Post Reopened by Jeff Schaller, Stephen Harris, sam, Kiwy, JigglyNaga
added 43 characters in body; edited title
JigglyNaga


How to retrieve IP addresses?

I am checking a log file to retrieve IP addresses plus how many times a login failed. This is what my log file looks like:

Feb  2 15:20:02 tank sshd[14870]: Failed password for root from 143.100.67.173 port 13356 ssh2
Feb  2 15:20:07 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb  2 15:20:12 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb  2 15:20:16 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb  2 15:20:20 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb  2 15:20:23 tank sshd[14874]: Accepted password for root from 143.100.67.173 

Now, I want to also check how many times a login was accepted. The idea is to get an overview of brute-forcing attacks.

How do I extend

sed -nr '/Failed/{s/.*from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/;p}' | sort | uniq -c

to also check for accepted passwords? Something like

sed -nr '/Accepted|Failed/{s/.*from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/;p}' | sort | uniq -c

But instead of having an "or" between Accepted and Failed I would like to get a count result that would look like this:

123.53.163.22 3 2 -> IP, Failed, Accepted

This is related to How to retrieve IP addresses of possible ssh attackers?

How to retrieve counts of IP addresses from log file?

I am checking a log file to retrieve IP addresses plus how many times a login failed. This is what my log file looks like:

Feb  2 15:20:02 tank sshd[14870]: Failed password for root from 143.100.67.173 port 13356 ssh2
Feb  2 15:20:07 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb  2 15:20:12 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb  2 15:20:16 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb  2 15:20:20 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb  2 15:20:23 tank sshd[14874]: Accepted password for root from 143.100.67.173 

Now, I want to also check how many times a login was accepted. The idea is to get an overview of brute-forcing attacks.

How do I extend

sed -nr '/Failed/{s/.*from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/;p}' | sort | uniq -c

to also check for accepted passwords? Something like

sed -nr '/Accepted|Failed/{s/.*from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/;p}' | sort | uniq -c

But instead of having an "or" between Accepted and Failed I would like to get a count result that would look like this:

123.53.163.22 3 2

(The columns are: IP address, total Failed, total Accepted)

This is related to How to retrieve IP addresses of possible ssh attackers?
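One way to produce the requested "IP, total Failed, total Accepted" table in a single pass, as an added example that is not part of the original question or of any answer to it: a POSIX shell function wrapping awk. Instead of a greedy `.*` in front of a `[0-9]+` capture group (which hands the group only the last digit of the first octet, so `143.100.67.173` comes out as `3.100.67.173`), it takes the token that follows `from` on each sshd line, which also works for IPv6 sources. The log lines below are constructed for the example; the `Accepted publickey` line is there to show that filtering on the word `password` deliberately leaves key-based logins out of the count.

```sh
#!/bin/sh
# Added example, not code from the original question or its answers.
# Count sshd "Failed password" / "Accepted password" events per source
# address in one awk pass and print "<ip> <failed> <accepted>".

# Per-IP counter. Reads syslog-style sshd lines on stdin.
ssh_auth_counts() {
    awk '
        # Only password-auth outcomes; "Accepted publickey" etc. are ignored.
        /sshd\[[0-9]+\]: (Failed|Accepted) password for/ {
            # Take the token after "from" instead of a greedy .* before a
            # [0-9]+ group: the greedy form leaves the group only the last
            # digit of the first octet (3.100.67.173 instead of
            # 143.100.67.173). Field-based extraction also copes with IPv6.
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "") next
            seen[ip] = 1
            if ($0 ~ /Failed password/) failed[ip]++
            else accepted[ip]++
        }
        END {
            for (ip in seen)
                printf "%s %d %d\n", ip, failed[ip] + 0, accepted[ip] + 0
        }
    ' | sort -k2,2nr -k1,1   # most failures first, then by address
}

# Constructed sample input (assumed format: default OpenSSH syslog lines).
sample_log() {
    cat <<'EOF'
Feb  2 15:20:02 tank sshd[14870]: Failed password for root from 143.100.67.173 port 13356 ssh2
Feb  2 15:20:07 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb  2 15:20:12 tank sshd[14880]: Failed password for invalid user admin from 198.51.100.7 port 4022 ssh2
Feb  2 15:20:16 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb  2 15:20:23 tank sshd[14874]: Accepted password for root from 143.100.67.173 port 30595 ssh2
Feb  2 15:21:01 tank sshd[14901]: Accepted publickey for deploy from 203.0.113.9 port 50112 ssh2
Feb  2 15:21:05 tank sshd[14905]: Failed password for root from 2001:db8::5 port 40022 ssh2
EOF
}

# Usage on a real host: ssh_auth_counts < /var/log/auth.log
sample_log | ssh_auth_counts
```

Against the sample this prints `143.100.67.173 3 1`, `198.51.100.7 1 0` and `2001:db8::5 1 0`; the publickey login from 203.0.113.9 does not appear. On a host that logs through journald, feed the function the sshd unit's journalctl output instead of a file. Drop the word `password` from the awk pattern if you want publickey and keyboard-interactive outcomes counted as well.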

added 24 characters in body
sam


I am checking a log file to retrieve IP addresses plus how many times a login failed. This is what my log file looks like:

Feb  2 15:20:02 tank sshd[14870]: Failed password for root from 143.100.67.173 port 13356 ssh2
Feb  2 15:20:07 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb  2 15:20:12 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb  2 15:20:16 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb  2 15:20:20 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb  2 15:20:23 tank sshd[14874]: Accepted password for root from 143.100.67.173

Now, I want to also check how many times a login was accepted. The idea is to get an overview of brute-forcing attacks.

How do I extend

sed -nr '/Failed/{s/.*from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/;p}' | sort | uniq -c

to also check for accepted passwords? Something like

sed -nr '/Accepted|Failed/{s/.*from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/;p}' | sort | uniq -c

But instead of having an "or" between Accepted and Failed I would like to get a count result that would look like this:

123.53.163.22 3 2 -> IP, Failed, Accepted

This is related to How to retrieve IP addresses of possible ssh attackers?


added 664 characters in body


I am checking a log file to retrieve IP addresses plus how many times a login failed. Now, I want to also check how many times a login was accepted.

How do I extend

sed -nr '/Failed/{s/.*from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/;p}' | sort | uniq -c

to also check for accepted passwords? Something like

sed -nr '/Accepted|Failed/{s/.*from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/;p}' | sort | uniq -c

But instead of having an "or" between Accepted and Failed I would like to get a count result that would look like this:

123.53.163.22 3 2 -> IP, Failed, Accepted

This is related to How to retrieve IP addresses of possible ssh attackers?


Post Closed as "Needs details or clarity" by Sparhawk, Ipor Sircer, G-Man Says 'Reinstate Monica', RalfFriedl, Jeff Schaller