Tue, 29 Dec 2009
Viewing the Top-Ten Worst SSH Attackers
If you must maintain an 'open' SSH server, this might come in handy. This is a quick way to view the ten worst-offending SSH attackers in your secure log. It works on Red Hat-based Linux boxen (e.g., CentOS, Fedora), but it can easily be adapted to other OSes by changing the pattern or the log file.
[root@mail ~]# grep 'Failed password for invalid user' /var/log/secure* \
| perl -nle 'print $1 if /from.+?(\d+\.\d+\.\d+\.\d+)/' \
| sort -n | uniq -c | sort -nr | head -n 10
1888 200.123.110.118
1058 187.17.82.179
1010 72.2.10.4
372 201.38.138.2
330 189.19.9.217
250 218.61.35.119
250 210.181.198.94
146 88.199.11.170
140 72.55.164.232
140 115.93.93.123
[root@mail ~]#
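The same count as a reusable shell function, added here as an example and not part of the original post. It goes a little further than the one-liner: it also counts failures against existing accounts, and it anchors the address to the end of the line, because the user name in these entries is supplied by the client and should not influence which address gets counted. The function names and the sample log lines are constructed for illustration (documentation-range addresses), and the standard OpenSSH "Failed password for ... from ADDR port N ssh2" line format is assumed.

```shell
#!/bin/sh
# Added example; names and sample data are hypothetical/constructed.
#
# top_ssh_offenders [COUNT] [LOGFILE...]
#   Prints "count address" for the COUNT (default 10) addresses with the
#   most failed password attempts. Reads stdin when no LOGFILE is given.
#   Usage on Red Hat-based systems:  top_ssh_offenders 10 /var/log/secure*
#   Usage on Debian-based systems:   top_ssh_offenders 10 /var/log/auth.log
top_ssh_offenders() {
    count=${1:-10}
    [ $# -gt 0 ] && shift
    # The pattern must match through end of line, so only the final
    # " from ADDR port N" (written by sshd itself) is captured, even if
    # the logged user name contains "from" and an address-like string.
    cat -- "$@" |
    sed -n -E 's/^.*sshd\[[0-9]+\]: Failed password for .* from ([0-9]{1,3}(\.[0-9]{1,3}){3}) port [0-9]+( ssh2)?$/\1/p' |
    sort | uniq -c | sort -k1,1nr -k2,2 | head -n "$count"
}

# Constructed sample of /var/log/secure content for trying the function.
sample_secure_log() {
    cat <<'EOF'
Dec 29 16:01:02 mail sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Dec 29 16:01:05 mail sshd[2102]: Failed password for invalid user test from 192.0.2.10 port 40123 ssh2
Dec 29 16:01:09 mail sshd[2104]: Failed password for invalid user x from 203.0.113.99 from 192.0.2.10 port 40125 ssh2
Dec 29 16:02:11 mail sshd[2110]: Failed password for root from 198.51.100.7 port 51500 ssh2
Dec 29 16:02:14 mail sshd[2111]: Failed password for invalid user oracle from 198.51.100.7 port 51501 ssh2
Dec 29 16:03:30 mail sshd[2120]: Failed password for invalid user guest from 203.0.113.5 port 33010 ssh2
Dec 29 16:04:00 mail sshd[2130]: Accepted password for alice from 203.0.113.5 port 33011 ssh2
EOF
}
```

Try it without touching a real log by running: sample_secure_log | top_ssh_offenders 3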
posted at: 16:44 | Linux, Logs, SSH, Security, Sysadmin, Tips