Having been running a linux machine and opened through my Firewall the port 22, caused several attempts noticed through this port.
I have written a little script that collect the IPs source which the connection using ssh has failed
See the script attached below:
#!/bin/bash
#####################################
# get the date in the right format;
#
#####################################
today=$(date +"%b %e")
#####################################
#
# set source file and destination file
#
#
source=/var/log/
dest=/home/nicolas/log_ssh/
whiteip=192.168.2.
whiteip1=192.168.1.
#####################################
# get the yesterday date
#
#
yesterday=$(date --date="-1 day" +"%b %d" | sed 's/0/ /g')
echo "Yesterday was "$yesterday
# finally get the output listed and options.
case "$1" in
-s)
echo ""
echo "-collecting data from yesterday"
cat "$source"auth.log | grep "$yesterday" | grep 'sshd' | grep 'Failed' | sed 's/^.*from //' | sed 's/ .*//' > "$dest"extract.log
echo "-cleaning the results"
sort "$dest"extract.log | uniq > "$dest"sorted.log
echo "-checking for any whitelisted IPs"
for ip in `cat "$dest"sorted.log`;do
grep -v "$whiteip" "$dest"sorted.log > "$dest"white.log
grep -v "$whiteip1" "$dest"white.log > "$dest"ssh_failed_"$yesterday".log
done
echo "log file created to "$dest"ssh_failed_"$yesterday".log"
if [[ ! -a "$dest"ssh_failed_"$yesterday".log ]]; then
echo "no ssh_failed file generated. Which is good"
else
echo ""
echo "list of IPs"
cat "$dest"ssh_failed_"$yesterday".log
fi
# deleting remaining file output generated
if [[ ! -a "$dest"extract.log ]]; then
echo "no remaining files"
else
rm "$dest"extract.log
fi
if [[ ! -a "$dest"sorted.log ]]; then
echo "no remaining files"
else
rm "$dest"sorted.log
fi
if [[ ! -a "$dest"white.log ]]; then
echo "no remaining files"
else
rm "$dest"white.log
fi
;;
-h)
echo ""
echo "Collecting data from yesterday"
cat "$source"auth.log | grep "$yesterday" | grep 'sshd' | grep 'Failed' | sed 's/^.*from //' | sed 's/ .*//' > "$dest"extract.log
echo "cleaning the results"
sort "$dest"extract.log | uniq > "$dest"sorted.log
echo "checking for any whitelisted IPs"
for ip in `cat "$dest"sorted.log`;do
grep -v "$whiteip" "$dest"sorted.log > "$dest"white.log
grep -v "$whiteip1" "$dest"white.log > "$dest"ssh_failed_"$yesterday".log
done
if [[ ! -a "$dest"ssh_failed_"$yesterday".log ]]; then
echo "no ssh_failed file generated. Which is good"
else
cat "$dest"ssh_failed_"$yesterday".log
fi
# deleting remaining file output generated
if [[ ! -a "$dest"extract.log ]]; then
echo "no remaining files"
else
rm "$dest"extract.log
fi
if [[ ! -a "$dest"sorted.log ]]; then
echo "no remaining files"
else
rm "$dest"sorted.log
fi
if [[ ! -a "$dest"white.log ]]; then
echo "no remaining files"
else
rm "$dest"white.log
fi
exit 1
;;
-a)
echo ""
echo "-collecting data"
cat "$source"auth.log | grep 'sshd' | grep 'Failed' | sed 's/^.*from //' | sed 's/ .*//' > "$dest"extract.log
echo "-cleaning the results"
sort "$dest"extract.log | uniq > "$dest"sorted.log
echo "-checking for any whitelisted IPs"
for ip in `cat "$dest"sorted.log`;do
grep -v "$whiteip" "$dest"sorted.log > "$dest"white.log
grep -v "$whiteip1" "$dest"white.log > "$dest"ssh_failed_all_since_"$today".log
done
echo "-log file created to "$dest"ssh_failed_all_since_"$today".log"
# deleting remaining file output generated
if [[ ! -a "$dest"extract.log ]]; then
echo "no remaining files"
else
rm "$dest"extract.log
fi
if [[ ! -a "$dest"sorted.log ]]; then
echo "no remaining files"
else
rm "$dest"sorted.log
fi
if [[ ! -a "$dest"white.log ]]; then
echo "no remaining files"
else
rm "$dest"white.log
fi
;;
*)
echo ""
echo "Usage:"
echo "./ssh_list.sh -s : see the result in interactive mode"
echo "./ssh_list.sh -h : silent mode"
echo "./ssh_list.sh -a : no date limit always interactive mode"
echo ""
exit 1
esac
exit 0
The result is looking something like:
log_ssh# cat ssh_failed_Feb\ 27.log 108.163.159.72 119.145.254.34 123.164.66.216 60.10.203.18 93.114.134.220
You can eventually use the file generated being inserted to your host.denied from /etc/