我正在检查日志文件以检索 IP 地址以及日志失败的次数。这是我的日志文件的样子:
Feb 2 15:20:02 tank sshd[14870]: Failed password for root from 143.100.67.173 port 13356 ssh2
Feb 2 15:20:07 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb 2 15:20:12 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb 2 15:20:16 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb 2 15:20:20 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb 2 15:20:23 tank sshd[14874]: Accepted password for root from 143.100.67.173
现在,我还想检查日志被接受的次数。这个想法是为了了解暴力破解攻击的概况。
我该如何延长
sed -nr '/Failed/{s/.*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/;p}'| sort | uniq -c
还要检查接受的密码?就像是
sed -nr '/Accepted|Failed/{s/.*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/;p}'| sort | uniq -c
但我不想在“已接受”和“失败”之间使用“或”,而是希望获得如下所示的计数结果:
123.53.163.22 3 2
(列为:IP 地址、失败总数、接受总数)
答案1
鉴于样本很少......
cat horbaje
Feb 2 15:20:02 tank sshd[14870]: Failed password for root from 143.100.67.173 port 13356 ssh2
Feb 2 15:20:07 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb 2 15:20:12 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb 2 15:20:16 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb 2 15:20:20 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb 2 15:20:23 tank sshd[14874]: Accepted password for root from 143.100.67.173
我认为这可以满足您的要求:
awk '$6~/Failed/{a[$11][1]++}; $6~/Accepted/{a[$11][2]++} END{for(i in a){printf "%s\t%s\t%s\n",i,a[i][1],a[i][2]}}' horbaje
143.100.67.173 5 1