Monitoring /var/log/messages
date >> /user/security/ssh-intruders.log ; cat /var/log/messages* | grep -i "sshd.*authentication failure" | awk -F'rhost=' '{split($2, f, " "); print f[1]}' | grep '\..*\.' | grep -v "knownhost.com" | grep -v "knownhost2.com" | sort | uniq | while read i; do counter=`grep -i "sshd.*authentication failure" /var/log/messages* | grep -Fwc "rhost=$i"` ; echo "$counter attempts by $i"; done >> /user/security/ssh-intruders.log ; cat /user/security/ssh-intruders.log
This one-liner scans every /var/log/messages* file for sshd "authentication failure" records, pulls the remote host out of each line's rhost= field with awk, drops the hosts you trust (the two knownhost entries are placeholders; edit them to match your own machines), and prints the total number of failed attempts by each remaining host. Two caveats: the name after rhost= is whatever reverse DNS returned for the connecting address, so it is controlled by whoever owns that address's PTR record and should be treated as attacker-influenced data rather than an identity; and the count includes legitimate users mistyping their passwords as well as brute-force attempts.
The output below is a sample. Because the script appends each run to ssh-intruders.log and then prints the whole file, lines from earlier runs appear as well:
3 attempts by 163.27.207.193
2 attempts by 84.243.73.25
14 attempts by ali.2kads.cz
17 attempts by c66.110.175-222.clta.globetrotter.net
9 attempts by pro-177.im.cju.edu.tw
9 attempts by pro-177.im.cju.edu.tw
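The same detection logic as a function that reads log text on standard input, so it can be exercised against sample lines without touching a real /var/log/messages. This is an added example, not the post's one-liner; the function name count_ssh_failures, the host names, the IP addresses and the log lines are all constructed for it.

```shell
#!/bin/sh
# Added example, not the post's own one-liner: the same detection logic
# (sshd "authentication failure" lines -> rhost= -> per-host counts, minus
# an allowlist) as a function that reads log text on stdin, so it can be
# run against sample lines offline. The hostnames, IPs and log lines below
# are constructed for this example.

# count_ssh_failures "host1 host2 ..."  < logfile
# Prints "N attempts by HOST", most attempts first. The argument is a
# space-separated list of hosts to ignore, matched exactly (a grep -v on
# "knownhost.com" matches substrings, so it would also drop a host such
# as "knownhost.com.attacker.example").
count_ssh_failures() {
    awk -F'rhost=' -v skip="$1" '
        BEGIN {
            n = split(skip, s, " ")
            for (i = 1; i <= n; i++) ignore[s[i]] = 1
        }
        # Same filter as grep -i "sshd.*authentication failure".
        # NF > 1 means the line actually contains "rhost=".
        tolower($0) ~ /sshd.*authentication failure/ && NF > 1 {
            # -F sets the separator before the line is split; assigning FS
            # inside the action would only take effect on the next record.
            # The host is the token after rhost=, up to the next blank:
            # pam_unix writes "rhost=HOST  user=NAME" or just "rhost=HOST".
            split($2, f, " ")
            host = f[1]
            if (host == "" || host in ignore) next
            count[host]++
        }
        END { for (h in count) print count[h] " attempts by " h }
    ' | sort -rn
}

# Constructed sample input: two pam failures from one IP, one from a host
# with no user= field, one from an allowlisted host, plus lines that must
# not be counted (a "Failed password" line, a successful login, and a
# non-sshd authentication failure).
SAMPLE_LOG='Mar  3 10:01:02 gw sshd[1234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Mar  3 10:01:05 gw sshd[1234]: Failed password for root from 203.0.113.7 port 4411 ssh2
Mar  3 10:01:09 gw sshd[1240]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Mar  3 10:02:11 gw sshd[1251]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=scanner.example.net
Mar  3 10:02:40 gw sshd[1260]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=trusted.example.org  user=alice
Mar  3 10:03:00 gw sshd[1270]: Accepted publickey for alice from 198.51.100.9 port 5555 ssh2
Mar  3 10:03:30 gw cron[999]: pam_unix(cron:auth): authentication failure; rhost=mailhost.example.com'

# Stand-alone demo. On a real host the input would be
#   zcat -f /var/log/messages* | count_ssh_failures "knownhost.com knownhost2.com"
# (zcat -f passes plain files through and decompresses rotated .gz ones).
printf '%s\n' "$SAMPLE_LOG" | count_ssh_failures "trusted.example.org"
```

Counting inside awk avoids the one-liner's per-host re-scan of every messages file, and exact matching on the allowlist means a trusted name cannot be spoofed by an attacker-controlled reverse DNS entry that merely contains it.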
Programming "One Liner" lookup terms:
cat awk sed sort uniq wc date
If you would like more information on any of the commands, please feel free to contact me with your programming questions. You can also read other posts on programming code, lookup the programming terms displayed above or visit my network security blog. Other external programming blogs on Technorati and programming blogs on Google.
4 comments:
I am learning from you. Thank you!
This 1-line program is the good start for me ... :-)
Nice one :-)
//Jadu
http://unstableme.blogspot.com/
good post :)
Beautifully done! Thanks for sharing how you did it. So lovely I'm sure your guest will love it. My personal favorite is the addition of the ornaments. Thanks for posting.
Susan Graham