Since I keep my personal computer always on, as a home Linux server, I decided to check whether someone is trying to break in with SSH brute-force attacks.
First I did a grep for "fail" in /var/log/auth.log (grep -i fail /var/log/auth.log).
And I got lots of lines with the string "fail". With [grep -i fail /var/log/auth.log | wc -l] I found that there were 1164 "fail" entries in auth.log.
With [grep -i fail auth.log | cut -d " " -f 6 | sort | uniq] I checked that there were two kinds of failed attempts:
Failed
pam_unix(sshd:auth):
So I wrote the following line to check which usernames they were attempting to log in with:
grep Failed auth.log | cut -d " " -f 11 | sort | uniq | while read line ; do echo -n "$line "; grep "$line" auth.log | wc -l; done | sort -n -k 2
Here, the field position (the number 11 in the command line above [-f 11]) may differ on some systems. On my desktop at work, the username came at position 9.
Here are the "top ten":
root 2922
user 2884
test 30
oracle 26
admin 22
mythtv 12
user1 6
teste 4
silentios 4
setup 4
Ouch! 2922 attempts! Luckily I always change my SSH config to not permit root logins.
In /etc/ssh/sshd_config: PermitRootLogin no
And a good habit is to add a final AllowUsers line, followed by the usernames allowed to log in through SSH.
As most Unixes rotate logs with gzip, the line above can be changed to zgrep through all the auth logs as follows:
zgrep Failed auth.log* | cut -d " " -f 11 | sort | uniq | while read line ; do echo -n "$line "; zgrep Failed auth.log* | grep "$line" | wc -l; done | sort -n -k 2
This particular line took around 4 minutes to run. After that, it came back with a list of 676 different users who had attempted to log in with ssh on my host.
Here are the top 50:
w 9707
u 9707
t 9707
sshd 9707
ssh 9707
s 9707
r 9707
p 9707
o 9707
m 9707
log 9707
l 9707
k 9707
i 9707
h 9707
g 9707
f 9707
ed 9707
e 9707
desktop 9707
d 9707
am 9707
a 9707
v 9706
user 9706
n 9706
id 9706
z 8419
c 6818
root 2322
y 840
b 677
j 381
test 319
adm 268
admin 253
at 222
x 189
it 167
q 134
ftp 124
mail 113
web 102
postgres 79
mysql 78
mini 74
suporte 71
guest 67
pop 65
oracle 62
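The counting commands above match each username as a substring of whole log lines, which is why single letters such as "a" or "e" top the second list with a count equal to nearly every line in the logs. As an added example (not the post's own commands), the script below counts only "Failed ... for" sshd lines, takes the username from the token after "for" (or after "invalid user"), so the field position no longer matters, and reads gzip-rotated files the way zgrep does. It assumes the usual OpenSSH syslog message format, and the log lines in it are constructed, not taken from a real host.

```sh
#!/bin/sh
# Count failed SSH logins per username from auth.log files (plain or .gz),
# assuming the usual OpenSSH message "Failed password for [invalid user] U from IP ...".

# Print the username of every failed sshd attempt, one per line.
failed_users() {
  for f in "$@"; do
    case "$f" in
      *.gz) gzip -dc "$f" ;;   # rotated logs, as zgrep would read them
      *)    cat "$f" ;;
    esac
  done | awk '
    /sshd\[[0-9]+\]: Failed [a-z]+ for / {
      # the username follows "for", or follows "invalid user" when the
      # account does not exist; an empty username leaves "from" there
      for (i = 1; i <= NF; i++) if ($i == "for") {
        u = $(i + 1)
        if (u == "invalid" && $(i + 2) == "user") u = $(i + 3)
        if (u != "from") print u
        break
      }
    }'
  # pam_unix(sshd:auth) lines are skipped: they report the same attempt again
}

# Attempts per username, most-attacked first.
failed_user_counts() {
  failed_users "$@" | sort | uniq -c | sort -rn
}

# Attempts for one exact username: whole-line, fixed-string match, so the
# user "a" is not credited with every line that contains the letter a.
failed_count_for() {  # $1 = username, remaining args = log files
  user=$1; shift
  failed_users "$@" | grep -cxF -- "$user" || true
}
# Constructed sample log for a stand-alone run (not from any real host).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE" "$SAMPLE.gz"' EXIT
cat > "$SAMPLE" <<'EOF'
Mar  1 10:00:01 homebox sshd[2001]: Failed password for root from 192.0.2.10 port 4311 ssh2
Mar  1 10:00:03 homebox sshd[2001]: Failed password for root from 192.0.2.10 port 4312 ssh2
Mar  1 10:00:05 homebox sshd[2002]: Failed password for invalid user oracle from 192.0.2.10 port 4313 ssh2
Mar  1 10:00:07 homebox sshd[2003]: Failed password for invalid user a from 198.51.100.7 port 5000 ssh2
Mar  1 10:00:09 homebox sshd[2003]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
Mar  1 10:00:11 homebox sshd[2004]: Accepted publickey for user from 203.0.113.5 port 6000 ssh2
EOF
gzip -c "$SAMPLE" > "$SAMPLE.gz"   # stands in for a rotated auth.log.1.gz
failed_user_counts "$SAMPLE" "$SAMPLE.gz"
```

Run it as failed_user_counts /var/log/auth.log* to get the per-user table for the real logs; the pam_unix lines the post noticed are left out so each attempt is counted once.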
Some useful shell scripts here. Am looking to log and graph the attacks on my box for display.
thanks