Get failed sshd logons from Windows Eventlog Part 2

In answer to my question about a more efficient means of filtering by timestamp with FilterXPath, I’ve worked out how to do it “properly”; it’s not as fast as I was hoping, but it’s still taken the execution time down from 20 to 2 minutes so I can’t complain too much. I’ve also modded the script to deal with cases where Password Authentication is disabled and so you don’t get “Failed Password” events logged, just “Invalid User” or “No supported authentication methods available” instead.

The time value for comparison is in milliseconds, so 604800000 for 7 days, 86400000 for 24 hours, etc.

#sshd failed logon attempt finder
#Adam Beardwood 12/02/2010
#v1.0 - Initial Release
#v1.1 - Dramatically improved event gathering speed and added handling for non-password authentication failures
 
#Get all SSH events from the last 7 days from the Application eventlog (this may take some time)
$events = Get-WinEvent -LogName Application -FilterXPath "*[System[Provider[@Name='sshd'] and TimeCreated[timediff(@SystemTime) <= 604800000]]]"
 
#Create array to store IPs
$ips = @()
 
foreach($event in $events){
	#Convert the event data to XML so we can access the EventData (Otherwise there's no way to access the event message contents with "unregistered" eventids)
	$event = [xml]$event.ToXml()
	#Thin the herd a little and only process useful messages
	if($event.Event.EventData.Data.Contains("Invalid user") -or $event.Event.EventData.Data.Contains("Failed Password") -or $event.Event.EventData.Data.Contains("No supported authentication methods available")){
 
	#Do regex search of the message data for IP addresses and if found, add them to the $ips array
	$ip = $event.Event.EventData.Data
	$regex = [regex]"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
	$ip = $($($regex.matches($ip)).Captures).Value
	$ips = $ips + $ip
	}
}
 
$date = get-date -Format yyyy-MM-dd
$file = new-item -type file "SSHLog-$date.txt" -force
 
add-content $file $($ips | select -uniq)

Get with the program, Adobe

Almost 2 months after Adobe released a patch for Acrobat Reader 9.3.0 to resolve the highly critical remote execution vulnerability, they’re still offering 9.3.0 as the only option for download:


So unless you run the Adobe Updater immediately after install (Which seems to have issues with UAC on my Windows 7 machine unless you explicitly launch Reader as an Administrator), or make the effort to find the patch to 9.3.1, your machine is going to be at risk every time you open a PDF.

It’s not the first time they’ve done it, either.