Sawing Linux Logs with Simple Tools - page 2
Good Ole grep
Crafting clever, complex regular expressions is quite fun, and a more worthy use of one's time than comatose drooling in front of "Reality TV." However, there are many simple searches that do the job just fine. You can search
/var/log/auth.log quickly to see if anyone has made an inordinate number of failed login attempts. The -i option does a case-insensitive search:
$ grep -i "fail" /var/log/auth.log
...
Sep 13 16:26:34 server02 PAM_unix: authentication failure; (uid=0) -> root for ssh service
Sep 13 16:26:36 server02 sshd: Failed password for root from 188.8.131.52 port 3210 ssh2
Sep 13 16:26:38 server02 PAM_unix: authentication failure; (uid=0) -> root for ssh service
Sep 13 16:26:40 server02 sshd: Failed password for root from 184.108.40.206 port 3210 ssh2
...
Well well, someone came a' knockin' on the SSH (secure shell) door. Knowledge is power--at this point, you could fine-tune your iptables to drop packets from the originating IP, or you could do a little sleuthing to find the source, or you could create a nice honeypot and amuse yourself trapping the no-good person trying to get into your system. You can even count the number of attempts:
$ grep "220.127.116.11" /var/log/auth.log | wc -l
8656
That's a rather persistent little twit, I'd say.
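The two greps above answer one question at a time: "were there failures?" and "how many from this one address?" The script below is an added example, not part of the original article, that generalizes the same idea: it pulls every "Failed password" line out of an auth.log-style file, tallies the attempts per source address, and lists the sources that cross a threshold you choose. The log lines embedded in make_sample_log are constructed for the example (they use documentation-range addresses), and the function names are my own. Note that the PAM_unix "authentication failure" lines carry no source address, so only the sshd "Failed password" lines are counted; count_for_ip also anchors on the "from IP port" fields with a fixed-string match, so 10.0.0.1 does not accidentally match 10.0.0.10 the way a bare grep of the address would.

```shell
#!/bin/sh
# Added example (not from the original article): tally failed SSH password
# attempts per source address in an auth.log-style file.

# Constructed sample log, written out so the script runs offline.
make_sample_log() {
  cat <<'EOF'
Sep 13 16:26:34 server02 PAM_unix: authentication failure; (uid=0) -> root for ssh service
Sep 13 16:26:36 server02 sshd: Failed password for root from 203.0.113.10 port 3210 ssh2
Sep 13 16:26:40 server02 sshd: Failed password for root from 203.0.113.10 port 3211 ssh2
Sep 13 16:26:44 server02 sshd: Failed password for invalid user admin from 203.0.113.10 port 3212 ssh2
Sep 13 16:27:02 server02 sshd: Failed password for alice from 198.51.100.7 port 40022 ssh2
Sep 13 16:27:30 server02 sshd: Accepted password for alice from 198.51.100.7 port 40023 ssh2
Sep 13 16:28:01 server02 sshd: Failed password for root from 203.0.113.10 port 3213 ssh2
EOF
}

# Print "count ip" pairs, busiest source first.  $1 = log file.
# Only sshd "Failed password" lines name a source address; the PAM_unix
# lines do not, so they are left out of the tally.
failed_by_ip() {
  grep -i "failed password" "$1" \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# Print only the sources with at least $2 failures.  $1 = log file.
noisy_sources() {
  failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Count failures for one source, like the article's grep | wc -l, but with
# a fixed-string match on "from <ip> port" so a dot in the address is not a
# regex wildcard and a shorter address cannot match a longer one.
# "|| true" keeps the 0 result usable even though grep exits 1 on no match.
count_for_ip() {
  grep -i "failed password" "$1" | grep -Fc "from $2 port" || true
}

# Stand-alone demo: run the tally over the constructed log.
main() {
  log=$(mktemp)
  make_sample_log > "$log"
  echo "Failed SSH logins by source:"
  failed_by_ip "$log"
  echo "Sources with 3 or more failures:"
  noisy_sources "$log" 3
  rm -f "$log"
}

main
```

Point failed_by_ip at the real /var/log/auth.log and pick a threshold that suits your traffic; the list noisy_sources prints is the same set of addresses you would otherwise have discovered one grep at a time.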