本帖最后由 old_farmers 于 2018-07-03 15:55 编辑
回复 8# wh7211
完全达到想要的结果,大神,膜拜一下。
[root@RHEL sh]# tail -20 /var/log/secure
Jul 3 15:49:09 localhost sshd[4017]: PAM [error: <*unknown module path*>: cannot open shared object file: No such file or directory]
Jul 3 15:49:09 localhost sshd[4017]: PAM adding faulty module: <*unknown module path*>
Jul 3 15:49:10 localhost sshd[4021]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.80.43 user=root
Jul 3 15:49:11 localhost sshd[4013]: PAM (sshd) illegal module type: UserPAM
Jul 3 15:49:11 localhost sshd[4013]: PAM pam_parse: expecting return value; [...yes]
Jul 3 15:49:11 localhost sshd[4013]: PAM (sshd) no module name supplied
Jul 3 15:49:11 localhost sshd[4013]: PAM unable to dlopen(<*unknown module path*>)
Jul 3 15:49:11 localhost sshd[4013]: PAM [error: <*unknown module path*>: cannot open shared object file: No such file or directory]
Jul 3 15:49:11 localhost sshd[4013]: PAM adding faulty module: <*unknown module path*>
Jul 3 15:49:13 localhost sshd[4022]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.80.61 user=test
Jul 3 15:49:14 localhost sshd[4023]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.80.43 user=root
Jul 3 15:49:17 localhost sshd[4025]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.80.43 user=root
Jul 3 15:49:18 localhost sshd[4024]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.80.61 user=test
Jul 3 15:49:20 localhost sshd[4026]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.80.43 user=root
Jul 3 15:49:21 localhost sshd[4027]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.80.61 user=test
Jul 3 15:49:24 localhost sshd[4028]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.80.43 user=root
Jul 3 15:49:25 localhost sshd[4029]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.80.61 user=test
Jul 3 15:49:29 localhost sshd[4030]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.80.43 user=root
Jul 3 15:49:30 localhost sshd[4031]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.80.61 user=test
Jul 3 15:49:35 localhost sshd[4032]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.80.61 user=test
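[root@RHEL sh]# awk -v cudate="$(date -d "$(awk 'END{print $1,$2,$3}' /var/log/secure)" +%s)" -v yr="$(date +%Y)" '
# Report every user/rhost pair with 3 or more pam_unix authentication
# failures in the 180 seconds before the newest entry in /var/log/secure.
# cudate is the epoch time of the last log line, so the window is relative
# to the log itself and not to the wall clock. mktime() requires gawk.
BEGIN {
  # Month abbreviation -> month number, because mktime() takes numeric fields.
  n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
  for (k = 1; k <= n; k++) mon[names[k]] = k
}
/authentication failure;/ {
  # Syslog timestamps carry no year. yr is the current year, the same
  # assumption date -d makes for cudate; a hard-coded year stops matching
  # once the calendar year changes.
  hms = $3
  gsub(":", " ", hms)
  ts = mktime(yr " " mon[$1] " " $2 " " hms)
  # An unparsable timestamp makes mktime() return -1 and is skipped here too.
  if (ts < cudate - 180) next

  # Pick user= and rhost= by name, not by position: pam_unix can log a
  # failure without a trailing user= field (for example when the account
  # does not exist), which would shift $NF and $(NF-1).
  u = "user="
  r = "rhost="
  for (k = 1; k <= NF; k++) {
    if ($k ~ /^user=/) u = $k
    else if ($k ~ /^rhost=/) r = $k
  }
  b[u " " r]++
}
END {
  # The counter has to be read as b[i]; the subscript was lost in the
  # posted one-liner, leaving a bare array name in the comparison.
  for (i in b) if (b[i] >= 3) print i, b[i]
}' /var/log/secure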
user=test rhost=172.24.80.61 6
user=root rhost=172.24.80.43 6
[root@RHEL sh]#