PROPOSAL for periodic/security/800.loginfail

John Baldwin jhb at freebsd.org
Fri Mar 17 16:03:23 UTC 2006


On Friday 17 March 2006 09:17, Garance A Drosehn wrote:
> At 3:00 PM +0100 3/17/06, Poul-Henning Kamp wrote:
> >>>  ++ Found 199 attempts to login to invalid (non-existing) userids:
> >>>  +     45 were ssh attempts from 127.0.191.36
> >>>  +     10 were ssh attempts from 127.0.87.251
> >>>  +     14 were ssh attempts from 127.0.225.154
> >>>  +      8 were ssh attempts from 127.0.102.26
> >>>  +      1 were ssh attempts from 127.0.102.141
> >>>  +      2 were ssh attempts from 127.0.28.31
> >>>  +     29 were ssh attempts from 127.0.175.156
> >>>  +      4 were ssh attempts from 127.0.192.3
> >
> >Sort these after number of attempts.

s/after/by/?

> I have to admit is the first awk script I've written in
> more than a decade, so I am quite rusty with it.  Last
> night I made a quick attempt to figure out how to sort
> values out of an associative array, but did not come
> across any sort function provided by nawk itself.  I like
> the idea of sorting, I just haven't figured out how to get
> nawk to do it yet...
> 
> If I can figure that out, I'll do that too.  Sort by
> number-of-attempts, or sort by IP-address of attacker?

number of attempts.  You can also use sort(1) with sort -nr for
sorting if you use a shell script that uses three different awk
passes and sorts the output of each pass and then outputs the full
info that way instead of trying to do it all in one big awk script.

-- 
John Baldwin <jhb at FreeBSD.org>  <><  http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve"  =  http://www.FreeBSD.org


More information about the freebsd-current mailing list