SSH failed connections IP collection list

Having been running a Linux machine with port 22 open through my firewall, I noticed several connection attempts on this port.

I have written a little script that collects the source IPs from which SSH connections have failed.

See the script attached below:

 

 

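#!/bin/bash
#
# ssh_list.sh - collect the source IPs of failed sshd logins from auth.log.
#
# Usage:
#   ./ssh_list.sh -s   yesterday's failures, interactive (progress + IP list)
#   ./ssh_list.sh -h   yesterday's failures, silent (file only, e.g. for cron)
#   ./ssh_list.sh -a   every failure in auth.log, interactive
#
# Output: one IP per line in
#   "$dest"ssh_failed_<yesterday>.log          (-s, -h)
#   "$dest"ssh_failed_all_since_<today>.log    (-a)
# Addresses starting with a whitelisted prefix are dropped, and the file is
# created only when at least one address remains. No intermediate files are
# written, so there is nothing to clean up afterwards.
#
# Only -u is set: the greps inside the pipeline legitimately return 1 when a
# day has no failures, which -e/pipefail would turn into an abort.
set -u

#####################################
# dates in the format auth.log uses
#
# Traditional syslog pads the day with a space ("Feb  7"), which is exactly
# what %e produces, so the value can be grepped verbatim. The previous
# "%d" + sed 's/0/ /g' also rewrote "Feb 10" as "Feb 1 " and therefore
# matched nothing on the 10th, 20th and 30th.
#####################################
today=$(date +"%b %e")
yesterday=$(date --date="-1 day" +"%b %e")

#####################################
# source directory, destination directory, whitelisted prefixes
#####################################
source=/var/log/
dest=/home/nicolas/log_ssh/

# Prefixes are compared as literal, anchored prefixes: "192.168.2." now
# excludes 192.168.2.x only. The old unanchored `grep -v "192.168.2."`
# treated "." as "any character" and also dropped e.g. 192.168.20.x.
whitelist=(192.168.2. 192.168.1.)

# Set to "quiet" by -h; say() then prints nothing.
quiet=

die() { printf '%s\n' "$*" >&2; exit 1; }

say() { [[ $quiet == quiet ]] || printf '%s\n' "$*"; }

usage() {
  printf '\nUsage:\n'
  printf '%s\n' \
    "./ssh_list.sh -s : see the result in interactive mode" \
    "./ssh_list.sh -h : silent mode" \
    "./ssh_list.sh -a : no date limit always interactive mode"
  printf '\n'
}

#######################################
# Test whether an address starts with one of the whitelisted prefixes.
# Globals:   whitelist (read)
# Arguments: $1 - address
# Returns:   0 if whitelisted, 1 otherwise
#######################################
is_whitelisted() {
  local ip=$1 prefix
  for prefix in "${whitelist[@]}"; do
    # quoted RHS = literal prefix, trailing * = "anything after it"
    [[ $ip == "$prefix"* ]] && return 0
  done
  return 1
}

#######################################
# Write the non-whitelisted source IPs of failed sshd logins to a file.
# Globals:   source, dest, quiet, yesterday (read)
# Arguments: $1 - output file
#            $2 - syslog date stamp to restrict to; "" means the whole log
# Outputs:   progress messages and the IP list on stdout unless quiet
# Returns:   0 if the output file was written, 1 if no address remained
#            (the file is then not left behind)
#######################################
collect() {
  local outfile=$1 stamp=$2
  local log="${source}auth.log" ip

  [[ -r $log ]] || die "cannot read $log"
  [[ -d $dest ]] || die "destination directory $dest does not exist"

  say "Yesterday was $yesterday"
  say ""
  say "-collecting data${stamp:+ from yesterday}"
  say "-cleaning the results"
  say "-checking for any whitelisted IPs"

  # 1. optional date filter (-F: the stamp is a literal, not a regex)
  # 2. keep only sshd failure lines
  # 3. take the word after the LAST "from " — the greedy ".*" matters, because
  #    the user name that sshd logs earlier on the line is attacker-chosen and
  #    could itself contain " from "
  # 4. keep only strings shaped like an IPv4/IPv6 literal, so nothing but
  #    addresses can end up in a file that is later pasted into hosts.deny
  # 5. dedupe, then drop whitelisted prefixes
  {
    if [[ -n $stamp ]]; then
      grep -F -- "$stamp" "$log"
    else
      cat -- "$log"
    fi
  } | awk '/sshd/ && /Failed/' \
    | sed 's/^.*from //; s/ .*//' \
    | grep -E -- '^[0-9A-Fa-f:.]+$' \
    | LC_ALL=C sort -u \
    | while IFS= read -r ip; do
        is_whitelisted "$ip" || printf '%s\n' "$ip"
      done > "$outfile"

  if [[ ! -s $outfile ]]; then
    rm -f -- "$outfile"
    say "no ssh_failed file generated. Which is good"
    return 1
  fi

  say "log file created to $outfile"
  say ""
  say "list of IPs"
  [[ $quiet == quiet ]] || cat -- "$outfile"
  return 0
}

case "${1:-}" in
  -s)
    collect "${dest}ssh_failed_${yesterday}.log" "$yesterday"
    ;;
  -h)
    quiet=quiet
    collect "${dest}ssh_failed_${yesterday}.log" "$yesterday"
    ;;
  -a)
    collect "${dest}ssh_failed_all_since_${today}.log" ""
    ;;
  *)
    usage
    exit 1
    ;;
esac

# "Nothing to report" is not an error. (The old -h branch exited 1 even
# after a successful run, which misreports success to cron/wrappers.)
exit 0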

 

 

The result looks something like this:

log_ssh# cat ssh_failed_Feb\ 27.log
108.163.159.72
119.145.254.34
123.164.66.216
60.10.203.18
93.114.134.220

You can then insert the generated file into /etc/hosts.deny.
