I was playing around with fail2ban (probably an upcoming article) today and wanted to share a one-liner for viewing the top ten IPs trying to SSH into your server. Here’s the code.
IPs Trying to SSH into Your Server
top ten IPs trying to SSH into your server
# cat /var/log/messages | grep "Invalid user" | sed 's/.*from \([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\).*/\1/' | sort | uniq -dc | sort -rn | head -n 10
19285 22.214.171.124
18263 126.96.36.199
10899 188.8.131.52
8993 184.108.40.206
8493 220.127.116.11
5391 18.104.22.168
5225 22.214.171.124
4247 126.96.36.199
4182 188.8.131.52
3876 184.108.40.206
- cat /var/log/messages: change this to wherever sshd logs on your system
- grep "Invalid user": match the “Invalid user” string, which is what sshd prints when someone tries to log in as a user that does not exist
- sed 's/.*from \(...\).*/\1/': pull out the IP address only; the trailing .* drops anything after the address (newer sshd versions append "port NNNN"). This is probably not the most elegant pattern, but it works.
- sort: uniq only collapses adjacent duplicates, so the addresses have to be sorted first or the same IP shows up several times with partial counts
- uniq -dc: I didn’t even know this was on my system. It will (with the -dc flags) count duplicates in a list: -d prints only lines that occur more than once and -c prefixes each with its count
- sort -rn: sort the list of IPs in reverse (most entries per IP first); -n sorts on the count numerically rather than as text
- head -n 10: keep the top ten (or whatever you choose)
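The same pipeline as a pair of shell functions run over a constructed sample log, so you can see why the sort step matters and that the "port N" suffix gets stripped. This is an added example, not code from the original post; the log lines, hostnames and addresses (RFC 5737 documentation ranges) are made up, and it uses uniq -c rather than -dc so that single-attempt addresses are counted too.

```shell
#!/bin/sh
# Added example: rank source addresses of "Invalid user" SSH attempts.
# The sample log below is constructed; the format follows sshd's syslog lines.

SAMPLE_LOG=$(cat <<'EOF'
Mar  1 10:00:01 host sshd[1001]: Invalid user admin from 203.0.113.7 port 50000
Mar  1 10:00:02 host sshd[1002]: Invalid user test from 198.51.100.23 port 50001
Mar  1 10:00:03 host sshd[1003]: Invalid user oracle from 203.0.113.7 port 50002
Mar  1 10:00:04 host sshd[1004]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Mar  1 10:00:05 host sshd[1005]: Invalid user guest from 192.0.2.99 port 50003
Mar  1 10:00:06 host sshd[1006]: Invalid user ubuntu from 198.51.100.23 port 50004
Mar  1 10:00:07 host sshd[1007]: Invalid user pi from 203.0.113.7 port 50005
EOF
)

# Extract the source address from each "Invalid user" line read on stdin.
# The trailing .* drops the "port N" suffix newer sshd versions append;
# sed -n ... p prints only lines where an address was actually found.
invalid_user_ips() {
    grep 'Invalid user' \
        | sed -n 's/.* from \([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\).*/\1/p'
}

# Rank addresses by attempt count, highest first. uniq only merges adjacent
# duplicates, so the input is sorted before counting; sort -rn orders the
# counts numerically. Output is normalised to "count ip" with a single space.
top_ssh_ips() {
    n=${1:-10}
    invalid_user_ips | sort | uniq -c | sort -rn | head -n "$n" \
        | awk '{print $1, $2}'
}

# Demonstration on the constructed sample. On a real host you would run, e.g.:
#   top_ssh_ips 10 < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | top_ssh_ips 10
```

Because the three addresses are interleaved in the sample, running uniq -c without the preceding sort would report 203.0.113.7 three separate times with a count of 1 each instead of once with a count of 3.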
IPs Trying to SSH into Your Server with whois Information
Here is a slightly more complex version that will run a whois search on each IP and send the results to less.
Viewing info for IPs
# for ip in $(cat /var/log/messages | grep "Invalid user" | sed 's/.*from \([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\).*/\1/' | sort | uniq -dc | sort -rn | head -n 10 | sed 's/.*[0-9]* //'); do whois "$ip"; done | less