
Find out who's trying to break into your box

Discussion in 'Server Security' started by Rob, Nov 9, 2011.

  1. Rob

    Rob Guest

    The /var/log/btmp file shows you failed logins. You can use last to read it:

    last -f /var/log/btmp
    or simply use lastb

    Then spice it up a little bit ...

    Show the top 10 IPs with failed logins (the first column is the number of failed tries, the second column is the IP)
    lastb | awk '{print $3}' | sort | uniq -c | sort -rn | head -10
    Show the top 10 usernames with failed logins
    lastb | awk '{print $1}' | sort | uniq -c | sort -rn | head -10
  2. gcawood

    gcawood Guest

    By default:
    `last` uses /var/log/wtmp (shows a list of users who logged in)
    `lastb` uses /var/log/btmp (shows bad login attempts)
  3. MustangV10

    MustangV10 Guest

    That's quite interesting, I think. CSF/WHM notifies me of failed login attempts already, though.
  4. DaReaper

    DaReaper Guest

    Quite impressive terminal code there! Two months ago I noticed, through my Kloxo's lxguard logs, around 200+ failed login attempts from different IPs. I could never have thought that a host that is not advertised a lot would attract so much intrusion.

    Glad there is stuff to detect these and block them out.
  5. scotty

    scotty Guest

    Yeah, it's important to check for bad logins. You may look and think, "oh well, at least they are not getting in", but it could easily be a DDoS. Linux logs are just awesome.
  6. DaReaper

    DaReaper Guest

    I had a question in mind when you mentioned DDoS. Do DoS deflators really work that well when it comes to such situations? There could be different kinds of attacks. I've noticed that HTTP attacks from a few IPs are much easier to stop than TCP.
  7. Darwin

    Darwin Guest

    It would depend on the size of the attack. I have been on the other end of such a DDoS, which was huge, and the deflators did not hold firm. Anyhow, since then I have had no such problems. So they could be working.
  8. Luis Pena

    Luis Pena Guest

    Wow, this is great information. I've recently gotten into server security and these are the types of commands I was hoping to find!

    Also, can these commands be written into a bash script?
  9. Redemptus

    Redemptus Guest

    You could easily make a bash script to do this for you, which might be handy if you wanted to run it at specific intervals via cron, or you could simply use command aliases, which you can add to your .bashrc so they'll be available when you log in:

    An example script follows:
    #!/bin/bash
    #  Show top 10 IPs with failed logins
    lastb | awk '{print $3}' | sort | uniq -c | sort -rn | head -10
    And here are example aliases for your .bashrc; note the quoting is crazy but necessary to escape it properly. You could put these in a file at ~/.aliases and then source it from your ~/.bashrc with a simple line appended as: . ~/.aliases

    Check your ~/.bashrc as it may already have an alias file being sourced in which case you could just add these to that file instead.

    alias lastbtop10ips='lastb | awk '"'"'{print $3}'"'"' | sort | uniq -c | sort -rn | head -10'
    alias lastbtop10logins='lastb | awk '"'"'{print $1}'"'"' | sort | uniq -c | sort -rn | head -10'
    You could then run the alias by typing the name into the terminal, eg:
    [email protected] [~]# lastbtop10logins
      14208 root
        372 oracle
        158 bin
        96 admin
        94 ftpuser
        68 auto
        58 adrian
        53 postgres
        46 test
        40 cacti
    Hope that helps, Luis.
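    The pipeline Rob posted and the script/alias version Redemptus gave above both count column 3 of raw lastb output, which also picks up the trailer line lastb prints at the end ("btmp begins ..."), so "begins" or a weekday name can show up in the top-10 list. The following is an added example, not code from the original thread: it wraps the same counting in shell functions that skip the trailer and blank lines, adds a threshold function that lists hosts with at least N failures (what you would hand to a firewall rule), and runs them over a constructed sample in lastb's column layout. Function names, the sample lines and the addresses (RFC 5737 documentation ranges) are all my own; nothing here touches /var/log/btmp.

```bash
#!/bin/bash
# Summarise failed logins from lastb-style output (user, tty, host, timestamps).
# Real use (btmp is root-only, and -i prints numeric addresses instead of
# reverse-resolved names so the counts don't split across hostnames):
#   lastb -i | top_failed 3      # top hosts
#   lastb -i | top_failed 1      # top usernames
#   lastb -i | offenders 20      # hosts with 20+ failures, one per line
# Caveat: entries with no host column (local console) shift the fields left;
# lastb over ssh always has a host, so the ssh brute-force case is fine.

# Constructed sample, including the trailer line and blank line lastb appends.
SAMPLE_BTMP='root     ssh:notty    203.0.113.5      Wed Nov  9 10:01 - 10:01  (00:00)
root     ssh:notty    203.0.113.5      Wed Nov  9 10:01 - 10:01  (00:00)
admin    ssh:notty    198.51.100.7     Wed Nov  9 10:02 - 10:02  (00:00)
oracle   ssh:notty    203.0.113.5      Wed Nov  9 10:03 - 10:03  (00:00)
test     ssh:notty    192.0.2.9        Wed Nov  9 10:04 - 10:04  (00:00)
root     ssh:notty    198.51.100.7     Wed Nov  9 10:05 - 10:05  (00:00)

btmp begins Wed Nov  9 00:00:01 2011'

# top_failed FIELD [N]: count values of column FIELD (1 = username, 3 = host)
# in lastb output read from stdin; print the N most frequent as "count value".
# Blank lines and the "btmp begins ..." trailer are dropped before counting.
top_failed() {
    local field="$1" n="${2:-10}"
    awk -v f="$field" 'NF >= 3 && $1 != "btmp" { print $f }' \
        | sort | uniq -c | sort -rn | head -n "$n" \
        | awk '{ print $1, $2 }'
}

# offenders THRESHOLD: print every host (column 3) with at least THRESHOLD
# failed logins, sorted, one per line; suitable input for a block list.
offenders() {
    local threshold="$1"
    awk -v t="$threshold" '
        NF >= 3 && $1 != "btmp" { c[$3]++ }
        END { for (h in c) if (c[h] >= t) print h }' | sort
}

# Stand-alone demonstration on the constructed sample.
echo "Top hosts:";     printf '%s\n' "$SAMPLE_BTMP" | top_failed 3
echo "Top usernames:"; printf '%s\n' "$SAMPLE_BTMP" | top_failed 1
echo "Hosts with 2+ failures:"; printf '%s\n' "$SAMPLE_BTMP" | offenders 2
```

    The threshold function deliberately only prints addresses; feeding them to iptables or a firewall set is a separate step you want to eyeball first, since a host that shares NAT with your own office can land on the list just as easily as a scanner.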
  10. Luis Pena

    Luis Pena Guest

    It has! Thanks a lot for sharing that with me, I'm going to do this now :)
  11. JDG

    JDG Guest

    DDoS doesn't necessarily involve login attempts. I would categorize this more as a brute-force attempt. This could still be a precursor to a DDoS attack.

    I could definitely see a DDoS attack being used to hide the attacker's objectives once they obtain your credentials. DDoS can be an effective method to generate noise in your logs.
  12. DDoS cannot be avoided; at the very least, software can't do that job, because the volume of data is too large. Without hardware to block it, you can only pray to God that no DDoS comes for your equipment!

