Another question for tracking failed logins via script


 
# 1  
Old 01-19-2010

Hello Experts,

I have this initial shell script that tracks failed login attempts:

Code:
#!/bin/bash

#Fetch failed user logins to file failed-logins.txt
grep -i failed /var/log/secure | awk '{ print $1, $2"  ", $3"  ", $9"  ", $11 }' > failed-logins.txt

# Split failed-logins.txt into INVALID and VALID account attempts
# (both greps are case-insensitive so every line lands in exactly one file)

grep -i invalid failed-logins.txt > invalid-failed-logins.txt
grep -vi invalid failed-logins.txt > valid-failed-logins.txt

and I have the following output for valid-failed-logins:

Jan 18 14:15:03 root 218.104.65.210
Jan 18 14:15:07 root 218.104.65.210
Jan 18 14:15:11 root 218.104.65.210
Jan 18 14:15:23 root 218.104.65.210
Jan 18 14:15:26 root 218.104.65.210
Jan 18 14:15:31 root 218.104.65.210
Jan 18 14:15:35 root 218.104.65.210
Jan 18 14:15:38 root 218.104.65.210
Jan 18 14:15:47 root 218.104.65.210
Jan 18 14:15:57 root 218.104.65.210
Jan 18 14:16:00 root 218.104.65.210
Jan 18 14:16:04 root 218.104.65.210
Jan 18 14:16:50 root 218.104.65.210
Jan 18 14:16:53 root 218.104.65.210
Jan 18 14:16:57 root 218.104.65.210
Jan 18 14:17:01 root 218.104.65.210
Jan 18 14:17:04 root 218.104.65.210
Jan 18 14:17:08 root 218.104.65.210
Jan 18 14:17:12 root 218.104.65.210
Jan 18 14:22:56 root 59.76.81.123
Jan 18 14:32:17 root 220.78.22.250
Jan 18 14:32:21 root 220.78.22.250
Jan 18 14:32:24 root 220.78.22.250
Jan 18 14:32:26 root 220.78.22.250
Jan 18 14:32:29 root 220.78.22.250
Jan 18 14:32:33 root 220.78.22.250
Jan 18 14:32:36 root 220.78.22.250
Jan 18 14:32:39 root 220.78.22.250
Jan 18 14:32:41 root 220.78.22.250
Jan 18 14:32:44 root 220.78.22.250
Jan 18 14:32:47 root 220.78.22.250
Jan 18 14:32:50 root 220.78.22.250
Jan 18 14:32:57 root 220.78.22.250
Jan 18 18:22:35 root 119.111.70.244
Jan 18 18:22:41 root 119.111.70.244
Jan 18 21:31:07 root 209.151.232.70
Jan 18 21:31:09 root 209.151.232.70
Jan 18 21:31:13 root 209.151.232.70
Jan 18 21:31:16 root 209.151.232.70
Jan 18 21:31:19 root 209.151.232.70
Jan 18 21:31:22 root 209.151.232.70
Jan 18 21:31:25 root 209.151.232.70
Jan 18 21:31:28 root 209.151.232.70
Jan 18 21:31:32 root 209.151.232.70
Jan 18 21:31:34 root 209.151.232.70
Jan 18 21:31:38 root 209.151.232.70
Jan 18 21:31:41 root 209.151.232.70

Can you help me get the total failed login attempts from each source?
For example:

Jan 18 21:31:13 root 209.151.232.70 = 12 attempts
# 2  
Old 01-19-2010
One hint for you: you can use awk or sed to get the IP address. Then you can use the "uniq" command to find the number of failed attempts.

uniq -c or check the details in man pages.
# 3  
Old 01-19-2010
There are some tools to track failed logins in ssh: denyhosts and fail2ban.
The first one tracks unsuccessful logins in /var/log/auth.log (but you can specify another file) and puts the incriminated IP in /etc/hosts.deny (after a number of tries); you can also specify your own commands to be executed.
It manages a couple of files: user-valid, user-invalid, hosts-valid, hosts-invalid...
Maybe that can be of interest to you.
# 4  
Old 01-19-2010
Code:
awk '{a[$NF]++} END {for (i in a) {print i " = " a[i] " attempt(s)"}}' valid-failed-logins.txt
209.151.232.70 = 12 attempt(s)
119.111.70.244 = 2 attempt(s)
220.78.22.250 = 13 attempt(s)
59.76.81.123 = 1 attempt(s)
218.104.65.210 = 19 attempt(s)

# 5  
Old 01-19-2010
Hi rdcwayx,

Wow, it's pretty simple, but can you explain the code to me since I'm new to awk programming?

Thank you.
# 6  
Old 01-20-2010
a[$NF] builds the array on the last column and counts it. Finally, print the array.
# 7  
Old 01-20-2010
Thanks rdcwayx, but I'm confused about how I will insert the first 3 fields (date, time, account)?

I'm trying to do it but I'm getting incorrect results.

I much appreciate your replies.

Last edited by linuxgeek; 01-20-2010 at 04:14 AM..
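
Added example (not from the thread or any poster): one way to extend the a[$NF] counter from post #4 so each source keeps the date, time and account of its first attempt, in first-seen order. The function names, the FLAG threshold and the sample lines (documentation address ranges) are assumptions made for illustration.

```shell
#!/bin/sh
# Input (stdin): lines shaped like valid-failed-logins.txt:
#   Mon DD HH:MM:SS account source-ip
# $1 (optional): attempt count at or above which a source is marked FLAG
#                (hypothetical threshold, default 10).
summarise_failed_logins() {
    awk -v limit="${1:-10}" '
        NF >= 5 {
            key = $4 SUBSEP $NF              # group by account + source IP
            if (!(key in count)) {
                order[++n] = key             # remember first-seen order
                first[key] = $1 " " $2 " " $3
            }
            count[key]++
            last[key] = $3                   # time of the most recent attempt
        }
        END {
            for (i = 1; i <= n; i++) {
                key = order[i]
                split(key, part, SUBSEP)
                printf "%s %s %s = %d attempt(s), last seen %s%s\n",
                    first[key], part[1], part[2], count[key], last[key],
                    (count[key] >= limit ? " FLAG" : "")
            }
        }
    '
}

# Constructed sample input, not taken from the thread.
sample_log() {
    cat <<'EOF'
Jan 18 14:15:03 root 192.0.2.10
Jan 18 14:15:07 root 192.0.2.10
Jan 18 14:22:56 root 198.51.100.7
Jan 18 14:15:11 root 192.0.2.10
EOF
}

sample_log | summarise_failed_logins 3
```

Against the real file, run it as `summarise_failed_logins 10 < valid-failed-logins.txt`.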