Okay guys, the log is filling with
sshd[20117]: Invalid user pi from 142.93.118.186 port 50416
sshd[20117]: input_userauth_request: invalid user pi [preauth]
sshd[20117]: Received disconnect from 142.93.118.186 port 50416:11: Bye Bye [preauth]
sshd[20117]: Disconnected from 142.93.118.186 port 50416 [preauth]
sshd[20119]: Invalid user cubie from 5.189.227.161 port 39772
sshd[20119]: input_userauth_request: invalid user cubie [preauth]
sshd[20119]: Received disconnect from 5.189.227.161 port 39772:11: Bye Bye [preauth]
sshd[20119]: Disconnected from 5.189.227.161 port 39772 [preauth]
sshd[20121]: Invalid user guest from 208.68.37.169 port 42858
sshd[20121]: input_userauth_request: invalid user guest [preauth]
sshd[20121]: Received disconnect from 208.68.37.169 port 42858:11: Bye Bye [preauth]
sshd[20121]: Disconnected from 208.68.37.169 port 42858 [preauth]
sshd[20124]: Invalid user toclub from 217.37.108.89 port 51160
sshd[20124]: input_userauth_request: invalid user toclub [preauth]
sshd[20124]: Received disconnect from 217.37.108.89 port 51160:11: Bye Bye [preauth]
sshd[20124]: Disconnected from 217.37.108.89 port 51160 [preauth]
sshd[20131]: Invalid user sftptest from 212.29.234.250 port 57482
sshd[20131]: input_userauth_request: invalid user sftptest [preauth]
sshd[20131]: Received disconnect from 212.29.234.250 port 57482:11: Bye Bye [preauth]
sshd[20131]: Disconnected from 212.29.234.250 port 57482 [preauth]
sshd[20144]: Invalid user peer from 92.135.28.247 port 36372
sshd[20144]: input_userauth_request: invalid user peer [preauth]
sshd[20144]: Received disconnect from 92.135.28.247 port 36372:11: Bye Bye [preauth]
sshd[20144]: Disconnected from 92.135.28.247 port 36372 [preauth]
sshd[19857]: pam_unix(sshd:session): session closed for user admin
sshd[20148]: Invalid user ranjit from 141.85.224.117 port 49395
sshd[20148]: input_userauth_request: invalid user ranjit [preauth]
sshd[20148]: Received disconnect from 141.85.224.117 port 49395:11: Bye Bye [preauth]
sshd[20148]: Disconnected from 141.85.224.117 port 49395 [preauth]
sshd[20151]: Invalid user ranjit from 167.99.54.4 port 38536
sshd[20151]: input_userauth_request: invalid user ranjit [preauth]
sshd[20151]: Received disconnect from 167.99.54.4 port 38536:11: Bye Bye [preauth]
sshd[20151]: Disconnected from 167.99.54.4 port 38536 [preauth]
So, which IPs are eager to reach my shell?
$ fgrep Disconnect /var/log/auth.log | egrep '\[preauth\]' | cut -d ' ' -f 9 | sort
And how many of them?
$ fgrep Disconnect /var/log/auth.log | egrep '\[preauth\]' | cut -d ' ' -f 9 | sort | uniq | wc -l
1781
Short story long:
fgrep, or grep -F, searches a file for a fixed string; the syntax is fgrep {string} {file}
egrep is actually grep -E; it lets you search for strings using regular expressions (regexps)
cut prints just the selected field(s). What is a field? A field is a string between two delimiters. The delimiter is '\t', the TAB character, by default, but you can change it using the '-d' option. And yes, '-f' tells cut which field to print out.
sort will take all the input strings and sort them in ascending (the default) or descending (with the '-r' option) order
uniq will leave only unique strings in the output (it only collapses adjacent duplicates, which is why the input is sorted first).
wc stands for 'word count'. As I prefer lines to words, I use the '-l' option
And all the output flows through the pipes, denoted as '|'
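The same pipeline, as an added example that is not part of the original post, run against a few constructed auth.log lines (the full syslog prefix is included, as it appears on disk). Two points from the explanation above are worth seeing concretely: the fixed field number 9 only lands on the IP when syslog pads a single-digit day with two spaces (cut sees the double space as an extra empty field), so a pattern match on "Disconnected from <ip>" is more robust; and a per-IP hit count (uniq -c) tells a defender which sources are actually hammering the host. Function names and the sample log are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the post): count the source IPs behind pre-auth SSH disconnects.
# SAMPLE_LOG is constructed: note the mix of single-digit ("Jan  5") and
# double-digit ("Jan 15") days, which is what breaks a fixed cut field number.
SAMPLE_LOG="$(cat <<'EOF'
Jan  5 10:01:02 host sshd[20117]: Invalid user pi from 142.93.118.186 port 50416
Jan  5 10:01:02 host sshd[20117]: Received disconnect from 142.93.118.186 port 50416:11: Bye Bye [preauth]
Jan  5 10:01:02 host sshd[20117]: Disconnected from 142.93.118.186 port 50416 [preauth]
Jan 15 10:02:03 host sshd[20119]: Disconnected from 5.189.227.161 port 39772 [preauth]
Jan 15 10:02:05 host sshd[20121]: Disconnected from 208.68.37.169 port 42858 [preauth]
Jan 15 10:02:09 host sshd[20151]: Disconnected from 5.189.227.161 port 38536 [preauth]
Jan 15 10:03:00 host sshd[19857]: pam_unix(sshd:session): session closed for user admin
EOF
)"

# The post's approach: fixed field position. grep -F is fgrep, grep -E is egrep.
# "Disconnect" (capital D) only matches the "Disconnected from" lines, because
# grep is case-sensitive; the "Received disconnect" lines are skipped.
# For the "Jan 15" lines field 9 is the word "port", not the IP.
ips_by_cut() {
    printf '%s\n' "$SAMPLE_LOG" | grep -F Disconnect | grep -E '\[preauth\]' \
        | cut -d ' ' -f 9 | sort | uniq
}

# Robust approach: match on the message text itself, so the timestamp layout
# is irrelevant. grep -o prints only the matching part ("from 1.2.3.4").
# One line of output per pre-auth disconnect; duplicates are kept on purpose.
preauth_ips() {
    printf '%s\n' "$SAMPLE_LOG" \
        | grep -E 'Disconnected from .*\[preauth\]' \
        | grep -oE 'from [0-9]+(\.[0-9]+){3}' \
        | cut -d ' ' -f 2
}

# Distinct attacking IPs (sort -u is sort | uniq in one step).
unique_ips() {
    preauth_ips | sort -u
}

# How many distinct IPs? tr strips the leading blanks some wc builds emit.
count_unique_ips() {
    unique_ips | wc -l | tr -d ' '
}

# Hit count per IP, busiest first: uniq -c needs sorted input, then sort -rn
# orders by the numeric count descending.
top_sources() {
    preauth_ips | sort | uniq -c | sort -rn
}

echo "fixed-field result (note the stray 'port'):"
ips_by_cut
echo "distinct sources: $(count_unique_ips)"
top_sources
```

On a real system replace the printf of SAMPLE_LOG with cat /var/log/auth.log; everything after the first pipe stays the same. For this sample, ips_by_cut yields two lines ("142.93.118.186" and "port") while the pattern-based count correctly reports 3 distinct sources, with 5.189.227.161 at the top of the hit list.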