From 48b47cd21a395c28e48db3b074d7405f5bde3131 Mon Sep 17 00:00:00 2001
From: Felix Stupp
Date: Fri, 4 Jan 2019 22:54:47 +0100
Subject: [PATCH] Added script for getting all IPs failed on ssh
---
log/failedIPs.sh | 6 ++++++
1 file changed, 6 insertions(+)
create mode 100644 log/failedIPs.sh
diff --git a/log/failedIPs.sh b/log/failedIPs.sh
new file mode 100644
index 0000000..4fa6173
--- /dev/null
+++ b/log/failedIPs.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+grep 'sshd' /var/log/auth.log |
+ grep -P '(not allowed because not listed in|Invalid user|Did not receive identification string from|Unable to negotiate with|Bad protocol version identification|error: maximum authentication attempts exceeded for)' |
+ grep -o -P '(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)' |
+ sort -u
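Review bot: The IPv4 alternative at the end of the `grep -o -P` pattern is not a separate branch: counting parentheses, the group opened at the very start of the pattern is closed by the `)` just before `{3}`, so the expression reads `(<IPv6 forms>|octet\.){3}octet`. Dotted-quad addresses still match, but a plain IPv6 source would most likely never be printed, which leaves IPv6 clients out of the list without any error. Closing the IPv6 group first and opening a new one for the dotted quad fixes it: `...[0-9]))|((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|...)`. Separately, `grep -o` returns every address-shaped token on a matched line, and the user name in `Invalid user` lines is chosen by the remote client, so the output should not drive a blocklist until extraction is tied to the address after ` from `.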