After my little experiment wit clay stop motion animation (link), I brought the camera home and showed the process to my kids... My older son wanted to give it a try... And here is his first movie.
As I am letting my personal computer always on, as a homelinux server, I decided to check if someone is trying to breaking in with SSH brute force attacks.
First I did a grep for fail at the /var/log/auth.log. (grep -i /var/log/auth.log)
And I got lots of lines with the string "fail". With [grep -i /var/log/auth.log | wc -l] I figured out that were 1164 fail entries at auth.log
With an [grep -i fail auth.log | cut -d " " -f 6 | sort | uniq] I checked that were two kind of failed attempts:
Failed
pam_unix(sshd:auth):
So I wrote the following line to check with which users they were attempting to log:
grep Failed auth.log | cut -d " " -f 11 | sort | uniq | while read line ; do echo -n $line" "; grep $line auth.log | wc -l; done | sort -n -k 2
Here, the field position (the number 11 at the above command lines [-f 11]) may change in some systems. At my desktop at work, the username came at the position 9.
Here are the "top ten":
root 2922
user 2884
…
First I did a grep for fail at the /var/log/auth.log. (grep -i /var/log/auth.log)
And I got lots of lines with the string "fail". With [grep -i /var/log/auth.log | wc -l] I figured out that were 1164 fail entries at auth.log
With an [grep -i fail auth.log | cut -d " " -f 6 | sort | uniq] I checked that were two kind of failed attempts:
Failed
pam_unix(sshd:auth):
So I wrote the following line to check with which users they were attempting to log:
grep Failed auth.log | cut -d " " -f 11 | sort | uniq | while read line ; do echo -n $line" "; grep $line auth.log | wc -l; done | sort -n -k 2
Here, the field position (the number 11 at the above command lines [-f 11]) may change in some systems. At my desktop at work, the username came at the position 9.
Here are the "top ten":
root 2922
user 2884
…
Comments
Post a Comment