Find out who's trying to break into your box

Rob
The /var/log/btmp file shows you failed logins. You can use `last` to read it:

Code:
last -f /var/log/btmp

or simply just use `lastb`:

Code:
lastb

Then spice it up a little bit ...

Show the top 10 IPs with failed logins (the first column is the number of failed tries, the second column is the IP):
Code:
lastb | awk '{print $3}' | sort | uniq -c | sort -rn | head -10

Show the top 10 usernames with failed logins:
Code:
lastb | awk '{print $1}' | sort | uniq -c | sort -rn | head -10
 


By default:
`last` uses /var/log/wtmp (shows a list of users who logged in)
`lastb` uses /var/log/btmp (shows bad login attempts)
 
That's quite interesting, I think. CSF/WHM notifies me of failed login attempts already though.
 
Quite impressive terminal code there! Two months ago I noticed through my Kloxo's lxguard logs around 200+ failed login attempts from different IPs. I could never have thought that a host not advertised a lot would attract so much intrusion.

Glad there is stuff to detect these and block them out.
 
Yeah, it's important to check for bad logins; you may look and think, oh well, at least they are not getting in, but it could easily be a DDoS. Linux logs are just awesome.
 

I had a question in mind when you mentioned DDoS. Do DoS deflators really work that well when it comes to such situations? There could be different kinds of attacks. I've noticed that HTTP attacks from a few IPs are much easier to stop than TCP.
 

It would depend on the size of the attack - I have been on the other end of such a DDoS, which was huge; the deflators did not hold firm. Anyhow, since then I have had no such problems. So they could be working.
 
Wow, this is great information; I've recently gotten into server security and these are the types of commands I was hoping to find!

Also, can these commands be written into a bash script?
 

You could easily make a bash script to do this for you, which might be handy if you wanted to run them at specific intervals via cron, or you could simply use a command alias which you can add to your .bashrc, and they'll be available when you log in:

An example script follows:
Code:
#!/bin/sh
#  Show top 10 IPs with failed logins
lastb | awk '{print $3}' | sort | uniq -c | sort -rn | head -10

And here are example aliases for your .bashrc; note the quoting is crazy but necessary to escape it properly. You could put these in a file at ~/.aliases and then source it from your ~/.bashrc with a simple line appended: . ~/.aliases

Check your ~/.bashrc, as it may already have an alias file being sourced, in which case you could just add these to that file instead.

Code:
alias lastbtop10ips='lastb | awk '"'"'{print $3}'"'"' | sort | uniq -c | sort -rn | head -10'
alias lastbtop10logins='lastb | awk '"'"'{print $1}'"'"' | sort | uniq -c | sort -rn | head -10'

You could then run the alias by typing the name into the terminal, e.g.:
Code:
root@waaagh [~]# lastbtop10logins
  14208 root
    372 oracle
    158 bin
    96 admin
    94 ftpuser
    68 auto
    58 adrian
    53 postgres
    46 test
    40 cacti

Hope that helps, Luis.
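As an added example that is not part of the thread (and not Luis's script or aliases): the one-liners from the first post and the cron script above, combined into shell functions that read lastb output from stdin, plus a constructed sample of lastb-format lines so it runs without root or a real /var/log/btmp. The function names, the threshold helper and the sample IPs are my own assumptions, not anything the thread uses. It also handles one thing the `awk '{print $3}'` one-liner does not: a console (tty) failure has no host column, so $3 would be the weekday name, which the IP helper skips.

```shell
#!/bin/sh
# Added example, not code from the thread: helpers that turn lastb-style output
# into a failed-login summary, in the shape of the one-liners above but
# cron-friendly. lastb needs root and a readable /var/log/btmp, so every helper
# reads lastb-format lines from stdin; on a real host run e.g. `lastb | top_failed_ips 10`.

# Constructed sample in the column layout lastb prints:
#   user  tty  host  day mon date time - time (duration)
# For SSH attempts the tty column is "ssh:notty" and the host column holds the IP.
# The "root tty1" line is a console failure: its host column is empty, so awk's $3
# would be the weekday, which is why the IP helpers filter weekday names out.
SAMPLE_BTMP='root     ssh:notty    203.0.113.5      Mon Mar  4 02:11 - 02:11  (00:00)
admin    ssh:notty    203.0.113.5      Mon Mar  4 02:11 - 02:11  (00:00)
root     ssh:notty    198.51.100.7     Mon Mar  4 02:12 - 02:12  (00:00)
root     ssh:notty    203.0.113.5      Mon Mar  4 02:13 - 02:13  (00:00)
oracle   ssh:notty    192.0.2.9        Mon Mar  4 02:14 - 02:14  (00:00)
root     ssh:notty    198.51.100.7     Mon Mar  4 02:15 - 02:15  (00:00)
root     tty1                          Mon Mar  4 02:16 - 02:16  (00:00)

btmp begins Mon Mar  4 00:00:01 2024'

# Keep only real records: drop blank lines and the "btmp begins ..." trailer
# (both have fewer than 8 fields).
btmp_records() {
    awk 'NF >= 8'
}

# "count host" for every remote host, most failures first. Console records,
# whose $3 is a weekday name, are skipped. The final awk normalises the
# leading spaces uniq -c adds so the output is easy to compare or parse.
count_failed_ips() {
    btmp_records \
        | awk '$3 !~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ { print $3 }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# "count user" for every attempted username, most failures first.
count_failed_users() {
    btmp_records | awk '{ print $1 }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# The N busiest hosts / usernames (default 10), matching the thread's head -10.
top_failed_ips()   { count_failed_ips   | head -n "${1:-10}"; }
top_failed_users() { count_failed_users | head -n "${1:-10}"; }

# Hosts with at least T failures (default 5): the lines worth a cron alert or a
# firewall deny-list review, rather than the whole top 10.
ips_over_threshold() {
    count_failed_ips | awk -v t="${1:-5}" '$1 >= t'
}

# Offline demo on the constructed sample.
printf '%s\n' "$SAMPLE_BTMP" | top_failed_ips 10
printf '%s\n' "$SAMPLE_BTMP" | top_failed_users 10
printf '%s\n' "$SAMPLE_BTMP" | ips_over_threshold 2
```

For a cron job, replace the demo lines at the bottom with `lastb | ips_over_threshold 20` (or whatever threshold fits your host) and mail or log the output; an empty result means nothing crossed the line since btmp was last rotated.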
 


It has! Thanks a lot for sharing that with me, I'm going to do this now :)
 
Yeah its important to check for bad logins, you may look and think, oh well at least they are not getting in, but it could easily be a DDoS. Linux logs are just awesome,

DDoS doesn't necessarily involve login attempts. I would categorize this more as a brute-force attempt. This could still be a precursor to a DDoS attack.

I could definitely see a DDoS attack being used to hide the attacker's objectives once they obtain your credentials. DDoS can be an effective method to generate noise in your logs.
 
DDoS cannot be avoided; at least software can't do that job, because the data volume is too large. Without hardware to block it, you can only pray to God that no DDoS hits your equipment!
 