Re: grepping the access log for hacker evidence

2010-04-14 Thread Solor Vox
Hi Paul,

Logwatch might be of some help here. It's designed to report those
types of things in a summary, but you can change the detail level to
get more out of the report.  Most settings will be installed in
/etc/logwatch.conf and /etc/logwatch(.d) or similar.  And it's just a
set of perl scripts, so you can always dig in the code if needed.

Cheers,
sV

On 15 April 2010 12:08, Paul Swafford wrote:
> Hi there!
>
> Basically what I'd like is to extract date / time / IP address from the log
> where a user has made a failed attempt.
>
> This is what I have tried... but it's a bit too much info ..
>
> grep "authentication failure" /var/log/secure | awk '{print $0"-" $1 "-" $2
> "-->" $12 "->" $14 "->" $15}' | cut -b7-  | sort | uniq -c > hack.log
>
>
> Any hints / tips ?
>
> .. thanks in advance
>
> Paul
>


Re: grepping the access log for hacker evidence

2010-04-14 Thread Steve Holdoway
On Thu, 2010-04-15 at 12:08 +1200, Paul Swafford wrote:
> Hi there!
> 
> Basically what I'd like is to extract date / time / IP address from the 
> log where a user has made a failed attempt.
> 
> This is what I have tried... but it's a bit too much info ..
> 
> grep "authentication failure" /var/log/secure | awk '{print $0"-" $1 "-" 
> $2 "-->" $12 "->" $14 "->" $15}' | cut -b7-  | sort | uniq -c > hack.log
> 
> 
> Any hints / tips ?
> 
> .. thanks in advance
> 
> Paul
Which logs? I don't use secure, but it would be best to look for
specific (e.g. ssh, http) hacks.

Cheers,

Steve

-- 
Steve Holdoway 
http://www.greengecko.co.nz
MSN: st...@greengecko.co.nz
Skype: sholdowa




Re: grepping the access log for hacker evidence

2010-04-14 Thread Jim Cheetham
On Thu, Apr 15, 2010 at 12:08 PM, Paul Swafford wrote:
> Basically what I'd like is to extract date / time / IP address from the log
> where a user has made a failed attempt.
>
> This is what I have tried... but it's a bit too much info ..
>
> grep "authentication failure" /var/log/secure | awk '{print $0"-" $1 "-" $2
> "-->" $12 "->" $14 "->" $15}' | cut -b7-  | sort | uniq -c > hack.log

Install DenyHosts or Fail2Ban :-)

How about you show us a sample log entry that you're trying to locate
... not everyone has the same logs ...
Also, what info do you really need to extract, and why?
So ... what are fields 0, 1, 2, 12, 14 and 15, and why do you want them? Why do
you want them sorted into order? If you don't want the first 6 bytes
(not characters?), why are you asking awk to print them, etc. etc.

Here's an Ubuntu auth.log entry :-
Apr 12 10:49:36 encode sshd[4894]: Failed password for root from 210.17.251.159 port 54129 ssh2
# grep "Failed password for" /var/log/auth.log | awk '{print $11, $9}'
210.17.251.159 root
210.17.251.159 root
...

-jim
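As an added example (not code from anyone in this thread), here is a small parser that does the extraction both Paul's pipeline and Jim's awk one-liner are reaching for, over a constructed sample log. It handles the two line shapes seen in the thread: sshd's own "Failed password for ... from ..." line (Jim's auth.log entry) and the pam_unix "authentication failure; ... rhost=... user=..." line that Paul's `$12 $14 $15` fields land on in /var/log/secure. The log lines are made up; the IP 192.0.2.7 and hostnames are placeholders. It also shows why fixed awk field numbers are fragile: when sshd logs "Failed password for invalid user admin from ...", the extra two words shift `$9` and `$11`, so `awk '{print $11, $9}'` prints "admin invalid" instead of an address and a user.

```python
"""Extract failed-login events (date/time, host, source IP, user) from
syslog-style sshd / pam_unix lines and count them per source address.
Added example for this thread, not the list members' own code."""
import re
from collections import Counter

# Constructed sample log (not from the thread). Line 1 is the shape Jim
# showed; line 2 is the "invalid user" variant that shifts awk's field
# numbers; line 3 is the pam_unix shape assumed for /var/log/secure (the
# fields Paul's $12/$14/$15 land on); line 5 is a success, to be ignored.
SAMPLE_LOG = """\
Apr 12 10:49:36 encode sshd[4894]: Failed password for root from 210.17.251.159 port 54129 ssh2
Apr 12 10:49:40 encode sshd[4897]: Failed password for invalid user admin from 210.17.251.159 port 54210 ssh2
Apr 12 10:50:02 encode sshd[4901]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.7  user=root
Apr 12 10:50:05 encode sshd[4901]: Failed password for root from 192.0.2.7 port 40112 ssh2
Apr 12 10:51:10 encode sshd[4910]: Accepted publickey for deploy from 198.51.100.4 port 51000 ssh2
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message".
# There is no year in this format, so the date is only as precise as
# your log rotation lets it be.
SYSLOG_PREFIX = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) (?P<prog>[^\s\[:]+)(?:\[\d+\])?: (?P<msg>.*)$')

# sshd's own failure line. "invalid user " is optional, which is exactly
# what breaks fixed awk field numbers.
SSHD_FAILED = re.compile(
    r'^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+')

# pam_unix failure line as written to /var/log/secure or auth.log
# (assumed format; rhost= or user= may be empty).
PAM_FAILED = re.compile(
    r'authentication failure;.*\brhost=(?P<ip>\S*).*\buser=(?P<user>\S*)')


def parse_failures(text):
    """Return one dict per failed attempt: ts, host, ip, user, source."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_PREFIX.match(line)
        if not m:
            continue  # not a syslog line we understand: skip, don't crash
        msg = m.group('msg')
        hit = SSHD_FAILED.match(msg)
        source = 'sshd'
        if not hit:
            hit = PAM_FAILED.search(msg)
            source = 'pam_unix'
        if not hit:
            continue  # successes and unrelated messages
        events.append({
            'ts': m.group('ts'), 'host': m.group('host'),
            'ip': hit.group('ip') or '-', 'user': hit.group('user') or '-',
            'source': source,
        })
    return events


def count_by_ip(events, source='sshd'):
    """Attempts per source IP. Where sshd authenticates through PAM, one
    failed attempt commonly produces BOTH an sshd line and a pam_unix
    line, so count one source only to avoid double counting."""
    return Counter(e['ip'] for e in events if e['source'] == source)


def awk_fields(line, *nums):
    """What `awk '{print $a, $b}'` emits for this line (1-based fields,
    whitespace-split); shows why fixed field numbers are fragile."""
    fields = line.split()
    return tuple(fields[n - 1] if n <= len(fields) else '' for n in nums)


if __name__ == '__main__':
    evs = parse_failures(SAMPLE_LOG)
    for e in evs:
        print(f"{e['ts']} {e['ip']:>16} {e['user']:<8} ({e['source']})")
    for ip, n in count_by_ip(evs).most_common():
        print(f"{n:5d} {ip}")
    lines = SAMPLE_LOG.splitlines()
    print(awk_fields(lines[0], 11, 9))  # ('210.17.251.159', 'root')
    print(awk_fields(lines[1], 11, 9))  # ('admin', 'invalid')
```

To run it against a real file, replace `SAMPLE_LOG` with the contents of /var/log/secure or /var/log/auth.log; anything the two patterns don't match (including the success line above) is skipped rather than mis-parsed. Pick one source for counting, since a host whose sshd goes through PAM will otherwise report each attempt twice.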


grepping the access log for hacker evidence

2010-04-14 Thread Paul Swafford

Hi there!

Basically what I'd like is to extract date / time / IP address from the 
log where a user has made a failed attempt.


This is what I have tried... but it's a bit too much info ..

grep "authentication failure" /var/log/secure | awk '{print $0"-" $1 "-" 
$2 "-->" $12 "->" $14 "->" $15}' | cut -b7-  | sort | uniq -c > hack.log



Any hints / tips ?

.. thanks in advance

Paul