Forked from mshafiee/Examining ssh login requests on Ubuntu
Created October 12, 2018 03:36
Failed attempts by username (awk splits on runs of spaces, so padded dates such as "Oct  5" do not shift the field numbers):
grep "Invalid user " /var/log/auth.log | awk '{a[$8]++} END {for (i in a) print i, a[i]}' | sort -k 2 -n -r | head -n 100
IP address of each attempt:
grep "Invalid user " /var/log/auth.log | awk '{a[$10]++} END {for (i in a) print i, a[i]}' | sort -k 2 -n -r | head -n 100
Filter for brute-force interactive SSH logins:
grep "sshd.*Failed" /var/log/auth.log | less
Look for failed connections (i.e. no login attempted, could be a port scanner, etc.):
grep "sshd.*Did" /var/log/auth.log | less
Filter the authentication log file for failed authentications and count the attempts (lines in the log file):
grep -i fail /var/log/auth.log | wc -l
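The filters above, combined into one per-source summary. This is an added example, not part of the original gist: the function names and the sample log lines are constructed for illustration, and it assumes the usual Ubuntu auth.log layout. It locates the address by the word "from" rather than by column number, because the column differs between "Invalid user", "Failed password" and "Did not receive identification" lines.

```bash
#!/usr/bin/env bash
# Added example (not from the original gist): per-source summary of sshd failures.

# Constructed sample lines in Ubuntu auth.log layout, using documentation IP ranges.
sample_log() {
cat <<'EOF'
Oct  5 03:36:01 web1 sshd[1201]: Invalid user admin from 203.0.113.7 port 51122
Oct  5 03:36:03 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Oct 12 03:36:09 web1 sshd[1207]: Failed password for root from 203.0.113.7 port 51130 ssh2
Oct 12 03:37:40 web1 sshd[1215]: Did not receive identification string from 198.51.100.23 port 40022
Oct 12 03:38:02 web1 sshd[1219]: Invalid user oracle from 198.51.100.23 port 40100
Oct 12 03:39:15 web1 sshd[1230]: Accepted publickey for deploy from 192.0.2.10 port 50222 ssh2
EOF
}

# Reads auth.log lines on stdin and prints one line per source address:
#   ip total invalid_user failed_password no_identification
# sorted with the busiest source first.
ssh_fail_summary() {
  awk '
    $5 !~ /^sshd\[/ { next }                 # only sshd entries
    {
      kind = ""
      if ($0 ~ /: Invalid user /) kind = "inv"
      else if ($0 ~ /: Failed password for /) kind = "pw"
      else if ($0 ~ /: Did not receive identification string /) kind = "noid"
      if (kind == "") next
      # Search from the right: the username is chosen by the remote side and
      # may itself be "from", so only the last "from" marks the address.
      ip = ""
      for (i = NF - 1; i >= 6; i--) if ($i == "from") { ip = $(i + 1); break }
      if (ip == "") next
      total[ip]++; n[ip, kind]++
    }
    END {
      for (ip in total)
        print ip, total[ip], n[ip, "inv"] + 0, n[ip, "pw"] + 0, n[ip, "noid"] + 0
    }' | sort -k2,2nr -k1,1
}

# Stand-alone run on the sample; on a real host: ssh_fail_summary < /var/log/auth.log
sample_log | ssh_fail_summary
```
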