LinuxQuestions.org
Old 04-02-2008, 01:33 AM   #1
hattori.hanzo
Member
 
Registered: Aug 2006
Posts: 168

Rep: Reputation: 15
script to keep 'count' of failed login attempts


I need to keep a running tally/count of all failed attempts that are logged to my /var/log/secure file.

A simple bash script/commands like 'cat /var/log/secure | grep Failed | wc -l' will show me the count. This will work fine for 1 week, until my logs are rotated.

I am looking for a more elegant way, maybe run a script via cron and keep an incrementing counter. Every time the script runs, it checks the counter and increments accordingly even after the logs are rotated.

regards
 
Old 04-02-2008, 06:02 PM   #2
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,066
Blog Entries: 11

Rep: Reputation: 910
Easy?
Read the count from a count-file.
Grep secure.
Add found new failures to original ones.
Write the count-file back with the updated value.


Or, even more simple:
Code:
grep Failed /var/log/secure >> failures.tmp
mv failures failures.tmp2
cat failures.* | sort -u > failures
wc -l failures



Cheers,
Tink
 
Old 04-02-2008, 08:39 PM   #3
hattori.hanzo
Member
 
Registered: Aug 2006
Posts: 168

Original Poster
Rep: Reputation: 15
Thanks. I tried it but kept getting doubled up counts.

I have decided to compromise and just grep secure* on a daily basis. This way I also don't need to mess with logrotate.

Not elegant but it works until my scripting improves.

Code:
#!/bin/bash
#
# grep 'Failed' /var/log/secure* logs and count
grep Failed /var/log/secure* | wc -l > failed.txt
# mail results
cat failed.txt | mail -s "Failed count" peter.piper@mail.com
regards
 
Old 04-02-2008, 08:41 PM   #4
konsolebox
Senior Member
 
Registered: Oct 2005
Distribution: Gentoo, Slackware, LFS
Posts: 2,248
Blog Entries: 8

Rep: Reputation: 235
I'm not sure if this will work with locked files, but please just try it.

Code:
# (a) [secure] = [secure.latest]
ln /var/log/secure /var/log/secure.latest -f

# (b) [secure.new], [secure] = [secure.latest]
: > /var/log/secure.new
chown --reference=/var/log/secure /var/log/secure.new
chmod --reference=/var/log/secure /var/log/secure.new

# (c) [secure] = [secure.new], [secure.latest]
ln /var/log/secure.new /var/log/secure -f

# (d) [secure], [secure.latest]
unlink /var/log/secure.new

# (e) process [secure.latest]
[ -e /var/log/secure.count ] && count=$(</var/log/secure.count)
(( count += $(grep -c Failed /var/log/secure.latest) ))
echo "${count}" > /var/log/secure.count

# (f) delete [secure.latest]
rm /var/log/secure.latest
edit: btw it's only about the count right? tell me if you still want the logs

Last edited by konsolebox; 04-02-2008 at 08:46 PM.
 
Old 04-02-2008, 09:12 PM   #5
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,066
Blog Entries: 11

Rep: Reputation: 910
Quote:
Originally Posted by hattori.hanzo
Thanks. I tried it but kept getting doubled up counts.
Are you saying sort -u isn't working? Btw, I had a little faux-pas
in my code block. It should have been a > instead of a >>, but sort -u
should take care of that anyway.


Cheers,
Tink
 
Old 04-02-2008, 10:46 PM   #6
hattori.hanzo
Member
 
Registered: Aug 2006
Posts: 168

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by Tinkster
Are you saying sort -u isn't working?
It works fine but I don't understand why we need 'sort -u' if I only need the count which 'wc -l' takes care of.

Code:
#!/bin/bash
#
grep Failed /var/log/secure >> ./tmp/failures.tmp
mv ./tmp/failures ./tmp/failures.tmp2
cat ./tmp/failures.* | sort -u >> ./tmp/failures
cat ./tmp/failures | wc -l > ./tmp/failures.txt
#
#mail results
cat ./tmp/failures.txt | mail -s "Failed count 2" peter.piper@mail.com
regards
 
Old 04-02-2008, 11:10 PM   #7
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,066
Blog Entries: 11

Rep: Reputation: 910
Because you get duplicate lines otherwise if the log isn't rotated daily,
but you run the count every day.


Cheers,
Tink
 
Old 04-02-2008, 11:23 PM   #8
hattori.hanzo
Member
 
Registered: Aug 2006
Posts: 168

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by Tinkster
Because you get duplicate lines otherwise if the log isn't rotated daily,
but you run the count every day.
Thank you for the explanation.

Just did a double take: sort with the -u flag does a unique sort. Learn a new thing every day!
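
One way to keep the running tally asked for in the first post, as an added example that is not part of any post in this thread: remember the log's inode and how many bytes were already counted, so each cron run counts only new bytes, even across a rotation. It assumes GNU stat and that rotation renames the log to `<log>.1`; the function names, state-file format and paths are made up for this example.

```shell
#!/bin/bash
# Added example: running count of "Failed" lines that survives log rotation.
# State file format (made up here): "<inode> <bytes already counted> <total>"
# Assumes GNU stat and that rotation renames the log to "<log>.1".

# count_range FILE START END -> "Failed" lines between byte START and END
count_range() {
    tail -c "+$(( $2 + 1 ))" "$1" | head -c "$(( $3 - $2 ))" | grep -c Failed || true
}

# update_failed_count LOG STATE -> prints the updated running total
update_failed_count() {
    local log=$1 state=$2 inode=0 offset=0 total=0
    local cur_inode size old old_size new
    [ -r "$state" ] && read -r inode offset total < "$state"
    cur_inode=$(stat -c %i "$log")
    size=$(stat -c %s "$log")   # snapshot: count only up to this byte
    if [ "$cur_inode" != "$inode" ]; then
        # First run or rotated. If "<log>.1" is the file we were tracking,
        # count the part of it that was written after our last run.
        old="$log.1"
        if [ -e "$old" ] && [ "$(stat -c %i "$old")" = "$inode" ]; then
            old_size=$(stat -c %s "$old")
            new=$(count_range "$old" "$offset" "$old_size")
            total=$(( total + new ))
        fi
        offset=0
    elif [ "$size" -lt "$offset" ]; then
        offset=0   # truncated in place (e.g. copytruncate): start over
    fi
    new=$(count_range "$log" "$offset" "$size")
    total=$(( total + new ))
    printf '%s %s %s\n' "$cur_inode" "$size" "$total" > "$state"
    echo "$total"
}

# Example cron use (paths are assumptions):
#   update_failed_count /var/log/secure /var/lib/failed-login.state
```

Unlike merging saved lines with sort -u, two byte-identical log lines are counted here as two failures.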
 
  

