Test environment: Ubuntu server 12.04
View logon failures in system logs
grep "Failed password for root" /var/log/auth* | awk '{print $11}' | sort | uniq -c | sort -nr | more
Script explanation:
grep "Failed password for root" /var/log/auth* |
# Retrieve all records of root logon failures in files starting with auth
awk '{print $11}' |
# Retrieve the IP address (for example, 127.0.0.1)
sort |
# Sort so that identical addresses are adjacent
uniq -c |
# Count the number of occurrences of each record
sort -nr |
# Sort by number of occurrences, highest first
more
The preceding command returns a result similar to the following:
647 117.21.208.26
153 93.62.48.179
74 219.153.1.229
44 207.106.176.182
13 210.107.122.210
9 192.168.119.59
6 61.147.70.110
2 192.168.112.11
The first column is the number of failed attempts, followed by the source IP.
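The same count for every user name, as an added example (not part of the original page): the fixed field number $11 only fits the classic syslog timestamp and lines for an existing user, so this version takes the IP relative to the trailing "port" token. The function names, host name and sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: failed SSH password attempts per source IP, for every
# user name rather than only root.
# Field numbers shift with "invalid user" lines and with the timestamp
# layout, so the IP is read relative to the trailing "port" token, not $11.

count_failed_by_ip() {
    # Arguments: one or more auth log files, e.g. /var/log/auth.log
    grep -h "Failed password for" "$@" |
        awk 'NF >= 4 && $(NF-2) == "port" { print $(NF-3) }' |
        sort | uniq -c | sort -nr |
        awk '{ print $1, $2 }'   # normalise uniq padding to "count ip"
}

# Constructed sample lines (documentation address ranges, hypothetical host).
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 10 06:25:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan 10 06:25:03 host sshd[1002]: Failed password for root from 203.0.113.5 port 40002 ssh2
Jan 10 06:25:05 host sshd[1003]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Jan 10 06:25:09 host sshd[1005]: Accepted password for alice from 192.0.2.10 port 40005 ssh2
2024-01-10T06:25:11+00:00 host sshd[1006]: Failed password for root from 198.51.100.7 port 40006 ssh2
EOF
}

# Demo run on the constructed sample
sample=$(mktemp)
write_sample_log "$sample"
count_failed_by_ip "$sample"
rm -f "$sample"
```

On the sample, awk '{print $11}' would return "from" for the "invalid user" line and the port number for the line with the single-field timestamp.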
To view the details of the six records for 61.147.70.110, use:
grep "Failed password for root" /var/log/auth.log | grep 61.147
Flexible Use of grep