I use a swatch-based approach to monitoring my /var/log/secure* log files for brute-force attacks on my ssh server. Today I was curious about which usernames were being used in the attempts to get into the system.

This command tells me what I want:

# cat /var/log/secure* | cut -d " " -f7-12 | grep Failed | cut -d " " -f6 | sort | uniq -c

The output looks like this:

      5 admin
      1 alias
      1 fluffy
      2 guest
      1 recruit
     15 root
      1 sales
      1 staff
      3 test
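
The cut-based pipeline above works on my logs, but it is tied to field positions, and those shift between "Failed password for root from ..." (an existing user) and "Failed password for invalid user admin from ..." (an unknown one), and again when a single-digit day puts two spaces after the month. The following is an added example, not the command from the post: it matches on the message text itself, so both forms are counted correctly, and it runs against constructed sample lines embedded in the script (the addresses are RFC 5737 test ranges, not real log data).

```shell
#!/bin/sh
# Added example, not the original post's command. Counts user names from
# "Failed password" lines in /var/log/secure format, handling both
#   "Failed password for root from ..."               (existing user)
#   "Failed password for invalid user admin from ..." (unknown user)
# regardless of how many fields precede the message. Reads lines on stdin.
failed_users() {
    sed -nE 's/.*Failed password for (invalid user )?([^ ]+) from .*/\2/p' \
        | sort | uniq -c | sort -rn
}

# Number of failed logins for one user name ($1); prints 0 when absent.
count_failed_for_user() {
    n=$(failed_users | awk -v u="$1" '$2 == u { print $1 }')
    echo "${n:-0}"
}

# Constructed sample in /var/log/secure format (not real log data).
# The "Accepted" line must not be counted.
SAMPLE_LOG='Jan  1 10:00:01 host sshd[100]: Failed password for root from 192.0.2.10 port 41234 ssh2
Jan  1 10:00:05 host sshd[101]: Failed password for invalid user admin from 192.0.2.10 port 41235 ssh2
Jan 10 10:01:00 host sshd[102]: Failed password for root from 198.51.100.7 port 5001 ssh2
Jan 10 10:02:00 host sshd[103]: Accepted publickey for alice from 203.0.113.5 port 2222 ssh2
Jan 10 10:03:00 host sshd[104]: Failed password for invalid user test from 198.51.100.7 port 5002 ssh2'

# Stand-alone run: the same per-user table the post produces.
# Against real logs:  cat /var/log/secure* | failed_users
printf '%s\n' "$SAMPLE_LOG" | failed_users
```

On the sample data this prints root twice, admin once and test once; alice never appears because only "Failed password" lines are selected.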

As you can see, ‘root’ dominates the list. Obviously, my ssh config file (/etc/ssh/sshd_config) does not allow root login. And for good reason!
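Worth checking rather than assuming: in sshd_config the directive that controls this is PermitRootLogin, and two rules from sshd_config(5) trip people up, keywords are case-insensitive, and when a keyword appears more than once the first value wins, so appending "PermitRootLogin no" under an existing "yes" changes nothing. The script below is an added example (not from this post, and the config fragments are constructed, not my file) that reports the global value from sshd_config text on stdin.

```shell
#!/bin/sh
# Added example, not from the original post. Prints the global
# PermitRootLogin value from sshd_config text read on stdin. Per
# sshd_config(5): keywords are case-insensitive and the FIRST occurrence
# of a keyword wins. Lines after the first Match block are conditional,
# so scanning stops there for the global value.
effective_permit_root_login() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
         END { if (!found) print "<unset: OpenSSH default applies>" }'
}

# Constructed sshd_config fragments (not a real host's file).
WEAK_CONFIG='PermitRootLogin yes
PasswordAuthentication yes'

HARDENED_CONFIG='PermitRootLogin no
PasswordAuthentication no'

# Looks hardened at a glance, but the first value still wins.
MISLEADING_CONFIG='PermitRootLogin yes
# hardening attempt appended later:
PermitRootLogin no'

printf 'WEAK_CONFIG        PermitRootLogin = %s\n' \
    "$(printf '%s\n' "$WEAK_CONFIG" | effective_permit_root_login)"
printf 'HARDENED_CONFIG    PermitRootLogin = %s\n' \
    "$(printf '%s\n' "$HARDENED_CONFIG" | effective_permit_root_login)"
printf 'MISLEADING_CONFIG  PermitRootLogin = %s\n' \
    "$(printf '%s\n' "$MISLEADING_CONFIG" | effective_permit_root_login)"
# On a live host, `sshd -T` dumps the effective configuration after all
# Match processing; grep it for permitrootlogin to confirm the setting.
```

The MISLEADING_CONFIG case is the one to remember: the file contains "PermitRootLogin no", yet sshd still permits root login because the earlier "yes" is the value it uses.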