Analyse illegal SSH login attempts

Filter the authentication log file for failed authentications and count the attempts (lines in the log file):

grep -i fail /var/log/auth.log | wc -l

Check for all attacks with non-existing usernames:

# tr -s merges the double space syslog puts before single-digit days ("Sep  5"),
# so the username is always field 11
grep -i "Failed password for invalid user" /var/log/auth.log | tr -s " " | cut -d " " -f 11 | sort | uniq

result on my machine is:

cs
engel
gamefiles
nagios
oracle
qwerty
teamspeak
tenchi
test
ts
ts2
ts3
WinD3str0y

Count how many attempts were made with each of these user names:

grep -i "Failed password for invalid user" /var/log/auth.log |
  tr -s " " |
  cut -d " " -f 11 |
  sort |
  uniq |
  while read name
  do
    # anchor on the full message: a bare grep "$name" would also count
    # "ts" inside "attempts" or "ssh" on every single line
    grep -c -F "invalid user $name from" /var/log/auth.log | tr -d "\n"
    echo " $name"
  done | sort -n

result on my machine:

ycs 2
engel 2
gamefiles 2
qwerty 2
tenchi 2
oracle 4
test 4
ts2 4
WinD3str0y 4
nagios 5
ts3 12
teamspeak 24
ts 78

You can also search all gzipped previous auth logs for your analysis. Notice that this might take a long time (15 seconds on my machine)! Use zgrep for this purpose:

# mktemp avoids a predictable /tmp name that another user could create first
tmpfile=$(mktemp /tmp/breakinattempts.XXXXXX)
zgrep -i "Failed password for invalid user" /var/log/auth.log* | tr -s " " >"$tmpfile"
cut -d " " -f 11 "$tmpfile" |
  sort |
  uniq |
  while read name
  do
    grep -c -F "invalid user $name from" "$tmpfile" | tr -d "\n"
    echo " $name"
  done | sort -n
rm "$tmpfile"

the last lines of this analysis of my log files:

[...]
ali 6972
ar 6972
as 6972
au 6972
dale 6972
ed 6972
id 6972
log 6972
password 6972
se 6972
sh 6972
ssh 6972
sw 6972
us 6972
user 6972
va 6972
wolf 6972
word 6972


So now you want to know about break-in attempts for existing users (especially root!):

grep -i "Failed password" /var/log/auth.log |
  grep -v -i "invalid user" |
  tr -s " " |
  cut -d " " -f 10 |
  sort |
  uniq |
  while read name
  do
    # count only real failures for this account, not every line containing the name
    grep -c -F "Failed password for $name from" /var/log/auth.log | tr -d "\n"
    echo " $name"
  done | sort -n

my result:

philipp 2
root 641

and for a look in the archives (gzipped auth.logs):

tmpfile=$(mktemp /tmp/breakinattempts.XXXXXX)
zgrep -i "Failed password" /var/log/auth.log* |
  grep -v -i "invalid user" |
  tr -s " " >"$tmpfile"
cut -d " " -f 10 "$tmpfile" |
  sort |
  uniq |
  while read name
  do
    printf "%s " "$name"
    grep -c -F "Failed password for $name from" "$tmpfile"
  done | sort -n -k 2
rm "$tmpfile"

again my result:

avahi 1
dhcp 1
messagebus 1
pk 1
gnats 2
sys 2
daemon 3
gdm 3
lp 3
irc 6
games 8
backup 10
bin 10
nobody 11
news 13
www-data 15
mail 24
mysql 29
postgres 40
root 2904
from 3106
sshd 3106

You can put all this into a script and run it automatically via cron to generate the latest analysis once a week or so. To have the cron daemon run the script every week (e.g. every Sunday at 9:59 pm), edit your cronjobs with crontab -e and add the line:

59 21 * * sun /home/philipp/b/analyseBreakinAttempts.sh
