How to retrieve IP addresses of possible ssh attackers?

You could use something like this:

grep "Failed password for" /var/log/auth.log | grep -Po "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" \
| sort | uniq -c

It greps for the string "Failed password for" and extracts (-o) the IP address. It is sorted, and uniq counts the number of occurrences.

The output would then look like this (with your example as input file):

  1 111.111.111.1
  3 111.11.111.111
  6 111.111.11.111

The last one in the output has tried 6 times.
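
A stricter variant of the pipeline above, as an added example that is not part of the original answer: it takes the address only from the trailing "from <addr> port" that sshd appends, so IP-like text in the client-supplied user name is not counted, and it honours rsyslog's "message repeated N times" lines. The function names and the sample log lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example. Usage on a real log: count_failed_ssh /var/log/auth.log

# Constructed sample lines (documentation address ranges, hypothetical host).
sample_log() {
    cat <<'EOF'
Mar  3 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 40022 ssh2
Mar  3 10:00:03 host sshd[1001]: message repeated 2 times: [ Failed password for root from 203.0.113.7 port 40022 ssh2]
Mar  3 10:00:09 host sshd[1002]: Failed password for invalid user 10.0.0.1 from 198.51.100.4 port 51514 ssh2
Mar  3 10:00:12 host sshd[1003]: Accepted password for alice from 192.0.2.10 port 50000 ssh2
Mar  3 10:00:15 host sshd[1004]: Failed password for invalid user admin from 198.51.100.4 port 51520 ssh2
EOF
}

# Print "<count> <ip>" per source IPv4 address, highest count first.
# Reads the files given as arguments, or stdin when there are none.
count_failed_ssh() {
    awk '
    /Failed password for / {
        # Use the LAST "from <addr> port" triple: sshd appends it after the
        # client-supplied user name, so look-alike text earlier is ignored.
        ip = ""
        for (i = 1; i < NF; i++)
            if ($i == "from" && $(i + 2) == "port") ip = $(i + 1)
        # IPv4 only, like the original pipeline.
        if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next

        # rsyslog may collapse duplicates into "message repeated N times: [ ... ]".
        # Only look in front of the sshd message itself.
        n = 1
        for (i = 1; i < NF; i++) {
            if ($i == "Failed" && $(i + 1) == "password") break
            if ($i == "repeated" && $(i + 2) == "times:" && $(i + 1) ~ /^[0-9]+$/)
                n = $(i + 1)
        }
        count[ip] += n
    }
    END { for (ip in count) print count[ip], ip }
    ' "$@" | sort -k1,1nr -k2,2
}

# Demonstration on the constructed sample.
sample_log | count_failed_ssh
```

On the sample, the original `grep -Po` pipeline would also list 10.0.0.1, which is a user name and not a source address, and would count the collapsed "repeated 2 times" line only once.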


It might be a bloated solution, but I suggest you look at installing something like Fail2Ban.

It is made for this kind of logging + adds the bonus of being able to add (temporary) rules in your firewall to block repeating offenders. Be sure to whitelist your own IPs though; I managed to lock myself out temporarily on a few occasions.