
# Model solution to Shell Script project 3.1
# Written 2/2007 by Wayne Pollock
# Last updated 3/2014

# This script:
#   finds failed login lines in the security log (ignoring the one "Failed none:"
#     entry, which means that user or their group was denied by PAM or SSHD),
#   removes the extra words "invalid user", so the lines are the same
#   removes the leading stuff from each line
#   cuts the login name and the IP address for each
#   sorts on the failed login name
#   counts each
#   sorts by number of attempts
#   shows the top 10

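# Log file to scan: the first command-line argument, else ~/secure.log.
# The expansion is quoted wherever it is used so that a path containing
# spaces stays a single word, and it is passed after "--" so that a path
# beginning with "-" is not parsed as a grep option.
log_file=${1:-$HOME/secure.log}

#######################################
# Counts failed logins per (login name, source IP) and prints the top ten.
# Expects syslog-style sshd lines shaped like the alt-solution regex below:
#   Mon DD HH:MM:SS host sshd[pid]: Failed password for [invalid user ]NAME from IP ...
# "cut -d: -f4-" drops everything through the process name (the timestamp
# supplies the first two colons), "invalid user " is stripped so both line
# shapes agree, and NAME and IP are then space-separated fields 5 and 7 of
# what remains (field 1 is the empty string before the leading space).
# NAME is the name the remote client tried (hence the "invalid user" lines);
# a name containing a space would shift the cut fields, so treat this
# column as untrusted input when acting on the report.
# Arguments: $1 - log file to read
#            $2 - extended regex (grep -E) selecting the lines to count
# Outputs:   up to ten "COUNT NAME IP" lines on stdout, most attempts first
# Returns:   exit status of the final "head"; grep errors go to stderr
#######################################
top_failed_logins() {
  local log=$1
  local pattern=$2
  grep -E -- "$pattern" "$log" \
    | sed 's/invalid user *//' \
    | cut -d: -f4- | cut -d' ' -f5,7 | sort | uniq -c | sort -nr | head
}

#######################################
# Same report as top_failed_logins, for "Failed password" lines only, but
# extracts NAME and IP with one sed substitution instead of two cuts.
# The regex is kept on a single line: the original split it with a
# backslash-newline inside double quotes, where the leading space of the
# continuation line was part of the pattern and easy to lose on re-indent.
# A NAME with characters outside [[:alnum:]] (e.g. "-", "_", ".") does not
# match the substitution; such a line passes through unchanged and is
# counted as a whole line rather than as a NAME IP pair, so the simpler
# cut-based version above is preferred.
# Arguments: $1 - log file to read
# Outputs:   up to ten "COUNT NAME IP" lines on stdout, most attempts first
# Returns:   exit status of the final "head"; grep errors go to stderr
#######################################
top_failed_logins_sed() {
  local log=$1
  grep -- 'Failed password' "$log" | cut -d: -f4- \
    | sed 's/ Failed password for \(invalid user \)\?\([[:alnum:]]*\) from \([0-9.]*\).*/\2 \3/' \
    | sort | uniq -c | sort -nr | head
}

# Primary solution: "Failed password" lines only.
top_failed_logins "$log_file" 'Failed password'

printf '%s\n' '============ Alt solution ==========='

# Alt solution: same selection, regex-based extraction.
top_failed_logins_sed "$log_file"

printf '%s\n' '============ Alt solution: include "Failed none" lines  ==========='

# Alt solution: also count "Failed none" lines (the user or group was
# denied outright by PAM or sshd); their field layout is the same.
top_failed_logins "$log_file" 'Failed (password|none)'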