:08 SMTP protocol error in "AUTH LOGIN" H=(mail.example.com) [123.24.161.123] AUTH command used when not advertised: 1 Time(s)
240 123.24.161.123 4 10
M
2018-06-03 13:35:07 SMTP protocol error in "AUTH LOGIN" H=dynamic-186-31-81-98.dynamic.etb.net.co (mail.example.com) [186.31.81.98] AUTH command used when not advertised: 1 Time(s)
240 186.31.81.98 4 10
M
2015-03-12 03:17:22 login authenticator failed for vps.o2c.net (User) [87.76.31.6]: 535 Incorrect authentication data (set_id=dog)
240 87.76.31.6 4 10
M
2015-03-12 03:17:22 login authenticator failed for vps.o2c.net (User) [2001:db8::a11:beef:7ac0]: 535 Incorrect authentication data (set_id=dog)
240 2001:db8::a11:beef:7ac0 6 10
M
1999-03-02 09:44:33 expanded_prompt_plain authenticator failed for (test.host) [10.0.0.1] U=CALLER: 535 Incorrect authentication data (set_id=userx)
240 10.0.0.1 4 10
M
1999-03-02 09:44:33 expanded_prompt_plain authenticator failed for (test.host) [2001:db8::a11:beef:7ac0] U=CALLER: 535 Incorrect authentication data (set_id=userx)
240 2001:db8::a11:beef:7ac0 6 10
M
# }}}

# sendmail {{{
Relaying denied. IP name lookup failed [6.6.6.0]
250 6.6.6.0 4 10
M
Relaying denied. IP name lookup failed [2001:db8::a11:beef:7ac0]
250 2001:db8::a11:beef:7ac0 6 10
M
# }}}

# dovecot {{{
imap-login: Aborted login (auth failed, 6 attempts): XYZ rip=6.6.6.0, lip=127.0.0.1
210 6.6.6.0 4 10
M
imap-login: Aborted login (auth failed, 6 attempts): XYZ rip=2001:db8::a11:beef:7ac0, lip=127.0.0.1
210 2001:db8::a11:beef:7ac0 6 10
M
2019-10-15 08:08:52 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<test>, method=PLAIN, rip=172.21.0.1, lip=172.21.0.3, TLS, session=<1MyTfu0USIqsFQAB>
210 172.21.0.1 4 10
M
submission-login: Disconnected: Aborted login by logging out (auth failed, 1 attempts in 2 secs): user=<sarah>, method=LOGIN, rip=1.2.3.4, lip=1.1.1.1, TLS, session=<cIMEtT/mtP8tfUIY>
210 1.2.3.4 4 10
M
# }}}

# uwimap {{{
Login failed user=XYZ auth=XYZ host=XYZ [6.6.6.0]
200 6.6.6.0 4 10
M
Login failed user=XYZ auth=XYZ host=XYZ [2001:db8::a11:beef:7ac0]
200 2001:db8::a11:beef:7ac0 6 10
M
# }}}

# cyrus {{{
badlogin: XYZ [6.6.6.0] XYZ SASL XYZ checkpass failed
220 6.6.6.0 4 10
M
badlogin: XYZ [2001:db8::a11:beef:7ac0] XYZ SASL XYZ checkpass failed
220 2001:db8::a11:beef:7ac0 6 10
M
Oct 29 18:51:24 mailsrv imaps[79980]: badlogin: [192.168.1.1] CRAM-MD5 (testbox@domain) [SASL(-13): authentication failure: incorrect digest response]
220 192.168.1.1 4 10
M
# }}}

# postfix {{{
Oct 19 19:56:07 longbeach postfix/smtpd[2309]: warning: unknown[199.19.110.207]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
260 199.19.110.207 4 10
M
Oct 19 19:56:07 longbeach postfix/smtpd[2309]: warning: unknown[2001:db8::a11:beef:7ac0]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
260 2001:db8::a11:beef:7ac0 6 10
M
Jun 21 12:00:56 acme postfix/submission/smtpd[20201]: warning: non-SMTP command from unknown[1.2.3.4]: GET / HTTP/1.1
260 1.2.3.4 4 10
M
warning: unknown[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
260 1.2.3.4 4 10
M
Dec 13 09:32:50 marcos postfix/smtpd[24754]: lost connection after AUTH from rrcs-24-213-217-114.nys.biz.rr.com[24.213.217.114]
260 24.213.217.114 4 10
M
Dec 13 09:32:50 marcos postfix/smtpd[24754]: lost connection after AUTH from rrcs-24-213-217-114.nys.biz.rr.com[2001:db8::a11:beef:7ac0]
260 2001:db8::a11:beef:7ac0 6 10
M
lost connection after CONNECT from unknown[2606:2800:220:1:248:1893:25c8:1946]
260 2606:2800:220:1:248:1893:25c8:1946 6 10
M
Jun 20 16:46:17 ares postgrey[919]: action=greylist, reason=early-retry (295s missing), client_name=r244.mail.kbc.be, client_address=172.82.231.244, sender=bounce@mail.kbc.be, recipient=lilydehoux@zeelandned.nl
260 172.82.231.244 4 10
M
Sep  6 11:47:43 poseidon postfix/postscreen[14766]: PREGREET 14 after 0.04 from [1.2.3.4]:55868: EHLO ylmf-pc\r\n
260 1.2.3.4 4 10
M
Sep 10 07:01:57 poseidon postfix/postscreen[25914]: DNSBL rank 3 for [1.2.3.4]:64273
260 1.2.3.4 4 10
M
Sep  6 11:47:43 poseidon postfix/postscreen[14766]: HANGUP after 0.07 from [1.2.3.4]:55868 in tests after SMTP handshake
260 1.2.3.4 4 10
M

# postfix with smtpd_client_port_logging
2022-04-14T00:36:03.150Z mailhub postfix/smtps/smtpd[30543]: warning: unknown[122.166.249.154]:48123: SASL LOGIN authentication failed: UGFzc3dvcmQ6
260 122.166.249.154 4 10
M
2022-04-14T00:16:57.566Z mailhub postfix/smtps/smtpd[90800]: lost connection after AUTH from 201.130.128.222.ded.telnor.net[201.130.128.222]:59123
260 201.130.128.222 4 10
M
# }}}

# OpenSMTPD {{{
38dd06274cde1fd7 smtp event=failed-command address=185.236.202.133 host=no-mans-land.m247.com command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported"
270 185.236.202.133 4 10
M
45addba89269aeaa smtp event=failed-command address=128.237.183.69 host=zeta.wv.cc.cmu.edu command="AUTH PLAIN (...)" result="535 Authentication failed"
270 128.237.183.69 4 10
M
# }}}

# cyrus {{{
imaps TLS negotiation failed: [196.52.43.55]
*
M
imaps TLS negotiation failed: [2001:470:df49:2:9df9:4e98:31e1:1720]
*
M
STARTTLS negotiation failed: [196.52.43.55]
*
M
STARTTLS negotiation failed: [2001:470:df49:2:9df9:4e98:31e1:1720]
*
M
# }}}

# courier {{{
Jun 24 15:34:21 mail imapd: LOGIN FAILED, user=fakeemail@example.com, ip=[1.2.3.4]
280 1.2.3.4 4 10
M
Jun 24 15:34:21 mail imapd: LOGIN FAILED, user=fakeemail@example.com, ip=[2001:470:df49:2:9df9:4e98:31e1:1720]
280 2001:470:df49:2:9df9:4e98:31e1:1720 6 10
M
Jun 24 15:34:21 mail imapd: LOGIN FAILED, user=fakeemail@example.com, ip=[::ffff:121.226.61.81]
280 121.226.61.81 4 10
M
Jun 24 11:53:25 mail pop3d: LOGIN FAILED, user=britton, ip=[1.2.3.4]
280 1.2.3.4 4 10
M
Jun 24 11:53:25 mail pop3d: LOGIN FAILED, user=britton, ip=[2001:470:df49:2:9df9:4e98:31e1:1720]
280 2001:470:df49:2:9df9:4e98:31e1:1720 6 10
M
Jun 24 11:53:25 mail pop3d: LOGIN FAILED, user=britton, ip=[::ffff:121.226.61.81]
280 121.226.61.81 4 10
M
Nov 20 04:12:45 mail imapd-ssl[20815]: LOGIN FAILED, method=PLAIN, ip=[::ffff:177.19.165.26]
280 177.19.165.26 4 10
M
# }}}
# }}}

#### FTP {{{
FTP LOGIN FAILED FROM 6.6.6.0, XYZ
300 6.6.6.0 4 10
M
FTP LOGIN FAILED FROM 2001:db8::a11:beef:7ac0, XYZ
300 2001:db8::a11:beef:7ac0 6 10
M
foo.com (foo.com [6.6.6.0]) XYZ no such user XYZ
310 6.6.6.0 4 10
M
foo.com (foo.com [2001:db8::a11:beef:7ac0]) XYZ no such user XYZ
310 2001:db8::a11:beef:7ac0 6 10
M
(XYZ@6.6.6.0) [WARNING] Authentication failed for user XYZ
320 6.6.6.0 4 10
M
(XYZ@2001:db8::a11:beef:7ac0) [WARNING] Authentication failed for user XYZ
320 2001:db8::a11:beef:7ac0 6 10
M
XYZ FAIL LOGIN: Client "6.6.6.0"
330 6.6.6.0 4 10
M
XYZ FAIL LOGIN: Client "2001:db8::a11:beef:7ac0"
330 2001:db8::a11:beef:7ac0 6 10
M }}}

#### Cockpit {{{
pam_unix(cockpit:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=172.22.10.15 user=jeff
340 172.22.10.15 4 10
M
pam_unix(cockpit:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=2001:db8::a11:beef:7ac0 user=root
340 2001:db8::a11:beef:7ac0 6 10
M
pam_unix(cockpit:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=172.22.10.15
340 172.22.10.15 4 10
M
pam_unix(cockpit:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=2001:db8::a11:beef:7ac1
340 2001:db8::a11:beef:7ac1 6 10
M
pam_unix(cockpit:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=172.22.10.15  user=jeff
340 172.22.10.15 4 10
M
pam_unix(cockpit:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=2001:db8::a11:beef:7ac1  user=jeff
340 2001:db8::a11:beef:7ac1 6 10
M
# }}}

#### OpenVPN {{{
Sep 04 00:00:06 hostname openvpn[23718]: 54.183.149.10:34791 TLS Error: TLS handshake failed
400 54.183.149.10 4 10
M
Sep 04 00:00:06 hostname openvpn[23718]: [2001:db8::a11:beef:7ac0]:34791 TLS Error: TLS handshake failed
400 2001:db8::a11:beef:7ac0 6 10
M
# OpenVPN Portshare
2019-10-21T23:07:09+0200 [stdout#info] [OVPN 0] OUT: 'Mon Oct 21 21:07:09 2019 192.168.0.1:28288 SIGTERM[soft,port-share-redirect] received, client-instance exiting'
410 192.168.0.1 4 10
M
# }}}

#### Web {{{
10.42.42.39 - "jeff" [19/Apr/1943:03:14:13 +0000] "GET /secret-base HTTP/1.1" 401 356 "EvilAgent/2.0"
350 10.42.42.39 4 10
M
10.42.42.40 - - [19/Apr/1943:03:14:10 +0000] "GET /wp-login.php HTTP/1.1" 404 1 "-" "Mozilla/5.0"
360 10.42.42.40 4 10
M
10.42.42.41 - - [19/Apr/1943:03:14:11 +0000] "GET /wp-admin.php HTTP/1" 401 - "-" "Mozilla/5.0"
350 10.42.42.41 4 10
M
10.42.42.42 - - [19/Apr/1943:03:14:12 +0000] "GET /wordress/wp-login.php HTTP/2.0" 404 2571 "-" "Mozilla/5.0" "extra-field" "more-data"
360 10.42.42.42 4 10
M
10.42.42.43 - - [19/Apr/1943:03:14:13 +0000] "GET /roundcube HTTP/1.1" 410 3
360 10.42.42.43 4 10
M
2001:db8::a11:beef:7aa0 - - [19/Apr/1943:03:14:14 +0000] "GET /roundcube HTTP/2.0" 403 0 "-" "Mozilla/4.0"
360 2001:db8::a11:beef:7aa0 6 10
M
10.42.42.44 - - [19/Apr/1943:03:14:15 +0000] "GET /wp-login.php HTTP/1.1" 404 56 "-"
360 10.42.42.44 4 10
M
2001:db8::a11:beef:7aa1 - - [19/Apr/1943:03:14:14 +0000] "GET /roundcube HTTP/2.0" 404 -
360 2001:db8::a11:beef:7aa1 6 10
M
10.42.42.45 - - [19/Apr/1943:03:14:17 +0000] "GET /roundcube/ HTTP/2.0" 410 - "-" "Mozilla/4.0"
360 10.42.42.45 4 10
M
1.2.3.4 - - [25/Dec/2024:20:36:18 +0200] "POST /webmail/?_task=login HTTP/2.0" 401 5456 "https://www.example.com/webmail/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.1.1 Safari/605.1.15" (2.681)
350 1.2.3.4 4 10
M
1.2.3.4 - - [25/Dec/2024:20:12:51 +0200] "POST /?_task=login HTTP/2.0" 401 5449 "https://webmail.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.1.1 Safari/605.1.15" (2.644)
350 1.2.3.4 4 10
M
# False positives for roundcube/mail {{{
1.2.3.4 - - [14/Dec/2024:19:26:59 +0200] "GET /legacy/cache/jsLanguage/EmailTemplates/en_us.js?v=wOT4aAGD9wl0AmTvsx-RxA HTTP/2.0" 404 20 "https://www.example.com/legacy/index.php?action=DetailView&module=EmailTemplates&record=78cc0f92-d2c6-673d-f4cd-675c2b2862f3&return_module=EmailTemplates&return_action=DetailView" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0"
*
M
1.2.3.4 - - [23/Dec/2024:16:28:38 +0200] "POST /legacy/index.php?entryPoint=emailTemplateData HTTP/2.0" 499 0 "https://www.example.com/legacy/index.php?action=WizardMarketing&module=Campaigns&return_module=Campaigns&return_action=WizardHome&return_id=443ce73a-98f0-a38d-cba6-67696337e5ee&campaign_id=443ce73a-98f0-a38d-cba6-67696337e5ee&jump=3&show_wizard_marketing=1&marketing_id=1e5a3b65-5d8a-a618-f327-6769633abade&record=1e5a3b65-5d8a-a618-f327-6769633abade&campaign_type=NewsLetter" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0" (0.058)
*
M
10.42.42.46 - - [17/Jun/2020:00:26:51 +0200] "GET /administrator/index.php?option=com_login HTTP/1.1" 404 286 "-" "Mozilla/5.0"
360 10.42.42.46 4 10
M
2001:db8::a11:b2ef:78f2 - - [19/Apr/1943:03:14:11 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 781 "-" "Googlebot"
370 2001:db8::a11:b2ef:78f2 6 10
M
10.42.57.1 - - [19/Apr/1943:03:14:10 +0000] "POST /wp-login.php HTTP/1.1" 200 1056
370 10.42.57.1 4 10
M
2001:db8::a11:beef:7aa2 - - [19/Apr/1943:03:14:11 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 781 "-" "Googlebot"
370 2001:db8::a11:beef:7aa2 6 10
M
192.68.11.1 - - [19/Apr/1943:03:14:11 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 781 "-" "Googlebot"
370 192.68.11.1 4 10
M
192.68.11.1 - - [19/Apr/1943:03:14:12 +0000] "POST /wp/wp-login.php HTTP/1.1" 200 - "-" "Mozilla/5.0"
370 192.68.11.1 4 10
M
2001:db8::a11:beef:7aa3 - "admin" [19/Apr/1943:03:14:13 +0000] "GET /admin/system HTTP/1.1" 401 -
350 2001:db8::a11:beef:7aa3 6 10
M
127.1.2.3 - - [18/Jun/2020:16:05:21 +0200] "POST /typo3/?loginProvider=1433416747 HTTP/2.0" 200 3714 "-" "Mozilla/5.0" "-"
370 127.1.2.3 4 10
M
127.1.2.4 - - [18/Jun/2020:16:05:21 +0200] "POST /contao/login?_hash=tw9jzczttzj9twxzjztwx9twzjtwxjtzj9ztwdjzxwt%3D&redirect=https%3A%2F%2Fexample.org%2Fcontao HTTP/2.0" 200 654 "-" "Mozilla/5.0" "-"
370 127.1.2.4 4 10
M
1.2.3.4 - - [28/Dec/2022:20:45:56 +0200] "GET /LICENSE.txt HTTP/2.0" 444 0 "-" "curl/7.74.0" (0.000)
360 1.2.3.4 4 10
M
reverse mapping checking getaddrinfo for XYZ [6.6.6.0] XYZ POSSIBLE BREAK-IN ATTEMPT!
*
M
10.42.42.40 - - [19/Apr/1943:03:14:15 +0000] "GET / HTTP/1.1" 401 314 "-" "Mozilla/5.0"
350 10.42.42.40 4 10
M
2001:db8::a11:beef:7ac0 - - [19/Apr/1943:03:14:15 +0000] "GET / HTTP/2.0" 301 401 "-" "Mozilla/5.0"
*
M
10.42.42.42 - - [19/Apr/1943:03:14:15 +0000] "GET / HTTP/2.0" 301 401 314 "-" "Mozilla/5.0"
*
M
10.42.42.44 - [19/Apr/1943:03:14:15 +0000] "GET / HTTP/2.0" 301 401 314 "-" "Mozilla/5.0"
*
M
10.42.42.45 - - [19/Apr/1943:03:14:15 +0000] "GET wp-login.php HTTP/1.1" 200 "-" "Mozilla/5.0"
*
M
10.42.42.46 - - [19/Apr/1943:03:14:15 +0000] "GET /wp-login.php HTTP/1.1" 200 "-" "Mozilla/5.0"
*
M
10.42.42.47 - - [19/Apr/1943:03:14:15 +0000] "POST /wp-login.php HTTP/1.1" 302 200 "-" "Mozilla/5.0"
*
M
10.42.42.48 - - [19/Apr/1943:03:14:15 +0000] "GET /wp-login.php HTTP/1.1" 301 201 "-" "Mozilla/5.0"
*
M
2001:db8::a11:beef:7ac1 - - [19/Apr/1943:03:14:15 +0000] "POST /wp-login.php HTTP/1.1" 302 201 "-" "Mozilla/5.0"
*
M
10.42.42.49 - - [19/Apr/1943:03:14:15 +0000] "GET /wp-login.php HTTP/1.1" 302 200 "-" "Mozilla/5.0"
*
M
10.42.42.50 - - [19/Apr/1943:03:14:15 +0000] "GET roundcube HTTP/1.1" 200 "-" "Mozilla/4.0"
*
M
10.42.42.51 - - [19/Apr/1943:03:14:15 +0000] "GET /roundcube HTTP/1.1" 200 "-" "Mozilla/4.0"
*
M
10.42.42.52 - - [19/Apr/1943:03:14:15 +0000] "GET /roundcube HTTP/1.1" 301 200 "-" "Mozilla/4.0"
*
M
10.42.42.53 - - [19/Apr/1943:03:14:15 +0000] "GET /roundcube HTTP/1.1" 301 201 "-" "Mozilla/4.0" "extra-field" "more-data"
*
M
2001:db8::a11:beef:7ac2 - - [19/Apr/1943:03:14:15 +0000] "GET /roundcube/ HTTP/1.1" 200 "-" "Mozilla/4.0"
*
M
10.42.42.54 - - [19/Apr/1943:03:14:15 +0000] "GET /roundcube/ HTTP/1.1" 301 200 "-" "Mozilla/4.0"
*
M
10.42.42.55 - - [19/Apr/1943:03:14:15 +0000] "GET /roundcube/ HTTP/1.1" 301 201 "-" "Mozilla/4.0"
*
M
10.42.42.56 - - [19/Apr/1943:03:14:15 +0000] "GET /somewhere HTTP/1.1" 200 "https://example.com/wp-admin.php" "Mozilla/5.0"
*
M
# }}}
# generic 401 unauthorized
1.2.3.4 - - [24/Apr/2023:10:22:25 +0300] "POST /?_task=login HTTP/2.0" 401 5440 "https://webmail.some.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.4 Safari/605.1.15" (3.213)
350 1.2.3.4 4 10
M
# super long lines
1.2.3.4 - - [27/Apr/2025:18:38:04 +0300] "GET /node/85/taxonomy/term/%CE%BC%CE%B1%CE%BA%CF%81%CE%BF%CF%83%CE%BA%CE%BF%CF%80%CE%B9%CE%BA%CE%AC_%CF%87%CE%B1%CF%81%CE%B1%CE%BA%CF%84%CE%B7%CF%81%CE%B9%CF%83%CF%84%CE%B9%CE%BA%CE%AC/%CE%BF_%CE%BC%CE%AF%CF%83%CF%87%CE%BF%CF%82/taxonomy/term/taxonomy/term/%CE%BC%CE%B1%CE%BA%CF%81%CE%BF%CF%83%CE%BA%CE%BF%CF%80%CE%B9%CE%BA%CE%AC_%CF%87%CE%B1%CF%81%CE%B1%CE%BA%CF%84%CE%B7%CF%81%CE%B9%CF%83%CF%84%CE%B9%CE%BA%CE%AC/%CE%BF_%CE%BC%CE%AF%CF%83%CF%87%CE%BF%CF%82/%CE%BC%CE%B1%CE%BA%CF%81%CE%BF%CF%83%CE%BA%CE%BF%CF%80%CE%B9%CE%BA%CE%AC_%CF%87%CE%B1%CF%81%CE%B1%CE%BA%CF%84%CE%B7%CF%81%CE%B9%CF%83%CF%84%CE%B9%CE%BA%CE%AC/%CE%BF_%CE%BC%CE%AF%CF%83%CF%87%CE%BF%CF%82/%CE%BC%CE%B1%CE%BA%CF%81%CE%BF%CF%83%CE%BA%CE%BF%CF%80%CE%B9%CE%BA%CE%AC_%CF%87%CE%B1%CF%81%CE%B1%CE%BA%CF%84%CE%B7%CF%81%CE%B9%CF%83%CF%84%CE%B9%CE%BA%CE%AC/%CE%BF_%CE%BC%CE%AF%CF%83%CF%87%CE%BF%CF%82/taxonomy/term/taxonomy/term/%CE%BC%CE%B1%CE%BA%CF%81%CE%BF%CF%83%CE%BA%CE%BF%CF%80%CE%B9%CE%BA%CE%AC_%CF%87%CE%B1%CF%81%CE%B1%CE%BA%CF%84%CE%B7%CF%81%CE%B9%CF%83%CF%84%CE%B9%CE%BA%CE%AC/%CE%BF_%CE%BC%CE%AF%CF%83%CF%87%CE%BF%CF%82/%CE%BC%CE%B1%CE%BA%CF%81%CE%BF%CF%83%CE%BA%CE%BF%CF%80%CE%B9%CE%BA%CE%AC_%CF%87%CE%B1%CF%81%CE%B1%CE%BA%CF%84%CE%B7%CF%81%CE%B9%CF%83%CF%84%CE%B9%CE%BA%CE%AC/%CE%BF_%CE%BC%CE%AF%CF%83%CF%87%CE%BF%CF%82/taxonomy/term/taxonomy/term/%CE%BC%CE%B1%CE%BA%CF%81%CE%BF%CF%83%CE%BA%CE%BF%CF%80%CE%B9%CE%BA%CE%AC_%CF%87%CE%B1%CF%81%CE%B1%CE%BA%CF%84%CE%B7%CF%81%CE%B9%CF%83%CF%84%CE%B9%CE%BA%CE%AC/%CE%BF_%CE%BC%CE%AF%CF%83%CF%87%CE%BF%CF%82/%CE%BC%CE%B1%CE%BA%CF%81%CE%BF%CF%83%CE%BA%CE%BF%CF%80%CE%B9%CE%BA%CE%AC_%CF%87%CE%B1%CF%81%CE%B1%CE%BA%CF%84%CE%B7%CF%81%CE%B9%CF%83%CF%84%CE%B9%CE%BA%CE%AC/%CE%BF_%CE%BC%CE%AF%CF%83%CF%87%CE%BF%CF%82/%CE%BC%CE%B1%CE%BA%CF%81%CE%BF%CF%83%CE%BA%CE%BF%CF%80%CE%B9%CE%BA%CE%AC_%CF%87%CE%B1%CF%81%CE%B1%CE%BA%CF%84%CE%B7%CF%81%CE%B9%CF%83%CF%84%CE%B9%CE%BA%CE%AC/%CE%BF_%CE%BC%CE%AF%CF%83%CF%87%CE%BF%CF%82/%CE%BC%CE%B1%CE%BA%CF%81%CE%BF%CF%83%CE%BA%CE%BF%CF%80%CE%B9%CE%BA%CE%AC_%CF%87%CE%B1%CF%81%CE%B1%CE%BA%CF%84%CE%B7%CF%81%CE%B9%CF%83%CF%84%CE%B9%CE%BA%CE%AC/%CE%BF_%CE%BC%CE%AF%CF%83%CF%87%CE%BF%CF%82/taxonomy/term/taxonomy/term/%CE%BC%CE%B1%CE%BA%CF%81%CE%BF%CF%83%CE%BA%CE%BF%CF%80%CE%B9%CE%BA%CE%AC_%CF%87%CE%B1%CF%81%CE%B1%CE%BA%CF%84%CE%B7%CF%81%CE%B9%CF%83%CF%84%CE%B9%CE%BA%CE%AC/%CE%BF_%CE%BC%CE%AF%CF%83%CF%87%CE%BF%CF%82/%CE%BC%CE%B1%CE%BA%CF%81%CE%BF%CF%83%CE%BA%CE%BF%CF%80%CE%B9%CE%BA%CE%AC_%CF%87%CE%B1%CF%81%CE%B1%CE%BA%CF%84%CE%B7%CF%81%CE%B9%CF%83%CF%84%CE%B9%CE%BA%CE%AC/%CE%BF_%CE%BC%CE%AF%CF%83%CF%87%CE%BF%CF%82/taxonomy/term/taxonomy/term/taxonomy/term/%CE%BC%CE%B1%CE%BA%CF%81%CE%BF%CF%83%CE%BA%CE%BF%CF%80%CE%B9%CE%BA%CE%AC_%CF%87%CE%B1%CF%81%CE%B1%CE%BA%CF%84%CE%B7%CF%81%CE%B9%CF%83%CF%84%CE%B9%CE%BA%CE%AC/%CE%BF_%CE%BC%CE%AF%CF%83%CF%87%CE%BF%CF%82/%CE%BC%CE%B1%CE%BA%CF%81%CE%BF%CF%83%CE%BA%CE%BF%CF%80%CE%B9%CE%BA%CE%AC_%CF%87%CE%B1%CF%81%CE%B1%CE%BA%CF%84%CE%B7%CF%81%CE%B9%CF%83%CF%84%CE%B9%CE%BA%CE%AC/%CE%BF_%CE%BC%CE%AF%CF%83%CF%87%CE%BF%CF%82/%CE%B1%CE%BC%CE%B1%CE%BD%CE%AF%CF%84%CE%B7%CF%82_%CE%BF_%CE%B5%CE%B1%CF%81%CE%B9%CE%BD%CF%8C%CF%82 HTTP/2.0" 444 0 "-" "meta-externalagent/1.1 (+https://developers.facebook.com/docs/sharing/webmasters/crawler)" (0.000)
360 1.2.3.4 4 10
M
# }}}

#### Banner formats {{{
# Greedy SYSLOG_BANNER token (#93)
2018-06-26 13:22:02.108781500 Failed password for woold from 10.10.10.76 port 34718 ssh2
100 10.10.10.76 4 10
M

# macOS log format (#106)
2018-12-20 10:09:05.180218+0000 localhost sshd[67566]: Invalid user git from 185.52.1.9 port 35968
100 185.52.1.9 4 10
M

# Rsyslog 8 (#128)
2020-05-29T11:28:56.058908+02:00 bastion sshd[20974] error: PAM: Authentication error for illegal user plop from 10.11.12.13
100 10.11.12.13 4 10
M

# Busybox
Jun 20 02:18:39 vps auth.info sshd[13482]: Invalid user admin from 192.168.2.2
100 192.168.2.2 4 10
M
Jun 20 02:18:39 vps auth.info sshd[13482]: Invalid user admin from 2001:db8::a11:beef:7ac0
100 2001:db8::a11:beef:7ac0 6 10
M

# Busybox 'syslog -S' hides host names (#115)
May 9 11:11:17 sshd[30876]: Invalid user www from 139.59.34.17 port 51066
100 139.59.34.17 4 10
M

# FreeBSD syslogd with -v (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=197854)
Jan  1 00:00:00 <10.5> foxtrot sshd[1234]: Invalid user admin from 1.2.3.4
100 1.2.3.4 4 10
M

# socklog banner, eg
2015-05-27T04:31:28.10040 auth.info: May 27 04:31:28 sshd[30993]: Invalid user admin from 1.2.3.4
100 1.2.3.4 4 10
M
# Some strip the redundant timestamp, eg
2015-05-27T04:31:28.10040 auth.info: sshd[30993]:  Invalid user admin from 1.2.3.4
100 1.2.3.4 4 10
M

# RFC 5424 banner
<35>1 2020-01-03T11:57:14.257387-05:00 1.2.3.4 sshd 86784 - - error: PAM: Authentication error for root from 1.2.3.4
100 1.2.3.4 4 10
M
# }}}

#### Gitea {{{
Mar 07 08:34:31 myhost gitea[15884]: 2019/03/07 08:34:31 [I] Failed authentication attempt for blabla from [::1]
500 ::1 6 10
M
Failed authentication attempt for blabla from 213.60.123.190
500 213.60.123.190 4 10
M
# Gitea 1.17.x FreeBSD
2023/01/01 15:33:04 ...ers/web/auth/auth.go:200:SignInPost() [I] [63b199a0] Failed authentication attempt for test from 192.168.1.2:13798: user does not exist [uid: 0, name: test, keyid: 0]
500 192.168.1.2 4 10
M
# Gitea 1.17 colored
[36m2023/01/01 17:25:12 [0m[32m...ers/web/auth/auth.go:200:[32mSignInPost()[0m [1;32m[I][0m [[93m63b1b3e8[0m] Failed authentication attempt for [1mtest[0m from [1m1.2.3.4:0[0m: [1muser does not exist [uid: 0, name: test, keyid: 0][0m
500 1.2.3.4 4 10
M
# }}}

#### BIND {{{
# BIND query denied
Jul 28 08:45:16 router1 named[135105]: client @0x7f13c4158c00 1.2.3.4#3074 (example.com): query (cache) example.com/RRSIG/IN' denied
120 1.2.3.4 4 10
M
# }}}

#### MSSQL {{{
2023-04-21 23:17:02.54 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 87.251.75.20]
600 87.251.75.20 4 10
M
2023-04-21 23:17:02.54 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 80.66.76.21]
600 80.66.76.21 4 10
M
2023-05-01 15:32:57.55 Logon       Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. [CLIENT: 87.236.176.168]
600 87.236.176.168 4 10
M
2023-05-01 15:05:09.16 Logon       Length specified in network packet payload did not match number of bytes read; the connection has been closed. Please contact the vendor of the client library. [CLIENT: 198.199.105.106]
600 198.199.105.106 4 10
M
# }}}

#### Proxmox VE {{{
May 04 23:45:19 deb12-pve pvedaemon[2352]: authentication failure; rhost=::ffff:192.0.2.74 user=tester@pve msg=Authentication failure
700 192.0.2.74 4 10
M
May 05 00:11:56 deb12-pve pvedaemon[2350]: authentication failure; rhost=2001:0DB8:72a:1936:2d49:83ed:d49a:6ffd user=root@pam msg=Authentication failure
700 2001:0DB8:72a:1936:2d49:83ed:d49a:6ffd 6 10
M
May 05 00:07:09 deb12-pve pvedaemon[2351]: authentication failure; rhost=::ffff:192.0.2.154 user=tester2@pam msg=no such user ('tester2@pam')
700 192.0.2.154 4 10
M
May 05 00:08:19 deb12-pve pvedaemon[2352]: authentication failure; rhost=::ffff:192.0.2.7 user=tester3@pve msg=no such user ('tester3@pve')
700 192.0.2.7 4 10
M
May 05 00:12:11 deb12-pve pvedaemon[2352]: authentication failure; rhost=2001:0DB8:72a:1936:2d49:83ed:d49a:6ffd user=root@pve msg=no such user ('root@pve')
700 2001:0DB8:72a:1936:2d49:83ed:d49a:6ffd 6 10
M
# }}}