
ssh-logs

Read SSH logs like a pro from the command line.

head -n -250 /var/log/auth.log 

Simple analysis of log

awk '/Failed password/ { print $1 }' /var/log/auth.log
grep "Failed password" /var/log/auth.log | wc -l
grep "password" /var/log/auth.log | grep -v Failed | grep -v Invalid

View all log files

ls -lht /var/log/auth.log*

Summarize information simply

grep "Failed password" /var/log/auth.log | head -1 | awk '{for(i=1;i<=NF;i++) print i, $i}'

In this plain form, column 11 is the source IP and column 9 is the user name the attacker tried. In the "invalid user" form shown next, the two extra words shift them to columns 13 and 11.

grep "Failed password" /var/log/auth.log | grep invalid | head -1 | awk '{for(i=1;i<=NF;i++) print i, $i}'

Gather the current and rotated log files in one directory and uncompress the rotated ones

mkdir authlog;cp /var/log/auth.log* authlog/;cd authlog;gunzip auth.log.*.gz

Count the distinct attacker IPs (run inside the authlog/ directory created above)

awk '{if($6=="Failed"&&$7=="password"){if($9=="invalid"){ips[$13]++;users[$11]++}else{users[$9]++;ips[$11]++}}}END{for(ip in ips){print ip, ips[ip]}}' auth.* | wc -l

Sort the IPs by number of attempts

awk '{if($6=="Failed"&&$7=="password"){if($9=="invalid"){ips[$13]++;users[$11]++}else{users[$9]++;ips[$11]++}}}END{for(ip in ips){print ip, ips[ip]}}' auth.* | sort -k2 -rn | head

Save to file

awk '{if($6=="Failed"&&$7=="password"){if($9=="invalid"){ips[$13]++;users[$11]++}else{users[$9]++;ips[$11]++}}}END{for(ip in ips){print ip, ips[ip]}}' auth.* | sort -k2 -rn > ip.log

Look up the top 10 entries of the ip.log just saved

head -10 ip.log | awk '{print $1" "; system("curl http://freeapi.ipip.net/"$1); print "\n"}'

### The user name the attacker attempted

Count the distinct user names tried

```sh
awk '{if($6=="Failed"&&$7=="password"){if($9=="invalid"){ips[$13]++;users[$11]++}else{users[$9]++;ips[$11]++}}}END{for(user in users){print user, users[user]}}' auth.* | sort -k2 -rn | wc -l
```

View the user names with the most attempts

```sh
awk '{if($6=="Failed"&&$7=="password"){if($9=="invalid"){ips[$13]++;users[$11]++}else{users[$9]++;ips[$11]++}}}END{for(user in users){print user, users[user]}}' auth.* | sort -k2 -rn | head
```
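A portable sh/awk version of the IP and user-name counters above, added here as an example and not part of the original page: it keys on the "for ... from <ip>" phrasing instead of fixed column numbers, so the plain and "invalid user" forms share one rule, and it ignores "Accepted password" lines. The `summarize_failed` function name and the sample log lines are constructed for this example.

```sh
#!/bin/sh
# summarize_failed ips|users: read auth.log-format lines on stdin and print
# "<key> <count>" for failed password attempts, sorted by count descending.
summarize_failed() {
  awk -v which="$1" '
    /sshd\[[0-9]+\]: Failed password for / {
      rest = $0
      # drop everything up to the user name; "invalid user " is optional
      sub(/.* Failed password for (invalid user )?/, "", rest)
      user = rest; sub(/ from .*/, "", user)
      ip = rest;   sub(/.* from /, "", ip); sub(/ port .*/, "", ip)
      ips[ip]++; users[user]++
    }
    END {
      if (which == "ips") { for (k in ips) print k, ips[k] }
      else                { for (k in users) print k, users[k] }
    }' | sort -k2,2nr -k1,1
}

# Constructed sample lines (not from a real system); note the Accepted line is skipped.
SAMPLE_LOG='Jun 18 10:00:01 host sshd[1001]: Failed password for root from 192.0.2.10 port 51234 ssh2
Jun 18 10:00:02 host sshd[1002]: Failed password for invalid user admin from 192.0.2.10 port 51235 ssh2
Jun 18 10:00:03 host sshd[1003]: Failed password for invalid user oracle from 198.51.100.7 port 40001 ssh2
Jun 18 10:00:04 host sshd[1004]: Accepted password for alice from 203.0.113.5 port 22000 ssh2
Jun 18 10:00:05 host sshd[1005]: Failed password for root from 192.0.2.10 port 51236 ssh2'

top_ips()   { printf '%s\n' "$SAMPLE_LOG" | summarize_failed ips; }
top_users() { printf '%s\n' "$SAMPLE_LOG" | summarize_failed users; }

top_ips
top_users
```

Replace the `printf` of the sample with `cat auth.*` in the authlog/ directory to run it against real files.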

Last update: June 26, 2022
Created: June 18, 2022