
@wjlafrance
Created April 30, 2014 21:06
# List all SSH logs
# The brace group concatenates the rotated (gzipped) logs with the live log so one
# pipeline covers the whole retention window. Patterns and awk field numbers below
# match the syslog-style lines in macOS system.log that this gist was written against;
# other sshd versions word these messages differently, so check a sample line first.
{ gunzip -c /var/log/system.log.*.gz; cat /var/log/system.log; } | grep 'sshd'
# List most frequent invalid username attempts
# Line shape: "Apr 30 12:00:00 host sshd[1234]: Invalid user NAME from IP", so $8 is the
# username and $10 the source address. sort -rn sorts the uniq -c counts numerically.
{ gunzip -c /var/log/system.log.*.gz; cat /var/log/system.log; } | grep 'sshd\[[[:digit:]]*\]: Invalid' | awk '{print $8}' | sort | uniq -c | sort -rn
# List most frequent invalid username attempts by IP address
{ gunzip -c /var/log/system.log.*.gz; cat /var/log/system.log; } | grep 'sshd\[[[:digit:]]*\]: Invalid' | awk '{print $10}' | sort | uniq -c | sort -rn
# List most frequent pre-auth "Bye Bye" disconnects by IP address
# Line shape: "... sshd[1234]: Received disconnect from IP: 11: Bye Bye [preauth]";
# $9 is the address with a trailing colon, which sed strips.
{ gunzip -c /var/log/system.log.*.gz; cat /var/log/system.log; } | grep 'sshd\[[[:digit:]]*\]: Received disconnect from .*: 11: Bye Bye \[preauth\]' | awk '{print $9}' | sed 's/:$//' | sort | uniq -c | sort -rn
# List most frequent pre-auth disconnectors by IP address
# Line shape: "... sshd[1234]: Connection closed by IP [preauth]"; $9 is the address.
{ gunzip -c /var/log/system.log.*.gz; cat /var/log/system.log; } | grep 'sshd\[[[:digit:]]*\]: Connection closed by .* \[preauth\]' | awk '{print $9}' | sort | uniq -c | sort -rn
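The three pre-auth pipelines above can be folded into one pass. The script below is an added example, not the gist's own code: a single awk program tallies invalid-user attempts, pre-auth "Bye Bye" disconnects and pre-auth connection closes per source IP, pulling the address out of the message text instead of a fixed field number, so an empty username or an extra "port N" suffix does not shift it. The log lines are constructed sample input in the same system.log format as the gist.

```shell
#!/bin/sh
# Added example; constructed sample lines in the 2014-era macOS system.log format.
SAMPLE_LOG='Apr 30 10:01:02 mac sshd[101]: Invalid user bin from 203.0.113.10
Apr 30 10:01:03 mac sshd[101]: Received disconnect from 203.0.113.10: 11: Bye Bye [preauth]
Apr 30 10:02:10 mac sshd[102]: Invalid user oracle from 203.0.113.10
Apr 30 10:02:11 mac sshd[102]: Received disconnect from 203.0.113.10: 11: Bye Bye [preauth]
Apr 30 10:03:00 mac sshd[103]: Invalid user bin from 203.0.113.10
Apr 30 10:05:00 mac sshd[104]: Connection closed by 198.51.100.7 [preauth]
Apr 30 10:05:30 mac sshd[105]: Invalid user test from 198.51.100.7
Apr 30 10:06:00 mac sshd[106]: Accepted publickey for alice from 192.0.2.5 port 50000 ssh2'

# Read syslog lines on stdin; print "IP invalid byebye closed" per source address,
# most invalid-user attempts first (numeric sort, ties broken by address).
ssh_preauth_summary() {
    grep 'sshd\[[[:digit:]]*\]: ' | awk '
        /: Invalid user .* from / {
            ip = $0; sub(/.* from /, "", ip); sub(/ .*/, "", ip)
            inv[ip]++; seen[ip] = 1 }
        /: Received disconnect from .*: 11: Bye Bye \[preauth\]/ {
            ip = $0; sub(/.*Received disconnect from /, "", ip); sub(/:.*/, "", ip)
            bye[ip]++; seen[ip] = 1 }
        /: Connection closed by .* \[preauth\]/ {
            ip = $0; sub(/.*Connection closed by /, "", ip); sub(/ .*/, "", ip)
            closed[ip]++; seen[ip] = 1 }
        END { for (ip in seen)
                  printf "%s %d %d %d\n", ip, inv[ip]+0, bye[ip]+0, closed[ip]+0 }
    ' | sort -k2,2nr -k1,1
}

# Usernames tried against this host as "count name", most frequent first; the name
# is taken from between "Invalid user " and " from " rather than from field 8.
ssh_invalid_users() {
    grep 'sshd\[[[:digit:]]*\]: Invalid user ' \
        | sed 's/.*Invalid user \(.*\) from .*/\1/' \
        | sort | uniq -c | awk '{print $1, $2}' | sort -k1,1nr -k2,2
}

# Run against the constructed sample; on a real host feed the brace group from the gist.
printf '%s\n' "$SAMPLE_LOG" | ssh_preauth_summary
printf '%s\n' "$SAMPLE_LOG" | ssh_invalid_users
```

The Accepted line is deliberately left out of the tally: only pre-auth failures are counted, so a legitimate login from a new address does not inflate its score.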