Oct 20 18:56:52 from root
Oct 20 19:23:57 from root
Hmm... those don't conform to my normal search for that section.
Now, all failed does is go through and parse my auth / secure log for matching failed instances. Here is what was in the log file.
Oct 20 18:56:52 $SERVER_NAME sshd[11347]: Failed password for invalid user root b0#pdl!PP from $ATTACK_IP port 55778 ssh2
Oct 20 19:23:57 $SERVER_NAME sshd[31205]: Failed password for invalid user root c from $ATTACK_IP port 42388 ssh2
From the lines in the logs, it looks like they sent the password as part of the user name. That, or my system was being slow and theirs faster.
The shell script "failed"
#! /bin/sh
# checks /var/log/auth.log for login failures.
# version 0.2
# chrisj@rattis.net
# prints failed invalid users
echo "Failed Invalid User Attempts"
grep "Failed" /var/log/auth.log | grep -i 'invalid' | awk '{print $1,$2,$3,$13,$11}' | sort -u
echo ' '
# prints failed valid users, except for me.
echo "Failed Valid User Attempts"
grep "Failed" /var/log/auth.log | grep -vi 'invalid' | awk '{print $1,$2,$3,$11,$9}' | sort -u
echo ' '
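
The "from root" output above comes from counting awk fields: one extra word in the user name shifts $11 and $13 by one. The following is an added example, not part of the original script, that anchors on sshd's fixed keywords instead. The function names, the output layout and the sample lines are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example (not the post's script): report sshd "Failed password" lines
# by anchoring on sshd's fixed keywords instead of counting awk fields.
# Assumes classic syslog timestamps ("Oct 20 18:56:52") like the post's log.

parse_failed() {
    # stdin: auth log lines. stdout: date|kind|user|ip|flag, one per failure.
    awk '
    / sshd\[[0-9]+\]: Failed password for / {
        key = ": Failed password for "
        rest = substr($0, index($0, key) + length(key))
        kind = "valid"
        if (sub(/^invalid user /, "", rest)) kind = "invalid"
        # In the format shown in the post the line ends
        # " from <ip> port <n> ssh2"; matching that tail at end-of-line
        # keeps a user name that contains spaces in one piece.
        if (!match(rest, / from [^ ]+ port [0-9]+( ssh2)?$/)) next
        user = substr(rest, 1, RSTART - 1)
        split(substr(rest, RSTART + 6), tail, " ")   # skip " from "
        # Whitespace in the name often means something else (for example a
        # password) was typed at the login prompt; flag it for redaction.
        flag = (user ~ /[ \t]/) ? "odd" : "ok"
        printf "%s %s %s|%s|%s|%s|%s\n", $1, $2, $3, kind, user, tail[1], flag
    }'
}

sample_log() {
    # Constructed sample lines; host name, users and 192.0.2.x are placeholders.
    cat <<'EOF'
Oct 20 18:56:52 host1 sshd[11347]: Failed password for invalid user root example-typed-text from 192.0.2.10 port 55778 ssh2
Oct 20 19:23:57 host1 sshd[31205]: Failed password for invalid user root c from 192.0.2.10 port 42388 ssh2
Oct 20 19:30:01 host1 sshd[31300]: Failed password for invalid user admin from 192.0.2.11 port 40000 ssh2
Oct 20 19:31:12 host1 sshd[31310]: Failed password for alice from 192.0.2.12 port 40100 ssh2
EOF
}

# Stand-alone run over the constructed sample.
sample_log | parse_failed | sort -u
```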