Analyzing security logs

/var/log/secure

  1. How many IPs are brute-forcing the host's root account (failed attempts per source IP, most frequent first):
    grep "Failed password for root" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more
  2. Which IPs are brute-forcing (any account; the IPv4 regex has escaped dots, and the input is sorted so uniq -c counts correctly):
    grep "Failed password" /var/log/secure | grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" | sort | uniq -c | sort -nr
  3. What username dictionary is the brute force using?
    grep "Failed password" /var/log/secure | perl -e 'while($_=<>){ /for(.*?) from/; print "$1\n";}' | sort | uniq -c | sort -nr
  4. Successful logins per source IP (the "Accepted" lines):
    grep "Accepted " /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more
  5. List successful logins with date, time, user and source IP:
    grep "Accepted " /var/log/secure | awk '{print $1,$2,$3,$9,$11}'
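The three brute-force questions above (attempts per IP, IPs involved, usernames tried) as one runnable script. This is an added example, not from the original post: it runs over constructed sshd sample lines, and it locates the IP and username by position relative to the words "from" and "for" so that "Failed password for invalid user NAME from IP" lines, whose fields are shifted, are counted correctly.

```shell
#!/bin/sh
# Added example: brute-force triage over /var/log/secure-style sshd lines.
# The log below is constructed sample data, not a real capture.
SAMPLE_LOG="${TMPDIR:-/tmp}/secure.sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:00:01 host sshd[2001]: Failed password for root from 203.0.113.10 port 51022 ssh2
Mar  3 10:00:02 host sshd[2002]: Failed password for root from 203.0.113.10 port 51023 ssh2
Mar  3 10:00:03 host sshd[2003]: Failed password for invalid user admin from 203.0.113.10 port 51024 ssh2
Mar  3 10:00:04 host sshd[2004]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar  3 10:00:05 host sshd[2005]: Failed password for invalid user oracle from 198.51.100.7 port 40002 ssh2
Mar  3 10:01:00 host sshd[2006]: Accepted publickey for deploy from 192.0.2.20 port 60000 ssh2
EOF

# Normalise "uniq -c" output to "<count> <value>" and order by count
# descending, then value ascending, so ties are deterministic.
rank() {
    sort | uniq -c | awk '{print $1, $2}' | sort -k1,1nr -k2,2
}

# Failed root logins per source IP (the post's command 1; $11 is the IP
# because root lines have no "invalid user" prefix).
failed_root_by_ip() {
    grep 'Failed password for root' "$1" | awk '{print $11}' | rank
}

# All failed logins per source IP (command 2): the IP is always the field
# after "from", whatever the username looked like.
failed_by_ip() {
    awk '/Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' "$1" | rank
}

# Usernames tried, i.e. the attacker's dictionary (command 3): the field
# after "for", or three fields after it when it reads "invalid user NAME".
failed_usernames() {
    awk '/Failed password/ {
        for (i = 1; i <= NF; i++) if ($i == "for") {
            u = $(i+1); if (u == "invalid") u = $(i+3); print u
        }
    }' "$1" | rank
}

echo "failed root logins by IP:"; failed_root_by_ip "$SAMPLE_LOG"
echo "failed logins by IP:";      failed_by_ip "$SAMPLE_LOG"
echo "usernames tried:";          failed_usernames "$SAMPLE_LOG"
```

Point the functions at the real file (/var/log/secure, or /var/log/auth.log on Debian-based systems) instead of the sample to run the same triage on a host.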

access_log

  1. List client IPs:
    [root@localhost logs]# cat access_log | awk '{print $1}'
  2. Show the top 10 IPs by request count, to help locate the attack source:
    [root@localhost logs]# cat access_log | awk '{print $1}' | sort | uniq -c | sort -nr | head -10
  3. Show log entries from a given time onwards (a string comparison on the timestamp field):
    [root@localhost logs]# cat access_log | awk '$4>="[1/Jan/2020:00:00:00"'
  4. Check connection activity within a given time window (here hour 05 on any day in 2020, counted per timestamp):
    [root@localhost logs]# grep "2020:05" access_log | awk '{print $4}' | sort | uniq -c | sort -nr
  5. See what a given IP requested (in the combined log format $7 is the request path; -w stops 192.168.3.3 from also matching 192.168.3.30):
    [root@localhost logs]# cat access_log | grep -w "192.168.3.3" | awk '{print $1"\t"$7}' | sort | uniq -c | sort -nr | less
  6. Most requested files among the latest 10000 entries:
    [root@localhost logs]# cat access_log | tail -n 10000 | awk '{print $7}' | sort | uniq -c | sort -nr | less

Reposted from blog.csdn.net/luminous_you/article/details/110354944