From b635bb83baeb50114b3f5966a41fa67d83abb61b Mon Sep 17 00:00:00 2001
From: Siraaj Khandkar <siraaj@khandkar.net>
Date: Thu, 4 Mar 2021 06:55:37 -0500
Subject: [PATCH] Add ssh invalid reports by day and by user

---
 home/lib/login_functions.sh | 68 +++++++++++++++++++++++++++++++++----
 1 file changed, 62 insertions(+), 6 deletions(-)

diff --git a/home/lib/login_functions.sh b/home/lib/login_functions.sh
index 1f69061..426cbb2 100644
--- a/home/lib/login_functions.sh
+++ b/home/lib/login_functions.sh
@@ -678,19 +678,75 @@ status() {
     # TODO: iptables summary
 }
 
-ssh_invalid_attempts_from() {
+ssh_invalid_by_addr() {
     awk '
         /: Invalid user/ && $5 ~ /^sshd/ {
-            u=$8
             addr=$10 == "port" ? $9 : $10
             max++
-            curr[addr]++
+            by_addr[addr]++
         }
 
         END {
-            for (addr in curr)
-                if ((c = curr[addr]) > 1)
-                    print c, max, addr
+            for (addr in by_addr)
+                if ((c = by_addr[addr]) > 1)
+                    printf "%d %d %s\n", c, max, addr
+        }
+        ' \
+        /var/log/auth.log \
+        /var/log/auth.log.1 \
+    | sort -n -k 1 \
+    | bar_gauge -v width="$(stty size | awk '{print $2}')" -v num=1 -v ch_right=' ' -v ch_left=' ' -v ch_blank=' ' \
+    | column -t
+}
+
+ssh_invalid_by_day() {
+    awk '
+	BEGIN {
+	    m["Jan"] = "01"
+	    m["Feb"] = "02"
+	    m["Mar"] = "03"
+	    m["Apr"] = "04"
+	    m["May"] = "05"
+	    m["Jun"] = "06"
+	    m["Jul"] = "07"
+	    m["Aug"] = "08"
+	    m["Sep"] = "09"
+	    m["Oct"] = "10"
+	    m["Nov"] = "11"
+	    m["Dec"] = "12"
+	}
+
+	/: Invalid user/ && $5 ~ /^sshd/ {
+	    day = m[$1] "-" $2
+	    max++
+	    by_day[day]++
+	}
+
+	END {
+	    for (day in by_day)
+		if ((c = by_day[day]) > 1)
+		    printf "%d %d %s\n", c, max, day
+	}
+        ' \
+        /var/log/auth.log \
+        /var/log/auth.log.1 \
+    | sort -n -k 1 \
+    | bar_gauge -v width="$(stty size | awk '{print $2}')" -v num=1 -v ch_right=' ' -v ch_left=' ' -v ch_blank=' ' \
+    | column -t
+}
+
+ssh_invalid_by_user() {
+    awk '
+        /: Invalid user/ && $5 ~ /^sshd/ {
+            user=$8
+            max++
+            by_user[user]++
+        }
+
+        END {
+            for (user in by_user)
+                if ((c = by_user[user]) > 1)
+                    printf "%d %d %s\n", c, max, user
         }
         ' \
         /var/log/auth.log \
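Review bot: `ssh_invalid_by_user` has no counterpart to the empty-username handling that `ssh_invalid_by_addr` keeps (`addr=$10 == "port" ? $9 : $10`): when sshd logs `Invalid user  from ADDR port N` with an empty name, awk's default field splitting collapses the double space, so `user=$8` at that line is the literal word `from` and gets counted as a user. The username is attacker-supplied text in the log, so the parse should not trust it to occupy exactly one field; at minimum, mirror the by-addr check with `user = ($8 == "from") ? "(empty)" : $8` and consider keying on the fields after `from` rather than before it. All three functions also assume the traditional syslog timestamp layout (month in `$1`, day in `$2`, `sshd[...]` in `$5`); if the host writes RFC 3339 timestamps the filters silently match nothing and the by-day key becomes `"-" $2`, which is worth a comment above the pattern. As a style point, the awk program in `ssh_invalid_by_day` is indented with tabs while the sibling functions use spaces. The body of `ssh_invalid_by_user` continues past the end of this hunk.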
-- 
2.20.1