I was playing around with fail2ban (probably an upcoming article) today and wanted to share a one-liner for viewing the top ten IPs trying to SSH into your server. Here's the code.
IPs Trying to SSH into Your Server
Top ten IPs trying to SSH into your server

# cat /var/log/messages | grep "Invalid user" | sed 's/.*from \([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\).*/\1/' | sort | uniq -dc | sort -rn | head -n 10
  19285 184.108.40.206
  18263 220.127.116.11
  10899 18.104.22.168
   8993 22.214.171.124
   8493 126.96.36.199
   5391 188.8.131.52
   5225 184.108.40.206
   4247 220.127.116.11
   4182 18.104.22.168
   3876 22.214.171.124
- change this to wherever your sshd logs (/var/log/auth.log or /var/log/secure on many distributions)
- match the "Invalid user" string, which is what sshd prints when someone tries a username that doesn't exist
- pull out the IP address only. This is probably not the most elegant pattern, but it works. The trailing `.*` drops anything after the address (newer sshd versions append "port NNNN"), so the same IP isn't counted once per port.
- I didn't even know this was on my system. It will (with the -dc flags) count duplicates in a list. The input has to be sorted first, because uniq only collapses adjacent duplicate lines; without the sort the counts are split up and too low.
- sort the list of IPs in reverse numeric order (most entries per IP first); plain `sort -r` would compare the counts as strings
- keep the top ten (or whatever you choose)
IPs Trying to SSH into Your Server with whois Information
Here is a slightly more complex version that will run a whois search on each IP and send the results to less.
Viewing info for IPs

# for ip in `cat /var/log/messages | grep "Invalid user" | sed 's/.*from \([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\).*/\1/' | sort | uniq -dc | sort -rn | head -n 10 | sed 's/.*[0-9]* //'`; do whois "$ip"; done | less
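Both one-liners above read the live log and the second one hits whois for every address, which makes them awkward to try out safely. The following is an added example, not the post's own code: the same pipeline wrapped in two small POSIX sh functions that read log lines from stdin, run here over a handful of constructed sshd lines (with and without the "port N" suffix newer sshd versions add, plus one unrelated "Accepted publickey" line that must be ignored). It differs from the original in two deliberate ways: `sed -n ... p` prints only lines where an address was actually extracted, and `uniq -c` is used without `-d` so single-attempt sources also show up. The function names and the sample log are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): top SSH "Invalid user" sources,
# as functions over stdin so the pipeline can be tested without a real log.

# Constructed sample log lines in sshd's syslog format (assumption: this is
# the "Invalid user ... from <ip>" shape the post greps for).
SAMPLE_LOG='Mar  1 10:00:01 host sshd[111]: Invalid user admin from 192.0.2.10
Mar  1 10:00:02 host sshd[112]: Invalid user oracle from 198.51.100.7 port 41234
Mar  1 10:00:03 host sshd[113]: Invalid user admin from 192.0.2.10
Mar  1 10:00:04 host sshd[114]: Accepted publickey for alice from 203.0.113.5 port 50000 ssh2
Mar  1 10:00:05 host sshd[115]: Invalid user test from 198.51.100.7 port 41235
Mar  1 10:00:06 host sshd[116]: Invalid user admin from 192.0.2.10 port 41236
Mar  1 10:00:07 host sshd[117]: Invalid user guest from 203.0.113.9'

# top_ssh_ips [N]: read log lines on stdin, print "count ip" for the N
# (default 10) addresses with the most "Invalid user" attempts.
top_ssh_ips() {
    n="${1:-10}"
    grep "Invalid user" \
      | sed -n 's/.*from \([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\).*/\1/p' \
      | sort | uniq -c | sort -rn | head -n "$n"
    # sort before uniq: uniq only merges *adjacent* duplicates.
    # sort -rn after: compare the counts as numbers, largest first.
}

# top_ssh_ips_only [N]: same, but just the addresses, one per line, which is
# the form the whois loop wants.
top_ssh_ips_only() {
    top_ssh_ips "$@" | awk '{print $2}'
}

# Stand-alone demo on the constructed sample instead of /var/log/messages.
printf '%s\n' "$SAMPLE_LOG" | top_ssh_ips 3
```

Against a real system you would replace the demo line with `top_ssh_ips 10 < /var/log/messages`, and the whois version of the post becomes `top_ssh_ips_only 10 < /var/log/messages | while read -r ip; do whois "$ip"; done | less`, which avoids the backtick word-splitting of the original loop.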