Category Archives: one-liners

Bash one-liner: rDNS of failed ssh logins

Quickly get the rDNS of each IP that failed to log in to your ssh :D

grep Failed /var/log/auth.log|grep -v pronto|sed 's/.*from //;s/ port.*//'|sort -u|while read -r host
do
        host "$host"
done
Host 196.108.80.114.in-addr.arpa not found: 2(SERVFAIL)
Host 71.102.207.124.in-addr.arpa not found: 2(SERVFAIL)
Host 192.190.210.125.in-addr.arpa. not found: 3(NXDOMAIN)
Host 248.196.211.125.in-addr.arpa. not found: 3(NXDOMAIN)
218.15.28.176.in-addr.arpa domain name pointer lvps176-28-15-218.dedicated.hosteurope.de.
Host 242.15.120.187.in-addr.arpa. not found: 3(NXDOMAIN)
Host 253.109.15.198.in-addr.arpa. not found: 3(NXDOMAIN)
Host 179.115.27.198.in-addr.arpa not found: 2(SERVFAIL)
8.197.61.198.in-addr.arpa domain name pointer 198-61-197-8.static.cloud-ips.com.
Host 159.203.61.198.in-addr.arpa. not found: 3(NXDOMAIN)
Host 60.82.71.198.in-addr.arpa. not found: 3(NXDOMAIN)
178.230.241.201.in-addr.arpa domain name pointer pc-178-230-241-201.cm.vtr.net.
Host 66.2.62.42.in-addr.arpa not found: 2(SERVFAIL)
82.179.79.4.in-addr.arpa domain name pointer scanning-service-4.nessus.org.
Host 61.226.49.64.in-addr.arpa. not found: 3(NXDOMAIN)
38.96.111.78.in-addr.arpa domain name pointer fire3.methosting.com.
7.138.17.85.in-addr.arpa domain name pointer hosted-by.leaseweb.com.
Host 72.129.211.95.in-addr.arpa. not found: 3(NXDOMAIN)

:D  Also you can replace the  host "$host"  part with  whois "$host" > "$host"  and quickly whois each IP as well; I recommend doing this in its own directory though. Then just do  less *  and  :n  to go to the next file.

Breakdown of the one-liner for people new to linux/bash/celery
This part is pretty self-explanatory: just grepping auth.log for Failed, then grep -v is an inverse grep, getting rid of the lines with my user name.

grep Failed /var/log/auth.log|grep -v pronto

This part uses sed to remove everything up to and including the word 'from', then everything from ' port' onward.
The sed command is actually doing two sed actions separated by a semicolon (no need to pipe sed to sed).

sed 's/.*from //;s/ port.*//'
The original line looks like:
Nov  9 08:22:56 tasty sshd[25254]: Failed password for root from 199.83.51.16 port 54268 ssh2

The end result is just "199.83.51.16"

For more useful sed one-liners check out this page.
This next part just sorts the massive list, and the -u flag only shows the unique ones.

sort -u
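As an added example (not the post's own code), here is the same pipeline wrapped in shell functions and run over a constructed auth.log excerpt, plus a per-IP failure count that is handy before deciding which sources to look up or block. The log lines, IPs (from documentation ranges) and the excluded user name are made up for the demo.

```shell
#!/bin/sh
# Constructed auth.log excerpt for the demo (not real log data).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Nov  9 08:22:56 tasty sshd[25254]: Failed password for root from 203.0.113.16 port 54268 ssh2
Nov  9 08:22:58 tasty sshd[25254]: Failed password for root from 203.0.113.16 port 54270 ssh2
Nov  9 08:23:01 tasty sshd[25260]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Nov  9 08:23:05 tasty sshd[25262]: Accepted publickey for pronto from 192.0.2.10 port 50000 ssh2
Nov  9 08:23:09 tasty sshd[25266]: Failed password for pronto from 192.0.2.10 port 50012 ssh2
Nov  9 08:23:12 tasty sshd[25270]: Failed password for root from 198.51.100.7 port 40130 ssh2
Nov  9 08:23:15 tasty sshd[25274]: Failed password for root from 203.0.113.16 port 54280 ssh2
EOF

# Unique source IPs of failed logins, minus lines mentioning our own user.
# Same grep|grep -v|sed|sort -u chain as the one-liner, as a function:
# $1 = log file, $2 = user name to exclude.
failed_login_ips() {
    grep Failed "$1" | grep -v "$2" | sed 's/.*from //;s/ port.*//' | sort -u
}

# Failure count per source IP, busiest first ("IP count" per line).
# Note the "invalid user" lines are handled too: sed keys on "from " and
# " port", not on the user name field.
failed_login_counts() {
    grep Failed "$1" | sed 's/.*from //;s/ port.*//' \
        | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# rDNS of every offending IP, as in the post, guarded so the script does
# not fall over on a box without host(1) or without network access.
rdns_failed_ips() {
    command -v host >/dev/null 2>&1 || { echo "host(1) not installed" >&2; return 1; }
    failed_login_ips "$1" "$2" | while read -r ip; do host "$ip"; done
}

# Usage: counts always work offline; the lookup needs DNS.
failed_login_counts "$SAMPLE_LOG"
rdns_failed_ips "$SAMPLE_LOG" pronto || true
```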