Date:      Fri, 17 Mar 2006 11:03:45 -0500
From:      John Baldwin <jhb@freebsd.org>
To:        freebsd-current@freebsd.org
Cc:        Poul-Henning Kamp <phk@phk.freebsd.dk>, Garance A Drosehn <gad@freebsd.org>
Subject:   Re: PROPOSAL for periodic/security/800.loginfail
Message-ID:  <200603171103.48693.jhb@freebsd.org>
In-Reply-To: <p06230922c04072e5792b@[128.113.24.47]>
References:  <99353.1142604012@critter.freebsd.dk> <p06230922c04072e5792b@[128.113.24.47]>

On Friday 17 March 2006 09:17, Garance A Drosehn wrote:
> At 3:00 PM +0100 3/17/06, Poul-Henning Kamp wrote:
> >>>  ++ Found 199 attempts to login to invalid (non-existing) userids:
> >>>  +     45 were ssh attempts from 127.0.191.36
> >>>  +     10 were ssh attempts from 127.0.87.251
> >>>  +     14 were ssh attempts from 127.0.225.154
> >>>  +      8 were ssh attempts from 127.0.102.26
> >>>  +      1 were ssh attempts from 127.0.102.141
> >>>  +      2 were ssh attempts from 127.0.28.31
> >>>  +     29 were ssh attempts from 127.0.175.156
> >>>  +      4 were ssh attempts from 127.0.192.3
> >
> >Sort these after number of attempts.

s/after/by/?

> I have to admit this is the first awk script I've written in
> more than a decade, so I am quite rusty with it.  Last
> night I made a quick attempt to figure out how to sort
> values out of an associative array, but did not come
> across any sort function provided by nawk itself.  I like
> the idea of sorting, I just haven't figured out how to get
> nawk to do it yet...
> 
> If I can figure that out, I'll do that too.  Sort by
> number-of-attempts, or sort by IP-address of attacker?

number of attempts.  You can also use sort(1) with sort -nr for
sorting if you use a shell script that uses three different awk
passes and sorts the output of each pass and then outputs the full
info that way instead of trying to do it all in one big awk script.

-- 
John Baldwin <jhb@FreeBSD.org>  <><  http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve"  =  http://www.FreeBSD.org
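
The approach suggested in the message above, as an added example (not code from the thread or from the proposed 800.loginfail script): awk only counts per source address and sort(1) does the ordering by number of attempts. Only one of the passes is shown; the sshd "Invalid user NAME from ADDR" line format, the function names and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample log lines (documentation-range addresses), not real data.
sample_log() {
cat <<'EOF'
Mar 17 03:12:01 host sshd[811]: Invalid user admin from 192.0.2.10
Mar 17 03:12:03 host sshd[812]: Invalid user test from 192.0.2.10
Mar 17 03:12:05 host sshd[813]: Invalid user from from 192.0.2.10 port 4022
Mar 17 03:15:40 host sshd[820]: Invalid user oracle from 198.51.100.7
Mar 17 03:15:44 host sshd[821]: Invalid user guest from 198.51.100.7
Mar 17 04:01:09 host sshd[830]: Invalid user ftp from 203.0.113.5
Mar 17 04:02:00 host sshd[831]: Accepted publickey for alice from 192.0.2.77 port 51000 ssh2
EOF
}

# Pass for invalid userids: awk builds the per-address counts, sort(1)
# orders them by count (descending), ties broken by address.
# The user name is chosen by the remote side, so the address is taken
# from the LAST "from" on the line, not the first.
invalid_by_source() {
    awk '/sshd\[[0-9]+\]: Invalid user / {
             for (i = NF - 1; i >= 1; i--)
                 if ($i == "from") { count[$(i + 1)]++; break }
         }
         END {
             for (ip in count)
                 printf "%7d were ssh attempts from %s\n", count[ip], ip
         }' |
    LC_ALL=C sort -k1,1nr -k6,6
}

# Print the summary header followed by the sorted per-address lines.
report() {
    body=$(invalid_by_source)
    total=$(printf '%s\n' "$body" | awk '{ n += $1 } END { print n + 0 }')
    printf 'Found %d attempts to login to invalid (non-existing) userids:\n' "$total"
    printf '%s\n' "$body"
}

sample_log | report
```
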


