bprashanth · February 26, 2025 11:32
diff --git a/scrape_ips_netstat.sh b/scrape_ips_netstat.sh
 #!/bin/bash

 echo -e "\n**Current SSH Connections:**\n"
 echo -e "IP Address\t\tAuth Method\t\tCountry"

 # Get all active SSH connection IPs
 netstat -napt | grep "ESTABLISHED.*ssh" | awk '{print $5}' | cut -d':' -f1 | sort -u | while read -r ip; do
    # Check if the IP used a password
    if sudo grep -E "Accepted password|Accepted publickey|Accepted keyboard-interactive|Accepted gssapi" /var/log/auth.log* | grep -q "$ip"; then
        auth_method=$(sudo grep -E "Accepted password|Accepted publickey|Accepted keyboard-interactive|Accepted gssapi" /var/log/auth.log | grep "$ip" | awk '{print $9}')
    else
        auth_method="Unknown"
    fi

    # Get geolocation of the IP
    country=$(whois "$ip" | grep -i "country" | awk '{print $2}' | head -n 1)
    if [[ -z "$country" ]]; then
        country="Unknown"
    fi

    # Print results
    echo -e "$ip\t\t$auth_method\t\t$country"
 done

 echo -e "\n Done"
	#!/bin/bash

	echo -e "\nCurrent SSH Connections:\n"
	echo -e "IP Address\t\tAuth Method\t\tCountry"

	# Get all active SSH connection IPs
	netstat -napt \| grep "ESTABLISHED.*ssh" \| awk '{print $5}' \| cut -d':' -f1 \| sort -u \| while read -r ip; do
	# Check if the IP used a password
	if sudo grep -E "Accepted password\|Accepted publickey\|Accepted keyboard-interactive\|Accepted gssapi" /var/log/auth.log* \| grep -q "$ip"; then
	auth_method=$(sudo grep -E "Accepted password\|Accepted publickey\|Accepted keyboard-interactive\|Accepted gssapi" /var/log/auth.log \| grep "$ip" \| awk '{print $9}')
	else
	auth_method="Unknown"
	fi

	# Get geolocation of the IP
	country=$(whois "$ip" \| grep -i "country" \| awk '{print $2}' \| head -n 1)
	if [[ -z "$country" ]]; then
	country="Unknown"
	fi

	# Print results
	echo -e "$ip\t\t$auth_method\t\t$country"
	done

	echo -e "\n Done"