Monday, August 17, 2009

FW Log Check

Doing a remote check of FW activity, I've found that the FW has blocked MANY IPs in the last 9 days:

[root@delly ~]# zcat /var/log/bruteforce.0908* | wc -l
11424
Those are all unique IPs. Out of curiosity, I checked July's and May's logs:

[root@delly ~]# zcat /var/log/bruteforce.0907* | wc -l
40511

[root@delly ~]# zcat /var/log/bruteforce.0906* | wc -l
10121


All I can say is, "WOW!!" There was a HUGE spike in July (maybe due to summer vacation of most kids). Unfortunately, my logs don't go back beyond June.

I'm curious as to how August will be but I can already see that the number will be high. I'll update the blog as I as continue to watch.

[EDIT: I checked August's count and it is below:

zcat /var/log/bruteforce.0908* | wc -l
40761


September (so far) is:
zcat /var/log/bruteforce.0909* | wc -l
20186


I think I'll start scripting this command to run every week so that I can start trending.[09/15/2009]]




[Edit:


So, it is 7/19/2011.  I will try to graph what I'm about to provide, but here's what I have after zcatting some .gz files:



2011:

[root@delly ~]# zcat /var/log/bruteforce.1107* | wc -l
   58589
[root@delly ~]# zcat /var/log/bruteforce.1106* | wc -l
   91736
[root@delly ~]# zcat /var/log/bruteforce.1105* | wc -l
   93765
[root@delly ~]# zcat /var/log/bruteforce.1104* | wc -l
   89521
[root@delly ~]# zcat /var/log/bruteforce.1103* | wc -l
   91337
[root@delly ~]# zcat /var/log/bruteforce.1102* | wc -l
   81415
[root@delly ~]# zcat /var/log/bruteforce.1101* | wc -l
   89971


2010:

[root@delly ~]# zcat /var/log/bruteforce.1012* | wc -l
   90024
[root@delly ~]# zcat /var/log/bruteforce.1011* | wc -l
   87120
[root@delly ~]# zcat /var/log/bruteforce.1010* | wc -l
   89748
[root@delly ~]# zcat /var/log/bruteforce.1009* | wc -l
   85585
[root@delly ~]# zcat /var/log/bruteforce.1008* | wc -l
   84738
[root@delly ~]# zcat /var/log/bruteforce.1007* | wc -l
   66438
[root@delly ~]# zcat /var/log/bruteforce.1006* | wc -l
   62905
[root@delly ~]# zcat /var/log/bruteforce.1005* | wc -l
   63421
[root@delly ~]# zcat /var/log/bruteforce.1004* | wc -l
   60478
[root@delly ~]# zcat /var/log/bruteforce.1003* | wc -l
   59006
[root@delly ~]# zcat /var/log/bruteforce.1002* | wc -l
   44380
[root@delly ~]# zcat /var/log/bruteforce.1001* | wc -l
   45392


2009:

[root@delly ~]# zcat /var/log/bruteforce.0912* | wc -l
   48281
[root@delly ~]# zcat /var/log/bruteforce.0911* | wc -l
   45127
[root@delly ~]# zcat /var/log/bruteforce.0910* | wc -l
   44254
[root@delly ~]# zcat /var/log/bruteforce.0909* | wc -l
   40185


[root@delly /var/log]# zcat bruteforce.* |wc -l
 1704809
[root@delly /var/log]# zcat bruteforce.* |wc -l | uniq
 1704809
]

No comments: