Monitoring /var/log/auth.log for intrusion

# Monitoring /var/log/auth.log for intrusion
#
# REF: https://unix.stackexchange.com/questions/123029/history-of-ip-addresses-that-accesed-a-server-via-ssh
# REF: https://unix.stackexchange.com/questions/190907/how-to-retrieve-ip-addresses-of-possible-ssh-attackers
# feb 2018
#

# sample /var/log/auth.log
=====
Feb 22 14:06:03 zentyal sshd[28061]: Failed password for root from 115.238.245.4 port 35807 ssh2
Feb 22 14:06:03 zentyal sshd[28061]: Received disconnect from 115.238.245.4: 11: [preauth]
Feb 22 14:06:03 zentyal sshd[28061]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.238.245.4 user=root
Feb 22 14:06:09 zentyal sshd[28068]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.238.245.4 user=root
Feb 22 14:06:10 zentyal sshd[28068]: Failed password for root from 115.238.245.4 port 32916 ssh2
Feb 22 14:06:13 zentyal sshd[28068]: Failed password for root from 115.238.245.4 port 32916 ssh2
=====

# This will list IPs and the number of times each IP tried …

grep "Failed password for" /var/log/auth.log | grep -Po "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | sort | uniq -c

1 43.229.205.182
1 47.223.140.95
2786 5.188.86.46
1 54.2.63.218
2 59.182.130.89
3 61.6.107.192
7 66.84.25.210
4 78.165.8.203

# This greps for rhost=, the field in the PAM lines that holds the hostname/IP of the client that tried.
# Then use geoiplookup from the geoip-bin package to look up the country of each host.

zgrep sshd /var/log/auth.log* | grep rhost | sed -re 's/.*rhost=([^ ]+).*/\1/' | sort -u

web1.status-telecom.ru
wsip-70-169-35-74.tu.ph.cox.net
wsip-70-182-157-6.br.br.cox.net
www2.daniweb.com
www2.hcchurch.org.tw
xplr-204-237-24-107.xplornet.com
y117067.ppp.asahi-net.or.jp

# Another one-liner to count all failed attempts per IP and sort them in descending order (hi-lo)

awk '/Failed/ {x[$(NF-3)]++} END {for (i in x){printf "%3d %s\n", x[i], i}}' /var/log/auth.log | sort -nr

588 119.249.54.217
499 185.143.223.4
459 103.213.115.45
348 209.92.176.114
113 37.72.176.165
80 35.201.226.248
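The same checks as the grep/awk/sed one-liners above, written as a small Python parser so the counts can be split by user as well as by IP and "invalid user" guesses stand out. This is an added example, not part of the original notes; the log lines inside it are constructed in the format shown in the sample above and the 198.51.100.7 / 203.0.113.9 addresses and host.example.net are documentation placeholders.

```python
import re
from collections import Counter

# Constructed sample in the auth.log format shown above (not a real capture).
SAMPLE_AUTH_LOG = """\
Feb 22 14:06:03 zentyal sshd[28061]: Failed password for root from 115.238.245.4 port 35807 ssh2
Feb 22 14:06:03 zentyal sshd[28061]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.238.245.4 user=root
Feb 22 14:06:10 zentyal sshd[28068]: Failed password for root from 115.238.245.4 port 32916 ssh2
Feb 22 14:07:01 zentyal sshd[28070]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Feb 22 14:07:05 zentyal sshd[28070]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host.example.net user=admin
Feb 22 14:08:00 zentyal sshd[28075]: Accepted publickey for alice from 203.0.113.9 port 50000 ssh2
"""

# "invalid user" is optional: sshd adds it when the account does not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)
# rhost= is what the PAM lines carry; it may be a hostname rather than an IP.
RHOST_RE = re.compile(r"rhost=(?P<rhost>\S+)")


def count_failed_by_ip(text):
    """Same result as the grep/uniq -c and awk one-liners: failures per source IP."""
    counts = Counter()
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def count_failed_by_user(text):
    """Which usernames are being guessed; '(invalid)' marks accounts that do not exist."""
    counts = Counter()
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("user") + (" (invalid)" if m.group("invalid") else "")] += 1
    return counts


def rhosts(text):
    """Same as the sed rhost= pipeline: unique hosts/IPs reported by PAM, sorted."""
    return sorted({m.group("rhost") for m in RHOST_RE.finditer(text)})


def sources_over_threshold(text, threshold):
    """IPs with at least `threshold` failures, highest first (what fail2ban acts on)."""
    return [(ip, n) for ip, n in count_failed_by_ip(text).most_common() if n >= threshold]


if __name__ == "__main__":
    for ip, n in sources_over_threshold(SAMPLE_AUTH_LOG, 2):
        print(f"{n:3d} {ip}")
```

Run it against the real file with `sources_over_threshold(open("/var/log/auth.log").read(), 5)`; note that a "PAM N more authentication failures" line summarises attempts that have no individual "Failed password" line, so the per-line count is a lower bound.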

# Also, look at other packages like fail2ban and http://denyhosts.sourceforge.net/

END