This is to gather the IP addresses and the USERNAME and PASSWORDS that were used in the attempts to login to my machines.
#!/bin/bash # Run this every day at least in order to get all the entries. # Run this before the logrotate does its work on the log for the day/week/month... # Since I am only looking at the recent listings, only look at todays based on the date timestamp todays_date=
date +%F# Only read todays and loop each line in the string grep -i $todays_date /home/kris/kippo-0.5/log/kippo.log | while read -r line; do # Only read the lines that contain login auths and IPs. All in one line in this case. if [[
echo $line | grep -i "login attempt"]]; then # Cut out the different parts. inIP=
echo $line | grep -i "login attempt" | cut -d '[' -f 2 | cut -d ',' -f 3 | cut -d ']' -f 1inUSER=
echo $line | grep -i "login attempt" | cut -d '[' -f 3 | cut -d '/' -f 1inPASS=
echo $line | grep -i "login attempt" | cut -d '[' -f 3 | cut -d '/' -f 2 | cut -d ']' -f 1# Throw it all in together for outputing to a log of my own. output="$inIP|$inUSER|$inPASS" echo $output # IF we do not already have it in the log, append the info to it. if [ !
grep $output /root/kippo_ssh_auths.log]; then echo "$inIP|$inUSER|$inPASS" >> /root/kippo_ssh_auths.log fi fi done
699 total views