Cisco hacking attempts

I have an ADSL Cisco router for connecting to the Internet.

The total number of hacking attempts since February 2015 is:

# grep "Login failed" /var/log/cisco.log | wc
14625 409500 3458312

A sample log entry looks like the following:

# grep "Login failed" /var/log/cisco.log | head -1
Feb 26 16:10:38 HOSTNAME 48: Feb 26 14:10:37.514: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: bin] [Source: SOURCE_IP] [localport: 22] [Reason: Login Authentication Failed] at 16:10:37 utc Thu Feb 26 2015

I extracted the [user: …] entries using AWK as follows:

# grep "Login failed" /var/log/cisco.log | awk '{print $13}' | awk -F\] '{print $1}'

The full command for counting how many times each username appeared, followed by the same command piped to wc to count the distinct usernames, is the following:

# grep "Login failed" /var/log/cisco.log | awk '{print $13}' | awk -F\] '{print $1}' | sort | uniq -c | sort -rn | awk '{print $2 " " $1}'
# grep "Login failed" /var/log/cisco.log | awk '{print $13}' | awk -F\] '{print $1}' | sort | uniq -c | sort -rn | awk '{print $2 " " $1}' | wc

The top 10 usernames were the following:

root 10735
test 185
guest 151
git 109
ubnt 98
nagios 95
oracle 89
admin 68
zabbix 63
ubuntu 39
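
An added example, not part of the original post: the same per-username count done by matching the `[user: ...]` label instead of column 13, so a username containing a space is not truncated and an empty one is still counted; the same function also counts the `[Source: ...]` field. The log lines, the host name `gw` and the addresses are constructed sample data, and `count_login_field` and `sample_log` are hypothetical names.

```shell
#!/bin/sh
# Added example: count one bracketed field of %SEC_LOGIN-4-LOGIN_FAILED lines,
# locating it by its label ("user", "Source", "localport") instead of by column.
# Usage: count_login_field LABEL [FILE...]   (reads stdin when no FILE is given)
count_login_field() {
    label=$1; shift
    tab=$(printf '\t')
    awk -v label="$label" '
        /%SEC_LOGIN-4-LOGIN_FAILED/ {
            tag = "[" label ": "
            start = index($0, tag)
            if (start == 0) next              # field not present on this line
            rest = substr($0, start + length(tag))
            stop = index(rest, "]")
            if (stop == 0) next               # unterminated field, skip it
            value = substr(rest, 1, stop - 1)
            if (value == "") value = "(empty)"
            count[value]++
        }
        END { for (v in count) print count[v] "\t" v }
    ' "$@" |
        LC_ALL=C sort -t "$tab" -k1,1nr -k2,2 |   # highest count first, then by name
        awk -F '\t' '{ print $2 " " $1 }'         # "value count", as in the post
}

# Constructed sample lines (documentation IP ranges, hypothetical host "gw").
sample_log() {
    cat <<'EOF'
Feb 26 16:10:38 gw 48: Feb 26 14:10:37.514: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 16:10:37 utc Thu Feb 26 2015
Feb 26 16:10:41 gw 49: Feb 26 14:10:40.102: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 16:10:40 utc Thu Feb 26 2015
Feb 26 16:11:02 gw 50: Feb 26 14:11:01.330: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 16:11:01 utc Thu Feb 26 2015
Feb 26 16:11:09 gw 51: Feb 26 14:11:08.870: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: test] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 16:11:08 utc Thu Feb 26 2015
Feb 26 16:12:15 gw 52: Feb 26 14:12:14.004: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: john doe] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 16:12:14 utc Thu Feb 26 2015
Feb 26 16:12:40 gw 53: Feb 26 14:12:39.611: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed] at 16:12:39 utc Thu Feb 26 2015
Feb 26 16:13:05 gw 54: Feb 26 14:13:04.250: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.0.2.10] [localport: 22] at 16:13:04 utc Thu Feb 26 2015
EOF
}

sample_log | count_login_field user      # failed logins per username
sample_log | count_login_field Source    # failed logins per source address
```

Against the real log the call would be `count_login_field user /var/log/cisco.log`. The username is text supplied by the connecting client, so treat the extracted values as untrusted input in anything that consumes this output.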

After extracting the information, I used R to visualize the top 40 results, which can be seen in the next figure :-)