Who’s trying to break in to your Linux box?

Fun with pipes! Just a quick Bash snippet for getting a good look at who’s attempting to log in to your Linux or other standard GNU system:

#shell> lastb -w | sort | awk '{print $1, "\t", $3}' | uniq | less

Here’s a quick summary of what’s going on here:

lastb reads and echoes the contents of the failed login database, generally located at /var/log/btmp. The -w flag just ensures it doesn’t truncate or otherwise cut off the username field.

sort very simply sorts the output of lastb alphabetically.

This awk snippet prints the 1st and 3rd columns of the sorted lastb output, which are username and source address respectively, separating them with a tab for ease of reading.

uniq gets rid of any duplicate entries, but only if they are on adjacent lines. This is another reason we used sort earlier.

Finally, less is just a decent pager. Feel free to replace it with output redirection to a file.

And the output. IP addresses randomised to defend the privacy of my attackers:

123456   89.101.45.51
123      89.101.45.51
1        63.200.120.14
2014     63.200.120.14
2015     63.200.120.14
2        63.200.120.14
aaa      63.200.120.14
aaron    63.200.120.14
aa       63.200.120.14
abc123   17.252.186.40
abc123   42.22.165.211
abc123   mail2.example.website.ru

…plus your typical number of root, admin, test, oracle and mysql attempts. Can’t quite explain the xxxxxxxxxxxxxxxxxx attempt though.
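As an added example (not part of the original post), here is the same pipeline wrapped in shell functions and run over constructed, lastb-style sample lines, so it can be exercised without root access to /var/log/btmp. The sample host addresses are made up, and the extra functions (attempts per host, distinct usernames per host) are my own additions, not something the post describes; they are the next questions a defender usually asks of this data.

```shell
#!/bin/sh
# Added example, not the post's own code. The functions read lastb-style
# lines on stdin; the sample below is constructed to mirror `lastb -w`
# output for ssh attempts (user, tty, host, date ...).
export LC_ALL=C   # deterministic sort order

# Constructed sample data (addresses are documentation ranges, not real sources).
SAMPLE_LASTB='root     ssh:notty    198.51.100.7     Mon Dec  8 03:14 - 03:14  (00:00)
admin    ssh:notty    198.51.100.7     Mon Dec  8 03:15 - 03:15  (00:00)
root     ssh:notty    198.51.100.7     Mon Dec  8 03:16 - 03:16  (00:00)
abc123   ssh:notty    203.0.113.9      Mon Dec  8 04:02 - 04:02  (00:00)
oracle   ssh:notty    203.0.113.9      Mon Dec  8 04:03 - 04:03  (00:00)
root     ssh:notty    192.0.2.44       Mon Dec  8 05:30 - 05:30  (00:00)

btmp begins Mon Dec  1 00:00:00 2014'

# lastb ends its output with a blank line and a "btmp begins ..." summary;
# drop both so they do not show up as a bogus user/host pair.
strip_footer() {
    grep -v -e '^btmp begins' -e '^wtmp begins' -e '^$'
}

# The post's pipeline: unique (user, host) pairs, tab separated.
# sort must come first because uniq only folds adjacent duplicates.
user_host_pairs() {
    strip_footer | sort | awk '{print $1, "\t", $3}' | uniq
}

# Addition: number of attempts per source host, busiest first.
attempts_per_host() {
    strip_footer | awk '{print $3}' | sort | uniq -c | sort -rn
}

# Addition: how many distinct usernames each host tried. A source cycling
# through many accounts looks different from one forgotten password.
usernames_per_host() {
    strip_footer | awk '{print $1, $3}' | sort -u \
        | awk '{print $2}' | sort | uniq -c | sort -rn
}

main() {
    echo "== unique user/host pairs =="
    printf '%s\n' "$SAMPLE_LASTB" | user_host_pairs
    echo "== attempts per host =="
    printf '%s\n' "$SAMPLE_LASTB" | attempts_per_host
    echo "== distinct usernames per host =="
    printf '%s\n' "$SAMPLE_LASTB" | usernames_per_host
}
main
```

On a live system, feed the real database instead of the sample: `lastb -w | user_host_pairs`. Note that btmp is normally root-readable only, and that lastb prints usernames exactly as the client sent them, so odd strings like the one above are simply whatever the remote side typed into the login prompt.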


7 Responses to Who’s trying to break in to your Linux box?

  1. Mark says:

    I feel sad and left out. No one has tried to pwn my box. D:

  2. Ben McTee says:

    Take a look into Fail2Ban, if you haven’t already. I implemented it on December 14th:

    cat /var/log/auth.log* | grep 'Failed password' | grep sshd | awk '{print $1,$2}' | sort -k 1,1M -k 2n | uniq -c
    9306 Dec 7
    9714 Dec 8
    9288 Dec 9
    7392 Dec 10
    4848 Dec 11
    1089 Dec 12
    4103 Dec 13
    3656 Dec 14
    73 Dec 15
    29 Dec 16
    78 Dec 17
    62 Dec 18
    31 Dec 19
    25 Dec 20

    A great tutorial is here: https://help.ubuntu.com/community/Fail2ban

    A couple of tweaks: 1) lower your maxretry count to 1 or 2, unless you’re terrible at typing your own password remotely. 2) Lengthen the lockout timer. It seems that some of the guys attempting remote access will retry after the default fail2ban time of 10 min.

    • Aaron Hastings says:

      Absolutely, Fail2ban is an excellent program and I have it running on all of my machines. Fail2ban tweaks are always appreciated – cheers!
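As an added example (not from the post or from either commenter), here is Ben McTee's per-day count from comment 2 turned into shell functions and run over constructed auth.log-style lines, together with a per-source tally that flags addresses reaching a maxretry threshold, which is the condition Fail2Ban acts on. The log lines and addresses are made up; the classic syslog layout ("Dec  8 03:14:05 host sshd[pid]: Failed password for ... from ADDR port ...") is assumed.

```shell
#!/bin/sh
# Added example, not part of the original comments. Functions read
# auth.log-style lines on stdin. The sample is constructed; note the
# non-sshd and successful-login lines that the filters must ignore.
export LC_ALL=C   # deterministic sort order and English month names for sort -M

SAMPLE_AUTH='Dec  7 23:58:01 host sshd[2201]: Failed password for root from 198.51.100.7 port 51234 ssh2
Dec  8 03:14:05 host sshd[2310]: Failed password for root from 198.51.100.7 port 51240 ssh2
Dec  8 03:14:09 host sshd[2310]: Failed password for invalid user admin from 198.51.100.7 port 51241 ssh2
Dec  8 03:14:12 host sshd[2311]: Failed password for invalid user test from 198.51.100.7 port 51242 ssh2
Dec  8 04:02:30 host sshd[2400]: Failed password for invalid user abc123 from 203.0.113.9 port 40022 ssh2
Dec  8 04:02:33 host sshd[2401]: Failed password for oracle from 203.0.113.9 port 40023 ssh2
Dec  8 09:10:00 host sshd[2500]: Accepted publickey for aaron from 192.0.2.44 port 50000 ssh2
Dec  9 01:00:00 host sshd[2600]: Failed password for aaron from 192.0.2.44 port 50100 ssh2
Dec 10 12:00:00 host cron[100]: pam_unix(cron:session): session opened for user root by (uid=0)'

# The grep pair from the comment: only sshd password failures.
failed_sshd() {
    grep 'Failed password' | grep sshd
}

# The comment's pipeline: failures per calendar day, months sorted as
# months (-M) and days numerically (-n) rather than as plain text.
failures_per_day() {
    failed_sshd | awk '{print $1, $2}' | sort -k 1,1M -k 2n | uniq -c
}

# The source address is the field that follows "from"; tally per address.
# Searching for the keyword avoids depending on the "invalid user" variant
# shifting the column positions.
failures_per_source() {
    failed_sshd | awk '{for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1)}' \
        | sort | uniq -c | sort -rn
}

# Addresses with at least $1 failures. Fail2Ban's maxretry is the same idea
# (the comment suggests 1 or 2); this version has no time window.
over_maxretry() {
    failures_per_source | awk -v max="$1" '$1 >= max {print $2}'
}

main() {
    echo "== failures per day =="
    printf '%s\n' "$SAMPLE_AUTH" | failures_per_day
    echo "== failures per source =="
    printf '%s\n' "$SAMPLE_AUTH" | failures_per_source
    echo "== at or above maxretry=2 =="
    printf '%s\n' "$SAMPLE_AUTH" | over_maxretry 2
}
main
```

Against real logs, rotated files are usually gzip-compressed, so `cat /var/log/auth.log*` will feed binary data to grep; `zcat -f /var/log/auth.log* | failures_per_day` reads both compressed and plain files. The day counts only show the trend; a sharp drop like the one in the comment after installing Fail2Ban means the attempts are being blocked before they reach the password prompt, not that they stopped.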
