Linux Terminal Magic!

I noticed my server was having some sporadic issues. The hard drive was seemingly being set to read-only at random. On top of that, performance was significantly reduced. I had to do something to sort out what was going on and who was messing with the system.
I knew I could block any bad IPs I needed to using either iptables or the hosts.deny file, but I didn't know what the IPs were. After some digging on Google I found that the authentication log file, /var/log/auth.log, held this information (along with successful logins and other events).
To look at this in a semi-meaningful way I used grep to filter out only the invalid login attempts:

sudo grep 'sshd.*Invalid' /var/log/auth.log

This still returned the whole line, something along the lines of:

Oct 25 06:24:44 server sshd[22889]: Invalid user {%username%} from {%IP%}

However, passing the invalid login lines through sed lets you keep only the part of each line you care about. In this case I knew I wanted only the IP, which is everything after 'from ' on each line. Piping the previous command through sed gave me the following:

sudo grep 'sshd.*Invalid' /var/log/auth.log | sed -n -e 's/^.*from //p'

This is a list of IPs that have had an authentication failure recorded in /var/log/auth.log. Adding these to your hosts.deny file is trivial from this point. Two caveats: the list contains one entry per failed attempt, so pipe it through sort -u before using it, and newer OpenSSH releases append ' port NNNN' after the address, in which case the substitution above must also drop everything after the first space following 'from '. Also note that sshd only honours hosts.deny when it is built with TCP Wrappers (libwrap) support, which upstream OpenSSH removed in 6.7, so a firewall rule is the more reliable way to block an address.
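As an added, self-contained example (not from the original post), the script below generalizes the grep and sed pipeline above into a small POSIX shell tool. It runs over a constructed sample of auth.log lines that covers both the older "Invalid user X from IP" format shown above and the newer one where sshd appends "port NNNN" (which the bare `s/^.*from //` substitution would leave in), counts failures per source address, applies a safelist so you cannot lock yourself out, and renders the result both as hosts.deny lines and as iptables/ip6tables rules. The sample log lines, the SAFE_IPS value and the thresholds are assumptions for illustration; nothing in it modifies the system, it only prints.

```sh
#!/bin/sh
# Added example, not from the original post. Generalizes the grep|sed pipeline:
# pulls the source address out of every failed SSH login in auth.log-style
# input, handles both the older "Invalid user X from IP" line and the newer
# one that appends "port NNNN", counts hits per address, applies a safelist so
# you cannot lock yourself out, and prints blocklist entries for hosts.deny
# and for iptables/ip6tables. Nothing here modifies the system; it only prints.

# Constructed sample of /var/log/auth.log lines (RFC 5737/3849 documentation
# addresses, not real attackers).
SAMPLE_AUTH_LOG='Oct 25 06:24:44 server sshd[22889]: Invalid user admin from 198.51.100.7
Oct 25 06:24:46 server sshd[22889]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
Oct 25 06:25:01 server sshd[22893]: Invalid user oracle from 203.0.113.9 port 55512
Oct 25 06:25:03 server sshd[22893]: Failed password for invalid user oracle from 203.0.113.9 port 55512 ssh2
Oct 25 06:25:10 server sshd[22897]: Failed password for root from 203.0.113.9 port 55600 ssh2
Oct 25 06:26:30 server sshd[22901]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
Oct 25 06:26:45 server sshd[22903]: Failed password for alice from 192.0.2.10 port 50100 ssh2
Oct 25 06:27:00 server sshd[22905]: Invalid user test from 2001:db8::bad
Oct 25 06:27:15 server sshd[22910]: Connection closed by 192.0.2.10 port 50122'

# Assumed safelist: addresses never to block (your own admin hosts), space separated.
SAFE_IPS='192.0.2.10'

# Print the source address of every failed login, one per line, duplicates kept.
# $1: log file, or "-" / empty for stdin. Only sshd "Invalid user" and
# "Failed password" lines count; accepted logins and disconnects are ignored.
# The greedy ".* from " anchors on the LAST "from", so a username that is
# literally "from" cannot fool it, and [^ ]* stops at the space before "port".
failed_login_sources() {
    grep -E 'sshd\[[0-9]+\]: (Invalid user|Failed password for)' "${1:--}" \
        | sed -n 's/^.* from \([^ ]*\).*$/\1/p'
}

# Hit count per address, most active first (handy for picking a threshold).
failed_login_counts() {
    failed_login_sources "$1" | sort | uniq -c | sort -rn
}

# Addresses with at least $2 failures (default 1), minus the safelist, sorted.
blocklist() {
    threshold="${2:-1}"
    failed_login_sources "$1" | sort | uniq -c \
        | awk -v t="$threshold" -v safe="$SAFE_IPS" '
            BEGIN { n = split(safe, a, " "); for (i = 1; i <= n; i++) s[a[i]] = 1 }
            $1 >= t && !($2 in s) { print $2 }' \
        | sort
}

# hosts.deny lines. IPv6 addresses must be bracketed there (hosts_access(5)).
# Caveat: sshd only honours hosts.deny when built with TCP Wrappers (libwrap),
# which upstream OpenSSH removed in 6.7; prefer the firewall rules below.
hosts_deny_entries() {
    blocklist "$1" "$2" | while IFS= read -r ip; do
        case "$ip" in
            *:*) printf 'sshd: [%s]\n' "$ip" ;;
            *)   printf 'sshd: %s\n' "$ip" ;;
        esac
    done
}

# Firewall rules to drop SSH from each address; printed, not executed.
firewall_rules() {
    blocklist "$1" "$2" | while IFS= read -r ip; do
        case "$ip" in
            *:*) printf 'ip6tables -A INPUT -p tcp --dport 22 -s %s -j DROP\n' "$ip" ;;
            *)   printf 'iptables -A INPUT -p tcp --dport 22 -s %s -j DROP\n' "$ip" ;;
        esac
    done
}

# Demo on the constructed sample; on a real host: blocklist /var/log/auth.log 3
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_login_counts -
printf '%s\n' "$SAMPLE_AUTH_LOG" | hosts_deny_entries - 2
printf '%s\n' "$SAMPLE_AUTH_LOG" | firewall_rules - 2
```

Pick the threshold from the counts output rather than blocking on a single failure: a colleague mistyping a password once should not end up in the same list as a host that has been hammering sshd all night, which is also why the safelist is applied before anything is emitted.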
Sources I found helpful:
http://www.debian-administration.org/article/87/Keeping_SSH_access_secure
http://unix.stackexchange.com/questions/24140/return-only-the-portion-of...
