I was playing around with fail2ban (probably an upcoming article) today and wanted to share a one-liner for viewing the top ten IPs trying to SSH into your server. Here's the code.
IPs Trying to SSH into Your Server
top ten ips trying to ssh into your server
# cat /var/log/messages | grep "Invalid user" | sed 's/.*from \([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\).*/\1/' | sort | uniq -dc | sort -rn | head -n 10
19285 220.127.116.11
18263 18.104.22.168
10899 22.214.171.124
8993 126.96.36.199
8493 188.8.131.52
5391 184.108.40.206
5225 220.127.116.11
4247 18.104.22.168
4182 22.214.171.124
3876 126.96.36.199
- change this to wherever your sshd writes its log
- match the "Invalid user" string, which is what sshd prints for a login attempt against a non-existent account
- pull out the IP address only. This is probably not the most elegant pattern, but it works.
- I didn't even know this was on my system. It will (with the -dc flags) count duplicate lines; note that uniq only merges adjacent duplicates, so the list has to be sorted before it is handed to uniq
- sort the list of IPs in reverse numeric order (most entries per IP first)
- keep the top ten (or whatever you choose)
IPs Trying to SSH into Your Server with whois Information
Here is a slightly more complex version that runs a whois lookup on each IP and sends the results to less.
Viewing info for ips
# for ip in `cat /var/log/messages | grep "Invalid user" | sed 's/.*from \([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\).*/\1/' | sort | uniq -dc | sort -rn | head -n 10 | sed 's/.*[0-9]* //'`; do whois "$ip"; done | less
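The same pipeline, wrapped in shell functions so it can be run offline against a constructed log sample rather than /var/log/messages. This is an added example, not code from the original post. It assumes the sshd message format "Invalid user NAME from A.B.C.D port N" (the trailing "port N" is why the sed pattern ends in `.*`), sorts before uniq because uniq only merges adjacent duplicates, and uses sort -rn so counts are ordered numerically. The `top_ip_only` helper yields just the address column, which is what the whois loop above consumes; the sample addresses are RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example (not from the original post): top sources of "Invalid user"
# attempts, reading sshd log lines from stdin instead of /var/log/messages.
# Assumed log format: "... sshd[PID]: Invalid user NAME from A.B.C.D port N"

# Constructed sample log; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG='Jan  1 10:00:01 host sshd[100]: Invalid user admin from 192.0.2.10 port 4001
Jan  1 10:00:02 host sshd[101]: Invalid user test from 198.51.100.7 port 4002
Jan  1 10:00:03 host sshd[102]: Invalid user admin from 192.0.2.10 port 4003
Jan  1 10:00:04 host sshd[103]: Accepted publickey for alice from 203.0.113.5 port 4004
Jan  1 10:00:05 host sshd[104]: Invalid user oracle from 203.0.113.99 port 4005
Jan  1 10:00:06 host sshd[105]: Invalid user root from 192.0.2.10 port 4006
Jan  1 10:00:07 host sshd[106]: Invalid user test from 198.51.100.7 port 4007'

# top_invalid_user_ips [N]: print "COUNT IP" for the N (default 10) most
# frequent source addresses found in the sshd lines read from stdin.
top_invalid_user_ips() {
    grep 'Invalid user' \
    | sed -n 's/.*from \([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\).*/\1/p' \
    | sort \
    | uniq -c \
    | sort -rn \
    | head -n "${1:-10}" \
    | awk '{print $1, $2}'
}

# top_ip_only [N]: the address column only, i.e. the input for a whois loop
# such as:  top_ip_only 10 < logfile | while read ip; do whois "$ip"; done | less
top_ip_only() {
    top_invalid_user_ips "$1" | awk '{print $2}'
}

# Stand-alone demo on the constructed sample
printf '%s\n' "$SAMPLE_LOG" | top_invalid_user_ips 3
```

On the sample this prints `3 192.0.2.10`, `2 198.51.100.7` and `1 203.0.113.99`; the "Accepted publickey" line is dropped by the grep stage, which is the behaviour you want when the goal is to spot brute-force sources rather than legitimate logins.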