I mentioned it earlier, so I thought I’d share. After the fold is my shell script, called failed, which I used to use to see the ssh brute force attempts on my server. Since I now do default deny on iptables, it doesn’t see much use.
Note this is for Debian based systems, where sshd logs to /var/log/auth.log. To make it work on Redhat based systems, change /var/log/auth.log to /var/log/secure, which is where those systems log authentication messages.
sample output:
Failed Invalid User Attempts
Jan 26 15:57:40 213.157.57.130 a
Jan 26 15:57:44 213.157.57.130 lele
Jan 26 15:57:46 213.157.57.130 mysqladmin
Jan 26 16:03:13 213.157.57.130 ucpss
Jan 26 17:18:23 95.132.46.20 admin
Jan 26 17:18:24 95.132.46.20 ubnt
Jan 26 17:18:25 95.132.46.20 support
Jan 26 17:18:26 95.132.46.20 user

Failed Valid User Attempts
Jan 26 08:51:52 103.246.246.65 root
Jan 26 08:51:54 103.246.246.65 root
Jan 26 08:51:56 103.246.246.65 root
Jan 26 08:51:58 103.246.246.65 root
Jan 26 08:52:00 103.246.246.65 root
Jan 26 08:52:03 103.246.246.65 root
Jan 26 08:52:05 103.246.246.65 root
Here is the script:
#! /bin/sh
# checks /var/log/auth.log for ssh login failures.
# version 0.2
# chrisj@rattis.net

# prints failed invalid users (accounts that do not exist on this box).
# On these lines the source address is field 13 and the user name field 11.
echo "Failed Invalid User Attempts"
grep "Failed" /var/log/auth.log | grep -i 'invalid' | grep -v 'USERNAME YOU WANT TO NOT SEE' | awk '{print $1,$2,$3,$13,$11}' | sort -u
echo ' '

# prints failed valid users (accounts that do exist), except for me.
# On these lines the source address is field 11 and the user name field 9.
echo "Failed Valid User Attempts"
grep "Failed" /var/log/auth.log | grep -vi 'invalid' | grep -v 'YOUR USERNAME, IF YOU DO NOT WANT TO SEE IT' | awk '{print $1,$2,$3,$11,$9}' | sort -u
echo ' '
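As an added example (this is not the original failed script, and the function names failed_attempts, count_kind and attempts_by_ip are my own), here is the same report done in a single awk pass over the log, plus a per-address tally. It only looks at sshd "Failed ... for" lines, so unrelated lines that happen to contain "Failed" are not counted; it filters your own user name by exact field match instead of grep -v, which would drop any line containing that string anywhere; and it copes with two cases the chained greps get wrong: an empty login name (sshd logs "invalid user  from ...", which shifts the address one field to the left) and a real account literally named "invalid". The log lines it reads are constructed for the demo, not taken from a server.

```sh
#!/bin/sh
# Added example, not the original "failed" script: a single awk pass that
# classifies each sshd "Failed <method> for ..." line as an invalid-user
# (no such account) or valid-user attempt, plus a tally per source address.
# The log lines below are constructed for this demo; they are not real data.

SAMPLE_LOG="${TMPDIR:-/tmp}/auth.log.sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jan 26 15:57:40 myhost sshd[1201]: Failed password for invalid user lele from 213.157.57.130 port 43210 ssh2
Jan 26 15:57:46 myhost sshd[1203]: Failed password for invalid user mysqladmin from 213.157.57.130 port 43218 ssh2
Jan 26 15:57:46 myhost sshd[1203]: Failed password for invalid user mysqladmin from 213.157.57.130 port 43218 ssh2
Jan 26 16:03:13 myhost sshd[1210]: Failed password for invalid user  from 213.157.57.130 port 43301 ssh2
Jan 26 17:18:23 myhost sshd[1311]: Failed keyboard-interactive/pam for invalid user admin from 95.132.46.20 port 5522 ssh2
Jan 26 08:51:52 myhost sshd[1100]: Failed password for root from 103.246.246.65 port 50001 ssh2
Jan 26 08:51:54 myhost sshd[1100]: Failed password for root from 103.246.246.65 port 50001 ssh2
Jan 26 09:00:01 myhost sshd[1150]: Failed password for invalid from 198.51.100.7 port 6000 ssh2
Jan 26 09:05:00 myhost sshd[1160]: Accepted publickey for chrisj from 192.0.2.10 port 52000 ssh2
Jan 26 09:06:00 myhost CRON[1170]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF

# awk program shared by the functions below. Only sshd "Failed <method> for"
# lines are considered. Output fields: KIND MON DAY TIME IP USER.
# "invalid user" marks an account that does not exist; anything else is an
# existing account, even one literally named "invalid". sshd writes an empty
# login name as "invalid user  from ...", which moves the address to field 12.
PARSE_FAILED='
    $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Failed" && $8 == "for" {
        if ($9 == "invalid" && $10 == "user") {
            kind = "invalid"
            if ($11 == "from") { user = "<empty>"; ip = $12 } else { user = $11; ip = $13 }
        } else {
            kind = "valid"; user = $9; ip = $11
        }
        if (skip != "" && user == skip) next
        print kind, $1, $2, $3, ip, user
    }'

# failed_attempts FILE [IGNORE_USER]: distinct failed attempts, one per line,
# skipping IGNORE_USER by exact name (unlike grep -v, which drops any line
# that merely contains the string).
failed_attempts() {
    awk -v skip="${2:-}" "$PARSE_FAILED" "$1" | sort -u
}

# count_kind FILE KIND [IGNORE_USER]: number of distinct attempts of KIND
# ("invalid" or "valid").
count_kind() {
    failed_attempts "$1" "${3:-}" | awk -v k="$2" '$1 == k' | wc -l | tr -d ' '
}

# attempts_by_ip FILE: raw (not de-duplicated) attempt count per source
# address, busiest first. Useful for deciding what to block.
attempts_by_ip() {
    awk "$PARSE_FAILED" "$1" | awk '{ n[$5]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

echo "Failed Invalid User Attempts"
failed_attempts "$SAMPLE_LOG" | awk '$1 == "invalid" { print $2, $3, $4, $5, $6 }'
echo
echo "Failed Valid User Attempts (ignoring chrisj)"
failed_attempts "$SAMPLE_LOG" chrisj | awk '$1 == "valid" { print $2, $3, $4, $5, $6 }'
echo
echo "Failed attempts per source address"
attempts_by_ip "$SAMPLE_LOG"
```

Point the functions at /var/log/auth.log (or /var/log/secure) instead of the sample file to run it for real. The raw count in attempts_by_ip deliberately does not de-duplicate, since two identical lines in the same second are two attempts; the report functions keep the original script's sort -u behaviour.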