[Linux] 找出非法試探性登錄失敗的IP

來源: http://netsecurity.51cto.com/art/201306/400871.htm

一.找出嘗試登入Linux失敗的IP
輸入指令:
cat /var/log/secure | awk '/Failed/{print $(NF-3)}' | sort | uniq -c | awk '{print $1"\t"$2}'
結果如下:
80 116.228.164.2
412 119.10.114.52
20 121.0.137.45
162 121.78.117.12
573 1.25.202.50
15 125.45.229.163
5546 175.113.148.3
230 175.236.217.37
78 210.13.73.29
144 221.176.53.74
366 222.122.129.115
439 222.186.59.21
47 60.174.198.14
118 91.232.208.38
第一個數字為：登錄失敗的次數

 

二.找出嘗試登入MySQL失敗的IP
1.先需要啟用mysql log紀錄，修改設定檔 /etc/my.cnf，在[mysqld]底下中加入:
log = /var/lib/mysql/mysql.log

2.重啟mysql服務:
service mysql restart

3.輸入指令:
cat /var/lib/mysql/mysql.log |grep 'denied' |awk '{print $(NF-3)}' |sed "s/^.*@//g" |sed "s/'//g" |sort |uniq -c |awk '{print $1"\t"$2}'
結果如下: