
Simple /var/log/secure analysis

I could hear my development server hard drive ticking over more than normal, so I thought I'd check it out. It turned out that I had someone running a script against my ssh server looking for standard usernames. Not likely. My remote root access is turned off (of course) and there's very few usernames (all custom) with password login enabled.

I turned on the intrusion filter on my firewall, so we'll see how that goes. Hopefully it won't impede real connections to my cvs etc.

For completeness I thought I'd add the IP address to the blacklist in my firewall. I saw a sea of attempted connections in my /var/log/secure log and came up with this very simple shell script to sift hack attempts out from bad typing days by either myself or my clients. In case it's useful for anyone I thought I'd blog it:

# $10 is the address in "sshd[pid]: Illegal user NAME from ADDR" lines; newer sshd says "Invalid user".
# grep -F stops the dots in the address acting as regex wildcards, -w stops 1.2.3.4 also counting 11.2.3.45.
for ip in `awk '/Illegal user|Invalid user/ {print $10}' /var/log/secure | sort -u`; do echo "$ip : "`grep -cwF -- "$ip" /var/log/secure`; done

It makes some pretty wild assumptions but it did the trick for me. It gives output like:

202.136.62.130 : 16
210.0.204.27 : 762
211.137.76.105 : 887
218.247.185.214 : 29
???.133.81.251 : 4
??.143.0.183 : 4
61.187.8.54 : 329
??.205.204.190 : 5
I whacked it in a root cron file so I'll get a report each day. (Note I anonymized the low-count IPs because I assume that it's me or a client just typing our usernames poorly.)
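The same sifting done as a single awk pass, as an added example that is not the script from the post above. It aggregates per source address inside awk instead of re-grepping the log once per address, so one address can never be counted as a substring of another, it accepts both the old "Illegal user" and the newer "Invalid user" sshd wording, and it strips the "::ffff:" prefix some sshd builds put in front of IPv4 addresses so both forms of one address add up together. The function names (probe_counts, flag_sources), the log lines and the threshold are all constructed for the example.

```shell
#!/bin/sh
# Added example, not the original post's script.
# Constructed sample of /var/log/secure lines: three probes from one host,
# two from another in both log wordings, one failed name followed by a
# successful key login (a legitimate user mistyping), and an address that
# is a suffix of another (210.0.204.27 vs 10.0.204.27).
SAMPLE_LOG='Oct 10 02:31:07 dev sshd[4012]: Illegal user admin from 210.0.204.27
Oct 10 02:31:09 dev sshd[4015]: Illegal user test from 210.0.204.27
Oct 10 02:31:11 dev sshd[4018]: Illegal user oracle from 210.0.204.27
Oct 10 02:31:12 dev sshd[4021]: Invalid user guest from 61.187.8.54
Oct 10 02:31:15 dev sshd[4024]: Illegal user admin from ::ffff:61.187.8.54
Oct 10 02:35:40 dev sshd[4030]: Illegal user mark from 202.136.62.130
Oct 10 02:36:02 dev sshd[4033]: Accepted publickey for mark from 202.136.62.130 port 51022 ssh2
Oct 10 02:40:00 dev sshd[4040]: Illegal user admin from 10.0.204.27'

# Read log text on stdin; print "ADDRESS COUNT" per source address named in
# an Illegal/Invalid user line, busiest first (ties broken by address).
probe_counts() {
    awk '
        /Illegal user|Invalid user/ {
            ip = ""
            # take the field after "from" rather than a fixed column, so the
            # count survives extra fields such as "port NNNN" on newer sshd
            for (i = 1; i < NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "") next
            sub(/^::ffff:/, "", ip)      # IPv4-mapped form of the same host
            count[ip]++
        }
        END { for (ip in count) print ip, count[ip] }
    ' | sort -k2,2nr -k1,1
}

# Read log text on stdin; print only addresses with at least $1 probes
# (default 10, an assumed cut-off separating scanners from typos).
flag_sources() {
    threshold=${1:-10}
    probe_counts | awk -v t="$threshold" '$2 >= t { print $1 }'
}

# Stand-alone run over the sample; on a real box replace the printf with
# "cat /var/log/secure".
printf '%s\n' "$SAMPLE_LOG" | probe_counts
printf '%s\n' "$SAMPLE_LOG" | flag_sources 2
```

The threshold is the part worth tuning: a single bad login from a known address is a typo, a few hundred distinct usernames from one address in a few minutes is a scanner, and only the second belongs in a firewall blacklist.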

02:36 AM, 10 Oct 2006 by Mark Aufflick Permalink
