First Attempt at Searching for Failed SSH Logins

Nobody likes to log into their server and see that there have been over 31,000 failed login attempts in a few days!

[andy@bashful ~]$ ssh [email protected]
Last failed login: Sun Feb  8 16:31:28 UTC 2015 from 218.65.30.73 on ssh:notty
There were 31673 failed login attempts since the last successful login.
Last login: Tue Feb  3 19:26:42 2015
[root@bashful ~]#

I clearly need to make some improvements here! However, first I want to record the number of failed login attempts so I can compare later, after my changes.

Failed SSH login attempts are logged in /var/log/secure on Red Hat based systems (CentOS, Fedora); Debian and Ubuntu write the same sshd messages to /var/log/auth.log instead. Here we use a number of commands to get the information we want.

First I want to see what date the log file starts from. We do this with the head command, looking at just the top line. Remember that the log is rotated, so the current file only covers the period since the last rotation; older entries live in the rotated copies alongside it.

[root@bashful ~]# head -n 1 /var/log/secure
Feb  1 04:55:13 bashful sshd[21542]: reverse mapping checking getaddrinfo for 147.4.161.222.adsl-pool.jlccptt.net.cn [222.161.4.147] failed - POSSIBLE BREAK-IN ATTEMPT!

Not too surprisingly, it logs up to the current date. Here we look at the last line.

[root@bashful ~]# tail -n 1 /var/log/secure
Feb  8 17:53:11 bashful sshd[1748]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.239.228.14  user=root

You can of course use the less command to view the whole file if you wish. From within less, the "Home" and "End" keys (or g and G) jump to the top and the bottom of the file.

[root@bashful ~]# less /var/log/secure

Another useful tip: to search forward for a particular word, type a forward slash (/) followed by the search pattern. You can also search backwards, using a question mark (?) followed by the search string. Press n to jump to the next match.

Next you might want to see how many failed login attempts there were on one given day. Here we use grep to strip out everything other than the day we are interested in. Note the two spaces between "Feb" and "8": syslog pads single-digit days to two characters, so "Feb 10" has only one space. We pipe the output into less because there may be a lot of results.

[root@bashful ~]# grep "Feb  8" /var/log/secure | less

Now we want to search for the failed root login attempts. Here we use "-i" to ignore case. Again we pipe into less to check the output.

[root@bashful ~]# grep "Feb  8" /var/log/secure | grep -i "failed password for root" | less

It makes sense to count the lines to see how many failed attempts there have been. We do this with the wc command, giving it the "-l" argument to count lines.

[root@bashful ~]# grep "Feb  8" /var/log/secure | grep -i "failed password for root" | wc -l
5269

You might also want to see which other usernames (other than root) were tried. The "-v" option inverts the match, dropping every line that contains the pattern. We do need to widen the second grep pattern to include all login attempts: "failed password for". Be aware that -v "root" drops any line with "root" anywhere in it, so an attempt against a user such as "rooter" would disappear too; "for root from" is a tighter pattern. The "invalid user" lines below are attempts against accounts that do not exist on this box at all.

[root@bashful ~]# grep "Feb  8" /var/log/secure | grep -i "failed password for" | grep -v "root"
Feb  8 06:33:43 bashful sshd[12070]: Failed password for invalid user ubnt from 213.182.43.222 port 5461 ssh2
Feb  8 06:33:47 bashful sshd[12074]: Failed password for invalid user admin from 213.182.43.222 port 5680 ssh2
Feb  8 06:33:54 bashful sshd[12079]: Failed password for invalid user guest from 213.182.43.222 port 6203 ssh2
Feb  8 06:33:58 bashful sshd[12081]: Failed password for invalid user admin from 213.182.43.222 port 6487 ssh2
Feb  8 06:34:02 bashful sshd[12083]: Failed password for invalid user support from 213.182.43.222 port 6709 ssh2
Feb  8 06:34:06 bashful sshd[12085]: Failed password for invalid user test from 213.182.43.222 port 6960 ssh2
Feb  8 06:34:09 bashful sshd[12117]: Failed password for invalid user user from 213.182.43.222 port 7189 ssh2
Feb  8 08:11:34 bashful sshd[14988]: Failed password for invalid user support from 62.4.9.24 port 60782 ssh2
Feb  8 08:11:37 bashful sshd[14991]: Failed password for invalid user admin from 62.4.9.24 port 53004 ssh2
Feb  8 08:12:46 bashful sshd[15033]: Failed password for invalid user ftpuser from 62.4.9.24 port 52349 ssh2
Feb  8 08:13:24 bashful sshd[15055]: Failed password for ftp from 62.4.9.24 port 50704 ssh2
Feb  8 08:13:28 bashful sshd[15058]: Failed password for invalid user admIndian from 62.4.9.24 port 57960 ssh2
Feb  8 08:13:45 bashful sshd[15063]: Failed password for invalid user webmaster from 62.4.9.24 port 58351 ssh2
Feb  8 08:13:58 bashful sshd[15065]: Failed password for invalid user sales from 62.4.9.24 port 51314 ssh2
Feb  8 08:14:10 bashful sshd[15097]: Failed password for invalid user demo from 62.4.9.24 port 53511 ssh2
Feb  8 17:26:41 bashful sshd[407]: Failed password for invalid user paras from 61.132.161.130 port 54894 ssh2
Feb  8 17:26:51 bashful sshd[421]: Failed password for invalid user nan from 61.132.161.130 port 57520 ssh2
Feb  8 17:27:02 bashful sshd[439]: Failed password for invalid user r00t from 61.132.161.130 port 60222 ssh2
Feb  8 17:27:07 bashful sshd[445]: Failed password for invalid user payment from 61.132.161.130 port 33047 ssh2
Feb  8 17:27:17 bashful sshd[461]: Failed password for invalid user xVIRal from 61.132.161.130 port 35380 ssh2
Feb  8 17:27:23 bashful sshd[473]: Failed password for invalid user nan from 61.132.161.130 port 36682 ssh2
[root@bashful ~]#

For now I am more worried about my root user and want to see how many failed root login attempts there were for each day in the log file, which in this example is the 1st to the 8th of February. We do this by using the same grep and wc pipeline as before, but putting it in a loop. So the command is:

grep "Feb  8" /var/log/secure | grep -i "failed password for root" | wc -l

But we can put this in a loop like so, with the loop variable standing in for the day. The two spaces in "Feb  $i" only match single-digit days, which is fine for the 1st to the 8th; for the 10th onwards you would need a single space.

[root@bashful ~]# for i in $(seq 1 8); do grep "Feb  $i" /var/log/secure | grep -i "failed password for root" | wc -l; done
515
388
14042
6815
3536
4307
9200
5269

And just for clarity we label each day's count with a message using the echo command.

[root@bashful ~]# for i in $(seq 1 8); do echo "Failed root login attempts on Feb $i:"; grep "Feb  $i" /var/log/secure | grep -i "failed password for root" | wc -l; done
Failed root login attempts on Feb 1:
515
Failed root login attempts on Feb 2:
388
Failed root login attempts on Feb 3:
14042
Failed root login attempts on Feb 4:
6815
Failed root login attempts on Feb 5:
3536
Failed root login attempts on Feb 6:
4307
Failed root login attempts on Feb 7:
9200
Failed root login attempts on Feb 8:
5269
[root@bashful ~]#
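The same counts can be produced more robustly by splitting each line into fields with awk rather than stacking greps: the day padding problem goes away (awk splits on runs of whitespace), the username is matched exactly instead of as a substring, and the same pass can group by attempted user or by source IP, which is what you want before deciding what to block. This is an added example, not code from the original post. It assumes the sshd line format shown above (RHEL/CentOS /var/log/secure); the log lines embedded in it are constructed sample data, and the SECURE_LOG variable name is my own choice.

```shell
#!/bin/sh
# Added example: per-day, per-user and per-source counts of failed SSH password
# attempts, parsed field by field with awk. Assumes sshd lines in the syslog
# format used by /var/log/secure on RHEL/CentOS. With SECURE_LOG unset it reads
# the constructed sample below so it runs offline; set SECURE_LOG=/var/log/secure
# to run it against a real host.

# Constructed sample log (not real data): modelled on the lines in the post, plus
# a day >= 10 (one space after "Feb") and a user called "rooter" to show the
# cases that the grep "Feb  $i" / grep -v "root" approach gets wrong.
sample_log() {
cat <<'EOF'
Feb  1 04:55:13 bashful sshd[21542]: Failed password for root from 218.65.30.73 port 52111 ssh2
Feb  1 05:10:02 bashful sshd[21560]: Failed password for invalid user admin from 213.182.43.222 port 5680 ssh2
Feb  3 19:26:42 bashful sshd[30012]: Accepted publickey for root from 10.0.0.5 port 40001 ssh2
Feb  8 06:33:43 bashful sshd[12070]: Failed password for invalid user ubnt from 213.182.43.222 port 5461 ssh2
Feb  8 08:13:24 bashful sshd[15055]: Failed password for ftp from 62.4.9.24 port 50704 ssh2
Feb  8 17:26:41 bashful sshd[407]: Failed password for root from 61.132.161.130 port 54894 ssh2
Feb  8 17:26:51 bashful sshd[421]: Failed password for root from 61.132.161.130 port 57520 ssh2
Feb  8 17:27:02 bashful sshd[439]: Failed password for invalid user r00t from 61.132.161.130 port 60222 ssh2
Feb 10 01:02:03 bashful sshd[500]: Failed password for invalid user rooter from 198.51.100.9 port 1234 ssh2
Feb 10 01:02:09 bashful sshd[501]: Failed password for root from 198.51.100.9 port 1235 ssh2
EOF
}

# Source of log lines: the real file if SECURE_LOG is set, else the sample.
log_lines() {
    if [ -n "${SECURE_LOG:-}" ]; then cat "$SECURE_LOG"; else sample_log; fi
}

# Fields of a failure line: $1 month, $2 day, $3 time, $4 host, $5 "sshd[pid]:",
# $6 "Failed", $7 "password", $8 "for", then either $9 "root" (existing account)
# or $9 "invalid" $10 "user" $11 name. awk splits on whitespace runs, so
# "Feb  8" and "Feb 10" parse identically and no padding trick is needed.

# Number of failed password attempts against root on the given day of February.
# Comparing $9 == "root" exactly does not match "rooter" or "invalid user root".
failed_root_count() {
    log_lines | awk -v day="$1" '
        $1 == "Feb" && $2 == day && $6 == "Failed" && $7 == "password" && $9 == "root" { n++ }
        END { print n + 0 }'
}

# Failed attempts per attempted username, most frequent first.
failed_by_user() {
    log_lines | awk '
        $6 == "Failed" && $7 == "password" {
            user = ($9 == "invalid") ? $11 : $9
            count[user]++
        }
        END { for (u in count) print count[u], u }' | sort -rn
}

# Failed attempts per source IP (the field after "from"), most frequent first.
failed_by_source() {
    log_lines | awk '
        $6 == "Failed" && $7 == "password" {
            for (i = 8; i <= NF; i++) if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (ip in count) print count[ip], ip }' | sort -rn
}

# The per-day loop from the post, for Feb 1 to 10, without the padding problem.
daily_report() {
    for d in $(seq 1 10); do
        printf 'Failed root login attempts on Feb %d: %s\n' "$d" "$(failed_root_count "$d")"
    done
}

daily_report
echo "--- failed attempts by username ---"
failed_by_user
echo "--- failed attempts by source IP ---"
failed_by_source
```

The per-source table is the one to keep for the follow-up: a handful of addresses usually account for most of the noise, and it gives you a before-and-after baseline for whatever rate limiting or key-only authentication you put in place.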

Now I need to secure my server! But that's another post, folks!
