
I am checking a log file to retrieve IP addresses plus how many times a login failed. This is what my log file looks like:

Feb  2 15:20:02 tank sshd[14870]: Failed password for root from 143.100.67.173 port 13356 ssh2
Feb  2 15:20:07 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb  2 15:20:12 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb  2 15:20:16 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb  2 15:20:20 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb  2 15:20:23 tank sshd[14874]: Accepted password for root from 143.100.67.173 

Now, I want to also check for how many times the log was accepted. The idea is to get an overview over brute forcing attacks.

How do I extend

sed -nr '/Failed/{s/.* from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/;p}' | sort | uniq -c

to also check for accepted passwords? Something like

sed -nr '/Accepted|Failed/{s/.* from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/;p}' | sort | uniq -c

But instead of having an "or" between Accepted and Failed I would like to get a count result that would look like this:

123.53.163.22 3 2

(The columns are: IP address, total Failed, total Accepted)

This is related to How to retrieve IP addresses of possible ssh attackers?

  • From the command that you have, we can guess what your input might look like. We don't like to guess. Show a representative example of what your input looks like and what output you want to get. Commented Dec 3, 2018 at 16:40

1 Answer


Given the scant sample ....

cat horbaje
Feb  2 15:20:02 tank sshd[14870]: Failed password for root from 143.100.67.173 port 13356 ssh2
Feb  2 15:20:07 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb  2 15:20:12 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb  2 15:20:16 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb  2 15:20:20 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb  2 15:20:23 tank sshd[14874]: Accepted password for root from 143.100.67.173 

This, I think, does what you want:

awk '$6~/Failed/{a[$11][1]++}; $6~/Accepted/{a[$11][2]++} END{for(i in a){printf "%s\t%s\t%s\n",i,a[i][1]+0,a[i][2]+0}}' horbaje
143.100.67.173  5   1
  • Thank you tink, that was very helpful in solving my problem! Commented Dec 5, 2018 at 19:58
  • Pleased to hear =} Commented Dec 5, 2018 at 20:13
  • Follow-up question. If I want to find the IP address not by position, how would I replace a[$11][1] with something like a regex: a(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) ? Commented Dec 8, 2018 at 13:07
  • I'd do something like this: awk '{ip=gensub(/.* from ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*/,"\\1","1",$0)} $6~/Failed/{a[ip][1]++}; $6~/Accepted/{a[ip][2]++} END{for(i in a){printf "%s\t%s\t%s\n",i,a[i][1]+0,a[i][2]+0}}' horbaje Commented Dec 8, 2018 at 18:29
