From: John Baldwin
To: freebsd-current@freebsd.org
Cc: Poul-Henning Kamp, Garance A Drosehn
Subject: Re: PROPOSAL for periodic/security/800.loginfail
Date: Fri, 17 Mar 2006 11:03:45 -0500
Message-Id: <200603171103.48693.jhb@freebsd.org>

On Friday 17 March 2006 09:17, Garance A Drosehn wrote:
> At 3:00 PM +0100 3/17/06, Poul-Henning Kamp wrote:
> >>> ++ Found 199 attempts to login to invalid (non-existing) userids:
> >>> + 45 were ssh attempts from 127.0.191.36
> >>> + 10 were ssh attempts from 127.0.87.251
> >>> + 14 were ssh attempts from 127.0.225.154
> >>> + 8 were ssh attempts from 127.0.102.26
> >>> + 1 were ssh attempts from 127.0.102.141
> >>> + 2 were ssh attempts from 127.0.28.31
> >>> + 29 were ssh attempts from 127.0.175.156
> >>> + 4 were ssh attempts from 127.0.192.3
> >
> >Sort these after number of attempts.

s/after/by/?

> I have to admit this is the first awk script I've written in
> more than a decade, so I am quite rusty with it. Last
> night I made a quick attempt to figure out how to sort
> values out of an associative array, but did not come
> across any sort function provided by nawk itself. I like
> the idea of sorting, I just haven't figured out how to get
> nawk to do it yet...
>
> If I can figure that out, I'll do that too. Sort by
> number-of-attempts, or sort by IP-address of attacker?

number of attempts. You can also use sort(1) with sort -nr for sorting
if you use a shell script that uses three different awk passes and sorts
the output of each pass and then outputs the full info that way instead
of trying to do it all in one big awk script.

-- 
John Baldwin <>< http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve" = http://www.FreeBSD.org
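
The approach suggested in the reply above (awk does the counting, sort(1) does the ordering), shown for a single pass as an added example; it is not code from the thread or from the proposed 800.loginfail script. The `Invalid user NAME from ADDR` log line format, the function names and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample input: documentation addresses, assumed sshd log format.
sample_log() {
    cat <<'EOF'
Mar 17 03:12:01 host sshd[1201]: Invalid user admin from 192.0.2.10
Mar 17 03:12:04 host sshd[1204]: Invalid user test from 198.51.100.7
Mar 17 03:12:09 host sshd[1209]: Invalid user oracle from 198.51.100.7
Mar 17 03:13:30 host sshd[1215]: Accepted publickey for alice from 203.0.113.5 port 50022 ssh2
Mar 17 03:14:02 host sshd[1222]: Invalid user guest from 198.51.100.7
Mar 17 03:14:40 host sshd[1230]: Invalid user a from 203.0.113.99 from 192.0.2.10
Mar 17 03:15:11 host sshd[1241]: Invalid user ftp from 192.0.2.44
EOF
}

# Pass 1 (awk): count invalid-user attempts per source address.
# The user name is remote-supplied text and may itself contain "from",
# so the address is taken after the LAST "from" on the line.
# "for (ip in n)" has no defined order, so no ordering is attempted here.
count_invalid_by_ip() {
    awk '/sshd\[[0-9]+\]: Invalid user / {
             for (i = NF - 1; i > 0; i--)
                 if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }'
}

# Pass 2 (sort): highest count first; ties broken by address so the
# report is stable from one run to the next.
sort_by_attempts() {
    LC_ALL=C sort -t ' ' -k1,1nr -k2,2
}

# Pass 3 (awk): add the summary header, which needs the grand total,
# so the already-sorted lines are buffered until END.
format_report() {
    awk '{ total += $1
           line[NR] = sprintf("+ %d were ssh attempts from %s", $1, $2) }
         END {
             if (NR == 0) exit
             printf "++ Found %d attempts to login to invalid (non-existing) userids:\n", total
             for (i = 1; i <= NR; i++) print line[i]
         }'
}

loginfail_report() {
    count_invalid_by_ip | sort_by_attempts | format_report
}

sample_log | loginfail_report
```
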