
Okay guys, the log is filling with

sshd[20117]: Invalid user pi from port 50416
sshd[20117]: input_userauth_request: invalid user pi [preauth]
sshd[20117]: Received disconnect from port 50416:11: Bye Bye [preauth]
sshd[20117]: Disconnected from port 50416 [preauth]
sshd[20119]: Invalid user cubie from port 39772
sshd[20119]: input_userauth_request: invalid user cubie [preauth]
sshd[20119]: Received disconnect from port 39772:11: Bye Bye [preauth]
sshd[20119]: Disconnected from port 39772 [preauth]
sshd[20121]: Invalid user guest from port 42858
sshd[20121]: input_userauth_request: invalid user guest [preauth]
sshd[20121]: Received disconnect from port 42858:11: Bye Bye [preauth]
sshd[20121]: Disconnected from port 42858 [preauth]
sshd[20124]: Invalid user toclub from port 51160
sshd[20124]: input_userauth_request: invalid user toclub [preauth]
sshd[20124]: Received disconnect from port 51160:11: Bye Bye [preauth]
sshd[20124]: Disconnected from port 51160 [preauth]
sshd[20131]: Invalid user sftptest from port 57482
sshd[20131]: input_userauth_request: invalid user sftptest [preauth]
sshd[20131]: Received disconnect from port 57482:11: Bye Bye [preauth]
sshd[20131]: Disconnected from port 57482 [preauth]
sshd[20144]: Invalid user peer from port 36372
sshd[20144]: input_userauth_request: invalid user peer [preauth]
sshd[20144]: Received disconnect from port 36372:11: Bye Bye [preauth]
sshd[20144]: Disconnected from port 36372 [preauth]
sshd[19857]: pam_unix(sshd:session): session closed for user admin
sshd[20148]: Invalid user ranjit from port 49395
sshd[20148]: input_userauth_request: invalid user ranjit [preauth]
sshd[20148]: Received disconnect from port 49395:11: Bye Bye [preauth]
sshd[20148]: Disconnected from port 49395 [preauth]
sshd[20151]: Invalid user ranjit from port 38536
sshd[20151]: input_userauth_request: invalid user ranjit [preauth]
sshd[20151]: Received disconnect from port 38536:11: Bye Bye [preauth]
sshd[20151]: Disconnected from port 38536 [preauth]

So, which IPs are eager to reach my shell?

$ fgrep Disconnect /var/log/auth.log | egrep '\[preauth\]' | cut -d ' ' -f 9 | sort

And how many of them?

$ fgrep Disconnect /var/log/auth.log | egrep '\[preauth\]' | cut -d ' ' -f 9 | sort | uniq | wc -l

Short story long:

fgrep, or grep -F, searches a file for a fixed string (no regular expressions); the syntax is fgrep {string} {file}

egrep is actually grep -E; it allows searching for strings using regular expressions (regexps). Note that the square brackets in '[preauth]' are regexp metacharacters, so they have to be escaped (or the pattern quoted) to be matched literally.

cut prints just the selected field(s). What is a field? A field is a string between two delimiters. The delimiter is '\t' (the TAB symbol) by default, but you can change it using the '-d' option. And yes, '-f' tells it which field to print out.

sort will take all the input strings and sort them in ascending (the default) or descending (using the '-r' option) order

uniq will leave only unique strings in the output. It only collapses adjacent duplicates, which is why the input has to be sorted first.

wc stands for 'word count'. As I prefer lines to words, I use the '-l' option

And all the output flows through the pipes, denoted as '|'
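The same analysis as an added example (not code from the original post), run over constructed sample lines that use documentation addresses. It picks the address out by pattern instead of by column number, because a single-digit day ("Nov  3") adds a second space and shifts every field that cut -d ' ' counts, and it also shows how many attempts each address made and which usernames it tried.

```shell
#!/bin/sh
# Added example, not from the original post. The log below is constructed
# (RFC 5737 documentation addresses) and written to a temp file so the
# functions can be run exactly as the page's pipeline is.

SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Nov  3 04:12:01 host sshd[20117]: Invalid user pi from 198.51.100.7 port 50416
Nov  3 04:12:01 host sshd[20117]: Disconnected from 198.51.100.7 port 50416 [preauth]
Nov  3 04:12:05 host sshd[20119]: Invalid user cubie from 198.51.100.7 port 39772
Nov  3 04:12:05 host sshd[20119]: Disconnected from 198.51.100.7 port 39772 [preauth]
Nov 12 09:30:44 host sshd[20121]: Invalid user guest from 203.0.113.42 port 42858
Nov 12 09:30:44 host sshd[20121]: Disconnected from 203.0.113.42 port 42858 [preauth]
Nov 12 09:31:10 host sshd[19857]: pam_unix(sshd:session): session closed for user admin
Nov 12 09:31:10 host sshd[19857]: Disconnected from 192.0.2.9 port 41000
Nov 12 09:32:00 host sshd[20148]: Invalid user ranjit from 192.0.2.200 port 49395
Nov 12 09:32:00 host sshd[20148]: Disconnected from 192.0.2.200 port 49395 [preauth]
EOF

# One line per pre-auth disconnect: the source address only. The address is
# located by pattern ("from a.b.c.d"), so padded dates cannot shift it.
preauth_sources() {
    grep -F 'Disconnected from' "$1" | grep -F '[preauth]' \
        | grep -oE 'from [0-9]+(\.[0-9]+){3}' | cut -d ' ' -f 2
}

# Attempts per address, busiest first (uniq -c only counts adjacent
# duplicates, hence the sort in front of it).
attempts_per_source() {
    preauth_sources "$1" | sort | uniq -c | sort -rn
}

# Number of distinct addresses that reached the pre-auth stage.
unique_sources() {
    preauth_sources "$1" | sort -u | wc -l | tr -d ' '
}

# Usernames probed from one address. awk splits on runs of whitespace,
# so "Nov  3" and "Nov 12" both put the username in field 8.
users_tried_by() {
    grep -E "Invalid user .* from $2 port" "$1" | awk '{print $8}' | sort -u
}

attempts_per_source "$SAMPLE_LOG"
unique_sources "$SAMPLE_LOG"
```

The session-close line for the admin user has no [preauth] tag and is correctly left out of the count.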