OS X Snitch Script

I have SSH enabled on one of my OS X servers and have always been mindful of the logs. Monitoring attempts to brute force crack way into my machine. I have been careful and hopefuly have a fairly strong setup that should not be trivial to crack.

To help me watch the logs I created this very simple script that I run to notify me of any break-in attempts:

I call the script “Snitch”

cat /private/var/log/system.log | grep 'Illegal' | awk '{print $12}' | sort | uniq -c
cat /private/var/log/system.log | grep 'Failed password' | awk '{print $13}' | sort | uniq -c | sort -nr

The script looks through the system log and finds and illegal or failed login attempts and counts the number of times that IP have attempted to gain enrty (since the log last rolled over). The output of the above script looks like this:
10 202.104.xxx.xxx
12 200.129.xxx.xxx
6  200.124.xxx.xxx

*note: I have not displayed the last two octets of the IP for privacy reasons.

Anywhoo, this page is more for me in case I ever need to refrence back to the code. However, if you stumbled onto it and found it helpful, great. 🙂

Leave a Reply