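#!/bin/bash
#Encoding: UTF-8

#============================================================================
#
#  Program: log_botnets.sh
#  Created by: Marco Antonio Gomez   < marcogomez<at>aptscience.org >
#
#  Last modified: 2010/08/27 13:35
#
#  Purpose: summarise failed SSH password attempts made against invalid
#           (non-existent) users, as recorded in /var/log/auth.lo*.
#  Output:  ~/ssh_usertries.log, one line per user name in the form
#           "<attempts> - <user>", highest count first.
#  Needs:   read access to /var/log/auth.lo* (restricted on many systems).
#
#  Security notes:
#   - The user names come from remote, unauthenticated clients, so they are
#     untrusted input. They are only ever handled as data (awk fields and
#     sort/uniq lines), never as shell words, glob patterns or grep patterns.
#   - Treat the report itself as untrusted text: do not assume the names in
#     it are safe to feed to other commands unquoted.
#   - Auth-log data is sensitive; umask 077 keeps the scratch file and the
#     final report readable by the owner only.
#
#============================================================================

set -euo pipefail
umask 077

readonly REPORT="${HOME:?HOME must be set}/ssh_usertries.log"

# Path of the scratch file; global so the EXIT trap can still see it.
scratch=''

# Print a message on stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Remove the scratch file on any exit path (no-op once it has been renamed).
cleanup() {
  if [[ -n "$scratch" ]]; then
    rm -f -- "$scratch"
  fi
}

#######################################
# Read auth-log lines on stdin and print the user name of every
# "Failed password for invalid user <name>" entry, one per line.
# The name is located relative to the "invalid user" words instead of a
# fixed column, so a different timestamp layout does not shift the result.
# With the classic syslog layout this is the same field the script used to
# read ($11). Matching is case-insensitive, as before.
# Limitation: if the logged name is empty, the following word is printed.
#######################################
extract_invalid_users() {
  awk '
    {
      if (index(tolower($0), "failed password") == 0) next
      for (i = 1; i + 2 <= NF; i++) {
        if (tolower($i) == "invalid" && tolower($(i + 1)) == "user") {
          print $(i + 2)
          next
        }
      }
    }
  '
}

#######################################
# Read user names on stdin and print "<count> - <name>" sorted by count,
# highest first. uniq -c counts exact, whole-line matches, so a name such
# as "a" is not also counted for "admin", and every name appears exactly
# once in the output.
#######################################
count_users() {
  LC_ALL=C sort \
    | LC_ALL=C uniq -c \
    | LC_ALL=C sort -k1,1nr -k2,2 \
    | awk '{ print $1 " - " $2 }'
}

main() {
  local -a logs=()
  local f

  for f in /var/log/auth.lo*; do
    if [[ -f "$f" ]]; then
      logs+=("$f")
    fi
  done
  (( ${#logs[@]} > 0 )) || die "no /var/log/auth.lo* files found"

  # Unpredictable name, created next to the report so the final mv is a
  # rename on the same filesystem.
  scratch=$(mktemp "${REPORT}.XXXXXX") || die "mktemp failed"
  trap cleanup EXIT

  # gzip -cdf streams both rotated .gz files and plain files, so the logs
  # are never copied or unpacked on disk. pipefail aborts the run (and the
  # old report is left untouched) if any log cannot be read.
  gzip -cdf -- "${logs[@]}" \
    | extract_invalid_users \
    | count_users > "$scratch"

  mv -f -- "$scratch" "$REPORT"
}

main "$@"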
35