sahal · May 4, 2014 02:32
diff --git a/normal_user_ips.sh b/normal_user_ips.sh
 #!/bin/bash
 # ./normal_user_ips.sh
 # desc: display IPs of all normal users on your Debian system
 # by: Sahal Ansari http://sahal.info/

 accepted="Accepted"
 # to display Accepted or Failed IPs from auth.log uncomment:
 #accepted="Accepted|Failed"

 # directory where you keep auth.log
 cd /var/log/

 # http://www.cyberciti.biz/faq/understanding-etcpasswd-file-format/
 # Reading /etc/passwd file
 while IFS=: read -r f1 f2 f3 f4 f5 f6 f7
 do
 #	echo "Username: ""$f1"
 #	echo "User ID (UID): ""$f3"

 # http://www.debian.org/doc/manuals/system-administrator/ch-sysadmin-users.html
 # UIDs 1000-29999 are normal user accounts.
 	if [ "$f3" -ge "1000" ] && [ "$f3" -le "29999" ]; then
 		users[i]="$f1"
 		((++i))
 	fi
 done < /etc/passwd

 zcat --force --quiet auth.log* |  grep -E "$(echo "${users[@]}" | tr '\ ' '|' )" | \
 grep -E "$accepted" | sed -e s/.*from\ // -e s/\ .*// | sort | uniq | tr '\n' '\ ' && echo
	#!/bin/bash
	# ./normal_user_ips.sh
	# desc: display IPs of all normal users on your Debian system
	# by: Sahal Ansari http://sahal.info/

	accepted="Accepted"
	# to display Accepted or Failed IPs from auth.log uncomment:
	#accepted="Accepted\|Failed"

	# directory where you keep auth.log
	cd /var/log/

	# http://www.cyberciti.biz/faq/understanding-etcpasswd-file-format/
	# Reading /etc/passwd file
	while IFS=: read -r f1 f2 f3 f4 f5 f6 f7
	do
	# echo "Username: ""$f1"
	# echo "User ID (UID): ""$f3"

	# http://www.debian.org/doc/manuals/system-administrator/ch-sysadmin-users.html
	# UIDs 1000-29999 are normal user accounts.
	if [ "$f3" -ge "1000" ] && [ "$f3" -le "29999" ]; then
	users[i]="$f1"
	((++i))
	fi
	done < /etc/passwd

	zcat --force --quiet auth.log* \| grep -E "$(echo "${users[@]}" \| tr '\ ' '\|' )" \| \
	grep -E "$accepted" \| sed -e s/.from\ // -e s/\ .// \| sort \| uniq \| tr '\n' '\ ' && echo
No results found