Showing posts tagged #quick-tips

Return Home

List every host that attempted to connect

zgrep sshd /var/log/auth.log* | grep rhost | sed -re 's/.*rhost=([^ ]+).*/\1/' | sort -u
Command breakdown
  • zgrep sshd /var/log/auth.log*: Search for sshd in every auth.log file. Even the .gz ones.
  • grep rhost: Filter out the lines that do not contain the remote host information.
  • sed -re 's/.\*rhost=([^ ]+).\*/\1/': Search for the rhost=xxxxxx expression and capture it.
  • sort -u: Only show unique elements.

From here you can tweak it a little to suit your needs.

List successful logins

zgrep sshd /var/log/auth.log* | grep

Read More