Linux: Debian 11

Grep is a very useful tool for quickly looking through logs and text files. In this tutorial by example I will go through some useful commands and options that you can use to quickly get the IP address and username that are being used to brute force your SSH server. The file we are using for the tutorial is /var/log/auth.log. I have made a copy of the file for this tutorial.

  • To search for a list of usernames. This does not require an exact match, so it will also show ruser.

grep "pattern" filename

  • To highlight the search pattern in color

grep --color "pattern" filename

  • To match an exact word. This will not return ruser.

grep -w "pattern" filename

  • To print the number of lines matching the pattern

grep -c "pattern" filename

  • To print the exact matching pattern with line numbers

grep -wn "pattern" filename

  • To print the exact matching pattern, ignoring case

grep -wi "pattern" filename

  • To print the exact matching pattern, ignoring case and showing line numbers

grep -win "pattern" filename

  • To print the exact matching pattern, ignoring case, showing line numbers and the 2 lines before each match

grep -win -B 2 "pattern" filename

  • To print the exact matching pattern, ignoring case, showing line numbers and the 2 lines after each match

grep -win -A 2 "pattern" filename

  • To print the exact matching pattern, ignoring case, showing line numbers and the 2 lines before and after each match

grep -win -C 2 "pattern" filename

Now that we have gone through some of the basics of grep, we can use cat (concatenate) and grep to find all the failed authentications in the auth.log.

  • To print all the failed authentications using cat and grep.

cat filename | grep -win "user" | grep -win "failed"

  • You can also count the matching lines with the -c option. In this example there are 651 lines of failed authentication.

cat filename | grep -win "user" | grep -win "failed" -c

Some useful grep command options

Option   Description
-c       Count the number of lines that match a pattern
-i       Ignore case when matching
-n       Display the matching lines with line numbers
-w       Match whole words only (exact match)
-x       Match whole lines only
-o       Print only the matched part of a matching line
-P       Patterns are Perl regular expressions
-l       Display only the names of files with matches
-v       Print all the lines that do not match the pattern
-m       Stop after the given maximum number of selected lines
-r       Search directories recursively
-B       Print NUM lines of context before each match
-A       Print NUM lines of context after each match
-C       Print NUM lines of context before and after each match

You can add in the cut command to extract the information that you need.

  • To get only the IP address you can use the -d option to define the delimiter (in this example a space) and -f to select the field: field 14 for the IP address and field 12 for the username.

cat filename | grep -win "user" | grep -win "failed" | cut -d " " -f 14
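The pipeline above depends on the IP always sitting in field 14, which is true for single-digit days (syslog pads them with a second space) and only for lines that contain the word "user". The script below is an added example, not part of the original post: it builds a small constructed auth.log, runs the tutorial's cut pipeline next to a sed-based extraction that does not depend on field position (so it also picks up failed logins for real accounts such as root), and counts attempts per source IP. It assumes the sshd message format shown in the sample.

```shell
#!/bin/sh
# Constructed sample auth.log lines (not a real capture). Note the double
# space after "Jan" on single-digit days: that is why the tutorial's field
# numbers (12 = username, 14 = IP) hold for those lines but not for "Jan 10".
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jan  5 03:14:07 debian sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jan  5 03:14:09 debian sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Jan  5 03:14:12 debian sshd[2105]: Failed password for root from 203.0.113.5 port 40140 ssh2
Jan  5 03:15:01 debian sshd[2110]: Failed password for invalid user test from 198.51.100.23 port 51002 ssh2
Jan  5 03:15:05 debian sshd[2112]: Accepted publickey for alice from 192.0.2.10 port 60000 ssh2
Jan 10 08:00:00 debian sshd[2200]: Failed password for invalid user guest from 198.51.100.23 port 51010 ssh2
EOF

# The tutorial's pipeline. Field 14 is the IP only when the day is padded
# with an extra space; on the "Jan 10" line it yields the word "port", and
# the "root" line is skipped entirely because it contains no word "user".
cut_ips() {
    grep -wi "user" "$1" | grep -wi "failed" | cut -d " " -f 14
}

# Position-independent version: anchor on the message text instead of the
# field number, and accept both "invalid user NAME" and plain "NAME".
# Prints one "username ip" pair per failed password attempt.
failed_user_ip() {
    grep -w "Failed password" "$1" \
      | sed -E 's/.*Failed password for (invalid user )?([^ ]+) from ([0-9.]+) port.*/\2 \3/'
}

# Attempts per source IP, busiest first: the brute-force view of the log.
top_sources() {
    failed_user_ip "$1" | cut -d " " -f 2 | sort | uniq -c | sort -rn
}

echo "== cut -f 14 (tutorial pipeline) =="; cut_ips "$SAMPLE_LOG"
echo "== username ip pairs =="; failed_user_ip "$SAMPLE_LOG"
echo "== attempts per source IP =="; top_sources "$SAMPLE_LOG"
```

Run it against your own copy by replacing SAMPLE_LOG with the path to the file; the sed form is the one to keep if your log mixes single- and double-digit days.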

Option              Description
-d                  Specify a delimiter to use instead of the default TAB delimiter.
-f                  Select by specifying a field, a set of fields, or a range of fields. This is the most commonly used option.
-b                  Select by specifying a byte, a set of bytes, or a range of bytes.
-c                  Select by specifying a character, a set of characters, or a range of characters.
--complement        Complement the selection. With this option cut displays all bytes, characters, or fields except the selected ones.
--output-delimiter  By default cut uses the input delimiter as the output delimiter. This option lets you specify a different output delimiter string.

This is a quick tutorial on using grep and cut to get the list of failed authentications to your SSH server. There are other tools such as sort, awk and sed that can filter and manipulate logs to find the information you need to identify threats in the logs on your system.