
Revision: 7633
at August 11, 2008 05:02 by scarfboy


Updated Code
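# Simple statistics on SSH break-in attempts from OpenSSH logs.
# Each line below is self-contained and meant to be pasted on its own.
#
# Assumptions (see the description): logs live under /var/log/sshd/ and use
# the traditional syslog layout, e.g.
#   "Mon DD HH:MM:SS host sshd[pid]: Invalid user NAME from A.B.C.D"
# Newer OpenSSH releases append " port NNNN" to such lines, so "take the last
# field" no longer yields the client address; the awk snippets below print the
# field that follows the last "from" instead, which works for both layouts and
# for IPv6 addresses (the earlier sed only matched dotted IPv4 and passed any
# other line through unchanged).
# grep -h drops the "file:" prefix grep adds when given several files, so the
# output matches the previous "cat * | grep" form.

# Amount per source IP (address following the last "from" on the line):
grep -h 'Invalid' /var/log/sshd/* \
  | awk '{ f = 0; for (i = 1; i <= NF; i++) if ($i == "from") f = i; if (f) print $(f + 1) }' \
  | sort | uniq -c | sort -n

# Amount per day (syslog month and day; awk's default field splitting absorbs
# the double space before single-digit days, so tr -s is not needed):
grep -h 'Invalid' /var/log/sshd/* | awk '{ print $1, $2 }' | sort | uniq -c

# The usernames they try (the word right after "Invalid user"):
grep -h 'Invalid' /var/log/sshd/* \
  | awk '{ for (i = 1; i < NF; i++) if ($i == "Invalid" && $(i + 1) == "user") { print $(i + 2); break } }' \
  | sort | uniq -c | sort -r -n | less

# The source IPs of accepted logins (to look for things not you).
# Only publickey and keyboard-interactive logins are matched, as before; add
# "password" to the alternation if you also want password logins.
# egrep is the deprecated spelling of grep -E, and "[^ ]" replaces "[^\ ]"
# (inside an ERE bracket the backslash was a literal character, not an escape).
grep -hE 'Accepted (keyboard|publi)[^ ]+ for' /var/log/sshd/* \
  | awk '{ f = 0; for (i = 1; i <= NF; i++) if ($i == "from") f = i; if (f) print $(f + 1) }' \
  | sort | uniq -c | sort -n

# Same IP list, but with hostnames instead of counts
# (assuming 'host' is your reverse lookup utility).
# xargs -r skips running host altogether when no address was found.
grep -hE 'Accepted (keyboard|publi)[^ ]+ for' /var/log/sshd/* \
  | awk '{ f = 0; for (i = 1; i <= NF; i++) if ($i == "from") f = i; if (f) print $(f + 1) }' \
  | sort | uniq | xargs -r -n 1 host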

Revision: 7632
at August 2, 2008 12:50 by scarfboy


Initial Code
# Earlier revision (7632) of these one-liners, kept as history; revision 7633
# above differs only in a comment. The field positions used below imply the
# OpenSSH/syslog layout
#   "Mon DD HH:MM:SS host sshd[pid]: Invalid user NAME from A.B.C.D"
# (log path and format are assumptions, see the description).

# Amount per source IP:
# rev | cut -f 1 | rev picks the LAST space-separated field, i.e. the address.
# NOTE(review): newer OpenSSH appends " port NNNN" to these lines, which would
# make the last field the port number instead — check your log layout first.
cat /var/log/sshd/* | grep 'Invalid'|rev|cut -d ' ' -f 1 | rev | sort | uniq -c | sort -n

# Amount per day:
# tr -s squeezes the double space before single-digit days so fields 1-2 are "Mon DD".
cat /var/log/sshd/* | grep 'Invalid' | tr -s ' ' | cut -d ' ' -f 1-2 | sort | uniq -c

# The usernames they try:
# Third field from the end ("... user NAME from ADDRESS"); output is paged with less.
cat /var/log/sshd/* | grep 'Invalid'|rev|cut -d ' ' -f 3| rev | sort | uniq -c | sort -r -n | less


#The source IPs of accepted logins (to look for things not you)
# Matches keyboard-interactive and publickey logins only (not "password").
# The closing quote sits before the final '/', so the shell joins the two
# parts into one s/// expression; \2 keeps just the dotted IPv4 address.
# Lines the regex does not match (e.g. IPv6) are passed through unchanged by sed.
egrep 'Accepted (keyboard|publi)[^\ ]+ for' /var/log/sshd/* | \
   sed -r 's/(.*from[\ ])([0-9.]+)([\ ]port.*)/\2'/ | sort | uniq -c | sort -n

# Same IP list, but with hostnames instead of counts
# (one 'host' reverse lookup per unique address)
egrep 'Accepted (keyboard|publi)[^\ ]+ for' /var/log/sshd/* | \
   sed -r 's/(.*from[\ ])([0-9.]+)([\ ]port.*)/\2'/ | sort | uniq | xargs -n 1 host

Initial URL


Initial Description
Assumes logs are in /var/log/sshd/* and makes a few text format assumptions that probably make this specific to OpenSSH.

Simple, but it shows more than a quick look with less would.

Initial Title
bash lines for simple statistics on SSH break-in attempts

Initial Tags
Bash, ssh

Initial Language
Bash