Topic: Linux Logs + grep

excal

Linux Logs + grep
« on: April 20, 2008, 04:04:19 am »
Ironic I should be asking for help, eh?

Anyway, a call out to all the Linux nuts on this forum - my webserver (http://mudki.ps / http://symposia.voodooed.net) has been hit quite a lot in terms of SSH dictionary attacks as of late. They all seem to be coming from similar IP blocks, so I had a quick look...fucking SOUTH KOREANS. /rant

I've pulled this stuff out of the auth.log, piping it through grep: 'sshd' and 'Failed' just to get rid of all the su/crontab crap. I'm just wondering if there's any way to grab IPs + a count of them.

Code:
Apr 19 09:43:02 clarent sshd[18446]: Failed password for root from 218.232.104.223 port 34932 ssh2
Apr 19 09:43:06 clarent sshd[18448]: Failed password for root from 218.232.104.223 port 35330 ssh2
Apr 19 09:43:09 clarent sshd[18450]: Failed password for root from 218.232.104.223 port 35840 ssh2
Apr 19 09:43:13 clarent sshd[18452]: Failed password for root from 218.232.104.223 port 36241 ssh2
Apr 19 09:43:17 clarent sshd[18454]: Failed password for root from 218.232.104.223 port 36636 ssh2
Apr 19 09:43:20 clarent sshd[18456]: Failed password for root from 218.232.104.223 port 36963 ssh2
Apr 19 09:43:24 clarent sshd[18458]: Failed password for root from 218.232.104.223 port 37282 ssh2
Apr 19 09:43:27 clarent sshd[18460]: Failed password for root from 218.232.104.223 port 37614 ssh2
Apr 19 09:43:31 clarent sshd[18462]: Failed password for root from 218.232.104.223 port 37902 ssh2
Apr 19 09:43:35 clarent sshd[18464]: Failed password for root from 218.232.104.223 port 38332 ssh2
Apr 19 09:43:38 clarent sshd[18466]: Failed password for root from 218.232.104.223 port 38664 ssh2
Apr 19 12:21:58 clarent sshd[21482]: Failed password for invalid user admin from 213.195.94.213 port 58746 ssh2
Apr 19 12:22:03 clarent sshd[21484]: Failed password for invalid user t1na from 213.195.94.213 port 59290 ssh2
Apr 19 12:22:08 clarent sshd[21486]: Failed password for invalid user t1na from 213.195.94.213 port 59730 ssh2
Apr 19 12:22:13 clarent sshd[21488]: Failed password for invalid user logic from 213.195.94.213 port 60247 ssh2
Apr 19 12:22:18 clarent sshd[21490]: Failed password for invalid user diablo from 213.195.94.213 port 60721 ssh2
Apr 19 12:22:23 clarent sshd[21492]: Failed password for invalid user b1ablo from 213.195.94.213 port 32982 ssh2
Apr 19 12:22:28 clarent sshd[21494]: Failed password for invalid user paradise from 213.195.94.213 port 33458 ssh2
Apr 19 12:22:33 clarent sshd[21496]: Failed password for invalid user paradisse from 213.195.94.213 port 33904 ssh2
Apr 19 12:22:38 clarent sshd[21498]: Failed password for invalid user baggio from 213.195.94.213 port 34351 ssh2
Apr 19 12:22:43 clarent sshd[21500]: Failed password for invalid user roberto from 213.195.94.213 port 34896 ssh2
Apr 19 12:22:48 clarent sshd[21502]: Failed password for invalid user kim from 213.195.94.213 port 35391 ssh2
Apr 19 12:22:53 clarent sshd[21504]: Failed password for invalid user space from 213.195.94.213 port 35835 ssh2
Apr 19 12:22:58 clarent sshd[21506]: Failed password for invalid user globe from 213.195.94.213 port 36371 ssh2
Apr 19 12:23:03 clarent sshd[21508]: Failed password for invalid user oscar from 213.195.94.213 port 36842 ssh2
Apr 19 12:23:08 clarent sshd[21510]: Failed password for invalid user simbol from 213.195.94.213 port 37322 ssh2
Apr 19 12:23:14 clarent sshd[21512]: Failed password for invalid user addicted from 213.195.94.213 port 37835 ssh2
Apr 19 12:23:19 clarent sshd[21514]: Failed password for invalid user red from 213.195.94.213 port 38371 ssh2
Apr 19 12:23:25 clarent sshd[21516]: Failed password for invalid user pink from 213.195.94.213 port 38856 ssh2
Apr 19 12:23:30 clarent sshd[21518]: Failed password for invalid user blue from 213.195.94.213 port 39404 ssh2
Apr 19 12:23:35 clarent sshd[21520]: Failed password for root from 213.195.94.213 port 39874 ssh2
Apr 19 12:23:40 clarent sshd[21522]: Failed password for postgres from 213.195.94.213 port 40341 ssh2
Apr 19 12:23:45 clarent sshd[21524]: Failed password for invalid user accept from 213.195.94.213 port 40852 ssh2
Apr 19 12:23:50 clarent sshd[21526]: Failed password for invalid user leo from 213.195.94.213 port 41348 ssh2
Apr 19 12:23:55 clarent sshd[21528]: Failed password for invalid user zeppelin from 213.195.94.213 port 41821 ssh2
Apr 19 12:24:00 clarent sshd[21530]: Failed password for invalid user hacker from 213.195.94.213 port 42329 ssh2
excal (VCE 05/06) BBIS(IBL) GradCertSc(Statistics) MBBS(Hons) GCertClinUS -- current Master of Medicine candidate
Former Global Moderator
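
One way to get the per-IP count asked for above, as an added example that is not part of the original post. The function names and the sample log lines (documentation-range addresses, host `host`) are constructed for illustration; the parser reads the address from the end of each record because the username in a failed-login line is supplied by the client.

```shell
#!/bin/sh
# Added example: count failed SSH password attempts per source IP.
# Reads auth.log-style lines on stdin and prints "count ip",
# highest count first.
count_failed_ips() {
    awk '
        # Keep only sshd failed-password records (drops su/cron noise).
        / sshd\[[0-9]+\]: Failed password for / {
            # A record ends "... from <ip> port <n> ssh2". Read the IP by
            # position from the END of the line: the username is chosen
            # by the client and may contain spaces or even " from x.x.x.x",
            # so counting fields from the left can be misled.
            if (NF >= 5 && $(NF-4) == "from" && $(NF-2) == "port")
                hits[$(NF-3)]++
        }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample input (not taken from a real log).
sample_log() {
    cat <<'EOF'
Apr 19 09:43:02 host sshd[100]: Failed password for root from 192.0.2.10 port 34932 ssh2
Apr 19 09:43:06 host sshd[101]: Failed password for root from 192.0.2.10 port 35330 ssh2
Apr 19 09:43:09 host sshd[102]: Failed password for postgres from 192.0.2.10 port 35840 ssh2
Apr 19 09:45:01 host CRON[200]: pam_unix(cron:session): session opened for user root by (uid=0)
Apr 19 12:21:58 host sshd[103]: Failed password for invalid user admin from 198.51.100.7 port 58746 ssh2
Apr 19 12:22:03 host sshd[104]: Failed password for invalid user root from 192.0.2.10 from 198.51.100.7 port 59290 ssh2
Apr 19 12:30:00 host sshd[105]: Accepted password for excal from 203.0.113.5 port 50000 ssh2
EOF
}

# Real use: count_failed_ips < /var/log/auth.log
sample_log | count_failed_ips
```

The sixth sample line carries a username containing ` from 192.0.2.10`; it is counted against 198.51.100.7, the address sshd actually logged as the peer.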

mark_alec

Re: Linux Logs + grep
« Reply #1 on: April 20, 2008, 11:42:50 am »