Having been running a Linux machine with port 22 opened through my firewall, I noticed several login attempts arriving through this port.
I have written a little script that collects the source IPs from which SSH connections have failed.
See the script below:
```bash
#!/bin/bash
#####################################
# get the dates in the right format #
#####################################
# %e pads single-digit days with a space, exactly as auth.log writes them
# ("Feb  7"); a sed 's/0/ /g' on %d would also break days such as 10, 20 and 30.
today=$(date +"%b %e")
yesterday=$(date --date="-1 day" +"%b %e")

#####################################
# set source dir and destination dir
#####################################
srcdir=/var/log/
dest=/home/nicolas/log_ssh/
# whitelisted address prefixes, anchored so that 192.168.2. does not also
# hide 192.168.20.x, and with the dots escaped so grep treats them literally
whiteip='^192\.168\.2\.'
whiteip1='^192\.168\.1\.'

echo "Yesterday was $yesterday"

# collect the source IPs of failed sshd logins into $2, limited to lines
# whose timestamp starts with $1 (empty $1 = whole log), minus whitelisted IPs
collect() {
    local day="$1" outfile="$2"
    grep "^$day" "$srcdir"auth.log \
        | grep 'sshd' | grep 'Failed' \
        | sed 's/^.*from //' | sed 's/ .*//' \
        | sort | uniq \
        | grep -v "$whiteip" | grep -v "$whiteip1" > "$outfile"
    # the redirect always creates the file, so drop it again when it is empty
    [[ -s "$outfile" ]] || rm -f "$outfile"
}

# finally get the output listed according to the option.
case "$1" in
-s)
    echo ""
    echo "-collecting data from yesterday"
    outfile="$dest"ssh_failed_"$yesterday".log
    collect "$yesterday" "$outfile"
    if [[ ! -e "$outfile" ]]; then
        echo "no ssh_failed file generated. Which is good"
    else
        echo "-log file created at $outfile"
        echo ""
        echo "list of IPs"
        cat "$outfile"
    fi
    ;;
-h)
    # silent mode: only the list itself is printed
    outfile="$dest"ssh_failed_"$yesterday".log
    collect "$yesterday" "$outfile"
    [[ -e "$outfile" ]] && cat "$outfile"
    ;;
-a)
    echo ""
    echo "-collecting data"
    outfile="$dest"ssh_failed_all_since_"$today".log
    collect "" "$outfile"
    if [[ ! -e "$outfile" ]]; then
        echo "no ssh_failed file generated. Which is good"
    else
        echo "-log file created at $outfile"
    fi
    ;;
*)
    echo ""
    echo "Usage:"
    echo "./ssh_list.sh -s : see the result in interactive mode"
    echo "./ssh_list.sh -h : silent mode"
    echo "./ssh_list.sh -a : no date limit, always interactive mode"
    echo ""
    exit 1
    ;;
esac
exit 0
```
The result looks something like this:
```
log_ssh# cat ssh_failed_Feb\ 27.log
108.163.159.72
119.145.254.34
123.164.66.216
60.10.203.18
93.114.134.220
```
You can then feed the generated file into /etc/hosts.deny, one `sshd: ADDRESS` line per entry. Note that sshd only honours hosts.deny when built with TCP wrappers (libwrap) support, which upstream OpenSSH removed in 6.7, so on newer systems a firewall rule or fail2ban does the same job.
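As an added example (not part of the original post or its script), the same extraction written as a single awk pass that also counts attempts per source address and matches the whitelist as an anchored address prefix; it runs here over a constructed auth.log sample rather than /var/log/auth.log, and the function name `failed_ssh_ips` is my own:

```bash
#!/bin/bash
# Added example: count failed-sshd source addresses from auth.log lines.
# Whitelist entries are matched as address prefixes, so "192.168.2." skips
# 192.168.2.x only and not 192.168.20.x (a plain grep -v would skip both).

# Constructed sample auth.log lines (not taken from a real host).
SAMPLE_LOG=$(cat <<'EOF'
Feb 27 03:14:15 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Feb 27 03:14:18 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Feb 27 03:15:02 host sshd[1207]: Failed password for root from 198.51.100.9 port 40022 ssh2
Feb 27 03:16:40 host sshd[1210]: Accepted publickey for nicolas from 192.168.2.10 port 50110 ssh2
Feb 27 03:17:01 host sshd[1214]: Failed password for nicolas from 192.168.2.10 port 50112 ssh2
Feb 27 03:18:09 host sshd[1220]: Failed password for root from 192.168.20.7 port 33001 ssh2
Feb 28 00:00:05 host sshd[1301]: Failed password for root from 203.0.113.5 port 51300 ssh2
EOF
)

# failed_ssh_ips DAY WHITELIST < auth.log
#   DAY       timestamp prefix as auth.log writes it, e.g. "Feb 27" or "Feb  7"
#   WHITELIST space-separated address prefixes to ignore, e.g. "192.168.2. 192.168.1."
# Prints "count address", most attempts first, one line per source address.
failed_ssh_ips() {
    local day="$1" whitelist="$2"
    awk -v day="$day" -v white="$whitelist" '
        BEGIN { n = split(white, prefix, " ") }
        # keep only sshd failures whose line starts with the requested day
        index($0, day " ") == 1 && /sshd\[[0-9]+\]: Failed/ {
            ip = ""
            # the source address is the token after "from", whatever precedes it
            for (i = 1; i < NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "") next
            for (j = 1; j <= n; j++) if (index(ip, prefix[j]) == 1) next
            count[ip]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# On a real host: failed_ssh_ips "$(date --date='-1 day' +'%b %e')" "192.168.2. 192.168.1." < /var/log/auth.log
printf '%s\n' "$SAMPLE_LOG" | failed_ssh_ips "Feb 27" "192.168.2. 192.168.1."
```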