grep IP addresses from auth logs to see attempted ssh logins into your box w/ invalid creds {ubuntu}
#search for invalid logon attempts, pull out the IPs with a regex (field positions vary by message), sort, remove dupes...
$ grep -rhi 'invalid' /var/log/auth.log* | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u > ~/ips.txt
#look em up (reverse DNS; nslookup prints PTR answers as "... name = <host>")
$ for i in $(cat ~/ips.txt); do nslookup "$i" 2>/dev/null | grep 'name = ' | tail -n 1 | cut -d " " -f 3; done > ~/who.txt
# :-) #
# do moar things...

ppazos commented Oct 23, 2018

@gfoss this also includes

exceeded
[preauth]

on the ips.txt

is there a way to specify a regex to get just IPs?

another thing is the duplicates, not sure if in a sh duplicates can be checked though.

ppazos commented Oct 23, 2018

@gfoss the second command just creates an empty file, something might not be right.
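
Added example (not part of the gist or of the comments above): one way to extract only the source addresses and collapse duplicates into per-address counts, keyed on the `from <address>` token instead of a fixed field number. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the gist author's code. Function names are hypothetical.

# Constructed sample lines (RFC 5737 documentation addresses) covering the
# sshd message shapes that put "exceeded" or "[preauth]" into awk field 10.
sample_log() {
cat <<'EOF'
Oct 23 10:00:01 box sshd[1001]: Invalid user admin from 203.0.113.7
Oct 23 10:00:01 box sshd[1001]: input_userauth_request: invalid user admin [preauth]
Oct 23 10:00:03 box sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51514 ssh2
Oct 23 10:00:09 box sshd[1001]: error: maximum authentication attempts exceeded for invalid user admin from 203.0.113.7 port 51514 ssh2 [preauth]
Oct 23 10:02:40 box sshd[1002]: Invalid user test from 198.51.100.23
Oct 23 10:05:12 box sshd[1003]: Invalid user 10.9.8.7 from 192.0.2.55
Oct 23 10:06:00 box sshd[1004]: Accepted publickey for deploy from 192.0.2.10 port 40022 ssh2
EOF
}

# Print "<count> <ip>" for every IPv4 source of an sshd "invalid user" event,
# most active first. Reads the files given as arguments, or stdin if none.
count_invalid_ips() {
  awk '
    tolower($0) ~ /sshd\[[0-9]+\]:.*invalid user/ {
      ip = ""
      # The user name is client-supplied and may itself look like an address,
      # so keep only the address that follows the LAST "from" on the line.
      for (i = 1; i < NF; i++)
        if ($i == "from" && $(i + 1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
          ip = $(i + 1)
      if (ip != "") hits[ip]++
    }
    END { for (ip in hits) print hits[ip], ip }
  ' "$@" | sort -k1,1nr -k2,2
}

sample_log | count_invalid_ips
```

Against real logs this is called as `count_invalid_ips /var/log/auth.log`; rotated `.gz` files need decompressing first, for example with `zcat`.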
