I was playing around with fail2ban (probably an upcoming article) today and wanted to share a one-liner for viewing the top ten IPs trying to SSH into your server. Here's the code.
IPs Trying to SSH into Your Server
Top ten IPs trying to SSH into your server
# cat /var/log/messages | grep "Invalid user" | sed 's/.*from \([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\)/\1/' | uniq -dc | sort -r | head -n 10
  19285 18.104.22.168
  18263 22.214.171.124
  10899 126.96.36.199
   8993 188.8.131.52
   8493 184.108.40.206
   5391 220.127.116.11
   5225 18.104.22.168
   4247 22.214.171.124
   4182 126.96.36.199
   3876 188.8.131.52
- cat /var/log/messages: change this to wherever your sshd logs go (on many systems it is /var/log/auth.log or /var/log/secure)
- grep "Invalid user": match the "Invalid user" string, which is what sshd prints when someone tries a username that does not exist
- sed: pull out the IP address only. This is probably not the most elegant pattern, but it works.
- uniq -dc: I didn't even know this was on my system. It counts duplicated lines (-d prints only lines that repeat, -c prefixes each with its count), but only adjacent ones, so an IP whose attempts are interleaved with others can show up more than once in the output, as 18.104.22.168 does above; sorting the list first avoids that.
- sort -r: sort the list of IPs in reverse (most entries per IP first; this works because uniq -c pads the counts to a fixed width)
- head -n 10: keep the top ten (or whatever you choose)
IPs Trying to SSH into Your Server with whois Information
Here is a slightly more complex version that will run a whois search on each IP and send the results to less.
Viewing whois info for IPs
# for domain in `cat /var/log/messages | grep "Invalid user" | sed 's/.*from \([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\)/\1/' | uniq -dc | sort -r | head -n 10 | sed 's/.*[0-9]* //'`; do whois "$domain"; done | less
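The following is an added example, not the original post's code; it reworks both one-liners above as shell functions. It sorts before uniq -c so each IP is counted exactly once (uniq only collapses adjacent duplicates), sorts the counts numerically, stops the regex at the end of the IP so newer sshd lines of the form "... from 1.2.3.4 port 41234" do not leave the port in the output, and replaces the backtick loop with a quoted while/read loop. The log excerpt is constructed (TEST-NET addresses), and the third parameter of whois_top_ssh_ips, which lets a stub stand in for the real whois binary, is an addition of this example.

```shell
#!/bin/sh
# Added example (not the original post's code): hardened versions of the two
# pipelines in the post. Sample log lines below are constructed.

# top_ssh_ips LOGFILE [N]: print "COUNT IP", most frequent first, for the
# N (default 10) addresses that produced the most "Invalid user" lines.
top_ssh_ips() {
    logfile=$1
    n=${2:-10}
    grep 'Invalid user' "$logfile" \
      | sed -n 's/.*from \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
      | sort \
      | uniq -c \
      | sort -rn \
      | head -n "$n" \
      | awk '{ print $1, $2 }'
}

# whois_top_ssh_ips LOGFILE [N] [LOOKUP_CMD]: run a lookup for each of the
# top N addresses. LOOKUP_CMD defaults to whois; the demo passes a stub so
# the example runs offline. Pipe the output to less as in the original post.
whois_top_ssh_ips() {
    lookup=${3:-whois}
    top_ssh_ips "$1" "${2:-10}" | while read -r count ip; do
        printf '=== %s (%s attempts) ===\n' "$ip" "$count"
        "$lookup" "$ip"
    done
}

# Constructed sshd log lines, deliberately interleaved: uniq -dc without a
# preceding sort would print nothing here, since no two adjacent lines share
# an IP. Expected counts: 203.0.113.5 = 3, 198.51.100.7 = 2, 192.0.2.1 = 1.
SAMPLE_LOG='Mar  3 10:01:22 host sshd[2101]: Invalid user admin from 203.0.113.5 port 41234
Mar  3 10:01:25 host sshd[2104]: Invalid user test from 198.51.100.7 port 51002
Mar  3 10:01:30 host sshd[2107]: Invalid user admin from 203.0.113.5 port 41240
Mar  3 10:01:31 host sshd[2109]: Accepted publickey for alice from 192.0.2.10 port 60001 ssh2
Mar  3 10:01:44 host sshd[2110]: Invalid user oracle from 192.0.2.1 port 33012
Mar  3 10:01:50 host sshd[2113]: Invalid user root from 198.51.100.7 port 51010
Mar  3 10:02:01 host sshd[2115]: Invalid user admin from 203.0.113.5 port 41250'

# Stub lookup used by the demo instead of the real whois binary.
fake_whois() {
    printf 'whois stub: no network lookup performed for %s\n' "$1"
}

# demo: write the constructed log to a temp file and run both functions.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    top_ssh_ips "$tmp" 3
    whois_top_ssh_ips "$tmp" 2 fake_whois
    rm -f "$tmp"
}

demo
```

To use it on a real host, point top_ssh_ips at the file your sshd actually logs to and drop the third argument of whois_top_ssh_ips so the real whois is called, e.g. `whois_top_ssh_ips /var/log/messages 10 | less`.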