Commands using lastb (2)

  • The lastb command presents you with the history of failed login attempts (stored in /var/log/btmp). The reference file is read/write by root only by default. This can be quite an exhaustive list with lots of bots hammering away at your machine. Sometimes it is more important to see the scale of things, or in this case the volume of failed logins tied to each source IP. The awk statement determines if the 3rd element is an IP address, and if so increments the running count of failed login attempts associated with it. When done it prints the IP and count. The sort statement sorts numerically (-n) by column 3 (-k 3), so you can see the most aggressive sources of login attempts. Note that the ':' character is the 2nd column, and that the -n and -k can be combined to -nk. Please be aware that the btmp file will contain every instance of a failed login unless explicitly rolled over. It should be safe to delete/archive this file after you've processed it. Show Sample Output


    1
    sudo lastb | awk '{if ($3 ~ /([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}/)a[$3] = a[$3]+1} END {for (i in a){print i " : " a[i]}}' | sort -nk 3
    sgowie · 2012-09-11 14:51:10 5
  • display IP's that unsuccessfully attempted to login 5 or more times today may want to filter any trusted IP's and the localhost useful for obtaining a list IP addresses to block on the firewall Show Sample Output


    -1
    lastb -i | grep "$(date '+%a %b %d')" | awk '{ print $3 }' | sort | uniq -c | awk '{ if ($1 >= 5) print $2; }'
    forestb · 2015-11-20 07:19:20 10

What's this?

commandlinefu.com is the place to record those command-line gems that you return to again and again. That way others can gain from your CLI wisdom and you from theirs too. All commands can be commented on, discussed and voted up or down.

Share Your Commands


Check These Out

Exclude inserting a table from a sql import
Starting with a large MySQL dump file (*.sql) remove any lines that have inserts for the specified table. Sometimes one or two tables are very large and uneeded, eg. log tables. To exclude multiple tables you can get fancy with sed, or just run the command again on subsequently generated files.

E-mail a traditional Berkeley mbox to another recipient as individual e-mails.

Swap a file or dir with quick resotre
This lets you replace a file or directory and quickly revert if something goes wrong. For example, the current version of a website's files are in public_html. Put a new version of the site in public_html~ and execute the command. The names are swapped. If anything goes wrong, execute it again (up arrow or !!).

Which processes are listening on a specific port (e.g. port 80)
swap out "80" for your port of interest. Can use port number or named ports e.g. "http"

List all Windows services on the command line
On Windows 2000 or later, this command will give a listing of all the registered Windows services. You can then know what the name of a command is in order to start and stop it. e.g. $ sc start Apache2.2 or $ net start Apache2.2 Please note that sc will allow the SERVICE_NAME only, while net will allow both SERVICE_NAME and DISPLAY_NAME. Note that the space between the = and the next word are important. Not very unixy, that. http://www.ss64.com/nt/sc.html http://www.ss64.com/nt/net_service.html http://technet.microsoft.com/en-us/library/bb490995.aspx

Grep for regular expression globally, list files and positions.
Grep for expression globally, list files and positions. "Hirn" is a nice german crib meaning "Brain". :-) Afterwards you can edit the line you want with "vi ./p_common/common_main.pbt +1550"

Compare a remote dir with a local dir
You can compare directories on two different remote hosts as well: $ diff -y

Rename all .jpeg and .JPG files to have .jpg extension
the "i" controls case sensitiveness. It's slightly inefficient since it uselessly renames .jpg to .jpg, but that's more than compensated by launching only one process instead of two, besides being shorter to write.

Insert a line for each n lines

Print a row of characters across the terminal
Print a row of characters across the terminal. Uses tput to establish the current terminal width, and generates a line of characters just long enough to cross it. In the example '#' is used. It's possible to use a repeating sequence by dividing the columns by the number of characters in the sequence like this: $ seq -s'~-' 0 $(( $(tput cols) /2 )) | tr -d '[:digit:]' or $ seq -s'-~?' 0 $(( $(tput cols) /3 )) | tr -d '[:digit:]' You will lose chararacters at the end if the length isn't cleanly divisible.


Stay in the loop…

Follow the Tweets.

Every new command is wrapped in a tweet and posted to Twitter. Following the stream is a great way of staying abreast of the latest commands. For the more discerning, there are Twitter accounts for commands that get a minimum of 3 and 10 votes - that way only the great commands get tweeted.

» http://twitter.com/commandlinefu
» http://twitter.com/commandlinefu3
» http://twitter.com/commandlinefu10

Subscribe to the feeds.

Use your favourite RSS aggregator to stay in touch with the latest commands. There are feeds mirroring the 3 Twitter streams as well as for virtually every other subset (users, tags, functions,…):

Subscribe to the feed for: