Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 412
  • Last Modified:

Linux / lastb: Return count of bad logins JSON format

I use lastb to view all invalid logins.

How can I get a total count of the number of bad logins during the past 60 minutes?

I want the results in this format:

{
"BadLoginsPastHour":147
}

Open in new window

0
hankknight
Asked:
hankknight
  • 3
1 Solution
 
jb1devCommented:
The tricky part here is you have to parse the dates in the lastb output, then compare against current time minus one hour.

Try this:

#!/bin/bash

DATE=`date +%s`
ONE_HOUR=`expr 60 \* 60`
ONE_HOUR_AGO=`expr $DATE - $ONE_HOUR`

isInLastHour() {
    if [ "$1" -gt "$ONE_HOUR_AGO" ]; then
        return 0
    fi
    return 1
}

count=0
IFS=$'\n'
for date in `lastb -F | grep -v "btmp begins" | cut -d '-' -f 2  | sed 's/  (.*//' | sed 's/^ //'`; do 
    LOGINDATE=`date -d $date +%s` 
    if isInLastHour $LOGINDATE ; then
        count=`expr $count + 1`
    fi
done

echo { \"BadLoginsPastHour\": $count }

Open in new window


EDIT escape quotes so they appear in json output.
0
 
hankknightAuthor Commented:
I get an error:
invalid option -- F
0
 
jb1devCommented:
Does your version of lastb not support he -F option?

Can you paste the output of the following commands
"lastb"
"lastb -F"

For example

exch@exch:~$ lastb
UNKNOWN  pts/12       localhost        Wed Nov 20 12:57 - 12:57  (00:00)    
UNKNOWN  pts/9        localhost        Mon Nov 18 17:01 - 17:01  (00:00)    
exch     pts/9        localhost        Mon Nov 18 17:01 - 17:01  (00:00)    
exch     pts/9        localhost        Mon Nov 18 16:50 - 16:50  (00:00)    
...

Open in new window


exch@exch:~$ lastb -F
UNKNOWN  pts/12       localhost        Wed Nov 20 12:57:09 2013 - Wed Nov 20 12:57:09 2013  (00:00)    
UNKNOWN  pts/9        localhost        Mon Nov 18 17:01:45 2013 - Mon Nov 18 17:01:45 2013  (00:00)    
exch     pts/9        localhost        Mon Nov 18 17:01:41 2013 - Mon Nov 18 17:01:41 2013  (00:00)    
exch     pts/9        localhost        Mon Nov 18 16:50:45 2013 - Mon Nov 18 16:50:45 2013  (00:00)    

Open in new window



On my system, "lastb -F" includes the full date.
Without the -F option I am unclear on how lastb handles dates over a year in the past.

I will look into providing a solution that does not use the -F option.
0
 
jb1devCommented:
This should work if your version of lastb does not support the -F option.

#!/bin/bash

DATE=`date +%s`
ONE_HOUR=`expr 60 \* 60`
ONE_HOUR_AGO=`expr $DATE - $ONE_HOUR`

isInLastHour() {
    if [ "$1" -gt "$ONE_HOUR_AGO" ]; then
        return 0
    fi
    return 1
}

count=0
IFS=$'\n'
for date in `lastb | grep -v "btmp begins" | cut -d '-' -f 1  | cut -c 40- | sed 's/  (.*//' | sed 's/^ //'`; do
    LOGINDATE=`date -d $date +%s` 
    if isInLastHour $LOGINDATE ; then
        count=`expr $count + 1`
    fi
done

echo { \"BadLoginsPastHour\": $count }

Open in new window

0

Featured Post

Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now