Sawing Linux Logs with Simple Tools - page 2
Good Ole grep
Crafting clever, complex regular expressions is quite fun, and a more worthy use of one's time than comatose drooling in front of "Reality TV." However, there are many simple searches that do the job just fine. You can search
/var/log/auth.log quickly to see if anyone has made an inordinate number of failed login attempts. The -i option does a case-insensitive search, so it catches both "Failed" and "failure":

$ grep -i "fail" /var/log/auth.log
...
Sep 13 16:26:34 server02 PAM_unix: authentication failure; (uid=0) -> root for ssh service
Sep 13 16:26:36 server02 sshd: Failed password for root from 126.96.36.199 port 3210 ssh2
Sep 13 16:26:38 server02 PAM_unix: authentication failure; (uid=0) -> root for ssh service
Sep 13 16:26:40 server02 sshd: Failed password for root from 188.8.131.52 port 3210 ssh2
...
Well well, someone came a' knockin' on the SSH (secure shell) door. Knowledge is power--at this point, you could fine-tune your iptables to drop packets from the originating IP, or you could do a little sleuthing to find the source, or you could create a nice honeypot and amuse yourself trapping the no-good person trying to get into your system. You can even count the number of attempts:
$ grep "184.108.40.206" /var/log/auth.log | wc -l
8656
That's a rather persistent little twit, I'd say.
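The two greps above, as an added example that is not part of the original article, folded into a small POSIX shell script that goes one step further than the text: instead of counting one IP you already know, it lists failed password attempts grouped by source address, most persistent first. The log lines are constructed to match the auth.log format shown above, and the addresses are RFC 5737 documentation IPs standing in for real ones.

```shell
#!/bin/sh
# Added example (not from the original article): count failed SSH password
# attempts per source IP in auth.log-style lines with grep, awk, sort and uniq.
# The log lines below are constructed; the IPs are RFC 5737 documentation
# addresses used as placeholders.

SAMPLE_LOG="${TMPDIR:-/tmp}/auth_sample_$$.log"
cat > "$SAMPLE_LOG" <<'EOF'
Sep 13 16:26:36 server02 sshd: Failed password for root from 192.0.2.10 port 3210 ssh2
Sep 13 16:26:38 server02 PAM_unix: authentication failure; (uid=0) -> root for ssh service
Sep 13 16:26:40 server02 sshd: Failed password for root from 192.0.2.10 port 3210 ssh2
Sep 13 16:26:44 server02 sshd: Failed password for invalid user admin from 198.51.100.7 port 4022 ssh2
Sep 13 16:26:50 server02 sshd: Accepted password for alice from 192.0.2.100 port 5500 ssh2
Sep 13 16:26:52 server02 sshd: Failed password for root from 192.0.2.10 port 3211 ssh2
EOF

# Failed password attempts grouped by source IP, most frequent first.
# The IP is the field that follows the word "from" in sshd's message.
failed_by_ip() {
    grep -i "failed password" "$1" \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
        | sort | uniq -c | sort -rn
}

# Number of lines mentioning one exact IP. -F treats the dots literally
# (as a regex, "192.0.2.10" would also match "192x0x2x10"); -w stops
# 192.0.2.10 from also counting 192.0.2.100; -c prints the line count,
# so no pipe to wc -l is needed.
count_from_ip() {
    grep -Fwc -- "$2" "$1"
}

# Usage when run directly:
echo "Failed password attempts per source IP:"
failed_by_ip "$SAMPLE_LOG"
echo "Lines mentioning 192.0.2.10: $(count_from_ip "$SAMPLE_LOG" 192.0.2.10)"
```

Run against the real file by pointing the functions at /var/log/auth.log instead of the sample. The -F and -w flags matter when you count a single address the way the article does: an unquoted-dot pattern is a regular expression, so a bare grep for an IP can pick up lines with a different, longer address that merely starts with the same digits.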