Probably all of you already know about the "last" command and what it outputs.
For example, here is what mine says:
[aibo@lap ~]$ last | more
giani pts/2 :0.0 Tue Oct 14 21:45 still logged in
giani pts/6 :0.0 Tue Oct 14 21:06 still logged in
abo pts/5 :pts/3:S.1 Tue Oct 14 21:06 still logged in
abo pts/4 :pts/3:S.0 Tue Oct 14 21:05 still logged in
abo pts/3 lap.x83.net Tue Oct 14 21:05 still logged in
It is very important to choose strong passwords for all accounts, especially root, since it is the #1 attacked account.
Another nice tool is "lastb", which shows the last failed logins.
Top 5 most recently attacked accounts
[root@lap ~]# lastb | awk '{print $1}' | sort | uniq -c | sort -rn | head -5
7 root
2 rancid
2 giany
1 btmp
1
Top 5 most attacked accounts
[root@lap ~]# awk 'gsub(".*sshd.*Failed password for (invalid user )?", "") {print $1}' /var/log/secure* | sort | uniq -c | sort -rn | head -5
144 root
30 test
18 admin
9 user
6 webmaster
Top 5 attacker IP addresses
[root@lap ~]# awk 'gsub(".*sshd.*Failed password for (invalid user )?", "") {print $3}' /var/log/secure* | sort | uniq -c | sort -rn | head -5
397 124.109.44.155
128 206.169.122.212
107 89.179.174.40
24 83.17.92.138
15 85.25.151.96
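An added example (not from the original post): the two awk one-liners above combined into a single pass that reports, for each source address, the total failed attempts, the number of distinct usernames tried, and how many attempts named a nonexistent account. The function names and log lines are constructed for illustration, the addresses come from documentation ranges, and the address is read from the end of each message so that a username containing spaces does not shift the fields.

```shell
# Constructed sample in the /var/log/secure style (not real log data).
sample_secure_log() {
cat <<'EOF'
Oct 14 21:01:02 lap sshd[2201]: Failed password for root from 203.0.113.7 port 40112 ssh2
Oct 14 21:01:05 lap sshd[2203]: Failed password for invalid user test from 203.0.113.7 port 40113 ssh2
Oct 14 21:01:09 lap sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 40114 ssh2
Oct 14 21:01:12 lap sshd[2207]: Failed password for root from 203.0.113.7 port 40115 ssh2
Oct 14 21:02:30 lap sshd[2210]: Failed password for root from 198.51.100.23 port 51200 ssh2
Oct 14 21:03:00 lap sshd[2212]: Accepted password for abo from 192.0.2.10 port 50022 ssh2
Oct 14 21:04:41 lap sshd[2215]: Failed password for invalid user web master from 198.51.100.23 port 51201 ssh2
EOF
}

# Reads log lines on stdin and prints one line per source address:
#   ip  failed_attempts  distinct_usernames  invalid_user_attempts
failed_ssh_summary() {
    awk '
    match($0, /sshd(\[[0-9]+\])?: Failed password for /) {
        rest = substr($0, RSTART + RLENGTH)   # "<user> from <ip> port <n> ssh2"
        invalid = sub(/^invalid user /, "", rest)
        n = split(rest, f, " ")
        # Anchor on the fixed tail of the message, not on field positions from the left.
        if (n < 6 || f[n-4] != "from" || f[n-2] != "port") next
        ip = f[n-3]
        user = rest
        sub(/ from [^ ]+ port [0-9]+ [^ ]+$/, "", user)
        attempts[ip]++
        if (invalid) bad[ip]++
        if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
    }
    END { for (ip in attempts) print ip, attempts[ip], users[ip], bad[ip] + 0 }
    ' | LC_ALL=C sort -k2,2nr -k1,1
}

sample_secure_log | failed_ssh_summary
```

On a real host, feed it the same files the one-liners read, for example `cat /var/log/secure* | failed_ssh_summary | head -5`.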