Extracting Information From Logs - Part 2

September 28, 2017

In Part 1 of this series, we extracted the IP addresses of machines making unauthorized SSH connections from a /var/log/secure file. The result of that exercise was a file containing a list of IP addresses with each IP representing a failed login attempt. If you don’t want to generate that list you can down load it here.

The problem

The scenario that we will work on in these guides is a common question faced by system administrators. We will imagine that we have been asked to find out what countries unauthorized SSH login attempts are coming from and rank them according to the frequency of their attacks.

The goal of Part 2

In this part we will use the bash tools sort and uniq to sort, count and rank the IP addresses contained in IPs.txt. We will use these commands together utilizing the bash | to produce a new command that will take an unsorted input of IP addresses and rank them.

Step 1 – Sorting the IP addresses

The IP addresses contained in IPs.txt are recorded in the order that they were received by the SSH server and are consequently mixed up. The first command we will use is sort to fix this. sort will order lines of text alphabetically and lines of numbers numerically. When the contents of IP.txt is piped into sort all identical IP’s will end up grouped together. This is important for the next step. We will use the cat command to direct the contents of IPs.txt into sort:

cat IPs.txt | sort

Step 2 – Counting the IP’s

We will use the uniq command here to count the IP’s. The uniq command will remove any repeated lines leaving only a single instance of the line in their place. The sort command we used in Step 1 has grouped the IP’s together so when we run uniq only a single instance of each IP will remain.

However, we also want to rank the IP’s by the number of time they tried to log in, to do that we need to count the number of times they occurred in IPs.txt.

Fortunately, uniq takes the -c option which makes it print the number of times each line occurred at the beginning of the line containing the remaining single instance of the IP.

Adding uniq -c to the command we created in Step 1 looks like:

cat IPs.txt | sort | uniq -c

This produces the output:

    14 116.31.116.48
   270 193.201.224.218
   162 218.65.30.123
    18 218.65.30.53
     1 78.194.172.51
    70 91.197.232.11

The number printed before the IP is the number of times that the IP occurred in IPs.txt.

Step 3 – Ranking the IP’s

The final step is to sort the lines by the number of times IP occurred in the log file. This is done with the sort command again but this time using the -n option. The -n option will force sort to sort on the number at the beginning and therefore rank the IP by the number of login attempts they made.

Adding sort -n to our command gives us:

cat IPs.txt | sort | uniq -c | sort -n

Which produces the following output:

     1 78.194.172.51
    14 116.31.116.48
    18 218.65.30.53
    70 91.197.232.11
   162 218.65.30.123
   270 193.201.224.218

If you want the order reversed, i.e. from most to least add the -r option with sort.

Now, we will direct this output to a file for use in Part 3:

cat IPs.txt | sort | uniq -c | sort -n >sorted-IPs.txt

Conclusion

You can now take a file or indeed any input and rank the contents of that input by the number of times that any line appears. The chained commands

sort | uniq -c | sort -n

is an incredibly useful command line tool that you will use frequently as a systems administrator.

In Part 3, we will create a one line for loop to iterate over the ranked IP’s and run a whois lookup on each one to find out which country they originated from.