Getting a top 20 list with uniq IP-ranges of SSH attackers and sort them with .0 on the end. Possible?

I hope I can explain this clearly. I'll do my best. There are many similar questions and examples, but none of them does what I need. I'm trying to get rid of these so-called "attackers" on my server.

What I'm looking for:

For example, I have the following IPs in my log:

122.155.223.48
116.110.220.28
116.110.220.166
116.196.94.108
118.70.113.1
116.110.220.94
116.110.220.34
118.70.113.2
125.19.37.226

Now I need a list that shows them like this:

4x 116.110.220.0
2x 118.70.113.0
1x 116.196.94.0
1x 122.155.223.0
1x 125.19.37.0

As you can see, it merges the last octet (?) into 0 and sorts them by the number of hits. That way I can block the whole range on my 3 servers.

Which logs and which string to search for?

I want to scan all /var/log/secure logs on the server to get the list above; that would include (for example): secure, secure-20191124, secure-20191201, etc.

The string to look for is: Failed password for

The code I'm currently using is:

grep "Failed password for" /var/log/secure | grep -Po "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | sort | uniq -c

This partly works, but it doesn't limit the output to 20 IPs, it doesn't rewrite them with .0 as the last octet (and merge those IPs), and it doesn't sort them at all (the order is just random).

Is there a working solution for this?

Thanks in advance for your help!

Update

The solution provided by Thibaud Ledent works fine for the situation above, but it does not work when the secure log shows entries like these:

Dec 18 19:24:58 serverc1 sshd[14698]: refused connect from 212.69.19.250 (212.69.19.250)
Dec 18 19:25:03 serverc1 sshd[14699]: refused connect from 197.51.144.150 (197.51.144.150)
Dec 18 19:42:52 serverc1 sshd[14700]: refused connect from 113.225.182.207 (113.225.182.207)
Dec 18 19:42:52 serverc1 sshd[14701]: refused connect from 113.225.182.207 (113.225.182.207)
Dec 18 20:56:23 serverc1 sshd[14711]: refused connect from 41.176.150.253 (41.176.150.253)
Dec 18 20:59:28 serverc1 sshd[14714]: refused connect from 95.110.201.243 (95.110.201.243)
Dec 18 21:22:46 serverc1 sshd[14722]: refused connect from 107.189.10.44 (107.189.10.44)
Dec 19 00:04:15 serverc1 sshd[15134]: refused connect from 83.97.20.49 (83.97.20.49)
Dec 19 01:52:03 serverc1 sshd[15156]: refused connect from 27.78.12.22 (27.78.12.22)
Dec 19 01:52:05 serverc1 sshd[15157]: refused connect from 27.78.12.22 (27.78.12.22)
Dec 19 01:52:16 serverc1 sshd[15158]: refused connect from 27.78.14.83 (27.78.14.83)
Dec 19 01:52:20 serverc1 sshd[15159]: refused connect from 27.78.12.22 (27.78.12.22)
Dec 19 01:52:20 serverc1 sshd[15160]: refused connect from 27.78.12.22 (27.78.12.22)
Dec 19 01:52:21 serverc1 sshd[15161]: refused connect from 27.78.14.83 (27.78.14.83)
Dec 19 01:52:22 serverc1 sshd[15162]: refused connect from 27.78.14.83 (27.78.14.83)
Dec 19 01:52:24 serverc1 sshd[15163]: refused connect from 27.78.12.22 (27.78.12.22)
Dec 19 01:52:30 serverc1 sshd[15168]: refused connect from 27.78.14.83 (27.78.14.83)
Dec 19 01:52:32 serverc1 sshd[15169]: refused connect from 27.78.14.83 (27.78.14.83)
Dec 19 02:04:58 serverc1 sshd[15189]: refused connect from 195.24.207.252 (195.24.207.252)
Dec 19 02:22:38 serverc1 sshd[15192]: refused connect from 65.49.20.66 (65.49.20.66)
Dec 19 05:04:25 serverc1 sshd[15244]: refused connect from 45.227.255.48 (45.227.255.48)
Dec 19 05:28:09 serverc1 sshd[15247]: refused connect from 203.162.150.234 (203.162.150.234)
Dec 19 05:28:12 serverc1 sshd[15248]: refused connect from 203.162.150.234 (203.162.150.234)
Dec 19 05:31:48 serverc1 sshd[15249]: refused connect from 125.160.17.32 (125.160.17.32)
Dec 19 09:09:06 serverc1 sshd[15297]: refused connect from 139.162.122.110 (139.162.122.110)
Dec 19 09:09:12 serverc1 sshd[15298]: refused connect from 139.162.122.110 (139.162.122.110)
Dec 19 09:54:55 serverc1 sshd[15299]: refused connect from 45.33.70.146 (45.33.70.146)
Dec 19 09:55:00 serverc1 sshd[15300]: refused connect from 45.33.70.146 (45.33.70.146)
Dec 19 09:55:06 serverc1 sshd[15301]: refused connect from 45.33.70.146 (45.33.70.146)
Dec 19 09:55:11 serverc1 sshd[15302]: refused connect from 45.33.70.146 (45.33.70.146)
Dec 19 09:55:16 serverc1 sshd[15303]: refused connect from 45.33.70.146 (45.33.70.146)
Dec 19 10:11:33 serverc1 sshd[15321]: refused connect from 45.33.70.146 (45.33.70.146)
Dec 19 12:49:55 serverc1 sshd[15463]: refused connect from 66.70.188.152 (66.70.188.152)
Dec 19 12:57:29 serverc1 sshd[15466]: refused connect from 107.189.10.141 (107.189.10.141)
Dec 19 13:18:09 serverc1 sshd[15474]: refused connect from 111.59.92.70 (111.59.92.70)
Dec 19 14:34:03 serverc1 sshd[15484]: refused connect from 120.50.182.178 (120.50.182.178)

Obviously I changed his solution to:

grep " refused connect from" -r /var/log/secure | grep -oE "[0-9]+\.[0-9]+\.[0-9]+\.0" | sort | uniq -c | sort -r | head -n 20

But it doesn't show any results at all?

Maybe because the IP is shown twice, or something like that?

grep "Failed password for" -r /var/log/secure | grep -oE "[0-9]+\.[0-9]+\.[0-9]+\.0" | sort | uniq -c | sort -r | head -n 20

Details:

Step 1. Find the lines containing "Failed password for" in the folder /var/log/secure:

grep "Failed password for" -r /var/log/secure

Step 2. Filter the IPs ending with .0:

grep -oE "[0-9]+\.[0-9]+\.[0-9]+\.0" 

(or, if you want all the IPs: grep -oE "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")

Step 3. Count the occurrences:

sort | uniq -c

Step 4. Sort with the count first:

sort -r

Step 5. Show the first 20 IPs:

head -n 20
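The following is an added example, not code from the question or from the answer above. It does the aggregation the question asks for (first three octets kept, last octet replaced by 0, hit count per range, top 20 by count) and also covers the "refused connect from" lines from the update. It assumes the two line formats shown on the page, that the first dotted-quad on such a line is the remote address (so the repeated "(a.b.c.d)" on refused lines is not double-counted), and IPv4 only; the sample log embedded in it is constructed from the addresses on the page with made-up timestamps, pids and ports.

```shell
#!/bin/sh
# Added example: aggregate SSH attacker IPs from sshd log lines into /24
# ranges (last octet replaced by 0), count hits per range and print the
# top N, most hits first.
#
# Assumptions (not stated on the page):
#   - lines of interest contain "Failed password for" or "refused connect from"
#   - the first dotted-quad on such a line is the remote address, so the
#     repeated "(a.b.c.d)" on refused lines is not counted twice
#   - IPv4 only; an IPv6 client yields no dotted-quad and is skipped
#   - equal counts are ordered by range string so the output is stable

# top_ranges [N]  - read log lines on stdin, print "COUNTx a.b.c.0" for the
# N busiest ranges (default 20), most hits first.
top_ranges() {
    awk '
        /Failed password for|refused connect from/ {
            # only the first IPv4 address on the line is the source
            if (match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
                ip = substr($0, RSTART, RLENGTH)
                split(ip, o, ".")
                hits[o[1] "." o[2] "." o[3] ".0"]++
            }
        }
        END { for (r in hits) print hits[r] "\t" r }
    ' \
    | LC_ALL=C sort -k1,1nr -k2,2 \
    | head -n "${1:-20}" \
    | awk '{ print $1 "x " $2 }'
}

# Constructed sample log: addresses come from the question, timestamps, pids
# and ports are made up. Includes one accepted login and one IPv6 client
# that must not be counted.
sample_log() {
    cat <<'EOF'
Dec 18 19:24:58 serverc1 sshd[14698]: refused connect from 212.69.19.250 (212.69.19.250)
Dec 19 01:52:03 serverc1 sshd[15156]: refused connect from 27.78.12.22 (27.78.12.22)
Dec 19 01:52:16 serverc1 sshd[15158]: refused connect from 27.78.14.83 (27.78.14.83)
Dec 19 01:52:20 serverc1 sshd[15159]: refused connect from 27.78.12.22 (27.78.12.22)
Dec 19 02:10:01 serverc1 sshd[15201]: Failed password for root from 116.110.220.28 port 41022 ssh2
Dec 19 02:10:05 serverc1 sshd[15202]: Failed password for invalid user admin from 116.110.220.166 port 41030 ssh2
Dec 19 02:10:09 serverc1 sshd[15203]: Failed password for root from 116.110.220.94 port 41044 ssh2
Dec 19 02:10:12 serverc1 sshd[15204]: Failed password for root from 116.110.220.34 port 41050 ssh2
Dec 19 02:11:00 serverc1 sshd[15205]: Failed password for root from 118.70.113.1 port 51000 ssh2
Dec 19 02:11:03 serverc1 sshd[15206]: Failed password for root from 118.70.113.2 port 51004 ssh2
Dec 19 02:12:00 serverc1 sshd[15207]: Failed password for root from 122.155.223.48 port 3301 ssh2
Dec 19 02:13:00 serverc1 sshd[15208]: Accepted publickey for deploy from 10.0.0.5 port 50000 ssh2
Dec 19 02:14:00 serverc1 sshd[15209]: Failed password for root from 2001:db8::1 port 60000 ssh2
EOF
}

# Stand-alone demo on the constructed sample. Against the real logs, including
# the rotated ones named in the question:
#   cat /var/log/secure* | top_ranges 20
sample_log | top_ranges 20
```

On the sample this prints "4x 116.110.220.0" first, then the two ranges with 2 hits, then the single-hit ranges. The counting is done in one awk pass so only the first address per line is taken, which is why the "(a.b.c.d)" repeated on the refused lines does not double the count; the sort key is numeric (`-k1,1nr`), so a range with 12 hits lands above one with 9. If your rotated logs are gzip-compressed, `zcat -f /var/log/secure*` in place of `cat` passes both compressed and plain files through. Keep in mind that a /24 can belong to an ISP or a shared hosting provider, so blocking the whole range also blocks any legitimate host in it; check the top entries (for example with whois) before pushing them to all three servers.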