just another day herding penguins... looking for failed login attempts and blocking rogue IPs

checking /var/log/messages looking for failed login attempts (anyone who claims that Linux systems are not actively being attacked is simply unaware of reality) (the reality is that Linux systems straight out of the box with good passwords are safer than a locked down Microsoft system!)

NOTE: the commands below could be optimized, but they record the steps used on different systems to get the results; by using history recall and adding filters one can get the results. On any one system one could optimize the command string, write a script and run it via cron. In the past I've done this: parsed the messages file for repeated failed attempts from various IP addresses and dropped them using iptables. However, there are better solutions, as iptables rules are not persistent across a reboot. For entertainment it's always fun to tail the messages file.

Maintain good passwords on your Linux system and pay attention to any possible vulnerabilities... if there are any, are there exploits? If there are, is there an attack vector? Just because there is a vulnerability does NOT mean it's a real world problem, as there must be an exploit, and THEN a means to use it. The biggest risk is a weak password on a user account. Of course do NOT allow root to ssh in directly, and turn off telnet and ftp. Do not enable services you don't use; remove games and other applications not used. If you have important info on your server use a firewall and only open those ports necessary for use; on a web server you'd only need port 80 coming in. Keep your system simple and you reduce your headaches. I find it interesting that a few browsers are dropping support of proprietary "features" like flash.
So... I was looking for something else and decided to check my log files... net result is I dropped a few bad IPs from access. If I were really concerned I'd use a better solution than iptables to block rogue IPs... there are services that blacklist IPs and prevent them from reaching you. A Linux system is a prime target because of its capabilities. Be careful, and if you can, only run one service on a server, use remote log hosts and a firewall, and keep regular users off of any server. If you are running convenient applications you need to be more active in monitoring, as these tools often are patched and have issues. SIMPLE ALWAYS WORKS. But people don't want SIMPLE.

------------------------------------------------
end result of log search on one particular day:

iptables -A INPUT -s 200.98.200.116 -j DROP
------------------------------------------------
--> iptables --list

Chain INPUT (policy ACCEPT)
target     prot opt source                          destination
ACCEPT     udp  --  anywhere                        anywhere            multiport dports mdns
ACCEPT     tcp  --  anywhere                        anywhere            multiport dports terabase
DROP       all  --  200-98-200-116.clouduol.com.br  anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source                          destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source                          destination
------------------------------------------------
--> cat ips-failed-logins-on-a-particular-day.txt | wc -l
474
------------------------------------------------
--> cat ips-failed-logins-on-a-particular-day.txt | uniq -d | wc -l
84
------------------------------------------------
--> cat ips-failed-logins-on-a-particular-day.txt | sort | uniq -d | wc -l
5
------------------------------------------------
--> cat ips-failed-logins-on-a-particular-day.txt | sort | uniq -d
logname=
rhost=116.31.116.46
rhost=221.229.162.204
rhost=58.218.199.165
rhost=61.177.172.69
------------------------------------------------
--> grep -E '(116.31.116.46|221.229.162.204|58.218.199.165|61.177.172.69)' /var/log/messages | wc -l
7847
------------------------------------------------
--> grep 116.31.116.46 /var/log/messages | wc -l
--> grep 116.31.116.46 /var/log/messages | sort | uniq -d
--> grep 116.31.116.46 /var/log/messages | sort
--> cat /var/log/messages grep 116.31.116.46
--> cat /var/log/messages grep 116.31.116.46 | grep rhost
--> cat /var/log/messages | grep 116.31.116.46 | grep rhost
--> cat /var/log/messages | grep 116.31.116.46 | grep rhost | wc -l
--> cat /var/log/messages | grep 116.31.116.46 | grep rhost | sort
--> cat /var/log/messages | grep 116.31.116.46 | grep rhost | sort | uniq -d
--> cat /var/log/messages | grep 116.31.116.46 | grep rhost | sort | uniq
--> cat /var/log/messages | grep 116.31.116.46 | grep rhost | sort | uniq | wc -l
--> cat /var/log/messages | grep 116.31.116.46
--> cat /var/log/messages | grep 116.31.116.46 | grep rhost | wc -l
331
------------------------------------------------
iptables -A INPUT -s 116.31.116.46 -j DROP
iptables -A INPUT -s 221.229.162.204 -j DROP
iptables -A INPUT -s 58.218.199.165 -j DROP
iptables -A INPUT -s 61.177.172.69 -j DROP
------------------------------------------------
iptables --list

Chain INPUT (policy ACCEPT)
target     prot opt source                          destination
ACCEPT     udp  --  anywhere                        anywhere            multiport dports mdns
ACCEPT     tcp  --  anywhere                        anywhere            multiport dports terabase
DROP       all  --  200-98-200-116.clouduol.com.br  anywhere
DROP       all  --  116.31.116.46                   anywhere
DROP       all  --  221.229.162.204                 anywhere
DROP       all  --  58.218.199.165                  anywhere
DROP       all  --  61.177.172.69                   anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source                          destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source                          destination
------------------------------------------------
--> cat failed-logins-on-a-particular-day.txt | wc -l
3085
--> cat failed-logins-on-a-particular-day.txt | awk '{print $2}' | sort | uniq -d
logname=
rhost=116.31.116.46
rhost=200-98-200-116.clouduol.com.br
rhost=221.229.162.204
rhost=58.218.199.165
rhost=61.177.172.53
rhost=61.177.172.69
------------------------------------------------
--> cat failed-logins-on-a-particular-day.txt | awk '{print $2}' | uniq -d | wc -l
476
------------------------------------------------
--> cat failed-logins-on-a-particular-day.txt | awk '{print $2}' | sort | uniq -d | wc -l
8

more commands - the process of parsing... YMMV - brute force methods, not refined or optimized

------------------------------------------------
cat failed-logins-on-a-particular-day.txt | awk '{print $2}'
cat failed-logins-on-a-particular-day.txt | awk '{print $2}' | uniq -d
cat failed-logins-on-a-particular-day.txt | awk '{print $2}' | uniq
cat failed-logins-on-a-particular-day.txt | awk '{print $2}' | uniq -d
cat failed-logins-on-a-particular-day.txt | awk '{print $2}' | uniq -d | uniq -d
cat failed-logins-on-a-particular-day.txt | awk '{print $2}' | uniq
cat failed-logins-on-a-particular-day.txt | awk '{print $2}' | uniq -d
cat failed-logins-on-a-particular-day.txt | awk '{print $2}' | uniq -d > ips-failed-logins-on-a-particular-day.txt
vi ips-failed-logins-on-a-particular-day.txt
cat failed-logins-on-a-particular-day.txt | awk '{print $2}' | sort | uniq -d
cat failed-logins-on-a-particular-day.txt | awk '{print $2}' | sort | uniq -d | wc -l
cat failed-logins-on-a-particular-day.txt | awk '{print $2}' | uniq -d | wc -l
vi using-sort-uniq.txt
cat failed-logins-on-a-particular-day.txt | wc -l
vi using-sort-uniq.txt
more ips-failed-logins-on-a-particular-day.txt
cat ips-failed-logins-on-a-particular-day.txt | wc -l
cat ips-failed-logins-on-a-particular-day.txt | uniq -d | wc -l
cat ips-failed-logins-on-a-particular-day.txt | sort | uniq -d | wc -l
cat ips-failed-logins-on-a-particular-day.txt | sort | uniq -d
vi using-sort-uniq.txt
history
------------------------------------------------
cat messages | awk '{print 2}' | grep -v authentication | grep -v not | grep -v port | grep -v for | grep -v peer | grep -v failure | grep -v Kbyte | \
tail -f messages
tail -n 50 messages
cat messages | awk '{print 2}' | grep -v authentication | grep -v not | grep -v port | grep -v for | grep -v peer | grep -v failure | grep -v Kbyte | grep -v ^$ | grep -v connect | grep -v you | grep -v ssh | grep -v logname | sort | uniq
cat messages | awk '{print $2}' | grep -v authentication | grep -v not | grep -v port | grep -v for | grep -v peer | grep -v failure | grep -v Kbyte | grep -v ^$ | grep -v connect | grep -v you | grep -v ssh | grep -v logname | sort | uniq
cat messages | more
more messages
cat messages | grep Invalid
cat messages | grep Invalid | wc -l
cat messages | grep Invalid | sort
ll /var/log/messages
tail -f /var/log/messages
cat messages | grep -v 10.10.10.9
cat messages | grep -v 10.10.10.9 | grep fail
cat messages | grep -v 10.10.10.9 | grep fail | grep root
cat messages | grep -v 10.10.10.9 | grep fail | grep root | grep -v PAM
cat messages | grep -v 10.10.10.9 | grep fail | grep root | grep -v PAM | awk '{print $1" "$10" "$11"}'
cat messages | grep -v 10.10.10.9 | grep fail | grep root | grep -v PAM | awk '{print $1" "$10" "$11}'
cat messages | grep -v 10.10.10.9 | grep fail | grep root | grep -v PAM
cat messages | grep -v 10.10.10.9 | grep fail | grep root | grep -v PAM | awk '{print $1" "$12" "$13}'
cat messages | grep -v 10.10.10.9 | grep fail | grep root | grep -v PAM | awk '{print $1" "$12" "$13}' > /home/luser/failed-logins.txt
cat messages | grep -v 10.10.10.9 | grep fail | grep root | grep -v PAM | awk '{print $1" "$12" "$13}' > /home/luser/failed-logins.txt
cat messages | grep -v 10.10.10.9 | grep fail | grep -v PAM | awk '{print $1" "$12" "$13}'
cat messages | grep -v 10.10.10.9 | grep fail | grep -v root | grep -v PAM | awk '{print $1" "$12" "$13}'
cat messages | grep -v 10.10.10.9 | grep fail | grep -v root | grep -v PAM | awk '{print $1" "$12" "$13}' | more
cat messages | grep -v 10.10.10.9 | grep fail | grep -v root | grep -v PAM | awk '{print $1" "$12" "$13}' | wc -l
cat messages | grep -v 10.10.10.9 | grep fail | grep 200-98 | grep -v PAM | awk '{print $1" "$12" "$13}' | wc -l
cat messages | grep -v 10.10.10.9 | grep fail | grep 200-98 | grep -v PAM | awk '{print $1" "$12" "$13}'
cat messages | grep -v 10.10.10.9 | grep fail | grep 200-98 | grep -v PAM | awk '{print $1" "$12" "$13}' > /home/luser/failed-logins-clouduol.txt
cat messages | grep -v 10.10.10.9 | grep fail | grep 200-98 | grep -v PAM | more
cat messages | grep -v 10.10.10.9 | grep fail | grep 200-98 | grep -v PAM | wc -l
cat messages | grep -v 10.10.10.9 | grep fail | grep 200-98 | grep -v PAM | grep 2017
cat messages | grep -v 10.10.10.9 | grep fail | grep 200-98 | grep -v PAM | grep 2017 | wc -l
cat messages | grep -v 10.10.10.9 | grep fail | grep 200-98 | grep -v PAM
cat messages | grep -v 10.10.10.9 | grep fail | grep 200-98 | grep -v PAM | more
cat messages | grep -v 10.10.10.9 | grep fail | grep 200-98 | grep -v PAM > 200.98.200.116-clouduol.com.br.ABUSE.txt
grep rhost messages
cat messages | awk '{print $12}'
cat messages | awk '{print $12}' | more
cat messages | awk '{print $12}' | grep -v failure | grep -v Kbyte | grep -v ^$
cat messages | awk '{print $12}' | grep -v failure | grep -v Kbyte | grep -v ^$ | grep -v connect | grep -v you
cat messages | awk '{print $12}' | grep -v failure | grep -v Kbyte | grep -v ^$ | grep -v connect | grep -v you | sort
cat messages | awk '{print $12}' | grep -v failure | grep -v Kbyte | grep -v ^$ | grep -v connect | grep -v you | grep -v ssh | sort
cat messages | awk '{print $12}' | grep -v failure | grep -v Kbyte | grep -v ^$ | grep -v connect | grep -v you | grep -v ssh | sort | more
cat messages | awk '{print $12}' | grep -v not | grep -v failure | grep -v Kbyte | grep -v ^$ | grep -v connect | grep -v you | grep -v ssh | sort | more
cat messages | awk '{print $12}' | grep -v authentication | grep -v not | grep -v failure | grep -v Kbyte | grep -v ^$ | grep -v connect | grep -v you | grep -v ssh | sort | more
cat messages | awk '{print $12}' | grep -v authentication | grep -v not | grep -v port | grep -v failure | grep -v Kbyte | grep -v ^$ | grep -v connect | grep -v you | grep -v ssh | sort | more
cat messages | awk '{print $12}' | grep -v authentication | grep -v for | grep -v peer | grep -v not | grep -v port | grep -v failure | grep -v Kbyte | grep -v ^$ | grep -v connect | grep -v you | grep -v ssh | sort | more
cat messages | awk '{print $12}' | grep -v authentication | grep -v not | grep -v port | grep -v failure | grep -v Kbyte | grep -v ^$ | grep -v connect | grep -v you | grep -v ssh | grep -v logname | sort | more
cat messages | awk '{print $12}' | grep -v authentication | grep -v not | grep -v port | grep -v peer | grep -v failure | grep -v Kbyte | grep -v ^$ | grep -v connect | grep -v you | grep -v ssh | grep -v logname | sort | more
cat messages | awk '{print $12}' | grep -v authentication | grep -v not | grep -v port | grep -v for | grep -v peer | grep -v failure | grep -v Kbyte | grep -v ^$ | grep -v connect | grep -v you | grep -v ssh | grep -v logname | sort | more
cat messages | awk '{print $12}' | grep -v authentication | grep -v not | grep -v port | grep -v for | grep -v peer | grep -v failure | grep -v Kbyte | grep -v ^$ | grep -v connect | grep -v you | grep -v ssh | grep -v logname | sort | uniq
cat messages | awk '{print $12}' | grep -v authentication | grep -v not | grep -v port | grep -v for | grep -v peer | grep -v failure | grep -v Kbyte | grep -v ^$ | grep -v connect | grep -v you | grep -v ssh | grep -v logname | sort | uniq > /root/badips.txt
echo "cat messages | awk '{print $12}' | grep -v authentication | grep -v not | grep -v port | grep -v for | grep -v peer | grep -v failure | grep -v Kbyte | grep -v ^$ | grep -v connect | grep -v you | grep -v ssh | grep -v logname | sort | uniq > /root/badips.txt"
cat /var/log/messages | wc -l
cat /var/log/messages | grep failure | grep from | more
cat /var/log/messages | grep failure | grep from | awk '{print $4" "$5" "$6" "$7" "$8}' | more
cat /var/log/messages | grep failure | grep from | awk '{print $8" "$9" "$10" "$11" "$12}' | more
cat /var/log/messages | grep failure | grep from | grep -v repeat | awk '{print $8" "$9" "$10" "$11" "$12}' | more
cat /var/log/messages | grep failure | grep from | grep -v repeat | awk '{print $8" "$9" "$10" "$11" "$12}' | tee -a list-of-badips.txt
cat /var/log/messages | grep failure | grep -v repeat | awk '{print $8" "$9" "$10" "$11" "$12}' | more
cat /var/log/messages | grep from | awk '{print $8" "$9" "$10" "$11" "$12}' | more
cat /var/log/messages | grep from | grep -v "error: PAM: Authentication" | awk '{print $8" "$9" "$10" "$11" "$12}' | more
cat /var/log/messages | grep from | awk '{print $8" "$9" "$10" "$11" "$12}' | more
cat /var/log/messages | grep [0-9*] awk '{print $8" "$9" "$10" "$11" "$12}' | more
cat /var/log/messages | grep [0-9*] | awk '{print $8" "$9" "$10" "$11" "$12}' | more
cat /var/log/messages | awk '{print $7" "$9" "$10" "$11" "$12}' | more
cat /var/log/messages | awk '{print $7}' | grep -v from | grep -v user | grep -v logname| more
cat /var/log/messages | awk '{print $7}' | grep -v failure | grep -v times | grep -v of | grep -v from | grep -v user | grep -v logname| more
cat /var/log/messages | awk '{print $7}' | grep -v failure | grep -v Client | grep -v times | grep -v of | grep -v from | grep -v user | grep -v logname| more
cat /var/log/messages | awk '{print $7}' | grep -v for | grep -v failure | grep -v Client | grep -v times | grep -v of | grep -v from | grep -v user | grep -v logname| more
cat /var/log/messages | awk '{print $7}' | grep -v for | grep -v failure | grep -v Client | grep -v times | grep -v of | grep -v from | grep -v user | grep -v logname| sort | more
cat /var/log/messages | awk '{print $7}' | grep -v for | grep -v failure | grep -v Client | grep -v times | grep -v of | grep -v from | grep -v user | grep -v logname| sort | uniq | more
cat /var/log/messages | awk '{print $7}' | more
cat /var/log/messages | awk '{print $7" "$12}' | more
cat /var/log/messages | awk '{print $7" "$10" "$12}' | more
cat /var/log/messages | awk '{print $7" "$10" "$12}' | grep -v failure | grep -v PAM | grep -v of | grep -v for | more
cat /var/log/messages | awk '{print $7" "$10" "$12}' | grep -v failure | grep -v PAM | grep -v of | grep -v for | sort | uniq
cat /var/log/messages | awk '{print $7" "$10" "$12}' | grep -v failure | grep -v PAM | grep -v of | grep -v for | sort | uniq | more
cat /var/log/messages | awk '{print $7" "$10" "$12}' | grep -v Client | grep -v failure | grep -v PAM | grep -v of | grep -v for | sort | uniq | more
cat /var/log/messages | grep [0-9*].[0-9*].[0-9*].[0.9*]
cat /var/log/messages | grep [0-9*].[0-9*].[0-9*].[0.9*] | awk '{print $3" "$5" "$6" "$7" "$8" "$9}'|more
cat /var/log/messages | grep [0-9*].[0-9*].[0-9*].[0.9*] | awk '{print $3" "$5" "$6" "$7" "$8" "$9}'|sort | uniq
cat /var/log/messages | grep -v OK | grep [0-9*].[0-9*].[0-9*].[0.9*] | awk '{print $3" "$5" "$6" "$7" "$8" "$9}'|sort | uniq
cat /var/log/messages | grep -v OK | grep [0-9*].[0-9*].[0-9*].[0.9*] | awk '{print $3" "$5" "$6" "$7" "$8" "$9}'|sort | uniq | more
cat /var/log/messages | grep "authentication failure" | sort | uniq | more
cat /var/log/messages | grep "authentication failure" | awk '{print $12" "$13}' | sort | uniq | more
cat /var/log/messages | grep "authentication failure" | wc -l
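The parsing and blocking steps above, pulled together into one script that could run from cron; this is an added example, not the author's own commands. It counts PAM "authentication failure" lines per rhost (sorting before counting, which is why the notes' unsorted `uniq -d` numbers differ from the sorted ones), skips an allowlist (the 10.10.10.9 admin host the notes exclude is assumed here) so you never block yourself, and prints the iptables rules instead of running them. The log lines are constructed.

```shell
#!/bin/sh
# Added example, not the author's own commands. Counts PAM
# "authentication failure" lines per rhost in a messages file and turns
# repeat offenders into iptables DROP rules. Only the pam_unix line is
# counted: sshd also logs a "Failed password ... from" line for the same
# attempt, and counting both would double every number.

# Sources never to block, e.g. the admin host the notes exclude with
# 'grep -v 10.10.10.9' (assumed for this example, space-separated).
ALLOW="10.10.10.9"

# failed_login_ips FILE MIN  ->  "count rhost" for sources with >= MIN failures
failed_login_ips() {
    awk -v allow="$ALLOW" -v min="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        /authentication failure/ {
            # rhost= may be an IP or, as in the notes, a reverse-resolved hostname
            for (i = 1; i <= NF; i++)
                if ($i ~ /^rhost=/) { h = substr($i, 7); break }
            if (h != "" && !(h in skip)) count[h]++
            h = ""
        }
        END { for (h in count) if (count[h] >= min) print count[h], h }
    ' "$1" | sort -rn
}

# block_rules FILE MIN  ->  one iptables command per offender. Printed, not
# executed: review the list, then run it as root. As the notes say, such rules
# vanish on reboot unless saved (iptables-save) or managed by a persistent tool.
block_rules() {
    failed_login_ips "$1" "$2" | awk '{ print "iptables -A INPUT -s " $2 " -j DROP" }'
}

# Constructed sample messages file (documentation-range addresses).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Mar  7 22:41:03 web1 sshd[2201]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.23  user=root
Mar  7 22:41:03 web1 sshd[2201]: Failed password for root from 198.51.100.23 port 40122 ssh2
Mar  7 22:41:07 web1 sshd[2202]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.23  user=root
Mar  7 22:41:10 web1 sshd[2203]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.23  user=admin
Mar  7 22:42:15 web1 sshd[2210]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9  user=oracle
Mar  7 22:43:00 web1 sshd[2211]: Accepted publickey for luser from 10.10.10.9 port 51234 ssh2
Mar  7 22:44:01 web1 sshd[2212]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.9  user=luser
Mar  7 22:44:05 web1 sshd[2213]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.9  user=luser
Mar  7 22:45:30 web1 sshd[2220]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.77  user=root
Mar  7 22:45:33 web1 sshd[2221]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.77  user=root
EOF

failed_login_ips "$SAMPLE" 2
block_rules "$SAMPLE" 2
```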
