如何过滤secure日志的IP字段

jacson007

最近服务器secure日志里面可以看到大量的ssh扫描登陆，有什么好的方法过滤出里面的IP信息呢？如下：
要求结果为
61.152.95.172
222.73.173.143

Jul 13 08:13:09 localhost sshd[14678]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.152.95.172
Jul 13 08:13:09 localhost sshd[14679]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.173.143 user=root
Jul 13 08:13:11 localhost sshd[14691]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.152.95.172 user=admin
Jul 13 08:13:11 localhost sshd[14692]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.173.143
Jul 13 08:13:14 localhost sshd[14707]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.152.95.172
Jul 13 08:13:14 localhost sshd[14711]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.173.143 user=root
Jul 13 08:13:17 localhost sshd[14722]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.152.95.172
Jul 13 08:13:17 localhost sshd[14724]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.173.143
Jul 13 08:13:20 localhost sshd[14739]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.152.95.172 user=root
Jul 13 08:13:23 localhost sshd[14753]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.152.95.172 user=root
Jul 13 08:13:26 localhost sshd[14767]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.152.95.172
Jul 13 08:13:29 localhost sshd[14781]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.152.95.172
Jul 13 08:13:32 localhost sshd[14795]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.152.95.172
Jul 13 08:13:35 localhost sshd[14809]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.152.95.172
Jul 13 08:13:38 localhost sshd[14823]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.152.95.172
Jul 13 08:13:41 localhost sshd[14837]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.152.95.172 user=apache
Jul 13 08:13:44 localhost sshd[14851]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.152.95.172
Jul 13 08:13:47 localhost sshd[14865]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.152.95.172
Jul 13 08:13:49 localhost sshd[14876]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.152.95.172
Jul 13 08:13:53 localhost sshd[14895]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.152.95.172
J

[ 本帖最后由 jacson007 于 2009-7-14 21:20 编辑 ]

blackold

awk -F = '!a[$NF]++{print $NF}' urfile

[ 本帖最后由 blackold 于 2009-7-13 09:43 编辑 ]

gyp334a

sed -n 's/\(.*rhost\)=\(.*\)/\2/p' secure | sort -u

heizi21

楼上的方法没成功啊

jacson007

原帖由 gyp334a 于 2009-7-13 09:50 发表
sed -n 's/\(.*rhost\)=\(.*\)/\2/p' secure | sort -u

这个执行得到的结果
125.141.231.168  user=sshd
125.141.231.168  user=sync
125.141.231.168  user=uucp
187.141.100.236
187.141.100.236  user=root
222.73.173.143
222.73.173.143  user=games
222.73.173.143  user=root
61.152.95.172
61.152.95.172  user=adm
61.152.95.172  user=apache
61.152.95.172  user=bin
61.152.95.172  user=daemon
61.152.95.172  user=ftp
61.152.95.172  user=games
。。。。。。。

如果能把后面的用户字段去掉，然后再过滤掉重复就完美了。

jacson007

原帖由 blackold 于 2009-7-13 09:39 发表
awk -F = '!a[$NF]++{print $NF}' urfile

这个命令执行的结果和日志差不多啊

blackold

“user=games"数据又变化了？

从未被和谐

grep -P -o "(?<=rhost=)\d+.+"

heizi21

实际上应该是日志文件不止这些数据，所以匹配时容易出错。

blackold

猜一猜：

1. sed -n 's/.*rhost=\([0-9.]\+\).*/\1/p' urfile|sort -u

复制代码