All login attempts, successful or not, are in /var/log/auth.log file. To find from which IP addresses attempts are coming, and only for valid usernames, execute following line:
$ cat /var/log/auth.log|grep -v "invalid"|grep "Failed password"|awk '{ print $(NF-3) }'|sort|uniq
grep -v "invalid" - -v switch reverts filter then only lines without word "invalid" are included
grep "Failed password" - only lines with words "Failed password" are included
awk '{ print $(NF-3) }' - Take 3rd arg from last
sort
and print only unique IP addresses.
Also, if you want to find on which usernames attacks are targeted change awk part into: awk '{ print $(NF-5) }'
No comments:
Post a Comment