I've been running an SSH server on my Ubuntu box for several years. Let's see who has been trying to get in.
awk 'gsub(".*sshd.*Failed password for (invalid user )?", "") {print $1}' /var/log/auth.log* | sort | uniq -c | sort -rn | head -10
1153 root
43 test
23 linux
19 tester
19 guest
18 testing
17 administrator
15 roor
15 postfix
14 user
So has anyone but myself been able to log in?
awk 'gsub(".*sshd.*Accepted password for (valid user )?", "") {print $1}' /var/log/auth.log* | sort | uniq -c | sort -rn | head -2
17 Kevin_Brosnan
No, I'm the only user on the system using SSH. Good!
How often did the same IP try to access my computer?
awk 'gsub(".*sshd.*Failed password for (invalid user )?", "") {print $3}' /var/log/auth.log* | sort | uniq -c | sort -rn | head -10
834 - 121.242.167.256
432 - 121.242.65.256
381 - 85.128.10.256
225 - 12.172.224.256
216 - 190.81.104.256
134 - 119.192.138.256
68 - 94.103.155.256
59 - 62.181.56.256
31 - 116.28.64.256
25 - 85.17.154.256
I found the first and last scripts in the Securing SSH Fedora guide and modified them to work with the Ubuntu log files. Some data presented here has been partially anonymised.
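An added example, not part of the original post or the Fedora guide: the one-liners above pick the user and IP by field position ($1 and $3), but the user name is sent by the client and can contain spaces, which shifts the fields and misattributes the source address. This sketch takes the source from the " from IP port N" trailer at the end of the line instead, and goes beyond the post by also counting accepted publickey logins. The names ssh_auth_summary and SAMPLE_LOG are hypothetical and the log lines are constructed.

```shell
# Added example, not from the original post. Sample lines are constructed;
# the addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG='Mar  3 10:15:01 box sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:15:03 box sshd[1201]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  3 10:15:09 box sshd[1207]: Failed password for invalid user test from 198.51.100.7 port 40110 ssh2
Mar  3 10:15:12 box sshd[1209]: Failed password for invalid user a from 192.0.2.1 port 22 ssh2 from 198.51.100.7 port 40112 ssh2
Mar  3 10:20:00 box sshd[1300]: Accepted publickey for kevin from 192.0.2.10 port 50022 ssh2: RSA SHA256:constructed
Mar  3 10:21:00 box sshd[1310]: Accepted password for kevin from 192.0.2.10 port 50030 ssh2
Mar  3 10:22:00 box CRON[1400]: pam_unix(cron:session): session opened for user root'

ssh_auth_summary() {
    awk '
    # Keep only sshd messages; take the text after the first "sshd[pid]: ".
    !match($0, / sshd\[[0-9]+\]: /) { next }
    { msg = substr($0, RSTART + RLENGTH) }
    msg ~ /^Failed password for / {
        rest = msg
        sub(/^Failed password for (invalid user )?/, "", rest)
        # Anchor at end of line: only the trailer that sshd appended can
        # match, so text inside the user name is never taken as the source.
        if (match(rest, / from [^ ]+ port [0-9]+( ssh2)?$/)) {
            user = substr(rest, 1, RSTART - 1)
            split(substr(rest, RSTART + 6), t, " ")
            fail_user[user]++; fail_ip[t[1]]++
        }
        next
    }
    msg ~ /^Accepted [^ ]+ for / {
        split(msg, w, " ")              # w[2] = method, w[4] = account
        accepted[w[4] " via " w[2]]++
    }
    END {
        for (k in fail_user) printf "failed_user\t%d\t%s\n", fail_user[k], k
        for (k in fail_ip)   printf "failed_ip\t%d\t%s\n", fail_ip[k], k
        for (k in accepted)  printf "accepted\t%d\t%s\n", accepted[k], k
    }' | sort -t "$(printf '\t')" -k1,1 -k2,2nr
}

printf '%s\n' "$SAMPLE_LOG" | ssh_auth_summary
```

On a real system, feed it with `zcat -f /var/log/auth.log* | ssh_auth_summary`, which also reads the compressed rotated logs.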
