Categories
Linux

Who’s trying to break in to your Linux box?

Fun with pipes! Just a quick Bash snippet for getting a good look at who’s attempting to log in to your Linux or other standard GNU system:

#shell> lastb -w | sort | awk '{print $1, "\t", $3}' | uniq | less

Here’s a quick summary of what’s going on here:

lastb reads and echoes the contents of the failed login database, generally located at /var/log/btmp. The -w flag just ensures it doesn’t ellipse or otherwise cut-off the username field.

sort very simply sorts the output of lastb alphabetically.

This awk snippet prints the 1st and 3rd columns of the sorted lastb output, which are username and source address respectively, separating them with a tab for ease of reading.

uniq gets rid of any duplicate entries, but only if they are on adjacent lines. This is another reason we used sort earlier.

Finally, less is just a decent file reader. Feel free to replace with output redirection to a file.

And the output. IP addresses randomised to defend the privacy of my attackers:

123456   89.101.45.51
123      89.101.45.51
1        63.200.120.14
2014     63.200.120.14
2015     63.200.120.14
2        63.200.120.14
aaa      63.200.120.14
aaron    63.200.120.14
aa       63.200.120.14
abc123   17.252.186.40
abc123   42.22.165.211
abc123   mail2.example.website.ru

…plus your typical number of root, admin, test, oracle and mysql attempts. Can’t quite explain the xxxxxxxxxxxxxxxxxx attempt though.

7 replies on “Who’s trying to break in to your Linux box?”

Take a look into Fail2Ban, if you haven’t already. I implemented it on December 14th:

cat /var/log/auth.log* | grep 'Failed password' | grep sshd | awk '{print $1,$2}' | sort -k 1,1M -k 2n | uniq -c
9306 Dec 7
9714 Dec 8
9288 Dec 9
7392 Dec 10
4848 Dec 11
1089 Dec 12
4103 Dec 13
3656 Dec 14
73 Dec 15
29 Dec 16
78 Dec 17
62 Dec 18
31 Dec 19
25 Dec 20

A great tutorial is here: https://help.ubuntu.com/community/Fail2ban

A couple of tweaks: 1) lower your maxretry count to 1 or 2, unless you’re terrible at typing your own password remotely. 2) Lengthen the lockout timer. It seems that some of the guys attempting remote access will retry after the default fail2ban time of 10 min.

Absolutely, Fail2ban is an excellent program and I have it running on all of my machines. Fail2ban tweaks are always appreciated – cheers!

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.