Bash sort not sorting correctly by time

Problem description

I am trying to sort a log to show the top 3 unique IP addresses attacking a server. I sort the log to find the failed password attempts. I then sort that output by date. I then pipe that output into another sort based on column 11 to get only the first attack for each unique IP address. I pass the output to head to get the first three lines and then use awk to print them out. The command I am using is:

grep 'Failed password' auth.log | sort -k1M -nk2 -nk3 | sort -k11,11 -u | head -3 | awk '{print $1" "$2" "$3" "$11}'

This extracts the correct IP addresses, but they are not in the correct order by time, as shown below:

(screenshot of the output, not included)

I tried temporarily using -nk3.1,3.2 -nk3.4,3.5 -nk3.7,3.8 instead of -nk3, but it returned the same results. Any ideas on how to fix this?

Here is a snippet of the log file for reference:

Oct 11 10:12:24 myraptor sshd[29463]: Connection from 169.139.243.218 port 57273
Oct 11 10:12:25 myraptor sshd[29465]: Failed password for harvey from 169.139.243.218 port 57273 ssh2
Oct 11 10:12:25 myraptor sshd[29467]: Received disconnect from 169.139.243.218: Bye Bye
Oct 11 10:12:27 myraptor sshd[29469]: Connection from 169.139.243.218 port 57274
Oct 11 10:12:28 myraptor sshd[29471]: Failed password for harvey from 169.139.243.218 port 57274 ssh2
Oct 11 10:12:28 myraptor sshd[29473]: Failed password for harvey from 169.139.243.218 port 57274 ssh2
Oct 11 10:12:28 myraptor sshd[29475]: Received disconnect from 169.139.243.218: 11: Bye Bye
Oct 11 10:13:03 myraptor sshd[29477]: Connection from 56.13.188.38 port 55319
Oct 11 10:13:04 myraptor sshd[29479]: Failed password for harvey from 56.13.188.38 port 55319 ssh2
Oct 11 10:13:04 myraptor sshd[29481]: Received disconnect from 56.13.188.38: Bye Bye
Oct 11 10:13:15 myraptor sshd[29483]: Connection from 30.167.206.91 port 55320
Oct 11 10:13:16 myraptor sshd[29485]: Failed password for harvey from 30.167.206.91 port 55320 ssh2
Oct 11 10:13:16 myraptor sshd[29487]: Received disconnect from 30.167.206.91: Bye Bye
Oct 11 10:13:18 myraptor sshd[29489]: Connection from 30.167.206.91 port 55321
Oct 11 10:13:18 myraptor sshd[29491]: Failed password for harvey from 30.167.206.91 port 55321 ssh2
Oct 11 10:13:18 myraptor sshd[29493]: Received disconnect from 30.167.206.91: Bye Bye

Expected output

Oct 11 10:12:25 169.139.243.218
Oct 11 10:13:04 56.13.188.38
Oct 11 10:13:16 30.167.206.91

Solution

Try the following:

grep 'Failed password' auth.log | sort -k1M -nk2 -nk3 | awk '!seen[$11]++ {print $1,$2,$3,$11}' | head -n3

Output:

Oct 11 10:12:25 169.139.243.218
Oct 11 10:13:04 56.13.188.38
Oct 11 10:13:16 30.167.206.91

The awk condition !seen[$11]++ keeps only the first occurrence of each value in field 11 without changing the time order.


awk:

$ awk '                    # all awk
$6=="Failed" {             # when Failed met
    if(!($11 in ips)) {    # and the ip has not been seen before
        ipc[++i]=$11       # increase stored ip counter
        ips[$11]           # and store ip for checking
        if(i==3)           # once we have 3 ips 
            exit           # we exit ie. execute END
    }
}
END {
    for(j=1;j<=i;j++)      # iterate index for ipc
        print ipc[j]       # and output
}' file

Output:

169.139.243.218
56.13.188.38
30.167.206.91

grep is not needed since you are using awk anyway. Also, if you are using GNU awk, in most cases you can skip the sort as well.
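As an added example (not code from the question or from any of the answers above), the following POSIX shell script embeds the question's log fragment as constructed sample input and puts the approaches side by side: the question's own pipeline, to show that the second sort returns the right IPs but in IP-string order rather than time order; the first answer's sort-then-awk '!seen[$11]++' fix; and the second answer's grep-free, sort-free awk, generalised to take the number of IPs as a parameter. The function names and the LC_ALL=C setting are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the question or the answers: reproduces the
# question's log fragment, shows why "sort -k11,11 -u" returns the right IPs
# in the wrong order, and demonstrates the two awk-based fixes.

# Constructed sample input: the fragment posted in the question.
SAMPLE_LOG='Oct 11 10:12:24 myraptor sshd[29463]: Connection from 169.139.243.218 port 57273
Oct 11 10:12:25 myraptor sshd[29465]: Failed password for harvey from 169.139.243.218 port 57273 ssh2
Oct 11 10:12:25 myraptor sshd[29467]: Received disconnect from 169.139.243.218: Bye Bye
Oct 11 10:12:27 myraptor sshd[29469]: Connection from 169.139.243.218 port 57274
Oct 11 10:12:28 myraptor sshd[29471]: Failed password for harvey from 169.139.243.218 port 57274 ssh2
Oct 11 10:12:28 myraptor sshd[29473]: Failed password for harvey from 169.139.243.218 port 57274 ssh2
Oct 11 10:12:28 myraptor sshd[29475]: Received disconnect from 169.139.243.218: 11: Bye Bye
Oct 11 10:13:03 myraptor sshd[29477]: Connection from 56.13.188.38 port 55319
Oct 11 10:13:04 myraptor sshd[29479]: Failed password for harvey from 56.13.188.38 port 55319 ssh2
Oct 11 10:13:04 myraptor sshd[29481]: Received disconnect from 56.13.188.38: Bye Bye
Oct 11 10:13:15 myraptor sshd[29483]: Connection from 30.167.206.91 port 55320
Oct 11 10:13:16 myraptor sshd[29485]: Failed password for harvey from 30.167.206.91 port 55320 ssh2
Oct 11 10:13:16 myraptor sshd[29487]: Received disconnect from 30.167.206.91: Bye Bye
Oct 11 10:13:18 myraptor sshd[29489]: Connection from 30.167.206.91 port 55321
Oct 11 10:13:18 myraptor sshd[29491]: Failed password for harvey from 30.167.206.91 port 55321 ssh2
Oct 11 10:13:18 myraptor sshd[29493]: Received disconnect from 30.167.206.91: Bye Bye'

# Only the failed-login lines are of interest.
failed_lines() {
    printf '%s\n' "$SAMPLE_LOG" | grep 'Failed password'
}

# Chronological sort: month name, day, then HH:MM:SS. The time is compared
# as a plain string (-k3,3) because zero-padded HH:MM:SS sorts correctly
# that way, whereas -n would stop at the first ":" and compare hours only.
# LC_ALL=C makes -M match the English month abbreviations regardless of the
# caller's locale.
sort_chrono() {
    LC_ALL=C sort -k1,1M -k2,2n -k3,3
}

# The question's pipeline. The second sort orders its output by the IP
# string, so the three lines come back as 169..., 30..., 56... instead of
# in time order, even though each IP's earliest line is the one kept.
question_pipeline() {
    failed_lines | sort_chrono | LC_ALL=C sort -k11,11 -u |
        head -n 3 | awk '{print $1, $2, $3, $11}'
}

# First answer: let awk drop repeated IPs. "!seen[$11]++" is true only the
# first time a value of field 11 appears, so input order is preserved and
# the earliest line per IP wins. Optional argument: how many IPs to show.
first_hit_per_ip() {
    failed_lines | sort_chrono | awk '!seen[$11]++ {print $1, $2, $3, $11}' |
        head -n "${1:-3}"
}

# Second answer, generalised: no grep and no sort, relying on sshd writing
# auth.log in time order. awk selects the "Failed" lines itself and exits as
# soon as n distinct IPs have been printed, so a large file is not read to
# the end.
first_hit_per_ip_awk_only() {
    printf '%s\n' "$SAMPLE_LOG" |
        awk -v n="${1:-3}" '$6 == "Failed" && !seen[$11]++ {
            print $1, $2, $3, $11
            if (++found == n) exit
        }'
}

# Demonstration when the script is run directly.
echo '--- question pipeline (comes out in IP order):'
question_pipeline
echo '--- awk dedupe after chronological sort:'
first_hit_per_ip
echo '--- awk only, no grep or sort:'
first_hit_per_ip_awk_only
```

The two fixed variants print the expected output from the question; the first keeps the explicit sort and so also works on a file whose lines have been concatenated out of order, the second is cheaper on large logs that are already chronological.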


You can count the IP addresses line by line using awk:

grep 'Failed password' auth.log | sort -k1M -nk2 -nk3 | awk '!d[$11]++' | head -3 | awk '{print $1" "$2" "$3" "$11}'