Solved

Linux / lastb: Return count of  bad logins JSON format

Posted on 2013-11-18
4
404 Views
Last Modified: 2013-11-21
I use lastb to view all invalid logins.

How can I get a total count of the number of bad logins during the past 60 minutes?

I want the results in this format:

{
"BadLoginsPastHour":147
}

Open in new window

0
Comment
Question by:hankknight
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 14

Expert Comment

by:jb1dev
ID: 39658138
The tricky part here is you have to parse the dates in the lastb output, then compare against current time minus one hour.

Try this:

#!/bin/bash

DATE=`date +%s`
ONE_HOUR=`expr 60 \* 60`
ONE_HOUR_AGO=`expr $DATE - $ONE_HOUR`

isInLastHour() {
    if [ "$1" -gt "$ONE_HOUR_AGO" ]; then
        return 0
    fi
    return 1
}

count=0
IFS=$'\n'
for date in `lastb -F | grep -v "btmp begins" | cut -d '-' -f 2  | sed 's/  (.*//' | sed 's/^ //'`; do 
    LOGINDATE=`date -d $date +%s` 
    if isInLastHour $LOGINDATE ; then
        count=`expr $count + 1`
    fi
done

echo { \"BadLoginsPastHour\": $count }

Open in new window


EDIT escape quotes so they appear in json output.
0
 
LVL 16

Author Comment

by:hankknight
ID: 39665823
I get an error:
invalid option -- F
0
 
LVL 14

Expert Comment

by:jb1dev
ID: 39667159
Does your version of lastb not support he -F option?

Can you paste the output of the following commands
"lastb"
"lastb -F"

For example

exch@exch:~$ lastb
UNKNOWN  pts/12       localhost        Wed Nov 20 12:57 - 12:57  (00:00)    
UNKNOWN  pts/9        localhost        Mon Nov 18 17:01 - 17:01  (00:00)    
exch     pts/9        localhost        Mon Nov 18 17:01 - 17:01  (00:00)    
exch     pts/9        localhost        Mon Nov 18 16:50 - 16:50  (00:00)    
...

Open in new window


exch@exch:~$ lastb -F
UNKNOWN  pts/12       localhost        Wed Nov 20 12:57:09 2013 - Wed Nov 20 12:57:09 2013  (00:00)    
UNKNOWN  pts/9        localhost        Mon Nov 18 17:01:45 2013 - Mon Nov 18 17:01:45 2013  (00:00)    
exch     pts/9        localhost        Mon Nov 18 17:01:41 2013 - Mon Nov 18 17:01:41 2013  (00:00)    
exch     pts/9        localhost        Mon Nov 18 16:50:45 2013 - Mon Nov 18 16:50:45 2013  (00:00)    

Open in new window



On my system, "lastb -F" includes the full date.
Without the -F option I am unclear on how lastb handles dates over a year in the past.

I will look into providing a solution that does not use the -F option.
0
 
LVL 14

Accepted Solution

by:
jb1dev earned 500 total points
ID: 39667175
This should work if your version of lastb does not support the -F option.

#!/bin/bash

DATE=`date +%s`
ONE_HOUR=`expr 60 \* 60`
ONE_HOUR_AGO=`expr $DATE - $ONE_HOUR`

isInLastHour() {
    if [ "$1" -gt "$ONE_HOUR_AGO" ]; then
        return 0
    fi
    return 1
}

count=0
IFS=$'\n'
for date in `lastb | grep -v "btmp begins" | cut -d '-' -f 1  | cut -c 40- | sed 's/  (.*//' | sed 's/^ //'`; do
    LOGINDATE=`date -d $date +%s` 
    if isInLastHour $LOGINDATE ; then
        count=`expr $count + 1`
    fi
done

echo { \"BadLoginsPastHour\": $count }

Open in new window

0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If you have a server on collocation with the super-fast CPU, that doesn't mean that you get it running at full power. Here is a preamble. When doing inventory of Linux servers, that I'm administering, I've found that some of them are running on l…
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…
Suggested Courses

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question