Parsing secure/auth logs for failed SSH attempts - ~$ sudo apt-get

Parsing secure/auth logs for failed SSH attempts

by sudo on Apr.01, 2009, under Linux

grep "Failed password for invalid user" /var/log/secure | awk '{ print $13 }' | sort | uniq -c | sort -rn

These will only parse for failed users other than root. Will display which IPs failed authentication and how many times in descending order.

The following will work for root.

grep "Failed password for root" /var/log/secure | awk '{ print $11 }' | sort | uniq -c | sort -rn

And for valid users.

grep "Failed password for " /var/log/secure | egrep -v "invalid|root" | awk '{ print $11 }' | sort | uniq -c | sort -rn

Leave a Reply

RSS feed for this post (comments) · TrackBack URI

Howdy. Welcome to ~$ sudo apt-get!
Thanks for dropping by! Feel free to join the discussion by leaving comments, and stay updated by subscribing to the RSS feed. See ya around!
Recent Posts
Browse by tags
lsof linux xen console

Categories
- Apache
- Linux
- Mail
- mySQL
- PHP
- Plesk
- Sendmail
- Server

Meta
- Log in
- Valid XHTML

Looking for something?

Use the form below to search the site:

Still not finding what you're looking for? Drop a comment on a post or contact us so we can take care of it!

Visit our friends!

A few highly recommended friends...

Archives

All entries, chronologically...