Finding the most persistent, pernicious baddies by processing log files

Published 2018-05-07 (last modified 2018-07-13)

Logwatch is a great utility for emailing me a summary of system logs over the last 24 hours. One of the things it shows is unsuccessful login attempts and their source IP addresses. But the default unsorted output is hard to analyze and act on, since a single IP may appear many times in the output, at random locations.

It looks kind of like this (I’ve obscured the full IPs to protect the guilty).

Disconnected from 37.59.78.xxx port 33008 [preauth] : 1 time(s)
Received disconnect from 192.169.155.xxx port 57594:11: Normal Shutdown, Thank you for playing [preauth] : 1 time(s)
Received disconnect from 37.59.78.xxx port 40404:11: Normal Shutdown, Thank you for playing [preauth] : 1 time(s)
Disconnected from 92.154.79.xxx port 54904 [preauth] : 1 time(s)
Received disconnect from 188.166.228.xxx port 45146:11: Normal Shutdown, Thank you for playing [preauth] : 1 time(s)
Disconnected from 175.126.189.xxx port 44076 [preauth] : 1 time(s)
Received disconnect from 37.59.78.xxx port 37338:11: Normal Shutdown, Thank you for playing [preauth] : 1 time(s)
Received disconnect from 104.236.76.xxx port 50644:11: Normal Shutdown, Thank you for playing [preauth] : 1 time(s)
Received disconnect from 37.59.78.xxx port 39818:11: Normal Shutdown, Thank you for playing [preauth] : 1 time(s)
Disconnected from 139.59.249.xxx port 55469 [preauth] : 1 time(s)

So, here we go. Create a shell script or alias with the following:

pbpaste | ggrep -Po '\b((?:\d{1,3}\.){3}\d{1,3})\s' | distribution

Once you’ve got the sections from the Logwatch email copied to the clipboard, run this to see which source IPs are the top offenders. Since I’m using pbpaste and ggrep, it should be clear I’m on a Mac. This works on Linux using xsel --clipboard --output and grep, respectively.

And if you haven’t checked out distribution, you should. Super useful.