Fun with pipes! Just a quick Bash snippet for getting a good look at who’s attempting to log in to your Linux or other standard GNU system:
#shell> lastb -w | sort | awk '{print $1, "\t", $3}' | uniq | less
Here’s a quick summary of what’s going on here:
lastb reads and echoes the contents of the failed login database, generally located at /var/log/btmp. The -w (wide) flag ensures it doesn’t ellipsize or otherwise truncate the username field (or the host field, which we print below).
sort orders the lastb output alphabetically, so that identical lines end up next to each other.
This awk snippet prints the 1st and 3rd columns of the sorted lastb output, which are the username and source address respectively, separating them with a tab for ease of reading.
uniq gets rid of duplicate entries, but only if they are on adjacent lines. This is the other reason we used sort earlier.
Finally, less is just a pager. Feel free to replace it with output redirection to a file.
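As an added example (not part of the original post), here is the same pipeline run over a constructed sample of lastb -w output, so it can be tried without a real /var/log/btmp. The sample lines, the hostnames and the helper names (sample_lastb, unique_pairs, attempts_by_host and so on) are all made up for this illustration; it also goes one step beyond the post by counting attempts per source host, and shows what happens when the sort is left out.

```shell
# Added example, not from the original post. The sample below is a constructed
# imitation of `lastb -w` output (user, tty, host, date columns); the addresses
# are documentation ranges, not real attackers.
export LC_ALL=C

sample_lastb() {
    cat <<'EOF'
root     ssh:notty    198.51.100.7     Mon Dec  1 03:14 - 03:14  (00:00)
admin    ssh:notty    198.51.100.7     Mon Dec  1 03:15 - 03:15  (00:00)
abc123   ssh:notty    203.0.113.9      Mon Dec  1 04:02 - 04:02  (00:00)
root     ssh:notty    198.51.100.7     Mon Dec  1 03:50 - 03:50  (00:00)
root     ssh:notty    203.0.113.9      Mon Dec  1 04:03 - 04:03  (00:00)
abc123   ssh:notty    198.51.100.7     Mon Dec  1 05:40 - 05:40  (00:00)
EOF
}

# Count lines without the leading whitespace some wc implementations print.
count_lines() {
    awk 'END { print NR }'
}

# The post's pipeline, minus lastb itself and less: sort whole lines first so
# identical (user, host) pairs become adjacent, project to user + host, then
# collapse the duplicates with uniq.
unique_pairs() {
    sample_lastb | sort | awk '{print $1 "\t" $3}' | uniq
}

# The same projection without the sort: uniq only drops *adjacent* duplicates,
# so the repeated root / 198.51.100.7 pair survives. This is the post's caveat.
pairs_without_sort() {
    sample_lastb | awk '{print $1 "\t" $3}' | uniq
}

# One step beyond the post: attempts per source host, busiest first. This is
# the view you want before deciding which sources to block or report.
attempts_by_host() {
    sample_lastb | awk '{print $3}' | sort | uniq -c | sort -rn
}

# Usage
echo "unique user/host pairs:"; unique_pairs
echo "attempts per host:";      attempts_by_host
```

With the constructed sample, unique_pairs yields five pairs while pairs_without_sort yields six, which is exactly the adjacency behaviour of uniq that the post describes; attempts_by_host puts 198.51.100.7 on top with four attempts.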
And the output, with IP addresses randomised to protect the privacy of my attackers:
123456 89.101.45.51
123 89.101.45.51
1 63.200.120.14
2014 63.200.120.14
2015 63.200.120.14
2 63.200.120.14
aaa 63.200.120.14
aaron 63.200.120.14
aa 63.200.120.14
abc123 17.252.186.40
abc123 42.22.165.211
abc123 mail2.example.website.ru
…plus your typical number of root, admin, test, oracle and mysql attempts. Can’t quite explain the xxxxxxxxxxxxxxxxxx attempt though.
7 replies on “Who’s trying to break in to your Linux box?”
I feel sad and left out. No one has tried to pwn my box. D:
Not as sad as the people who own entire IP blocks and use them to attack my server…
root@caira:/var# lastb -w | sort | awk '{print $1, "\t", $3}' | uniq | wc -l
3860
Removing the uniq from that should be impressive!
7858
Take a look into Fail2Ban, if you haven’t already. I implemented it on December 14th:
cat /var/log/auth.log* | grep 'Failed password' | grep sshd | awk '{print $1,$2}' | sort -k 1,1M -k 2n | uniq -c
9306 Dec 7
9714 Dec 8
9288 Dec 9
7392 Dec 10
4848 Dec 11
1089 Dec 12
4103 Dec 13
3656 Dec 14
73 Dec 15
29 Dec 16
78 Dec 17
62 Dec 18
31 Dec 19
25 Dec 20
A great tutorial is here: https://help.ubuntu.com/community/Fail2ban
A couple of tweaks: 1) lower your maxretry count to 1 or 2, unless you’re terrible at typing your own password remotely. 2) Lengthen the lockout timer. It seems that some of the guys attempting remote access will retry after the default fail2ban time of 10 min.
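As an added example (not the commenter's own code), the per-day count above run over a few constructed auth.log lines. The hostname, process ids and addresses in the sample are made up, and the helper names (sample_auth_log, failed_per_day, as_csv) are assumptions for this illustration. It shows why the comment's sort -k 1,1M -k 2n matters: a plain sort would place "Dec 10" before "Dec 2" and November after December.

```shell
# Added example, not from the comment above. The log lines are a constructed
# imitation of sshd entries in /var/log/auth.log; the host and IPs are made up.
export LC_ALL=C

sample_auth_log() {
    cat <<'EOF'
Nov 30 23:58:01 host1 sshd[2301]: Failed password for root from 198.51.100.7 port 40022 ssh2
Dec  1 00:00:12 host1 sshd[2310]: Failed password for invalid user admin from 198.51.100.7 port 40100 ssh2
Dec  1 00:01:45 host1 sshd[2312]: Failed password for root from 203.0.113.9 port 51000 ssh2
Dec  1 09:30:00 host1 sshd[2313]: Accepted password for alice from 192.0.2.5 port 5000 ssh2
Dec  2 03:10:00 host1 sshd[2400]: Failed password for root from 203.0.113.9 port 51020 ssh2
Dec 10 08:00:00 host1 sshd[2500]: Failed password for root from 198.51.100.7 port 40200 ssh2
EOF
}

# The comment's pipeline: month-aware (-M) sort on the first field, numeric (-n)
# sort on the day, so uniq -c groups each day and days come out in calendar order.
failed_per_day() {
    sample_auth_log | grep 'Failed password' | grep sshd \
        | awk '{print $1,$2}' | sort -k 1,1M -k 2n | uniq -c
}

# The same count with a plain sort, for comparison: lexical, not calendar, order.
failed_per_day_lexical() {
    sample_auth_log | grep 'Failed password' | grep sshd \
        | awk '{print $1,$2}' | sort | uniq -c
}

# Flatten "count month day" lines into one comparable string, e.g. "1-Nov-30,2-Dec-1,".
as_csv() {
    awk '{ printf "%s-%s-%s,", $1, $2, $3 }'
}

# Usage
echo "failed passwords per day (calendar order):"; failed_per_day
echo "same, plain sort (lexical order):";           failed_per_day_lexical
```

On the sample, failed_per_day reports Nov 30, Dec 1 (two attempts), Dec 2 and Dec 10 in that order, whereas the plain sort lists Dec 1, Dec 10, Dec 2 and then Nov 30. The successful "Accepted password" line is correctly left out of both counts.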
Absolutely, Fail2ban is an excellent program and I have it running on all of my machines. Fail2ban tweaks are always appreciated – cheers!