Monitoring /var/log/auth.log for intrusion

# Monitoring /var/log/auth.log for intrusion
#
# REF: https://unix.stackexchange.com/questions/123029/history-of-ip-addresses-that-accesed-a-server-via-ssh
# REF: https://unix.stackexchange.com/questions/190907/how-to-retrieve-ip-addresses-of-possible-ssh-attackers
# feb 2018
#

# sample /var/log/auth.log
=====
Feb 22 14:06:03 zentyal sshd[28061]: Failed password for root from 115.238.245.4 port 35807 ssh2
Feb 22 14:06:03 zentyal sshd[28061]: Received disconnect from 115.238.245.4: 11: [preauth]
Feb 22 14:06:03 zentyal sshd[28061]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.238.245.4 user=root
Feb 22 14:06:09 zentyal sshd[28068]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.238.245.4 user=root
Feb 22 14:06:10 zentyal sshd[28068]: Failed password for root from 115.238.245.4 port 32916 ssh2
Feb 22 14:06:13 zentyal sshd[28068]: Failed password for root from 115.238.245.4 port 32916 ssh2
=====

# This will list the IPs and the number of times each IP tried (and failed) to log in:

grep "Failed password for" /var/log/auth.log | grep -Po "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | sort | uniq -c

1 43.229.205.182
1 47.223.140.95
2786 5.188.86.46
1 54.2.63.218
2 59.182.130.89
3 61.6.107.192
7 66.84.25.210
4 78.165.8.203

# This greps for rhost=, which carries the hostname or IP of whoever tried; zgrep also reads the rotated, gzipped auth.log.* files.
# Then use geoiplookup from the geoip-bin package to look up the country.

zgrep sshd /var/log/auth.log* | grep rhost | sed -re 's/.*rhost=([^ ]+).*/\1/' | sort -u

web1.status-telecom.ru
wsip-70-169-35-74.tu.ph.cox.net
wsip-70-182-157-6.br.br.cox.net
www2.daniweb.com
www2.hcchurch.org.tw
xplr-204-237-24-107.xplornet.com
y117067.ppp.asahi-net.or.jp

# another one-liner to count all failed attempts per IP and sort them in descending order (hi-lo)

awk '/Failed/ {x[$(NF-3)]++} END {for (i in x){printf "%3d %s\n", x[i], i}}' /var/log/auth.log | sort -nr

588 119.249.54.217
499 185.143.223.4
459 103.213.115.45
348 209.92.176.114
113 37.72.176.165
80 35.201.226.248

# Also, look at other packages like fail2ban and http://denyhosts.sourceforge.net/
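The three one-liners above can be folded into a small reusable script. The following is an added example (not from the post or the Stack Exchange answers it references): it anchors on the fixed "from <ip> port" position of the sshd message instead of a bare IP regex (so PIDs or hostnames are never mistaken for the address), flags sources over a threshold, and pulls the rhost= values from the PAM lines. The sample log lines are constructed, with addresses from the documentation ranges; the threshold of 10 and the temp-file path are assumptions.

```shell
#!/bin/sh
# Added example: summarise failed SSH logins in an auth.log by source address.
# The sample lines below are constructed to exercise the three cases handled:
# a plain failed password, a failed password for an invalid user, and a PAM line.
SAMPLE_LOG="${TMPDIR:-/tmp}/authlog.sample.$$"
cat > "$SAMPLE_LOG" <<'EOF'
Feb 22 14:06:03 zentyal sshd[28061]: Failed password for root from 115.238.245.4 port 35807 ssh2
Feb 22 14:06:10 zentyal sshd[28068]: Failed password for root from 115.238.245.4 port 32916 ssh2
Feb 22 14:06:13 zentyal sshd[28068]: Failed password for invalid user admin from 203.0.113.7 port 4100 ssh2
Feb 22 14:07:01 zentyal sshd[28070]: Accepted publickey for alice from 192.0.2.10 port 5000 ssh2
Feb 22 14:07:20 zentyal sshd[28072]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root
EOF

# Count "Failed password" lines per source address, most frequent first.
# The address is the field right after "from", which is stable whether or not
# the line carries the "invalid user" prefix.
failed_by_ip() {
  awk '/sshd\[[0-9]+\]: Failed password for/ {
         for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
       }
       END { for (ip in n) printf "%d %s\n", n[ip], ip }' "$1" | sort -k1,1nr -k2,2
}

# Print only the sources at or above a failure threshold (assumed default: 10).
noisy_sources() {
  failed_by_ip "$1" | awk -v t="${2:-10}" '$1 >= t { print $2 }'
}

# Unique rhost= values from the PAM lines (hostname or IP, de-duplicated).
pam_rhosts() {
  sed -n 's/.*rhost=\([^ ]*\).*/\1/p' "$1" | sort -u
}

# Demonstration run against the constructed sample.
failed_by_ip "$SAMPLE_LOG"
noisy_sources "$SAMPLE_LOG" 2
pam_rhosts "$SAMPLE_LOG"
```

Point the functions at /var/log/auth.log (or a rotated copy) instead of the sample file; the output of noisy_sources is a convenient feed for a firewall deny list or a daily report.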

END

Create strong passwords

At a recent #ubuntu-us-az meeting, this URL was posted as an easy way to generate a password. I kinda liked option 4, which uses Perl, available in most Linux distros. Should you not have it, apt-get install perl will install it.

#!/usr/bin/perl
#
# REF https://www.ostechnix.com/4-easy-ways-to-generate-a-strong-password-in-linux/
# save as pw.pl
#
my @alphanumeric = ('a'..'z', 'A'..'Z', 0..9);
my $randpassword = join '', map $alphanumeric[rand @alphanumeric], 0..7;
print "$randpassword\n";

The code is simple: it creates an array with all the uppercase, lowercase, and numeric characters (you could add special characters to that array if you want). rand @alphanumeric returns a random number that is at least 0 and less than the length of the array, so $alphanumeric[rand @alphanumeric] picks a random element; map evaluates that expression once for each element of the list 0..7, so it is repeated 8 times; and join glues the eight characters together with an empty separator.

Executing perl pw.pl a few times will help the randomness of the generated password.
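The same pick-random-characters idea in shell, as an added example that is not from the post or the ostechnix article: it draws bytes from /dev/urandom (the kernel's cryptographic generator, rather than Perl's general-purpose rand), keeps only the allowed characters, and also computes how many bits of entropy a given length and alphabet give, which is what decides whether a password is strong. The function names, the default length of 8 and the default alphabet are assumptions chosen to match the Perl snippet.

```shell
#!/bin/sh
# Added example: password generation from /dev/urandom plus an entropy estimate.

# gen_password LENGTH CHARSET
#   LENGTH  - number of characters (default 8, like the Perl version)
#   CHARSET - a tr(1) character set (default A-Za-z0-9, the same 62 symbols)
# tr -dc deletes every byte not in the set, so each kept byte is a uniform
# pick from the alphabet; LC_ALL=C keeps tr working on single bytes.
gen_password() {
  LC_ALL=C tr -dc "${2:-A-Za-z0-9}" < /dev/urandom | head -c "${1:-8}"
  echo
}

# password_bits LENGTH ALPHABET_SIZE
#   Entropy in bits of LENGTH characters drawn uniformly from ALPHABET_SIZE
#   symbols: LENGTH * log2(ALPHABET_SIZE), printed with one decimal.
password_bits() {
  awk -v n="$1" -v k="$2" 'BEGIN { printf "%.1f\n", n * log(k) / log(2) }'
}

# Demonstration: an 8-character alphanumeric password carries about 47.6 bits,
# a 16-character one about 95.3 bits; a 20-digit hex string is exactly 80 bits.
gen_password 8
password_bits 8 62
gen_password 16
password_bits 16 62
gen_password 20 'a-f0-9'
password_bits 20 16
```

Lengthening the password does more for strength than re-running the generator: every extra alphanumeric character adds roughly 5.95 bits, and adding punctuation to the tr set raises the per-character figure further.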

Measure your Internet Speed

Based on a recent Slashdot post, here’s a simple way to measure your Internet speed. The project is on GitHub at https://github.com/sivel/speedtest-cli, and to get the Python-based program, simply do this:

wget -O speedtest-cli https://raw.github.com/sivel/speedtest-cli/master/speedtest_cli.py
chmod +x speedtest-cli

Execute ./speedtest-cli --simple to get your results.
See ./speedtest-cli --help for details.

You can also try an HTML5 Internet speed test (no Flash or Java needed): http://speedof.me/

Hope this helps.