October 24, 2014

Sawing Linux Logs with Simple Tools - page 2

Good Ole grep

  • September 20, 2004
  • By Carla Schroder

Crafting clever, complex regular expressions is quite fun, and a more worthy use of one's time than comatose drooling in front of "Reality TV." However, there are many simple searches that do the job just fine. You can search /var/log/auth.log quickly to see if anyone has made an inordinate number of failed login attempts. The -i option does a case-insensitive search, so the pattern "fail" matches both "Failed" and "failure":

$ grep -i "fail" /var/log/auth.log
...
Sep 13 16:26:34 server02 PAM_unix[27462]: authentication failure; (uid=0) -> root for ssh service
Sep 13 16:26:36 server02 sshd[27462]: Failed password for root from 12.34.45.67 port 3210 ssh2
Sep 13 16:26:38 server02 PAM_unix[27464]: authentication failure; (uid=0) -> root for ssh service
Sep 13 16:26:40 server02 sshd[27464]: Failed password for root from 12.34.45.67 port 3210 ssh2
...

Well well, someone came a' knockin' on the SSH (secure shell) door. Knowledge is power--at this point, you could fine-tune your iptables to drop packets from the originating IP, or you could do a little sleuthing to find the source, or you could create a nice honeypot and amuse yourself trapping the no-good person trying to get into your system. You can even count the number of attempts:

$ grep "12.34.45.67" /var/log/auth.log | wc -l
8656

That's a rather persistent little twit, I'd say.
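The two searches above (find the failures, then count attempts from one address) can be folded into a small script that ranks every source IP by failed-password count. This is an added example, not code from the article; the log lines it works on are constructed for the demo (hostnames, PIDs and addresses are made up). It uses grep -F so the dots in an IP are matched literally rather than as regex wildcards, and anchors the pattern with "from ... port" so 12.34.45.6 is not counted as a prefix match of 12.34.45.67.

```shell
#!/bin/sh
# Added example (not from the original article): rank source IPs by the
# number of "Failed password" lines in an auth.log-style file, using only
# grep, awk, sort and uniq.

# Constructed sample log; nothing here is real data.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Sep 13 16:26:34 server02 PAM_unix[27462]: authentication failure; (uid=0) -> root for ssh service
Sep 13 16:26:36 server02 sshd[27462]: Failed password for root from 12.34.45.67 port 3210 ssh2
Sep 13 16:26:38 server02 PAM_unix[27464]: authentication failure; (uid=0) -> root for ssh service
Sep 13 16:26:40 server02 sshd[27464]: Failed password for root from 12.34.45.67 port 3210 ssh2
Sep 13 16:27:01 server02 sshd[27470]: Failed password for invalid user admin from 10.0.0.5 port 4402 ssh2
Sep 13 16:27:05 server02 sshd[27471]: Accepted publickey for carla from 10.0.0.9 port 5000 ssh2
Sep 13 16:27:09 server02 sshd[27472]: Failed password for root from 12.34.45.67 port 3211 ssh2
EOF

# count_failed_by_ip FILE
# Prints "COUNT IP" lines, most frequent source first. The awk loop pulls
# the token after "from", which works for both "for root from X" and
# "for invalid user admin from X" forms of the sshd message.
count_failed_by_ip() {
    grep -F "Failed password for" "$1" \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break } }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# failed_count_for_ip FILE IP
# Exact count for one address. -F keeps the dots literal; the surrounding
# "from ... port" text stops 12.34.45.6 from matching as a prefix of 12.34.45.67.
failed_count_for_ip() {
    grep -F -c "from $2 port" "$1"
}

# Stand-alone run: show the ranking for the sample log.
echo "Failed password attempts per source IP:"
count_failed_by_ip "$SAMPLE_LOG"
echo "Attempts from 12.34.45.67: $(failed_count_for_ip "$SAMPLE_LOG" 12.34.45.67)"
```

Point count_failed_by_ip at the real /var/log/auth.log (as root, or a user in the adm group) to get the same ranking for your own host; the top entry is the address worth looking at first.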
