Sawing Linux Logs with Simple Tools
More Simple Stuff

Carla Schroder
Monday, September 20, 2004 11:22:15 AM
Crafting clever, complex regular expressions is quite fun, and a more worthy use of one's time than comatose drooling in front of "Reality TV." However, there are many simple searches that do the job just fine. You can search /var/log/auth.log quickly to see if anyone has made an inordinate number of failed login attempts. The -i option does a case-insensitive search, so one pattern catches both PAM's "authentication failure" lines and sshd's "Failed password" lines:
$ grep -i "fail" /var/log/auth.log
...
Sep 13 16:26:34 server02 PAM_unix[27462]: authentication failure; (uid=0) -> root for ssh service
Sep 13 16:26:36 server02 sshd[27462]: Failed password for root from 12.34.45.67 port 3210 ssh2
Sep 13 16:26:38 server02 PAM_unix[27464]: authentication failure; (uid=0) -> root for ssh service
Sep 13 16:26:40 server02 sshd[27464]: Failed password for root from 12.34.45.67 port 3210 ssh2
...
Well well, someone came a' knockin' on the SSH (secure shell) door. Knowledge is power--at this point, you could fine-tune your iptables to drop packets from the originating IP, or you could do a little sleuthing to find the source, or you could create a nice honeypot and amuse yourself trapping the no-good person trying to get into your system. You can even count the number of attempts:
$ grep -F "12.34.45.67" /var/log/auth.log | wc -l
8656
That's a rather persistent little twit, I'd say. Two things to keep in mind: a bare dot in a grep pattern matches any character, so -F tells grep to treat the address as a literal string rather than a pattern (grep -c gives the same count without the pipe to wc). And auth.log is rotated, so this only counts what is in the current file; the older attempts live in auth.log.1 and the compressed copies behind it, which zgrep can read.
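To go one step past a single grep, here is an added example (my own script, not code from the original article) that tallies sshd "Failed password" lines per source address and flags the persistent ones. It serves both the case-insensitive "fail" search above and the per-address count: the log lines, hostname, addresses, PIDs and the threshold are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article. Summarise failed SSH logins
# per source address from auth.log-style lines. The sample below is
# constructed: server02, the addresses and the PIDs are made up.

SAMPLE_LOG=$(cat <<'EOF'
Sep 13 16:26:34 server02 PAM_unix[27462]: authentication failure; (uid=0) -> root for ssh service
Sep 13 16:26:36 server02 sshd[27462]: Failed password for root from 12.34.45.67 port 3210 ssh2
Sep 13 16:26:38 server02 PAM_unix[27464]: authentication failure; (uid=0) -> root for ssh service
Sep 13 16:26:40 server02 sshd[27464]: Failed password for root from 12.34.45.67 port 3210 ssh2
Sep 13 16:27:01 server02 sshd[27470]: Failed password for invalid user admin from 10.0.0.5 port 40001 ssh2
Sep 13 16:27:05 server02 sshd[27472]: Accepted publickey for carla from 192.168.1.20 port 50022 ssh2
Sep 13 16:27:09 server02 sshd[27474]: Failed password for root from 12.34.45.67 port 3211 ssh2
EOF
)

# Count lines mentioning one address. -F treats the address as a fixed
# string (a bare "." in a grep pattern matches any character); -c counts.
count_ip() {   # usage: count_ip ADDRESS < logfile
    grep -c -F -- "$1"
}

# Per-source tally of sshd "Failed password" lines, most persistent first.
# awk takes the word after "from" instead of a fixed column, because
# "invalid user admin" lines shift the fields by two words.
failed_by_ip() {   # usage: failed_by_ip < logfile
    grep 'sshd\[[0-9]*\]: Failed password for' \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") { print $(i+1); break } }' \
    | sort | uniq -c | sort -rn
}

# Print "count address" for every source at or over THRESHOLD (default 3).
flag_ips() {   # usage: flag_ips [THRESHOLD] < logfile
    failed_by_ip | awk -v t="${1:-3}" '$1+0 >= t+0 { print $1, $2 }'
}

# Run against the constructed sample. In real use, feed it the log instead:
#   flag_ips 50 < /var/log/auth.log
printf '%s\n' "$SAMPLE_LOG" | count_ip 12.34.45.67
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
printf '%s\n' "$SAMPLE_LOG" | flag_ips 3
```

The "Accepted publickey" line is deliberately in the sample so you can see that the tally only counts failures; a threshold of 3 flags only the address that hammered root, while the single guess at "admin" from 10.0.0.5 stays below it.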
Next: Syslog, The Dumping Ground »