(   )
                          (    )
                           (    )
                          (    )
                            )  )
                           (  (                  /\
                            (_)                 /  \  /\
                    ________[_]________      /\/    \/  \
           /\      /\        ______    \    /   /\/\  /\/\
          /  \    //_\       \    /\    \  /\/\/    \/    \
   /\    / /\/\  //___\       \__/  \    \/
  /  \  /\/    \//_____\       \ |[]|     \
 /\/\/\/       //_______\       \|__|      \
/      \      /XXXXXXXXXX\                  \
        \    /_I_II  I__I_\__________________\
               I_I|  I__I_____[]_|_[]_____I
               I_II  I__I_____[]_|_[]_____I
               I II__I  I     XXXXXXX     I
            ~~~~~"   "~~~~~~~~~~~~~~~~~~~~~~~~

Tue, 29 Dec 2009

Viewing the Top-Ten Worst SSH Attackers

If you must maintain an 'open' SSH server, this might come in handy. This is a quick way to view the top ten worst offending SSH attackers in your secure log. It works on Red Hat-based Linux boxen (e.g., CentOS, Fedora), but it can easily be modified for other OSes by just changing the grep pattern or the logfile path.

[root@mail ~]# grep 'Failed password for invalid user' /var/log/secure* \
 | perl -nle 'print $1 if /from.+?(\d+\.\d+\.\d+\.\d+)/' \
 | sort -n | uniq -c | sort -nr | head -n 10
   1888 200.123.110.118
   1058 187.17.82.179
   1010 72.2.10.4
    372 201.38.138.2
    330 189.19.9.217
    250 218.61.35.119
    250 210.181.198.94
    146 88.199.11.170
    140 72.55.164.232
    140 115.93.93.123
[root@mail ~]#
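A variant of the same count, added here as an example and not part of the original post: it also counts failures against existing accounts, and it anchors the address match to the end of the log line so that a client-supplied username containing text such as " from 192.0.2.99" cannot change which address is counted. The function names, the sample lines, and the assumed line ending ("from <ip> port <port> ssh2") are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# top_ssh_offenders [N]: read sshd log lines on stdin and print
# "count ip" for the N source addresses with the most failed passwords.
top_ssh_offenders() {
    limit="${1:-10}"
    # Assumption: failure lines end in "from <ip> port <port> ssh2".
    # The leading ".*" is greedy and the pattern is anchored with "$",
    # so only the final "from <ip>" on the line is captured; the
    # username field is remote-controlled text and is never trusted.
    sed -nE 's/^.*sshd\[[0-9]+\]: Failed password for .* from ([0-9]{1,3}(\.[0-9]{1,3}){3}) port [0-9]+( ssh2)?$/\1/p' |
        sort | uniq -c |
        awk '{ print $1, $2 }' |      # drop uniq's left padding
        sort -k1,1nr -k2,2 |          # worst first, ties ordered by address
        head -n "$limit"
}

# Constructed sample lines (RFC 5737 documentation addresses).
sample_log() {
    cat <<'EOF'
Dec 29 16:01:02 mail sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Dec 29 16:01:05 mail sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 40130 ssh2
Dec 29 16:01:09 mail sshd[2105]: Failed password for root from 203.0.113.7 port 40141 ssh2
Dec 29 16:02:11 mail sshd[2110]: Failed password for invalid user oracle from 198.51.100.23 port 51500 ssh2
Dec 29 16:02:15 mail sshd[2112]: Failed password for invalid user x from 192.0.2.99 from 198.51.100.23 port 51514 ssh2
Dec 29 16:03:00 mail sshd[2120]: Accepted password for alice from 192.0.2.10 port 60022 ssh2
Dec 29 16:03:30 mail sshd[2125]: Failed password for invalid user guest from 192.0.2.50 port 33001 ssh2
EOF
}

# Demo on the constructed sample; on a real host feed the log instead,
# e.g.  cat /var/log/secure* | top_ssh_offenders 10
sample_log | top_ssh_offenders 3
```

On the fifth sample line the username itself contains "from 192.0.2.99"; the anchored pattern attributes that attempt to 198.51.100.23, the address sshd recorded at the end of the line.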

posted at: 16:44 | Linux, Logs, SSH, Security, Sysadmin, Tips