Advanced Search

bash lines for simple statistics on SSH break-in attempts

/ Published in: Bash
Save to your folder(s)
Assumes logs are in /var/log/sshd/* and makes a few text format assumptions that probably make this specific to OpenSSH.

Simple, but more than you can see from a quick less.

Expand | Embed | Plain Text

Copy this code and paste it in your HTML 
  1. # Amount per source IP:
  2. cat /var/log/sshd/* | grep 'Invalid'|rev|cut -d ' ' -f 1 | rev | sort | uniq -c | sort -n
  3.  
  4. # Amount per day:
  5. cat /var/log/sshd/* | grep 'Invalid' | tr -s ' ' | cut -d ' ' -f 1-2 | sort | uniq -c
  6.  
  7. # The usernames they try:
  8. cat /var/log/sshd/* | grep 'Invalid'|rev|cut -d ' ' -f 3| rev | sort | uniq -c | sort -r -n | less
  9.  
  10.  
  11. #The source IPs of accepted logins (to look for things not you)
  12. egrep 'Accepted (keyboard|publi)[^\ ]+ for' /var/log/sshd/* | \
  13.    sed -r 's/(.*from[\ ])([0-9.]+)([\ ]port.*)/\2'/ | sort | uniq -c | sort -n
  14.  
  15. # Same IP list, but with hostnames instead of counts 
  16. # (assuming 'host' is your reverse lookup utility)
  17. egrep 'Accepted (keyboard|publi)[^\ ]+ for' /var/log/sshd/* | \
  18.    sed -r 's/(.*from[\ ])([0-9.]+)([\ ]port.*)/\2'/ | sort | uniq | xargs -n 1 host

Report this snippet


Comments

RSS Icon Subscribe to comments

You need to login to post a comment.