Okay guys, the log is filling with

sshd[20117]: Invalid user pi from 142.93.118.186 port 50416
sshd[20117]: input_userauth_request: invalid user pi [preauth]
sshd[20117]: Received disconnect from 142.93.118.186 port 50416:11: Bye Bye [preauth]
sshd[20117]: Disconnected from 142.93.118.186 port 50416 [preauth]
sshd[20119]: Invalid user cubie from 5.189.227.161 port 39772
sshd[20119]: input_userauth_request: invalid user cubie [preauth]
sshd[20119]: Received disconnect from 5.189.227.161 port 39772:11: Bye Bye [preauth]
sshd[20119]: Disconnected from 5.189.227.161 port 39772 [preauth]
sshd[20121]: Invalid user guest from 208.68.37.169 port 42858
sshd[20121]: input_userauth_request: invalid user guest [preauth]
sshd[20121]: Received disconnect from 208.68.37.169 port 42858:11: Bye Bye [preauth]
sshd[20121]: Disconnected from 208.68.37.169 port 42858 [preauth]
sshd[20124]: Invalid user toclub from 217.37.108.89 port 51160
sshd[20124]: input_userauth_request: invalid user toclub [preauth]
sshd[20124]: Received disconnect from 217.37.108.89 port 51160:11: Bye Bye [preauth]
sshd[20124]: Disconnected from 217.37.108.89 port 51160 [preauth]
sshd[20131]: Invalid user sftptest from 212.29.234.250 port 57482
sshd[20131]: input_userauth_request: invalid user sftptest [preauth]
sshd[20131]: Received disconnect from 212.29.234.250 port 57482:11: Bye Bye [preauth]
sshd[20131]: Disconnected from 212.29.234.250 port 57482 [preauth]
sshd[20144]: Invalid user peer from 92.135.28.247 port 36372
sshd[20144]: input_userauth_request: invalid user peer [preauth]
sshd[20144]: Received disconnect from 92.135.28.247 port 36372:11: Bye Bye [preauth]
sshd[20144]: Disconnected from 92.135.28.247 port 36372 [preauth]
sshd[19857]: pam_unix(sshd:session): session closed for user admin
sshd[20148]: Invalid user ranjit from 141.85.224.117 port 49395
sshd[20148]: input_userauth_request: invalid user ranjit [preauth]
sshd[20148]: Received disconnect from 141.85.224.117 port 49395:11: Bye Bye [preauth]
sshd[20148]: Disconnected from 141.85.224.117 port 49395 [preauth]
sshd[20151]: Invalid user ranjit from 167.99.54.4 port 38536
sshd[20151]: input_userauth_request: invalid user ranjit [preauth]
sshd[20151]: Received disconnect from 167.99.54.4 port 38536:11: Bye Bye [preauth]
sshd[20151]: Disconnected from 167.99.54.4 port 38536 [preauth]

So, which IPs are eager to reach my shell?

$ fgrep Disconnect /var/log/auth.log | egrep '\[preauth\]' | cut -d ' ' -f 9 | sort

And how many of them?

$ fgrep Disconnect /var/log/auth.log | egrep '\[preauth\]' | cut -d ' ' -f 9 | sort | uniq | wc -l
1781

Short story long:

fgrep is the same as grep -F: it searches a file for a fixed string, so characters like [ and . are taken literally. The syntax is fgrep {string} {file}. (Do not confuse it with grep -f, which reads its patterns from a file.)

egrep is grep -E: it searches for strings using extended regular expressions (regexps). That is also why the pattern has to be quoted and the brackets escaped: unquoted, [preauth] is a character class matching any single one of the letters p, r, e, a, u, t, h, and the shell may even expand it as a glob if a file with a matching name exists in the current directory. GNU grep 3.8 and later also warn that fgrep and egrep are obsolescent, so use grep -F and grep -E in scripts.

cut prints just the selected field(s). What is a field? A field is a string between two delimiters. The delimiter is '\t', the TAB character, by default, but you can change it with the '-d' option. And yes, '-f' tells it which field(s) to print out: -f 9 is the ninth space-separated field, which is where the address lands once the syslog prefix (date, time, host, sshd[pid]:) is counted in. Two caveats: cut does not merge consecutive delimiters, so a single-digit day written as "Oct  5" contains an empty field and shifts everything by one compared with "Oct 12"; and the field number depends on the log format of your distribution. If words like "port" show up instead of addresses, count from the end instead, e.g. awk '{print $(NF-3)}', which splits on runs of whitespace and is not affected by the padding.

sort takes all the input lines and sorts them in ascending (the default) or descending (with the '-r' option) order.

uniq leaves only unique lines in the output. It only collapses adjacent duplicates, which is why the input is sorted first; sort -u does both steps in one.

wc stands for 'word count'. As I prefer lines to words, I use the '-l' option.

And all the output flows through the pipes, denoted as '|': each command's standard output becomes the next command's standard input.
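As an added example that is not part of the original post, here is the same pipeline wrapped in shell functions and run over a small constructed auth.log excerpt (the IPs and usernames mirror the excerpt above; the timestamps, the hostname and the trailing "admin" session line are made up). It keeps the post's cut -f 9 variant next to an awk version that counts fields from the end, so you can see why the field number is fragile, and it also tallies which usernames are being guessed. The function names and the script name are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): the post's pipeline as shell
# functions, run over a constructed auth.log excerpt.
# Sample lines are constructed: IPs/usernames mirror the post, the rest is made up.

make_sample_log() {
  # Write the constructed excerpt to the file named in $1.
  # "Oct  5" (single-digit day) is padded with two spaces, as syslog does.
  cat > "$1" <<'EOF'
Oct  5 10:01:02 host sshd[20117]: Invalid user pi from 142.93.118.186 port 50416
Oct  5 10:01:02 host sshd[20117]: Received disconnect from 142.93.118.186 port 50416:11: Bye Bye [preauth]
Oct  5 10:01:02 host sshd[20117]: Disconnected from 142.93.118.186 port 50416 [preauth]
Oct 12 10:02:03 host sshd[20119]: Invalid user cubie from 5.189.227.161 port 39772
Oct 12 10:02:03 host sshd[20119]: Disconnected from 5.189.227.161 port 39772 [preauth]
Oct 12 10:02:09 host sshd[20121]: Invalid user guest from 5.189.227.161 port 39801
Oct 12 10:02:09 host sshd[20121]: Disconnected from 5.189.227.161 port 39801 [preauth]
Oct 12 10:03:00 host sshd[20124]: Invalid user pi from 208.68.37.169 port 42858
Oct 12 10:03:00 host sshd[20124]: Disconnected from 208.68.37.169 port 42858 [preauth]
Oct 12 10:04:00 host sshd[19857]: pam_unix(sshd:session): session closed for user admin
Oct 12 10:04:00 host sshd[19857]: Disconnected from user admin 10.0.0.5 port 50000
EOF
}

# Unique source addresses of sessions dropped before authentication.
# grep -F takes the pattern literally, so the brackets need no escaping.
# awk counts fields from the end ("IP port NNNN [preauth]"), so the result
# does not depend on how many fields the syslog prefix occupies.
preauth_ips() {
  grep -F 'Disconnected from' "$1" | grep -F '[preauth]' \
    | awk '{ print $(NF-3) }' | sort -u
}

# How many distinct addresses that is (the post's "| sort | uniq | wc -l").
count_preauth_ips() {
  preauth_ips "$1" | awk 'END { print NR }'
}

# The post's cut -d ' ' -f 9 variant, kept to show the pitfall: cut does not
# merge consecutive spaces, so "Oct  5" and "Oct 12" put the IP in different
# fields and the word "port" leaks into the output for double-digit days.
naive_field9() {
  grep -F 'Disconnected from' "$1" | grep -F '[preauth]' \
    | cut -d ' ' -f 9 | sort -u
}

# Which usernames are being guessed, most frequent first.
# "Invalid user NAME from IP port NNNN": NAME is four fields from the end.
invalid_user_counts() {
  grep -F 'Invalid user' "$1" | awk '{ print $(NF-4) }' \
    | sort | uniq -c | sort -rn
}

# The single most-guessed username (second column of "count name").
top_invalid_user() {
  invalid_user_counts "$1" | head -n 1 | awk '{ print $2 }'
}

# Usage: sh ssh_preauth.sh [/var/log/auth.log]
# Without an argument the constructed sample is used.
if [ "$#" -gt 0 ]; then
  log=$1
else
  log=$(mktemp)
  make_sample_log "$log"
fi
echo "unique pre-auth source IPs: $(count_preauth_ips "$log")"
preauth_ips "$log"
echo "most guessed usernames:"
invalid_user_counts "$log"
[ "$#" -gt 0 ] || rm -f "$log"
```

Run it as `sh ssh_preauth.sh /var/log/auth.log` (reading that file usually needs root or membership of the adm group). On the sample, the awk version reports three addresses, while `naive_field9` returns one address plus the word "port", which is exactly what the cut pitfall looks like on a real log that spans both single- and double-digit days.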