How to retrieve IP addresses of possible ssh attackers?
You could use something like this:
grep "Failed password for" /var/log/auth.log | grep -Po "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" \
| sort | uniq -c
It greps for the string "Failed password for" and extracts (-o) the IP address. It is sorted, and uniq counts the number of occurrences.
The output would then look like this (with your example as input file):
1 111.111.111.1
3 111.11.111.111
6 111.111.11.111
The last one in the output has tried 6 times.
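An added example, not part of the answers on this page: a variant of the pipeline above that takes the source address from the "from <address> port" field of each sshd line, so an address-like string in the client-supplied username is not counted and IPv6 sources are included. The function names and the sample log lines (documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example: count failed SSH password attempts per source address.

# Constructed sample input; the fourth line carries a username that looks
# like an IP address, which a bare dotted-quad grep would also count.
sample_log() {
    cat <<'EOF'
Jan 10 10:00:01 srv sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan 10 10:00:03 srv sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan 10 10:00:09 srv sshd[1002]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Jan 10 10:00:12 srv sshd[1003]: Failed password for invalid user 192.0.2.99 from 203.0.113.5 port 40040 ssh2
Jan 10 10:00:15 srv sshd[1004]: Accepted password for alice from 192.0.2.10 port 40050 ssh2
EOF
}

# $1: path to an auth log. Prints "<count> <address>", highest count first.
failed_ssh_ips() {
    awk '
        /sshd\[[0-9]+\]:/ && /Failed password for / {
            # Scan from the end of the line: the real source address is the
            # token after the LAST "from"; anything earlier is username text.
            for (i = NF; i > 1; i--) {
                if ($(i - 1) == "from") { count[$i]++; break }
            }
        }
        END { for (ip in count) print count[ip], ip }
    ' "$1" | LC_ALL=C sort -k1,1nr -k2,2
}

# Run against a real log when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    failed_ssh_ips "$1"
fi
```

On the sample, 192.0.2.99 (the username) and 192.0.2.10 (a successful login) do not appear in the result.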
It might be a bloated solution, but I suggest you look at installing something like Fail2Ban.
It is made for this kind of logging + adds the bonus of being able to add (temporary) rules in your firewall to block repeating offenders. Be sure to whitelist your own IPs though; I managed to lock myself out temporarily on a few occasions.