2018/05/07

Finding the most persistent, pernicious baddies by processing log files

Logwatch is a great utility for emailing me a summary of system logs over the last 24 hours. One of the things it shows are unsuccessful login attempts and their source IP addresses. But the default unsorted output is hard to analyze and take action on, since a single IP may appear many times in the output but at random locations.

It looks kind of like this (I’ve obscured the full IP to protect the guilty).

Disconnected from 37.59.78.xxx port 33008 [preauth] : 1 time(s)
Received disconnect from 192.169.155.xxx port 57594:11: Normal Shutdown, Thank you for playing [preauth] : 1 time(s)
Received disconnect from 37.59.78.xxx port 40404:11: Normal Shutdown, Thank you for playing [preauth] : 1 time(s)
Disconnected from 92.154.79.xxx port 54904 [preauth] : 1 time(s)
Received disconnect from 188.166.228.xxx port 45146:11: Normal Shutdown, Thank you for playing [preauth] : 1 time(s)
Disconnected from 175.126.189.xxx port 44076 [preauth] : 1 time(s)
Received disconnect from 37.59.78.xxx port 37338:11: Normal Shutdown, Thank you for playing [preauth] : 1 time(s)
Received disconnect from 104.236.76.xxx port 50644:11: Normal Shutdown, Thank you for playing [preauth] : 1 time(s)
Received disconnect from 37.59.78.xxx port 39818:11: Normal Shutdown, Thank you for playing [preauth] : 1 time(s)
Disconnected from 139.59.249.xxx port 55469 [preauth] : 1 time(s)

Disconnected from 37.59.78.xxx port 33008 [preauth] : 1 time(s)

Received disconnect from 192.169.155.xxx port 57594:11: Normal Shutdown, Thank you for playing [preauth] : 1 time(s)

Received disconnect from 37.59.78.xxx port 40404:11: Normal Shutdown, Thank you for playing [preauth] : 1 time(s)

Disconnected from 92.154.79.xxx port 54904 [preauth] : 1 time(s)

Received disconnect from 188.166.228.xxx port 45146:11: Normal Shutdown, Thank you for playing [preauth] : 1 time(s)

Disconnected from 175.126.189.xxx port 44076 [preauth] : 1 time(s)

Received disconnect from 37.59.78.xxx port 37338:11: Normal Shutdown, Thank you for playing [preauth] : 1 time(s)

Received disconnect from 104.236.76.xxx port 50644:11: Normal Shutdown, Thank you for playing [preauth] : 1 time(s)

Received disconnect from 37.59.78.xxx port 39818:11: Normal Shutdown, Thank you for playing [preauth] : 1 time(s)

Disconnected from 139.59.249.xxx port 55469 [preauth] : 1 time(s)

So, here we go. Create a shell script or alias with the following:
pbpaste | ggrep -Po '\b((?:\d{1,3}\.){3}\d{1,3})\s' | distribution

Once you’ve got the sections from the logwatch email copied to the clipboard, run this to see which source IPs are the top offenders. Since I’m using pbpaste and ggrep, it should be clear I’m on a Mac. This works on Linux using xsel --clipboard --output and grep, respectively.

And if you haven’t checked out distribution, you should. Super useful.

Finding the most persistent, pernicious baddies by processing log files is original content from devolve.

Tags:command line, data wrangling, rando, security

About The Author

Charlie Herron

Denizen of Portland, Maine; tech jack; lover / hater / whatever; philosophical dabbler. http://twitter.com/realgeek