In the last blog we looked at the two-level Sankey diagram. I had promised to show you an update to it that makes it much more useful, but I decided to save that for next time. The reason is that I thought of a common security problem that warrants discussion. Since this is also a security blog, I thought we could take a pause on the data science and talk security.
If you have a computer on the internet, it's just a fact of life that your system is being pounded constantly by people trying to log in. So, what accounts do they go after?
To solve this problem, we need a script to gather information.
Save it and run it as root.
OK. So, let's pull this into RStudio for some analysis. What we want to do is see which accounts are tried most often. Let's run the following script:
Run it. Now let's see what the 50 most popular accounts are:
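As an added example (not the author's gathering script or R code), the following POSIX shell does the same job end to end on the sshd side: it pulls the username out of every "Failed password" line, counts per account, and prints the most-hammered accounts first. The log lines are constructed samples in syslog format, and the function names `failed_login_users` and `top_accounts` are mine.

```shell
#!/bin/sh
# Constructed sample of sshd lines as they appear in /var/log/auth.log.
# Note the two shapes: "Failed password for NAME" for accounts that exist and
# "Failed password for invalid user NAME" for ones that do not.
SAMPLE_LOG='Mar  1 02:11:07 host sshd[1201]: Failed password for root from 203.0.113.5 port 4011 ssh2
Mar  1 02:11:09 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 4012 ssh2
Mar  1 02:11:12 host sshd[1205]: Failed password for root from 198.51.100.7 port 5510 ssh2
Mar  1 02:11:15 host sshd[1207]: Failed password for invalid user oracle from 198.51.100.7 port 5511 ssh2
Mar  1 02:11:18 host sshd[1209]: Failed password for invalid user admin from 192.0.2.9 port 6020 ssh2
Mar  1 02:11:20 host sshd[1211]: Accepted publickey for alice from 192.0.2.20 port 7000 ssh2
Mar  1 02:11:25 host sshd[1213]: Failed password for root from 192.0.2.9 port 6021 ssh2
Mar  1 02:11:30 host sshd[1215]: Invalid user postgres from 203.0.113.5 port 4013'

# Print one username per failed password attempt, reading the log on stdin.
# Successful logins and other sshd chatter are ignored.
failed_login_users() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
        for (i = 1; i <= NF; i++) {
            if ($i == "for") {
                # skip the "invalid user" marker when present
                if ($(i + 1) == "invalid" && $(i + 2) == "user") print $(i + 3)
                else print $(i + 1)
                break
            }
        }
    }'
}

# Count attempts per account, busiest first. $1 = how many rows to show (50 by default).
top_accounts() {
    failed_login_users | sort | uniq -c | sort -rn | head -n "${1:-50}"
}

# Demo on the constructed sample. On a live host run as root:
#   top_accounts 50 < /var/log/auth.log
# or on a journald system:  journalctl -u ssh | top_accounts 50
printf '%s\n' "$SAMPLE_LOG" | top_accounts 50
```

The counting step is the shell equivalent of the frequency table the R script builds; on the sample it yields root with 3 attempts, admin with 2 and oracle with 1. The bare "Invalid user" line is deliberately not counted, since sshd logs a separate "Failed password" line for the same attempt once the password is actually tried.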
So, what does this mean?
1) Do not allow root logins. Ever. Period.
2) Do not make an account based on a job function
3) Do not make an account based on a service name
4) Make sure all service accounts cannot be logged into
5) Do not make an account based on your first name
So, how can we check for active accounts on the system? First, let's make sure everything uses shadowed passwords:
Any problems here should be fixed. Next we can check which accounts are active:
If you see any services listed or simple names and the system is hooked up to the internet 24x7, you might want to look into it. If you use two-factor authentication or keys, then you are also likely in good shape.
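The two checks above, carried through as an added example that is not the author's own commands. It uses constructed `/etc/passwd` and `/etc/shadow` contents rather than a real host, and the function names are mine. Besides the shadowing check and the list of password-active accounts, it cross-references both files to surface the case the list warns about: an account that has a usable password and an interactive shell at the same time.

```shell
#!/bin/sh
# Constructed sample /etc/passwd and /etc/shadow contents (not from a real host).
# "legacy" keeps its hash in passwd (unshadowed), "guest" has an empty password,
# "postgres" is a service account with a usable password and a real shell.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacy:$1$abc$xyz:1001:1001::/home/legacy:/bin/sh
postgres:x:112:120:PostgreSQL:/var/lib/postgresql:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin'
SAMPLE_SHADOW='root:!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
postgres:$6$salt$hash:19000:0:99999:7:::
alice:$6$salt$hash:19000:0:99999:7:::
backup:*:19000:0:99999:7:::
guest::19000:0:99999:7:::'

# Check 1: every passwd entry should carry "x" in field 2, meaning the hash
# lives in /etc/shadow. Anything else is printed. Reads passwd on stdin.
unshadowed_accounts() {
    awk -F: '$2 != "x" { print $1 }'
}

# Check 2: shadow entries that still accept a password. A hash starting with
# "!" or "*" is locked; an empty field means no password at all and is flagged
# loudly. Reads shadow on stdin, so run it as root against the real file.
password_active_accounts() {
    awk -F: '$2 == "" { print $1 " (EMPTY PASSWORD)"; next }
             $2 !~ /^[!*]/ { print $1 }'
}

# Check 3: accounts whose shell permits an interactive session. Reads passwd on stdin.
interactive_shell_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# Check 4: the intersection that matters on an internet-facing box: a usable
# (or empty) password AND an interactive shell. $1 = passwd file, $2 = shadow file.
loginable_accounts() {
    awk -F: 'NR == FNR { if ($2 !~ /^[!*]/) usable[$1] = 1; next }
             ($1 in usable) && $7 !~ /(nologin|false)$/ { print $1 }' "$2" "$1"
}

# Demo on the constructed samples. Against a live host, as root:
#   unshadowed_accounts < /etc/passwd
#   password_active_accounts < /etc/shadow
#   loginable_accounts /etc/passwd /etc/shadow
tmp_passwd=$(mktemp); tmp_shadow=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$tmp_passwd"
printf '%s\n' "$SAMPLE_SHADOW" > "$tmp_shadow"
echo "unshadowed:";                   unshadowed_accounts < "$tmp_passwd"
echo "password-active:";              password_active_accounts < "$tmp_shadow"
echo "password + interactive shell:"; loginable_accounts "$tmp_passwd" "$tmp_shadow"
rm -f "$tmp_passwd" "$tmp_shadow"
```

On the sample, check 1 reports only `legacy`; check 2 reports `postgres`, `alice` and `guest (EMPTY PASSWORD)`; and the cross-reference narrows that to `postgres` and `alice`, which is exactly the short list worth reviewing against the top-50 table: a service name with a usable password and a shell is the combination the attackers above are counting on.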
The real point of this was to show you how to check what accounts are getting hammered the hardest by people trying to get in.