
I'm trying to go over the /var/log/secure log file and show only the "Failed password" log type that appears at least 3 times. Is there any way to do that using Linux commands only? awk? grep?

An example of the secure log:

Mar 20 08:38:28 localhost sshd[21895]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mail.queued.net user=root 
Mar 20 08:38:31 localhost sshd[21895]: Failed password for root from 207.210.101.209 port 2854 ssh2 
Mar 20 15:38:31 localhost sshd[21896]: Received disconnect from 207.210.101.209: 11: Bye Bye 
Mar 20 08:38:32 localhost unix_chkpwd[21900]: password check failed for user (root) 
Mar 20 08:38:32 localhost sshd[21898]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=she

From this log file I expect nothing to be shown, because there is only 1 "Failed password" line, but let's say there were 4 lines of "Failed password" with the same IP. I want to display the IP address, which is probably trying to brute force me.

  • Can you post the sample contents of the /var/log/secure log file? Commented Dec 9, 2016 at 16:57

2 Answers


This is just one way to do the job. Instead of the username, I prefer to count how many times a specific IP address tries to connect to my host, because then I can eventually ban it.

awk '/Failed password/{ z[$11]++; } 
     END{ 
       for (i in z){ 
         if (z[i]>3) printf("%s attempts %s times.\n", i, z[i])
       }
}' /var/log/secure

(Of course it can be a one-liner command; I indented it to increase readability.)

Explanation:

awk reads the log file line by line. If a line contains the string /Failed password/, increment the array element z[$11]++ indexed by $11 (i.e. the IP address): I use this as a counter. At the end, go through the array z and print only the IP addresses that have tried to connect more than 3 times.
You can customize the check and the print message as you like.


If your concern is brute-force attempts, may I suggest using an existing tool such as Fail2ban, which scans log files and bans IPs that show malicious signs (for example: too many password failures, seeking exploits, etc.). It's easy to understand and configure to fit your needs.

  • Can you please explain your solution? Thank you for your help! Commented Dec 9, 2016 at 23:30
  • Hi, I'm trying to execute that script via subprocess as you can see: p=subprocess.Popen(["awk '/Failed password/' {z[$8]++;}END {printf("lala")}' secure"],stdout=subprocess.PIPE,shell=True) and I'm getting a syntax error. Everything works fine except for the print inside the END { }. What am I doing wrong? Commented Dec 11, 2016 at 1:23
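As an added example (not code from either answer), the same per-IP count written so that the IP is taken as the field after the word "from" rather than a fixed $11; that keeps "Failed password for invalid user NAME from IP" lines, whose extra words shift the field positions, in the count. The threshold and the log lines below are constructed for the demonstration.

```shell
#!/bin/sh
# Count "Failed password" lines per source IP from an sshd log on stdin and
# print "IP COUNT" for every IP at or above the threshold (default 3).
# The IP is the field following "from", so "invalid user" lines are handled.
failed_by_ip() {
    awk -v min="${1:-3}" '
        /Failed password/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { ip[$(i+1)]++; break }
        }
        END {
            for (a in ip)
                if (ip[a] >= min) printf("%s %d\n", a, ip[a])
        }' | sort
}

# Constructed sample log (not real data): 203.0.113.7 fails 4 times, one of
# them for an invalid username; 198.51.100.23 fails once. The pam_unix and
# "Received disconnect" lines must not be counted.
sample_log=$(cat <<'EOF'
Mar 20 08:38:28 localhost sshd[21895]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root
Mar 20 08:38:31 localhost sshd[21895]: Failed password for root from 203.0.113.7 port 2854 ssh2
Mar 20 08:38:35 localhost sshd[21897]: Failed password for invalid user admin from 203.0.113.7 port 2860 ssh2
Mar 20 08:38:40 localhost sshd[21899]: Failed password for root from 203.0.113.7 port 2871 ssh2
Mar 20 08:38:44 localhost sshd[21901]: Failed password for root from 203.0.113.7 port 2880 ssh2
Mar 20 08:39:02 localhost sshd[21903]: Failed password for alice from 198.51.100.23 port 40012 ssh2
Mar 20 08:39:05 localhost sshd[21903]: Received disconnect from 198.51.100.23: 11: Bye Bye
EOF
)

# Run it on the sample with the default threshold of 3.
printf '%s\n' "$sample_log" | failed_by_ip 3
```

Pipe a real file in with `failed_by_ip 3 < /var/log/secure`; lower the threshold to 1 to list every failing IP.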
$ awk '/Failed password/{for(i=1;i<=NF;i++)if($i~/for/)user[$(i+1)]++}END{for(j in user){if(user[j]>3){printf("%s : %s times failed\n",j,user[j])}}}' /var/log/secure
  • If I understand the question correctly, then I think your answer does not do what OP is asking for. Commented Dec 9, 2016 at 17:58
  • Can you explain what OP is asking for? If you have sample contents of the secure file, can you post them... Commented Dec 9, 2016 at 18:01
  • /var/log/secure holds lines like "DATE HOST DAEMON: Failed Password for user kamaraj ip 12.34.56.78 port 3456". (I think) he wants the usernames/IPs, that have tried/failed 3 times or more. Commented Dec 9, 2016 at 18:07
  • Hmm.. let's wait for OP to provide the exact requirement and example file contents... Commented Dec 9, 2016 at 18:08
  • Yeah, I'm also waiting for clarification. Commented Dec 9, 2016 at 18:10
