Re: grepping the access log for hacker evidence
Hi Paul,

Logwatch might be of some help here. It's designed to report those types of things in a summary, but you can change the detail level to get more out of the report. Most settings will be installed in /etc/logwatch.conf and /etc/logwatch(.d) or similar. And it's just a set of perl scripts, so you can always dig into the code if needed.

Cheers,
sV

On 15 April 2010 12:08, Paul Swafford wrote:
> Hi there!
>
> Basically what I'd like is to extract date / time / ip address from the log
> where a user has made a failed attempt.
>
> This is what I have tried... but it's a bit too much info ..
>
> grep "authentication failure" /var/log/secure | awk '{print $0"-" $1 "-" $2 "-->" $12 "->" $14 "->" $15}' | cut -b7- | sort | uniq -c > hack.log
>
> Any hints / tips ?
>
> .. thanks in advance
>
> Paul
Re: grepping the access log for hacker evidence
On Thu, 2010-04-15 at 12:08 +1200, Paul Swafford wrote:
> Hi there!
>
> Basically what I'd like is to extract date / time / ip address from the
> log where a user has made a failed attempt.
>
> This is what I have tried... but it's a bit too much info ..
>
> grep "authentication failure" /var/log/secure | awk '{print $0"-" $1 "-" $2 "-->" $12 "->" $14 "->" $15}' | cut -b7- | sort | uniq -c > hack.log
>
> Any hints / tips ?
>
> .. thanks in advance
>
> Paul

Which logs? I don't use secure, but it would be best to look for specific (e.g. ssh, http) hacks.

Cheers,

Steve
--
Steve Holdoway http://www.greengecko.co.nz
MSN: st...@greengecko.co.nz
Skype: sholdowa
Re: grepping the access log for hacker evidence
On Thu, Apr 15, 2010 at 12:08 PM, Paul Swafford wrote:
> Basically what I'd like is to extract date / time / ip address from the log
> where a user has made a failed attempt.
>
> This is what I have tried... but it's a bit too much info ..
>
> grep "authentication failure" /var/log/secure | awk '{print $0"-" $1 "-" $2 "-->" $12 "->" $14 "->" $15}' | cut -b7- | sort | uniq -c > hack.log

Install DenyHosts or Fail2Ban :-)

How about you show us a sample log entry that you're trying to locate ... not everyone has the same logs ...

Also, what info do you really need to extract, and why? So ... what are fields 0 1 2 12 14 15 and why do you want them? Why do you want them sorted into order? If you don't want the first 6 bytes (not characters?) why are you asking awk to print them, etc etc.

Here's an Ubuntu auth.log entry :-

Apr 12 10:49:36 encode sshd[4894]: Failed password for root from 210.17.251.159 port 54129 ssh2

# grep "Failed password for" /var/log/auth.log|awk '{print $11, $9}'
210.17.251.159 root
210.17.251.159 root
...

-jim
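An added example, not posted by anyone in this thread: a small Python script that does what Jim's awk one-liner does for the Ubuntu sshd "Failed password" line and also handles the pam_unix "authentication failure" lines that Paul's grep hits in /var/log/secure, matching on field names (from, rhost=, user=) rather than positional $9/$11/$12 so the result does not depend on field counts. The first sample line is Jim's; the other lines are constructed, using the 192.0.2.0/24 documentation range.

```python
import re
from collections import Counter

# Syslog prefix shared by both line types: timestamp, host, program[pid]:
PREFIX = (r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
          r"(?P<host>\S+) (?P<prog>[\w.-]+)\[\d+\]: ")

# sshd's own failure line (Jim's auth.log example). "invalid user " is
# present only when the account does not exist on the box.
FAILED_PW = re.compile(PREFIX + r"Failed password for (?:invalid user )?"
                       r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

# pam_unix failure line, the one grep "authentication failure" finds in
# /var/log/secure. rhost= and user= may be empty, so match them loosely.
PAM_FAIL = re.compile(PREFIX + r"pam_unix\([^)]*\): authentication failure;"
                      r".*\brhost=(?P<ip>\S*)(?:\s+user=(?P<user>\S+))?")

# Constructed sample input (only the first line is from the thread).
SAMPLE_LOG = """\
Apr 12 10:49:36 encode sshd[4894]: Failed password for root from 210.17.251.159 port 54129 ssh2
Apr 12 10:49:40 encode sshd[4897]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2
Apr 12 10:50:01 encode sshd[4901]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
Apr 12 10:50:05 encode sshd[4910]: Accepted publickey for paul from 192.0.2.20 port 50000 ssh2
""".splitlines()


def parse_failures(lines):
    """One record (timestamp, source ip, user) per failed-login line; other lines are skipped."""
    records = []
    for line in lines:
        for pattern in (FAILED_PW, PAM_FAIL):
            m = pattern.match(line)
            if m:
                records.append({"ts": m.group("ts"),
                                "ip": m.group("ip") or "-",
                                "user": m.group("user") or "-"})
                break  # one record per line
    return records


def count_by_ip(records):
    """Failures per source address, i.e. what Paul's sort | uniq -c was after.
    Note: one attempt can log both a pam_unix and a sshd line, so counts
    from a real auth.log can be roughly double the attempts."""
    return Counter(r["ip"] for r in records)


if __name__ == "__main__":
    recs = parse_failures(SAMPLE_LOG)
    for r in recs:
        print(f'{r["ts"]}  {r["ip"]:15}  {r["user"]}')
    for ip, n in count_by_ip(recs).most_common():
        print(f"{n:7d} {ip}")
```

Feed a real log with `parse_failures(open("/var/log/auth.log"))` in place of SAMPLE_LOG.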
grepping the access log for hacker evidence
Hi there!

Basically what I'd like is to extract date / time / ip address from the log where a user has made a failed attempt.

This is what I have tried... but it's a bit too much info ..

grep "authentication failure" /var/log/secure | awk '{print $0"-" $1 "-" $2 "-->" $12 "->" $14 "->" $15}' | cut -b7- | sort | uniq -c > hack.log

Any hints / tips ?

.. thanks in advance

Paul