May 2017
552 pages
The intruder_detect.sh script reads /var/log/auth.log by default; a different log file can be passed as a command-line argument. The failed-login lines are first collected in a temporary file, so the later stages process only those lines rather than re-scanning the whole log.
When a login attempt fails, sshd logs a line similar to this:
sshd[21197]: Failed password for bob1 from 10.83.248.32 port 50035
The script greps for the string Failed passw and writes the matching lines to /tmp/failed.$$.log ($$ expands to the script's process ID, which keeps the file name unique per run).
The next step is to extract the users who failed to log in. The awk command prints the fifth field from the end of each line (counting back from the end of the sample line above, the fields are 50035, port, 10.83.248.32, from, bob1, so that field is the user name) and pipes the result to sort and uniq to produce a list of unique users. The same offset holds for the "Failed password for invalid user NAME from ..." form, because the extra words sit before the user name; it does assume the line ends with the port number as shown, so if your sshd appends a trailing protocol token (for example ssh2) the offset shifts by one.
Next, the unique IP addresses are extracted by matching a dotted-quad regular expression with egrep (equivalent to grep -E).
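The stages described above, as an added example that is not the book's intruder_detect.sh: the log lines are constructed for the demonstration (in the format shown on the page, without a trailing protocol token), the function names are my own, and failed_users_anchored is an extra variant that locates the user name relative to the literal "from" rather than by a fixed offset from the end of the line.

```sh
#!/bin/sh
# Added example (not the book's intruder_detect.sh): the first stages of the
# procedure described above, run over constructed sshd log lines.

# Constructed sample lines in the format shown on the page (no trailing
# protocol token). One "invalid user" variant and one successful login are
# included to show that the grep filter and the $(NF-4) offset hold up.
SAMPLE_LOG='Mar  3 10:01:02 host sshd[21197]: Failed password for bob1 from 10.83.248.32 port 50035
Mar  3 10:01:05 host sshd[21197]: Failed password for bob1 from 10.83.248.32 port 50036
Mar  3 10:01:09 host sshd[21201]: Failed password for invalid user admin from 192.0.2.7 port 41022
Mar  3 10:02:11 host sshd[21210]: Accepted password for alice from 198.51.100.9 port 51000
Mar  3 10:02:30 host sshd[21215]: Failed password for root from 192.0.2.7 port 41030'

# Stage 1: keep only failed-login lines in a temp file named after the shell's
# PID ($$), so later stages read a small file instead of the whole log.
# $1: path to the log file. Prints the temp file path.
collect_failed() {
    grep 'Failed passw' "$1" > "/tmp/failed.$$.log"
    echo "/tmp/failed.$$.log"
}

# Stage 2: user names. Counting back from the end, the fields are
# 50035, port, 10.83.248.32, from, bob1, so $(NF-4) is the user name. The
# "invalid user" form adds words before the name, so the offset still holds.
# $1: the failed-login file.
failed_users() {
    awk '{ print $(NF-4) }' "$1" | sort | uniq
}

# Same result anchored on the literal "from" instead of a fixed offset; this
# survives a trailing token such as "ssh2" that sshd may append to the line.
failed_users_anchored() {
    awk '{ for (i = 2; i <= NF; i++) if ($i == "from") print $(i - 1) }' "$1" | sort | uniq
}

# Stage 3: source addresses. The dotted-quad regex is anchored on "from " so
# only the source address is taken, not any other dotted number on the line.
failed_ips() {
    grep -Eo 'from [0-9]+(\.[0-9]+){3}' "$1" | awk '{ print $2 }' | sort | uniq
}

# Per-source failure counts, most active first: the view an analyst wants
# before deciding which addresses to block.
failures_per_ip() {
    grep -Eo 'from [0-9]+(\.[0-9]+){3}' "$1" | awk '{ print $2 }' | sort | uniq -c | sort -rn
}

main() {
    log=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$log"
    failed=$(collect_failed "$log")
    echo "Users with failed logins:"; failed_users "$failed"
    echo "Source addresses:";        failed_ips "$failed"
    echo "Failures per address:";    failures_per_ip "$failed"
    rm -f "$log" "$failed"
}

main
```

On the constructed input the Accepted line is dropped by the grep, both user extractors return admin, bob1 and root, and the two source addresses are each counted twice. Prefer the anchored variant on a real system, where the exact tail of the sshd line depends on the build and logging configuration.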
Nested ...