7 comments

  1. I got this among valid addresses:

    1 ev/tty2
    1 y2

    Because sometimes the log includes "1 more authentication failure" or "2 more authentication failures" instead of "authentication failure".

    I recommend not relying on field #13 and using a more sophisticated command with pattern matching, like:

    grep "authentication failure" /var/log/messages | sed -n -e "s/.*rhost=\([^ ]*\).*/\1/p" | sort | uniq -c

    or similar. A.

  2. sed -n -e "/sshd/s/.*Invalid user \(.*\) from \([^ ]*\).*/\2/p" /var/log/messages | sort | uniq -c

    gives interesting results too. Thanks for the nice "sort + uniq -c" hint.

    Nice site, handy and useful articles… great. Ctrl+D.
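The two comments above share one idea: pull the remote host out of each failure line with a regex instead of a fixed awk field, because PAM's "N more authentication failures" variant shifts the field positions. The script below is an added example, not code from the article or either commenter. It runs the rhost= extraction from comment 1 and the "Invalid user ... from" extraction from comment 2 over a constructed sample of /var/log/messages lines (hostnames, PIDs and the 198.51.100.x / 203.0.113.x addresses are made up), and adds one step the comments do not show: an awk variant that counts "2 more authentication failures" as 2 failures rather than 1, so the per-source totals are not undercounted. It also skips the local console failure (empty rhost=), which is what produced the stray "ev/tty2" entries the first commenter saw.

```shell
#!/bin/sh
# Added example (not from the original page or its comments).
# Constructed sample of /var/log/messages lines: hostnames, PIDs and
# addresses are hypothetical. Line 2 is the "N more authentication
# failures" summary PAM emits after repeated failures; line 5 is a
# console login failure with an empty rhost= field.
SAMPLE_LOG='Mar  3 10:01:12 host sshd[2231]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=root
Mar  3 10:01:20 host sshd[2231]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=root
Mar  3 10:02:05 host sshd[2240]: Invalid user admin from 203.0.113.9
Mar  3 10:02:09 host sshd[2240]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9
Mar  3 10:03:44 host login[811]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=  user=bob
Mar  3 10:04:01 host sshd[2251]: Invalid user test from 203.0.113.9'

# Comment 1's approach: count failure lines per rhost=. The pattern
# requires at least one non-space character after "rhost=", so console
# failures with an empty rhost are dropped instead of printing a blank.
# Output is normalised to "COUNT HOST" with no leading padding.
failures_by_rhost() {
    grep "authentication failure" \
        | sed -n -e 's/.*rhost=\([^ ][^ ]*\).*/\1/p' \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Same data, but a "N more authentication failures" line adds N to the
# total for that host instead of 1. awk converts the leading digits of
# the matched text to a number.
weighted_failures_by_rhost() {
    awk '/authentication failure/ && match($0, /rhost=[^ ]+/) {
            host = substr($0, RSTART + 6, RLENGTH - 6)
            n = 1
            if (match($0, /[0-9]+ more authentication failure/))
                n = substr($0, RSTART, RLENGTH) + 0
            count[host] += n
        }
        END { for (h in count) print count[h], h }' \
        | sort -rn
}

# Comment 2's approach: source addresses that tried usernames which do
# not exist on the box ("Invalid user NAME from ADDR").
invalid_users_by_source() {
    sed -n -e '/sshd/s/.*Invalid user \(.*\) from \([^ ][^ ]*\).*/\2/p' \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Demo on the constructed sample. On a real host, replace the printf
# with e.g. "failures_by_rhost < /var/log/messages".
echo "# failures per rhost (one per line)"
printf '%s\n' "$SAMPLE_LOG" | failures_by_rhost
echo "# failures per rhost (weighted by 'N more')"
printf '%s\n' "$SAMPLE_LOG" | weighted_failures_by_rhost
echo "# invalid-user attempts per source"
printf '%s\n' "$SAMPLE_LOG" | invalid_users_by_source
```

The weighted count is the one to trust when comparing sources: with PAM's default reporting a host that fails five times in one session shows up as one "authentication failure" line plus one "4 more authentication failures" line, so the plain `uniq -c` total of 2 understates it by more than half.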

  3. Is it good if there is no authentication failure message?

    hehehehe

    Just secured my server and it all stopped. I used to get a few per hour.

    nice!

    See: google "secure centos server".
