[H-GEN] Re: Blocking SSH exploits

Greg Black gjb at gbch.net
Wed Aug 25 08:54:21 EDT 2004


On 2004-08-25, Jay wrote:
> On Wed, 25 Aug 2004 15:50, Troy Piggins wrote:
> > > From: Jay <johannes at paradise.net.nz>
> > >
> > > Same here since July 26 using names (root, user, test, admin, guest) and
> > > originating from:
> > >
> > > 61.109.156.5
> > > 61.151.243.61
> > > 61.166.6.60
> > > [...]
> > >
> > How do you get this in this format?  Do you have scripts that filter
> > out the IPs, or did you just edit manually for this email?
> 
> cd /var/log, or wherever your log files live and run the short bash script
> 
> # <-- cut below -->
> #!/bin/sh
> 
> grep -w Failed secure|sort -r > failed
> zcat secure.01.gz|grep -w Failed|sort -r >> failed
> zcat secure.02.gz|grep -w Failed|sort -r >> failed
> zcat secure.03.gz|grep -w Failed|sort -r >> failed
> zcat secure.04.gz|grep -w Failed|sort -r >> failed
> 
> awk '
> BEGIN {
>         s0="";
> }
> {
>         p1 = match($0,"from")+5;
>         split(substr($0, p1), addr, " ");
>         if (s0 != addr[1])
>                 print(addr[1]);
>         s0 = addr[1];
> }
> ' failed|sort -n
> rm failed
> # <-- cut above -->
> 
> The above procedure is pretty basic, but I am sure there are more
> elegant/efficient ways to do this job.
> 
> I am sure Greg would come up with a sophisticated one liner.

I don't think it's sophisticated, but it's much simpler.  You'd
have to adjust for file names and log file formats, of course.
You only need to know that the IP address is always in field 12
in my logs, YMMV.  And note that I use white space to make it
easier to read.

( cat auth ; zcat auth.*.gz ) | grep 'Failed pass' | awk '{print $12}' | sort -nu

Note that using cat (and zcat) like this is what they are
intended for -- you can pipe all the files into your selection
tool, which is only run once, and avoid the temporary file.

There's a simpler but slower version, although I wouldn't use it
because grep does the matching much faster than awk:

( cat auth ; zcat auth.*.gz ) | awk '/Failed pass/ {print $12}' | sort -nu

Although you'd expect that cutting out a process might speed
things up, on my box it more than doubles the run time when you
use the second version.

Cheers, Greg
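Both Jay's script and Greg's one-liner pull the source address out of "Failed password" lines and deduplicate it. The added example below (not code from the thread) does the same job over constructed sample log lines, but finds the address by the `from` keyword instead of a fixed field number, counts attempts per address, and sorts by octet, since `sort -nu` (GNU sort) compares only the leading `61.109` of an address and would drop distinct addresses that share that prefix.

```shell
#!/bin/sh
# Constructed sample auth log lines (not taken from the thread), in the usual
# sshd syslog layout: "... sshd[pid]: Failed password for <user> from <ip> port <n> ssh2".
SAMPLE_AUTH_LOG='Aug 25 03:12:01 host sshd[2231]: Failed password for illegal user admin from 61.109.156.5 port 4022 ssh2
Aug 25 03:12:04 host sshd[2233]: Failed password for root from 61.109.156.5 port 4031 ssh2
Aug 25 03:15:10 host sshd[2240]: Failed password for test from 61.109.200.1 port 1502 ssh2
Aug 25 03:18:55 host sshd[2251]: Accepted password for gjb from 10.0.0.7 port 51022 ssh2
Aug 25 03:20:00 host sshd[2260]: Failed password for guest from 61.151.243.61 port 3333 ssh2
Aug 25 03:20:02 host sshd[2262]: Failed password for illegal user user from 61.166.6.60 port 3350 ssh2'

# Read log text on stdin; print "<attempts> <ip>" per distinct source, sorted by IP.
# The address is the token after "from", so the line works whether or not the
# entry carries "illegal user" (which shifts the field number by two).
# sort -t . -k1,1n ... orders by each octet; "sort -nu" would parse
# 61.109.156.5 and 61.109.200.1 both as 61.109 and keep only one of them.
failed_ssh_sources() {
    grep -w 'Failed password' |
    awk '{ for (i = 1; i < NF; i++) if ($i == "from") { print $(i + 1); break } }' |
    sort -t . -k1,1n -k2,2n -k3,3n -k4,4n |
    uniq -c |
    awk '{ print $1, $2 }'
}

# Usage: pipe the live file and the rotated ones through it, as in Greg's one-liner:
#   ( cat auth ; zcat auth.*.gz ) | failed_ssh_sources
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_ssh_sources
```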
