COP 2344 (Shell Scripting) Project #3
Process Secure Log Using Filter Commands

Due: by the start of class on the date shown on the syllabus

Description:

In this project you will learn how to extract useful information from a log file.  In this case we would like to know which User IDs had failed login attempts.  While a small number of failed attempts usually just means someone mistyped a login name or a password, a large number of failures indicates intruder activity, especially when system account login names are used.

It would also be useful to see from which IP addresses these attempts were made.  While it is rare that this information leads back to the intruder, you may be able to use those IP addresses to configure a firewall and help prevent intrusions.

The log data is in the file /var/log/secure (at least for Linux systems), with one log entry per line.  All failed login entries contain the text “Failed password”, and some of those lines will contain the text “invalid user” when the attempt is made on a non-existing account.

This file is restricted to root access only on YborStudent.  A readable copy to use for this assignment can be found on YborStudent at ~wpollock/secure.log.

Requirements:

Create a “one-liner” (a single shell pipeline, or grouped command) that shows the user IDs and IP addresses from the 10 most attempted failed logins.  (So 10 attempts from “root at 1.1.1.1”, 8 attempts from “root at 2.2.2.2”, and 6 attempts from “mysql at 2.2.2.2” would each show up in the output.)  You must use the secure.log provided.

Hints And Additional Notes:

You will almost certainly need to use a complex pipeline, using some of the utilities covered in class, including grep, sort, cut, uniq, sed, tr, and head.  Of course there are many different ways to extract the required information, but I suggest you stick to using these utilities, since (a) these are the ones we've covered in the course up to this point, and (b) you need the practice using these utilities.

Don't tackle the whole problem at once.  Work in small stages.  First examine the log file.  Then develop a command that shows only the log entries (lines) for failed logins.

Next, notice that the lines with illegal user IDs contain two more words than lines that show failed attempts on valid IDs.  It will make the remaining steps easier if you could process each line to contain only the user ID and the IP address.  Next you need to extract the two fields of interest from these lines (the user ID and the IP address).  There are several ways to do this but I suggest sed and cut.

You're on your own for the last part: sort the results by login name and IP address pairs, count how often each line occurs, sort by count, and finally show the ten most attempted lines.

If you get your commands correct, the output should start with these lines:

8 test 59.125.204.97
6 root 125.243.249.194
6 admin 125.243.249.194
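The stages described in the hints above, worked through as an added example (not part of the course handout): a pipeline of grep, sed, cut, sort, uniq and head run against a few constructed log lines in the /var/log/secure format.  The sample entries, the documentation-range IP addresses and the temp-file path are assumptions for this illustration, not data from ~wpollock/secure.log.

```shell
#!/bin/sh
# Added example (not from the assignment handout): report the N most frequent
# (user ID, source IP) pairs among "Failed password" entries in a secure log.
# The log lines below are constructed samples in /var/log/secure format; the
# IP addresses come from documentation ranges and the file is a temp file.

# Write constructed sample log entries to a temp file and print its path.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Jan 10 03:14:15 host sshd[2101]: Failed password for root from 192.0.2.10 port 40122 ssh2
Jan 10 03:14:17 host sshd[2101]: Failed password for root from 192.0.2.10 port 40123 ssh2
Jan 10 03:14:19 host sshd[2101]: Failed password for root from 192.0.2.10 port 40124 ssh2
Jan 10 03:15:02 host sshd[2107]: Failed password for invalid user admin from 198.51.100.7 port 51001 ssh2
Jan 10 03:15:04 host sshd[2107]: Failed password for invalid user admin from 198.51.100.7 port 51002 ssh2
Jan 10 03:15:06 host sshd[2107]: Failed password for root from 198.51.100.7 port 51003 ssh2
Jan 10 03:16:00 host sshd[2110]: Accepted password for alice from 192.0.2.20 port 40200 ssh2
Jan 10 03:16:30 host sshd[2107]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
EOF
    echo "$f"
}

# Usage: top_failed_logins LOGFILE [N]   (N defaults to 10)
# Each output line is "COUNT USER IP", e.g. "8 test 59.125.204.97".
top_failed_logins() {
    grep 'Failed password' "$1" |          # keep only the failed-login entries
    sed 's/invalid user //' |              # give invalid-user lines the same shape as valid-user lines
    sed 's/.*Failed password for //' |     # drop everything before the user ID
    cut -d ' ' -f 1,3 |                    # "USER from IP port ..." -> "USER IP"
    sort | uniq -c |                       # group identical "USER IP" pairs and count them
    sort -rn |                             # most frequent pair first
    head -n "${2:-10}" |                   # keep the top N
    sed 's/^ *//'                          # strip the padding uniq -c puts before the count
}

# Stand-alone run on the constructed sample: prints the top 3 pairs.
log=$(make_sample_log)
top_failed_logins "$log" 3
rm -f "$log"
```

Note that the "Accepted password" and pam_unix lines in the sample are dropped by the first grep, so only genuine "Failed password" entries are counted.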

To be turned in:

A copy of your pipeline, and the results of running it against the log file supplied on YborStudent.

You can type or send as email to .  Please use a subject similar to “Shell Scripting Project Submission”, so I can tell which emails are submitted projects.

Send questions about the assignment to .  Please use a subject similar to “Shell Scripting Project Question” so I can tell which emails are questions about the assignment (and not submissions).

Please see your syllabus for more information about submitting projects.