Posted By

scarfboy on 08/02/08


Tagged

Bash ssh


Versions (?)

Who likes this?

4 people have marked this snippet as a favorite

Roshambo
jamesming
esritter
Abiotic


bash lines for simple statistics on SSH break-in attempts


 / Published in: Bash
 

Assumes logs are in /var/log/sshd/* and makes a few text format assumptions that probably make this specific to OpenSSH.

Simple, but more than you can see from a quick less.

  1. # Amount per source IP:
  2. cat /var/log/sshd/* | grep 'Invalid'|rev|cut -d ' ' -f 1 | rev | sort | uniq -c | sort -n
  3.  
  4. # Amount per day:
  5. cat /var/log/sshd/* | grep 'Invalid' | tr -s ' ' | cut -d ' ' -f 1-2 | sort | uniq -c
  6.  
  7. # The usernames they try:
  8. cat /var/log/sshd/* | grep 'Invalid'|rev|cut -d ' ' -f 3| rev | sort | uniq -c | sort -r -n | less
  9.  
  10.  
  11. #The source IPs of accepted logins (to look for things not you)
  12. egrep 'Accepted (keyboard|publi)[^\ ]+ for' /var/log/sshd/* | \
  13. sed -r 's/(.*from[\ ])([0-9.]+)([\ ]port.*)/\2'/ | sort | uniq -c | sort -n
  14.  
  15. # Same IP list, but with hostnames instead of counts
  16. # (assuming 'host' is your reverse lookup utility)
  17. egrep 'Accepted (keyboard|publi)[^\ ]+ for' /var/log/sshd/* | \
  18. sed -r 's/(.*from[\ ])([0-9.]+)([\ ]port.*)/\2'/ | sort | uniq | xargs -n 1 host

Report this snippet  

You need to login to post a comment.