View Attacklog
This is a script for viewing who has tried and failed to SSH into your box.
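#!/bin/bash
# Created by jbstafford.co.uk
#
# Summarise failed SSH logins recorded in /var/log/secure: how many times
# each source IP, username, or username/IP pair has failed to authenticate.
#
# Usage: view_attacklog [-i|-u|-c] [-r] [-s] [-h]
#   -i  count per source IP (the default)
#   -u  count per username
#   -c  count per username/IP pair
#   -r  only consider attempts to log in as root
#   -s  print the summary on stdout instead of writing the daily log file
#   -h  print usage
#
# Unless -s is given the summary is written to
# /var/log_history/ssh/attack_YYYY-MM-DD.log, overwriting any earlier run
# from the same day.
set -u

# Field numbers (space-separated, after runs of spaces are squeezed and the
# optional "invalid user " has been stripped) of the username and the
# source IP in a line such as
#   Mon DD HH:MM:SS host sshd[pid]: Failed password for USER from IP port N ssh2
# NOTE(review): this assumes the classic syslog prefix; a different
# timestamp layout shifts every column.
readonly IP_COL=11
readonly USR_COL=9
# By default, we go with option -i
COL=${IP_COL}
DATE=$(date +%Y-%m-%d)
readonly DATE
readonly LOG_DIR=/var/log_history/ssh
readonly LOG_FILE=${LOG_DIR}/attack_${DATE}.log
readonly SSH_LOG=/var/log/secure

# Option flags. Initialised explicitly so that values inherited from the
# caller's environment (e.g. an exported ropt=1) cannot switch options on.
iopt= ropt= uopt= hopt= copt= sopt=

# Read in any arguments
while getopts 'crushi' name; do
  case "$name" in
    i) iopt=1 ;;
    r) ropt=1 ;;
    u) uopt=1 ;;
    h) hopt=1 ;;
    c) copt=1 ;;
    s) sopt=1 ;;
    *) echo "Invalid argument."; echo "Try $0 -h"; exit 1 ;;
  esac
done

# -i, -u and -c each select the output column, so at most one may be given.
# An empty flag evaluates to 0 in arithmetic context.
CHECK=$((iopt + uopt + copt))
if (( CHECK > 1 )); then
  echo "Error. The arguments -i, -u and -c are exclusive"
  echo "Use 'attacklog -h' to print more info"
  exit 1
fi

# If we got the argument '-h' then print some helpful information
if [[ -n "$hopt" ]]; then
  echo "Prints summary of attacks"
  echo " -i : Show which IPs have tried and failed to connect and how many times"
  echo " -u : Show which usernames have tried and failed to connect and how many times"
  echo " -c : Show which username/IP combinations have tried and failed to connect and how many times."
  echo " -r : Limit output to those related to root login attempts"
  echo " -s : Show summary on screen rather than writing to $LOG_FILE"
  exit 0
fi

# Pick the column(s) to aggregate on: -i -> IP, -u -> username,
# -c -> "username IP" pairs.
if [[ -n "$iopt" ]]; then
  COL=${IP_COL}
elif [[ -n "$uopt" ]]; then
  COL=${USR_COL}
elif [[ -n "$copt" ]]; then
  COL="${USR_COL},${IP_COL}"
fi

# Private scratch file. mktemp creates it with an unpredictable name and
# mode 0600, so a file or symlink pre-planted in /tmp cannot redirect the
# write (the former attack_DATE_$RANDOM name was guessable). The trap removes
# it on every exit path; after the final mv it no longer exists and rm -f is
# a no-op.
TMP_FILE=$(mktemp "${TMPDIR:-/tmp}/attack_${DATE}_XXXXXX") || exit 1
readonly TMP_FILE
trap 'rm -f -- "$TMP_FILE"' EXIT

#######################################
# Pass-through filter for -r: keep only lines whose login name is root.
# Matches the " for root from " field boundary instead of "root" anywhere
# on the line, which would also hit hostnames or users such as "groot".
# Globals:   ropt (read)
# Arguments: none (reads stdin, writes stdout)
#######################################
root_filter() {
  if [[ -n "$ropt" ]]; then
    grep -- ' for root from '
  else
    cat
  fi
}

# Build the summary: count occurrences of the selected field(s) among the
# failed-password lines, least frequent first.
grep -i -- "Failed password for" "$SSH_LOG" \
  | tr -s ' ' \
  | sed 's/invalid user //g' \
  | root_filter \
  | cut -d' ' -f"$COL" \
  | sort \
  | uniq -c \
  | sort -n > "$TMP_FILE"

# If we got the argument '-s' then print to the screen instead of writing
# to the log file. The log directory is only needed (and only created) when
# we actually write there, so -s still works for users who cannot create it.
if [[ -n "$sopt" ]]; then
  cat -- "$TMP_FILE"
else
  mkdir -p -- "$LOG_DIR" || { echo "Error. Cannot create $LOG_DIR" >&2; exit 1; }
  mv -f -- "$TMP_FILE" "$LOG_FILE"
fi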
