Sunday, October 30, 2005

Watch /var/log/messages for SSH intruders - Programming One Liner 17

Monitoring /var/log/messages


date >> /user/security/ssh-intruders.log ; grep -ih "sshd.*authentication failure" /var/log/messages* | awk -F'rhost=' 'NF > 1 {split($2, h, " "); print h[1]}' | grep '\..*\.' | grep -v "knownhost.com" | grep -v "knownhost2.com" | sort | uniq -c | awk '{print $1 " attempts by " $2}' >> /user/security/ssh-intruders.log ; cat /user/security/ssh-intruders.log


This programming one-liner queries every /var/log/messages file (rotated copies included) for sshd authentication failures, pulls the remote host out of the rhost= field that pam_unix writes, drops the hosts you trust, appends a timestamped report of the total number of failed attempts by each remaining host to /user/security/ssh-intruders.log, and then prints the whole report file.

Two details matter. The host is extracted with a single awk that splits on rhost= and then takes the first whitespace-delimited word, so it also copes with lines that end in rhost=host with no user= field (pam_unix omits user= for accounts that do not exist); setting FS inside the awk action instead would leave the first record split on whitespace. And counting with sort | uniq -c counts only failure lines: grepping the logs again for each bare host would treat the dots in an address as wildcards, match longer addresses that contain it (1.2.3.4 also matches 11.2.3.45), and include successful logins and every other line that mentions the host. The grep '\..*\.' keeps only values with at least two dots, so a bare single-label or one-dot hostname is silently dropped.


The following sample output is produced


3 attempts by 163.27.207.193
2 attempts by 84.243.73.25
14 attempts by ali.2kads.cz
17 attempts by c66.110.175-222.clta.globetrotter.net
9 attempts by pro-177.im.cju.edu.tw
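As an added example (not part of the original post), here is the same detection logic written as a shell function and run over a small constructed sample of pam_unix log lines; every address, hostname and whitelist entry in it is made up. It goes a little beyond the one-liner to show the two cases a bare grep for the host gets wrong: a longer address that contains the one being counted, and a failure line with no user= field.

```shell
#!/bin/sh
# Added example, not the original post's one-liner. Counts sshd/pam_unix
# authentication failures per remote host, counting only failure lines and
# treating host names literally rather than as grep patterns.

# Constructed sample log (not real data; addresses and names are made up).
# It deliberately contains a successful login from 1.22.33.4, a failure from
# 11.22.33.45 (which a bare "grep 1.22.33.4" would also match), a failure
# line with no trailing "user=" field, and a failure from a whitelisted host.
SAMPLE_LOG="${TMPDIR:-/tmp}/ssh-intruders-example.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Oct 30 01:02:03 host sshd[1000]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.22.33.4 user=root
Oct 30 01:02:05 host sshd[1000]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.22.33.4 user=root
Oct 30 01:02:09 host sshd[1001]: Accepted password for alice from 1.22.33.4 port 51234 ssh2
Oct 30 01:03:00 host sshd[1002]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=11.22.33.45 user=admin
Oct 30 01:04:00 host sshd[1003]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ali.example.cz user=test
Oct 30 01:04:02 host sshd[1003]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ali.example.cz
Oct 30 01:05:00 host sshd[1004]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=knownhost.com user=bob
EOF

# Hosts that must never be reported (assumed names, as in the post).
WHITELIST="knownhost.com knownhost2.com"

# ssh_failures LOGFILE...
# Prints "<count> attempts by <host>" for each rhost seen in an sshd
# authentication-failure line, busiest host first. Whitelisted hosts are
# compared exactly, not as substrings.
ssh_failures() {
    grep -ih "sshd.*authentication failure" "$@" |
    awk -F'rhost=' 'NF > 1 { split($2, h, " "); print h[1] }' |
    sort | uniq -c |
    awk -v skip="$WHITELIST" '
        BEGIN { n = split(skip, w, " "); for (i = 1; i <= n; i++) ok[w[i]] = 1 }
        !($2 in ok) { print $1 " attempts by " $2 }' |
    sort -rn
}

# attempts_by LOGFILE HOST
# Prints the failure count for exactly one host (0 if it never failed).
attempts_by() {
    ssh_failures "$1" | awk -v h="$2" '$4 == h { print $1; found = 1 }
                                        END { if (!found) print 0 }'
}

ssh_failures "$SAMPLE_LOG"
```

Run against the real logs with ssh_failures /var/log/messages*; the successful login and the 11.22.33.45 failure leave 1.22.33.4's count at 2, and the line without user= still credits ali.example.cz.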


Programming "One Liner" lookup terms:
cat awk sed sort uniq wc date

USE THIS PROGRAMMING ONE LINER AT OWN RISK AS AUTHOR CLAIMS NO RESPONSIBILITY.
If you would like more information on any of the commands, please feel free to contact me. You can also read other posts on programming code, look up the programming terms displayed above, or visit my network security blog. Other programming blogs can be found on Technorati and Google.

4 comments:

Anonymous said...

I am learning from you. Thank you!
This 1-line program is a good start for me ... :-)

Unknown said...

Nice one :-)

//Jadu
http://unstableme.blogspot.com/

Gold Guide for World of Warcraft said...

good post :)

rustic living room furniture said...

Beautifully done! Thanks for sharing how you did it. So lovely I'm sure your guest will love it. My personal favorite is the addition of the ornaments. Thanks for posting.

Susan Graham