Linux: Debian 11
grep is a very useful tool for quickly looking through logs and text files. In this tutorial by example I will go through some useful commands and options that you can use to quickly get the IP address and username used to brute force your SSH server. The file we are using for the tutorial is /var/log/auth.log. I have made a copy of the file for this tutorial.
- To search for a pattern such as a username. This is not an exact match, so searching for user will also show lines containing ruser.
grep "pattern" filename
- To highlight the matched pattern in color
grep --color "pattern" filename
- To match an exact (whole-word) pattern. This will not return ruser.
grep -w "pattern" filename
- To print the number of lines matching the pattern
grep -c "pattern" filename
- To print exact matches with line numbers
grep -wn "pattern" filename
- To print exact matches, ignoring case
grep -wi "pattern" filename
- To print exact matches, ignoring case, with line numbers
grep -win "pattern" filename
- To print exact matches, ignoring case, with line numbers and 2 lines of context before each match
grep -win -B 2 "pattern" filename
- To print exact matches, ignoring case, with line numbers and 2 lines of context after each match
grep -win -A 2 "pattern" filename
- To print exact matches, ignoring case, with line numbers and 2 lines of context before and after each match
grep -win -C 2 "pattern" filename
Now that we have gone through some of the basics of grep, we can use cat (concatenate) and grep to find all the failed authentications in auth.log.
- To print all the failed authentications using cat and grep
cat filename | grep -win "user" | grep -win "failed"
- You can also see how many lines there are by using the -c option. You can see that there are 651 lines of failed authentication.
cat filename | grep -win "user" | grep -win "failed" -c
Some useful grep command options
| Option | Description |
| --- | --- |
| -c | Count the number of lines that match a pattern |
| -i | Ignore case when matching |
| -n | Display matching lines with their line numbers |
| -w | Match whole words only (exact match) |
| -x | Match whole lines only |
| -o | Print only the matched part of a matching line |
| -P | Treat patterns as Perl regular expressions |
| -l | Print only the names of files that contain a match |
| -v | Print all lines that do not match the pattern |
| -m NUM | Stop after NUM matching lines |
| -r | Search directories recursively |
| -B NUM | Print NUM lines of context before each match |
| -A NUM | Print NUM lines of context after each match |
| -C NUM | Print NUM lines of context before and after each match |
You can add the cut command to extract the information you need.
- To get only the IP address, use the -d option to define the delimiter (in this example a space) and -f to select the field: field 14 for the IP address and field 12 for the username.
cat filename | grep -win "user" | grep -win "failed" | cut -d " " -f 14
| Option | Description |
| --- | --- |
| -d | Specify a delimiter to use instead of the default TAB delimiter |
| -f | Select by specifying a field, a set of fields, or a range of fields. This is the most commonly used option. |
| -b | Select by specifying a byte, a set of bytes, or a range of bytes |
| -c | Select by specifying a character, a set of characters, or a range of characters |
| --complement | Complement the selection. When using this option |
| --output-delimiter | The default behavior of |
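As an added example (not part of the original tutorial), the script below builds a small constructed auth.log sample and wraps the tutorial's grep and cut pipeline in shell functions, next to an extraction anchored on the literal word from. It shows two things the one-liners alone do not: the grep "user" filter never sees failures against existing accounts, because sshd logs those as "Failed password for root from ..." with no user token, and the field number the tutorial uses (14) only holds while the day of month is single-digit, since syslog pads "Mar  3" with two spaces and cut then counts an empty second field. All log lines, IP addresses (documentation ranges) and function names are my own.

```shell
#!/bin/sh
# Added example: grep/cut pipelines over a constructed auth.log sample.
# The log lines below are made up for this example (documentation IP ranges),
# not taken from a real server.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:12 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 50211 ssh2
Mar  3 10:01:15 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 50211 ssh2
Mar  3 10:01:20 srv sshd[1203]: Failed password for root from 198.51.100.7 port 41022 ssh2
Mar  3 10:02:02 srv sshd[1205]: Accepted publickey for alice from 192.0.2.10 port 40100 ssh2
Mar  3 10:02:30 srv sshd[1207]: Failed password for invalid user test from 203.0.113.5 port 50300 ssh2
Mar 12 10:03:00 srv sshd[1209]: Failed password for invalid user oracle from 203.0.113.9 port 50400 ssh2
Mar 12 10:03:30 srv sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
EOF

# The tutorial's two-stage filter: whole-word "user", then whole-word "failed".
# The sudo line matches "USER" but is dropped by the second grep; the root
# failure is never counted because its message carries no "user" word.
count_failed_user_lines() {
    grep -wi "user" "$1" | grep -wic "failed"
}

# Every password failure, including those against existing accounts.
count_failed_passwords() {
    grep -wic "failed password" "$1"
}

# The tutorial's cut by position: field 14 is the IP only while the day is
# single-digit; on "Mar 12" lines the fields shift left by one and field 14
# becomes the word "port".
ips_by_field() {
    grep -wi "user" "$1" | grep -wi "failed" | cut -d " " -f 14
}

# Anchored alternative: take the token after the literal "from", so the
# result does not depend on where the IP falls in the line.
ips_anchored() {
    grep -wi "failed password" "$1" | grep -o "from [0-9.]*" | cut -d " " -f 2
}

# Attempts per source address, busiest first.
top_attackers() {
    ips_anchored "$1" | sort | uniq -c | sort -rn
}

# Usernames tried against non-existent accounts ("invalid user NAME from").
invalid_usernames() {
    grep -wi "failed password" "$1" | grep -o "user [^ ]* from" | cut -d " " -f 2
}

echo "failed lines (tutorial filter): $(count_failed_user_lines "$SAMPLE_LOG")"
echo "failed password lines (all):    $(count_failed_passwords "$SAMPLE_LOG")"
echo "IPs by field 14:"; ips_by_field "$SAMPLE_LOG"
echo "IPs anchored on 'from':"; top_attackers "$SAMPLE_LOG"
echo "invalid usernames:"; invalid_usernames "$SAMPLE_LOG" | sort | uniq -c
```

Run it with sh; on the sample the tutorial filter reports 4 lines while the broader "failed password" count is 5, and the field-14 list ends with the word port for the Mar 12 entry. When you point the functions at a real copy of auth.log, compare the two counts first: a gap between them is the valid-account failures the "user" filter hides.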
This is a quick tutorial on using grep and cut to get the list of failed authentications to your SSH server. There are other tools, such as sort, awk and sed, that you can use to filter and manipulate logs to find the information you need to identify threats in your system logs.