See contents of the log file from the ssh server (/var/log/auth.log):
  less auth.log 
Search for invalid user attempts in the log file:
  grep "Failed password for invalid user" auth.log
Print the last 5 lines of the lines that contain the invalid user data:
  grep "Failed password for invalid user" auth.log  | tail -5
Search for a particular IP address amongst the invalid user attempts:
  grep "Failed password for invalid user" auth.log  | grep 203.154.117.52
Count the number of times an invalid user attempt was made by the particular IP address
  grep "Failed password for invalid user" auth.log  | grep 203.154.117.52 | wc -l
List the IP address "field" (13th column in each line) of the log file with invalid user attempts:
  grep "Failed password for invalid user" auth.log  | awk '{print $13}'
Sort the IP addresses that attempted invalid user logins:
  grep "Failed password for invalid user" auth.log  | awk '{print $13}' | sort | less
For each IP address that attempted an invalid user login, list the IP address and the number of attempts:
  grep "Failed password for invalid user" auth.log  | awk '{print $13}' | sort | awk 'BEGIN{previp=0; count=0} {if (previp==$1) count++; else {print previp, count+1; count=0; previp=$1} }' | less
Print a list of IP addresses and number of attempts, only for those IP addresses with more than 4 attempts:
  grep "Failed password for invalid user" auth.log  | awk '{print $13}' | sort | awk 'BEGIN{previp=0; count=0} {if (previp==$1) count++; else {print previp, count+1; count=0; previp=$1} }' | awk '{if ($2>4) print;}' | less
Print a list of IP addresses from which more than 4 "invalid user" attempts have been carried out:
  grep "Failed password for invalid user" auth.log  | awk '{print $13}' | sort | awk 'BEGIN{previp=0; count=0} {if (previp==$1) count++; else {print previp, count+1; count=0; previp=$1} }' | awk '{if ($2>4) print $1;}'
Append those IP address to the end of a blacklist text file:
  grep "Failed password for invalid user" auth.log  | awk '{print $13}' | sort | awk 'BEGIN{previp=0; count=0} {if (previp==$1) count++; else {print previp, count+1; count=0; previp=$1} }' | awk '{if ($2>4) print $1;}' >> blacklist.txt
Sort the contents of the blacklist file:
  sort blacklist.txt | less
If the blacklist file contains multiple copies of the IP addresses (because of say the repeated use of the earlier command):
  sort blacklist.txt | uniq
Clean up the blacklist file from duplicates:
  sort blacklist.txt | uniq > tmp.txt
  mv tmp.txt blacklist.txt

Create 4 junk "fake jpg" files:
  echo blskjfldskj > img1.jpg
  echo blskjfldskj > img2.jpg
  echo blskjfldskj > img3.jpg
  echo blskjfldskj > img4.jpg
Make awk print a message on the screen (std out) - note the use of only the BEGIN block, awk being used with no input:
  awk 'BEGIN{print"hello world"}'
  awk 'BEGIN{print"echo blskjfldskj > img1.jpg"}'
Print 99 strings on the screen, each looking like a command that can be later executed:
  awk 'BEGIN{for (i=1;i<100;i++) print "echo blskjfldskj > img"i".jpg"}'
Why don't we write $i? Because that would mean we want to address the i^th field. We only care about i itself.
We can even do aritmetic on variables and directly concatenate them with strings:
  awk 'BEGIN{for (i=1;i<100;i++) print "echo blskjfldskj > img"i+1".jpg"}'
Execute each line of a text using the system() call (creating 99 fake jpg files):
  awk 'BEGIN{for (i=1;i<100;i++) print "echo blskjfldskj > img"i+1".jpg"}' | awk '{system($0)}'
You can call and execute any shell command from inside awk using the system() call:
  awk 'BEGIN{system("ls")}'
What is $0? It is all the fields, ie. the entire line:
  echo ali seni sovdu | awk '{print $0" ama bu yanlisti"}'
Now let's imagine we want to rename all the fake jpg files such that they start with torun instead of img.
List all the img*jpg files, and generate strings that read like: "mv img1.jpg img1.jpg"
  ls img*jpg | awk '{print "mv "$1" "$1}'
Substitute the string "torun" in place of the first "img" string inside $0 in order to get commands like: "mv torun1.jpg img1.jpg"
  ls img*jpg | awk '{print "mv "$1" "$1}' | awk '{sub("img","torun",$0); print $0}'
Print in an order that swaps the third and second fields, so we get commands like: "mv img1.jpg torun1.jpg"
  ls img*jpg | awk '{print "mv "$1" "$1}' | awk '{sub("img","torun",$0); print $1,$3,$2}'
And now execute the commands we generated, renaming all img*jpg files as torun*jpg files:
  ls img*jpg | awk '{print "mv "$1" "$1}' | awk '{sub("img","torun",$0); print $1,$3,$2}' | awk '{system($0)}'
The same sort of thing could be attempted by using sed. As an example try this:
  ls torun*jpg | awk '{print "mv "$1" "$1}' | sed s/'torun'/'img'/2 | less

Using awk instead of grep (awk is like a Swiss army knife, you replicate the functionality of many utilities):
  ls  | grep torun
  ls  | awk '/torun/{print}'
  ls  | awk '/torun/'

The original awk book by Aho, Weinberger and Kernighan is available on the internet archive.
Topic revision: r2 - 09 Feb 2018, ErkcanOzcan
 

This site is powered by FoswikiCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding Foswiki? Send feedback