
Simple /var/log/secure analysis

I could hear my development server's hard drive ticking over more than normal, so I thought I'd check it out. It turned out that someone was running a script against my ssh server looking for standard usernames. Not likely to get anywhere: my remote root access is turned off (of course) and there are very few usernames (all custom) with password login enabled.

I turned on the intrusion filter on my firewall, so we'll see how that goes. Hopefully it won't impede real connections to my cvs etc.

For completeness I thought I'd add the IP address to the blacklist in my firewall. I saw a sea of attempted connections in my /var/log/secure log and came up with this very simple shell script to sift hack attempts out from bad typing days by either myself or my clients. In case it's useful for anyone I thought I'd blog it:

for ip in `awk '/Illegal user/ {print $10}' /var/log/secure | sort -u`; do echo "$ip : "`grep -cF -- "$ip" /var/log/secure`; done

It makes some pretty wild assumptions but it did the trick for me. It gives output like:

202.136.62.130 : 16
210.0.204.27 : 762
211.137.76.105 : 887
218.247.185.214 : 29
???.133.81.251 : 4
??.143.0.183 : 4
61.187.8.54 : 329
??.205.204.190 : 5

I whacked it in a root cron file so I'll get a report each day. (Note I anonymized the low count IPs because I assume that it's me or a client just typing our usernames poorly.)

02:36 AM, 10 Oct 2006 by Mark Aufflick
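A slightly sturdier version of the one-liner, added here as an example rather than code from the post: it matches both the "Illegal user" wording above and the "Invalid user" wording newer sshd releases log, picks the address out of the "from" token instead of assuming it is field 10, and applies a threshold so the handful of mistyped-username attempts are left out of the report. The log lines and addresses are constructed sample data.

```shell
#!/bin/sh
# count_by_ip LOGFILE -> lines of "ip count", highest count first.
# Only sshd "Illegal user"/"Invalid user" lines are counted, and the
# address is the token after "from" (no fixed column assumed).
count_by_ip() {
    awk '/sshd.*(Illegal|Invalid) user/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print ip, n[ip] }' "$1" | sort -k2,2nr
}

# report LOGFILE THRESHOLD -> only IPs with at least THRESHOLD attempts,
# so a client fat-fingering a username a few times is not listed.
report() {
    count_by_ip "$1" | awk -v t="$2" '$2 >= t'
}

# Constructed sample log (documentation-range addresses, made-up host).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Oct 10 02:01:11 dev sshd[2201]: Illegal user admin from 192.0.2.10
Oct 10 02:01:12 dev sshd[2202]: Illegal user test from 192.0.2.10
Oct 10 02:01:13 dev sshd[2203]: Illegal user oracle from 192.0.2.10
Oct 10 02:05:40 dev sshd[2210]: Invalid user guest from 198.51.100.7
Oct 10 02:05:41 dev sshd[2211]: Invalid user guest from 198.51.100.7
Oct 10 02:20:00 dev sshd[2230]: Illegal user mrak from 203.0.113.5
Oct 10 02:20:05 dev sshd[2231]: Accepted password for mark from 203.0.113.5 port 51822 ssh2
EOF

# Usage: report "$SAMPLE_LOG" 2    (or point it at /var/log/secure from cron)
```

Running `report "$SAMPLE_LOG" 2` lists 192.0.2.10 and 198.51.100.7 but not 203.0.113.5, whose single typo-then-success is exactly the case the threshold is meant to skip.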

works great!

Thanks Mark, this was very helpful! I had to use "Invalid user" as the grep string, instead of "Illegal user", but otherwise works for me (running a CentOS plesk server). Hopefully blocking these bad IPs will solve our FTP time-out/disconnect issues, but that may be an entirely different issue. These IPs keep slamming the server with requests, so I'm sure it's slowing things down. Jason

by Unregistered Visitor on 09/15/09

Helpful

Thanks for this. I came to this page from a search for the same reason (/var/log/secure log messages) and found I have 3-4 thousand attempts per IP! Looking up how to turn on this firewall you mention... As above, I had to use 'Invalid user'

by Unregistered Visitor on 03/02/10
