
sshd (logs)

Filtering SSHD Logs from commandline

I will never send my logs to some remote server and give other people access to them, as so many do today; the cloud has fucked up the cyberworld pretty badly. Why not read your logs like a pro instead?

On this page I will try to cover the commands I use most, which will give you a better overview of your website's traffic.

head -n -250 /var/log/auth.log 

Simple analysis of log

awk '/Failed password/ { print $1 }' /var/log/auth.log
grep "Failed password" /var/log/auth.log \
    |wc -l
grep "password" /var/log/auth.log \
    |grep -v Failed \
    |grep -v Invalid

View all log files

ls -lht /var/log/auth.log*

Summarize information simply

cat /var/log/auth.log \
    |grep "Failed password" \
    |head -1 \
    |awk '{for(i=1;i<=NF;i++){print i, $i}}'

In this form column 11 is the IP and column 9 is the user name the attacker attempted. When the user does not exist, the line reads "Failed password for invalid user NAME from IP", so the user name moves to column 11 and the IP to column 13:

cat /var/log/auth.log \
    |grep "Failed password" \
    |grep invalid \
    |head -1 \
    |awk '{for(i=1;i<=NF;i++){print i, $i}}'

Put the log files together and unzip them

mkdir authlog && cp /var/log/auth.log* authlog/ && cd authlog && gunzip auth.log.*.gz

Number of distinct attacker IPs

awk '{if($6=="Failed"&&$7=="password"){if($9=="invalid"){ips[$13]++;users[$11]++}else{users[$9]++;ips[$11]++}}}END{for(ip in ips){print ip, ips[ip]}}' /var/log/auth.* \
    |wc -l

Sort by number of attacks

awk '{if($6=="Failed"&&$7=="password"){if($9=="invalid"){ips[$13]++;users[$11]++}else{users[$9]++;ips[$11]++}}}END{for(ip in ips){print ip, ips[ip]}}' /var/log/auth.* \
    |sort -k2 -rn \
    |head

Save to file

awk '{if($6=="Failed"&&$7=="password"){if($9=="invalid"){ips[$13]++;users[$11]++}else{users[$9]++;ips[$11]++}}}END{for(ip in ips){print ip, ips[ip]}}' /var/log/auth.* \
    |sort -k2 -rn > ip.log

Look up the top 10 entries of the just-saved ip.log

head -10 ip.log \
    |awk '{print $1" ";system("curl -s http://freeapi.ipip.net/"$1);print("\n")}'

Number of distinct user names the attackers attempted

awk '{if($6=="Failed"&&$7=="password"){if($9=="invalid"){ips[$13]++;users[$11]++}else{users[$9]++;ips[$11]++}}}END{for(user in users){print user, users[user]}}' /var/log/auth.* \
    |sort -k2 -rn \
    |wc -l

The ten most attempted user names

awk '{if($6=="Failed"&&$7=="password"){if($9=="invalid"){ips[$13]++;users[$11]++}else{users[$9]++;ips[$11]++}}}END{for(user in users){print user, users[user]}}' /var/log/auth.* \
    |sort -k2 -rn \
    |head
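The IP and user-name tallies above, as an added example that is not part of the original page: one shell function that locates the "for" and "from" keywords instead of relying on fixed column numbers, so it handles both line forms and still works if the syslog timestamp format changes. The log lines are constructed samples, and the function name is my own.

```shell
#!/bin/sh
# Constructed sample of auth.log lines (not captured from a real server):
# both "Failed password" forms plus unrelated noise that must be ignored.
SAMPLE_LOG='Dec  4 20:01:02 box sshd[1101]: Failed password for root from 203.0.113.5 port 51922 ssh2
Dec  4 20:01:05 box sshd[1102]: Failed password for invalid user admin from 203.0.113.5 port 51930 ssh2
Dec  4 20:01:09 box sshd[1103]: Failed password for invalid user oracle from 198.51.100.7 port 40110 ssh2
Dec  4 20:02:11 box sshd[1104]: Accepted publickey for alice from 192.0.2.10 port 55012 ssh2
Dec  4 20:02:40 box sshd[1105]: Failed password for root from 203.0.113.5 port 51999 ssh2
Dec  4 20:03:00 box sshd[1106]: Invalid user admin from 198.51.100.7 port 40200'

# Read auth.log lines on stdin and count "Failed password" events by
# source IP ("ip") or by attempted user name ("user"), most frequent first.
# The user sits after "for" (or after "invalid user"), the IP after "from";
# searching for those words keeps this correct even when an RFC 3339
# timestamp occupies one column instead of three and shifts everything.
failed_by() {
    key=$1
    awk -v key="$key" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) {
                if ($i == "for") user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
                if ($i == "from") ip = $(i+1)
            }
            count[(key == "ip") ? ip : user]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k2,2nr -k1,1
}

# Number of distinct IPs or user names (what the page pipes into wc -l).
distinct_failed() {
    failed_by "$1" | wc -l | tr -d ' '
}

# Stand-alone demo on the constructed sample; replace with: failed_by ip < /var/log/auth.log
printf '%s\n' "$SAMPLE_LOG" | failed_by ip
```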


Last update: December 4, 2022 20:32:48