Test environment: Ubuntu Server 12.04
Checking the system log for failed login attempts
grep "Failed password for root" /var/log/auth* | awk '{print $11}' | sort | uniq -c | sort -nr | more
Explanation of the pipeline:
grep "Failed password for root" /var/log/auth* |
# pull every failed root login record out of the files whose names start with auth
awk '{print $11}' |
# extract the source IP (field 11, e.g. 127.0.0.1)
sort |
# sort so identical IPs are adjacent
uniq -c |
# count how many times each IP appears
sort -nr |
# sort by count, highest first
more
The command above produces output like the following:
647 117.21.208.26
153 93.62.48.179
74 219.153.1.229
44 207.106.176.182
13 210.107.122.210
9 192.168.119.59
6 61.147.70.110
2 192.168.112.11
The first column is the number of failures, the second is the source IP.
Use: grep "Failed password for root" /var/log/auth.log|grep 61.147
to view the details of the six records from 61.147.70.110.
Use grep flexibly.
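The same counting done in a small reusable shell function, as an added example that is not from the original post: it pulls the IP out of the "from <ip>" position with sed instead of relying on field 11, so a line with extra words does not shift the column, and adds a helper that lists the sources above a chosen failure threshold for follow-up. The log lines are constructed samples; on a real host pipe /var/log/auth.log in instead.

```shell
#!/bin/sh
# Constructed sample sshd lines (not from the original post); real lines live in /var/log/auth.log.
SAMPLE_LOG='Jan 10 10:01:02 host sshd[1234]: Failed password for root from 203.0.113.5 port 4321 ssh2
Jan 10 10:01:05 host sshd[1235]: Failed password for root from 203.0.113.5 port 4322 ssh2
Jan 10 10:01:09 host sshd[1236]: Failed password for invalid user admin from 198.51.100.7 port 5000 ssh2
Jan 10 10:02:00 host sshd[1237]: Failed password for root from 198.51.100.7 port 5001 ssh2
Jan 10 10:02:30 host sshd[1238]: Accepted password for root from 192.0.2.9 port 6000 ssh2'

# Read log lines on stdin; print "<count> <ip>" for failed root logins, most frequent first.
# The sed expression anchors on "from <ip> port", so the IP is found regardless of
# how many words precede it (field 11 only holds for the plain "for root from" form).
failed_root_by_ip() {
  grep 'Failed password for root' \
    | sed -n 's/.*Failed password for root from \([0-9.]*\) port.*/\1/p' \
    | sort | uniq -c | sort -nr \
    | awk '{print $1, $2}'
}

# Read "<count> <ip>" lines on stdin; print only the IPs with more than N failures
# (default 5), e.g. to decide which sources to inspect in detail with grep.
flag_over() {
  awk -v n="${1:-5}" '$1 > n {print $2}'
}

# Stand-alone run against the sample; for a real host use:
#   failed_root_by_ip < /var/log/auth.log | flag_over 20
printf '%s\n' "$SAMPLE_LOG" | failed_root_by_ip
```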