This script gathers the IP addresses, usernames and passwords that were used in attempts to log in to my machines.

#!/bin/bash

# Run this at least once a day so that no entries are missed.
# Run it before logrotate rotates the log for the day/week/month.

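# Kippo honeypot log to read, and the de-duplicated record file to maintain.
# The record file holds captured credentials in clear text, so keep it
# readable by its owner only.
kippo_log=/home/kris/kippo-0.5/log/kippo.log
auth_log=/root/kippo_ssh_auths.log

# Only today's entries are of interest, so select log lines by their date
# stamp (YYYY-MM-DD). Entries written after the last run of the day are never
# picked up, because the next run looks for the next day's date.
todays_date=$(date +%F)

#######################################
# Extract "IP|USER|PASS" from one "login attempt" log line.
# The line is cut on '[' : field 2 carries the session info (the IP is its
# third comma-separated item), field 3 carries "user/password] ...".
# NOTE(review): user and password are chosen by the remote client. A value
# containing '[', ']', '/' or '|' is truncated or makes the record ambiguous;
# treat the resulting file as untrusted data in anything that consumes it.
# Arguments: $1 - one log line containing "login attempt"
# Outputs:   the record on stdout
#######################################
parse_login_attempt() {
  local line=$1
  local session creds ip user pass

  session=$(printf '%s\n' "$line" | cut -d '[' -f 2)
  creds=$(printf '%s\n' "$line" | cut -d '[' -f 3)

  ip=$(printf '%s\n' "$session" | cut -d ',' -f 3 | cut -d ']' -f 1)
  user=$(printf '%s\n' "$creds" | cut -d '/' -f 1)
  pass=$(printf '%s\n' "$creds" | cut -d '/' -f 2 | cut -d ']' -f 1)

  printf '%s|%s|%s\n' "$ip" "$user" "$pass"
}

# Read today's login-attempt lines one at a time. Filtering happens in grep so
# the loop body only ever sees lines that carry an IP and credentials.
grep -F -- "$todays_date" "$kippo_log" \
  | grep -i -- 'login attempt' \
  | while IFS= read -r line; do
      record=$(parse_login_attempt "$line")

      # Show what was found; printf with a fixed format keeps captured
      # values from being word-split, glob-expanded or read as options.
      printf '%s\n' "$record"

      # Append only if this exact record is not already stored.
      #   -F  the record is literal text, not a regex (passwords may hold
      #       regex metacharacters)
      #   -x  whole-line match, so "a|b|123" is not hidden by "a|b|1234"
      #   --  a record starting with '-' is not parsed as a grep option
      # stderr is silenced because the file does not exist on the first run.
      if ! grep -qxF -- "$record" "$auth_log" 2>/dev/null; then
        printf '%s\n' "$record" >>"$auth_log"
      fi
    done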
