I was playing around with fail2ban (probably an upcoming article) today and wanted to share a one-liner for viewing the top ten IPs trying to SSH into your server. Here's the code.
IPs Trying to SSH into Your Server
top ten IPs trying to SSH into your server
# grep "Invalid user" /var/log/messages | sed 's/.*from \([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\).*/\1/' | sort | uniq -dc | sort -rn | head -n 10
  19285 126.96.36.199
  18263 188.8.131.52
  10899 184.108.40.206
   8993 220.127.116.11
   8493 18.104.22.168
   5391 22.214.171.124
   5225 126.96.36.199
   4247 188.8.131.52
   4182 184.108.40.206
   3876 220.127.116.11
- /var/log/messages is where this box's sshd logs; change it to wherever yours writes (commonly /var/log/auth.log on Debian and Ubuntu, /var/log/secure on Red Hat and CentOS, or `journalctl -u sshd` when sshd logs only to the journal)
- match the "Invalid user" string, which is what sshd prints when someone tries a username that does not exist on the system. Failed passwords against real accounts (root, for example) are logged as "Failed password for ... from ..." instead, so this list undercounts attempts on valid users
- pull out the IP address only. This is probably not the most elegant pattern, but it works. The pattern must also eat anything after the address: newer sshd versions append "port NNNN" to the line, and if that survives, every attempt looks unique and the counting breaks
- I didn't even know this was on my system. uniq will (with the -dc flags) count duplicates in a list, but it only merges adjacent identical lines, so the addresses have to be sorted first or an IP that comes back after a pause is counted as a separate entry (the listing above came from a run without that sort, which is why the same address shows up more than once). -d also drops addresses seen only once, so a single stray connection does not make the list
- sort the list of IPs in reverse numeric order (most entries per IP first). Use -rn rather than plain -r: -r sorts as text and only works here because uniq pads the counts to a fixed width
- keep the top ten (or whatever you choose)
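The same pipeline as a small shell function you can run offline, added here as an example and not code from the original post. It runs over a constructed sshd log (made-up host name, made-up attempts, RFC 5737 documentation addresses) instead of /var/log/messages, and shows the two details the one-liner has to get right: the newer "port NNNN" suffix on the log line, and sorting before uniq so an address that comes back after a pause is counted once rather than twice. Like the post's version it uses uniq -d, so the address with a single hit is dropped.

```shell
#!/bin/sh
# Added example, not from the original post. Counts "Invalid user" attempts
# per source IP in an sshd log and prints the busiest addresses first.

# top_ssh_offenders LOGFILE [N]  -> prints "COUNT IP" lines, busiest first.
# sort before uniq: uniq only merges adjacent lines, so an IP that appears
# in two separate bursts would otherwise be counted as two entries.
top_ssh_offenders() {
    grep 'Invalid user' "$1" \
        | sed -n 's/.*from \([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\).*/\1/p' \
        | sort \
        | uniq -dc \
        | sort -rn \
        | head -n "${2:-10}" \
        | awk '{print $1, $2}'
}

# Constructed sample log (not a real capture). 203.0.113.7 shows up in two
# separate bursts, some lines use the newer "port NNNN" suffix, one line is
# a successful login that must not be counted, and 192.0.2.44 appears once.
make_sample_log() {
    cat > "$1" <<'EOF'
Mar  1 10:00:01 host sshd[1001]: Invalid user admin from 203.0.113.7
Mar  1 10:00:02 host sshd[1002]: Invalid user admin from 203.0.113.7
Mar  1 10:00:03 host sshd[1003]: Invalid user test from 198.51.100.9 port 51234
Mar  1 10:00:04 host sshd[1004]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Mar  1 10:00:05 host sshd[1005]: Invalid user oracle from 198.51.100.9 port 51235
Mar  1 10:00:06 host sshd[1006]: Invalid user git from 198.51.100.9 port 51236
Mar  1 10:00:07 host sshd[1007]: Invalid user root2 from 203.0.113.7 port 51237
Mar  1 10:00:08 host sshd[1008]: Invalid user ubuntu from 192.0.2.44 port 51238
Mar  1 10:00:09 host sshd[1009]: Invalid user pi from 203.0.113.7 port 51239
EOF
}

# Build the sample log in a temp file and print the top N from it.
demo() {
    tmp=$(mktemp)
    make_sample_log "$tmp"
    top_ssh_offenders "$tmp" "${1:-10}"
    rm -f "$tmp"
}

demo
```

Running `demo` prints `4 203.0.113.7` and `3 198.51.100.9`; 192.0.2.44 is absent because uniq -d drops single hits, and the successful publickey login is never matched. To use it on a real box, call `top_ssh_offenders /var/log/auth.log 10` (or whichever file your sshd writes to), and pipe the result through `awk '{print $2}'` if you only want the addresses.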
IPs Trying to SSH into Your Server with whois Information
Here is a slightly more complex version that runs a whois lookup on each IP and pages the results with less. whois queries the regional registry for every address, so it is slow compared to the one-liner and the output is long; the echo line puts a header above each record so you can tell where one lookup ends and the next begins.
Viewing info for IPs
# for ip in $(grep "Invalid user" /var/log/messages | sed 's/.*from \([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\).*/\1/' | sort | uniq -dc | sort -rn | head -n 10 | awk '{print $2}'); do echo "=== $ip ==="; whois "$ip"; done | less