Hacking per IP + username

After the hacking attempts, I have decided to create a small script to count the number of attempts per IP address.

$ grep "Invalid user" /var/log/auth.log | awk '{print $10}' | sort -rn | uniq -c | sort -nr | head

The output looked something like the following:

1071 185.153.196.230
 376 194.61.24.177
 344 51.77.56.9
 188 185.217.1.246
 165 161.97.98.210
 152 211.22.161.170
 146 193.176.86.166
 126 118.27.19.93
 119 106.51.80.198
 118 31.173.237.222

The key here is grepping for the "Invalid user" phrase, which sshd writes for every login attempt against an account that does not exist on the box.

The following shows the usernames tried most often, which is just as useful:

$ grep "Invalid user" /var/log/auth.log | awk '{print $8}' | sort -r | uniq -c | sort -nr | head -30

The output was the following:

955 admin
410 test
381 user
345 ubuntu
288 postgres
205 oracle
163 git
152 ftpuser
132 deploy
122 support
122 nagios
122 guest
 98 ts3
 95 111111
 93 ftp
 90 testuser
 85 administrator
 70 minecraft
 68 ubnt
 67 user1
 66 tomcat
 64 pi
 63 debian
 59 123321
 58 1234
 57 www
 56 web
 55 hadoop
 55 demo
 52 uftp
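
The two pipelines above, as an added example that is not from the original post, rewritten as shell functions and run over a constructed auth.log excerpt. The extraction is anchored on the `from <ip> port` text rather than on awk's `$8` and `$10`, so the blank-username lines sshd also writes do not shift the columns.

```shell
# Constructed sample auth.log excerpt (not taken from the author's server).
# Line 4 shows the empty-username case that breaks a fixed awk column number.
SAMPLE_LOG='Jan 10 12:00:01 host sshd[1001]: Invalid user admin from 185.153.196.230 port 40001
Jan 10 12:00:02 host sshd[1002]: Invalid user test from 185.153.196.230 port 40002
Jan 10 12:00:03 host sshd[1003]: Invalid user admin from 194.61.24.177 port 40003
Jan 10 12:00:04 host sshd[1004]: Invalid user  from 51.77.56.9 port 40004
Jan 10 12:00:05 host sshd[1005]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2'

# Print "<ip> <username>" for every "Invalid user" line on stdin. The regex is
# anchored on "from <ip> port", so it does not depend on awk field positions;
# lines that are not invalid-user reports (e.g. Accepted publickey) are dropped.
invalid_user_pairs() {
  sed -n 's/^.*Invalid user \(.*\) from \([0-9][0-9.]*\) port.*$/\2 \1/p'
}

# Attempts per source IP, most active first (same shape as uniq -c | sort -nr).
count_by_ip() {
  invalid_user_pairs | awk '{ print $1 }' | sort | uniq -c | sort -nr
}

# Attempts per tried username; a blank username is reported as "(empty)".
count_by_user() {
  invalid_user_pairs | awk '{ u = ($2 == "") ? "(empty)" : $2; print u }' \
    | sort | uniq -c | sort -nr
}

# Name in the top row of a count table (used to check the results below).
top_entry() {
  head -n 1 | awk '{ print $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | count_by_ip
printf '%s\n' "$SAMPLE_LOG" | count_by_user
```

Attempts against accounts that do exist (root included) are logged by sshd as "Failed password" lines rather than "Invalid user", so they fall outside both counts.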

Linode support told me to have a look at Fail2ban for securing my server.