COP 2344 (Shell Scripting) Project #3
Process Secure Log Using Filter Commands


Due: by the start of class on the date shown on the syllabus


In this project you will learn how to extract useful information from some log file.  In this case we would like to know which User IDs had failed login attempts.  While a small number of failed attempts usually just means someone mistyped a login name or a password, a large number of failures shows intruder activity, especially when system account login names are used.

It would also be useful to see from which IP addresses these attempts were made.  While it is rare that this information leads back to the intruder, you may be able to use those IP addresses to configure a firewall and help prevent intrusions.

The log data is in the file /var/log/secure (at least for Linux systems), with one log entry per line.  All failed login entries contain the text “Failed password”, and some of those lines will contain the text “invalid user” when the attempt is made on a non-existing account.

This file is restricted to root access only on YborStudentA readable copy to use for this assignment can be found on YborStudent at ~wpollock/secure.log.


Create a “one-liner” (a single shell pipeline, or grouped command) that shows the user IDs and IP address from the 10 most attempted failed logins.  (So 10 attempts from “root at”, 8 attempts from “root at”, and 6 attempts from “mysql at” would each show up in the output.)  You must use the secure.log provided.

Hints And Additional Notes:

You will almost certainly need to use a complex pipeline, using the some of the utilities covered in class, including grep, sort, cut, uniq, sed, tr, and head.  Of course there are many different ways to extract the required information, but I suggest you stick to using these utilities, since (a) these are the ones we've covered in the course up to this point, and (b) you need the practice using these utilities.

Don't tackle the whole problem at once.  Work in small stages.  First examine the log file.  Then develop a command that shows only the log entries (lines) for failed logins.

Next, notice that the lines with illegal user IDs contain two more words than lines that show failed attempts on valid IDs.  It will make the remaining steps easier if you could process each line to contain only the user ID and the IP address.  Next you need to extract the two fields of interest from these lines (the user ID and the IP address).  There are several ways to do this but I suggest sed and cut.

Your on your own for the last part: sort the results by login name and IP address pairs, count how often each line occurs, sort by count, and finally show the top most attempted ten lines.

If you get your commands correct, the output should start with these lines:

8 test
6 root
6 admin

To be turned in:

A copy of your pipeline, and the results of running it against the log file supplied on YborStudent.

You can type or send as email to .  Please use the subject similar to “Shell Scripting Project Submission”, so I can tell which emails are submitted projects.

Send questions about the assignment to .  Please use a subject similar to “Shell Scripting Project Question” so I can tell which emails are questions about the assignment (and not submissions).

Please see your syllabus for more information about submitting projects.