/ Published in: Bash
Assumes logs are in /var/log/sshd/* and makes a few text format assumptions that probably make this specific to OpenSSH.
Simple, but more than you can see from a quick less.
# Amount per source IP (assumes each "Invalid user NAME from IP" line ends with the IP):
cat /var/log/sshd/* | grep 'Invalid' | rev | cut -d ' ' -f 1 | rev | sort | uniq -c | sort -n

# Amount per day (syslog "Mon DD" prefix; tr -s collapses the double space before single-digit days):
cat /var/log/sshd/* | grep 'Invalid' | tr -s ' ' | cut -d ' ' -f 1-2 | sort | uniq -c

# The usernames they try (third field from the end of the line):
cat /var/log/sshd/* | grep 'Invalid' | rev | cut -d ' ' -f 3 | rev | sort | uniq -c | sort -r -n | less

# The source IPs of accepted logins (to look for things not you)
egrep 'Accepted (keyboard|publi)[^\ ]+ for' /var/log/sshd/* | \
  sed -r 's/(.*from[\ ])([0-9.]+)([\ ]port.*)/\2/' | sort | uniq -c | sort -n

# Same IP list, but with hostnames instead of counts
# (assuming 'host' is your reverse lookup utility)
egrep 'Accepted (keyboard|publi)[^\ ]+ for' /var/log/sshd/* | \
  sed -r 's/(.*from[\ ])([0-9.]+)([\ ]port.*)/\2/' | sort | uniq | xargs -n 1 host
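The same counting, as an added example that is not part of the original paste: it wraps the pipelines in functions that read from stdin and pulls the address after "from" instead of taking the last field, so it also copes with newer OpenSSH lines that append "port N". The log lines embedded in SAMPLE_LOG are constructed for the demo.

```shell
#!/bin/sh
# Constructed sample sshd log lines (auth.log style). The last two use the
# newer OpenSSH format with a trailing "port N", which breaks the
# "last field is the IP" assumption of the one-liners above.
SAMPLE_LOG='Mar  3 10:01:12 host sshd[1001]: Invalid user admin from 203.0.113.5
Mar  3 10:01:15 host sshd[1002]: Invalid user oracle from 203.0.113.5
Mar  3 10:02:40 host sshd[1003]: Invalid user test from 198.51.100.7
Mar  3 10:03:01 host sshd[1004]: Accepted publickey for alice from 192.0.2.10 port 51514 ssh2
Mar  3 10:05:22 host sshd[1005]: Invalid user admin from 203.0.113.5 port 44122
Mar  4 02:11:09 host sshd[1006]: Invalid user pi from 198.51.100.7 port 50001'

# invalid_per_ip: count "Invalid user" lines per source IP. The address is
# taken from the token after "from", with or without a trailing "port N".
# Output lines are "<count> <ip>", least frequent first.
invalid_per_ip() {
    grep 'Invalid user' \
        | sed -n -E 's/.* from ([0-9.]+)( port [0-9]+)?.*/\1/p' \
        | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# noisy_sources: IPs with at least $1 invalid attempts (default 3),
# a cheap threshold for spotting password-guessing sources worth blocking.
noisy_sources() {
    threshold=${1:-3}
    invalid_per_ip | awk -v t="$threshold" '$1 >= t {print $2}'
}

# accepted_sources: distinct source IPs of successful logins, any auth
# method (the original egrep only matched keyboard-interactive and publickey).
accepted_sources() {
    grep -E 'Accepted [^ ]+ for' \
        | sed -n -E 's/.* from ([0-9.]+) port .*/\1/p' | sort -u
}

# Demo on the constructed sample; for real logs: cat /var/log/sshd/* | invalid_per_ip
printf '%s\n' "$SAMPLE_LOG" | invalid_per_ip
```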