如何從日誌文件中檢索 IP 地址的計數？

我正在檢查日誌文件以檢索 IP 地址以及日誌失敗的次數。這是我的日誌文件的樣子：

Feb  2 15:20:02 tank sshd[14870]: Failed password for root from 143.100.67.173 port 13356 ssh2
Feb  2 15:20:07 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb  2 15:20:12 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb  2 15:20:16 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb  2 15:20:20 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb  2 15:20:23 tank sshd[14874]: Accepted password for root from 143.100.67.173 

現在，我還想檢查日誌被接受了多少次。這個想法是對暴力攻擊進行概述。

我如何擴展

sed -nr '/Failed/{s/.*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/;p}'| sort | uniq -c 

還要檢查接受的密碼？就像是

sed -nr '/Accepted|Failed/{s/.*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/;p}'| sort | uniq -c 

但是，我不想在 Accepted 和 Failed 之間使用“或”，而是希望得到一個如下所示的計數結果：

123.53.163.22 3 2

（列是：IP 地址、失敗總數、接受總數）

這與如何檢索可能的 ssh 攻擊者的 IP 地址有關？

鑑於樣本不足….

cat horbaje
Feb  2 15:20:02 tank sshd[14870]: Failed password for root from 143.100.67.173 port 13356 ssh2
Feb  2 15:20:07 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb  2 15:20:12 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb  2 15:20:16 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb  2 15:20:20 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb  2 15:20:23 tank sshd[14874]: Accepted password for root from 143.100.67.173 

我認為，這可以滿足您的要求：

awk '$6~/Failed/{a[$11][1]++}; $6~/Accepted/{a[$11][2]++} END{for(i in a){printf "%s\t%s\t%s\n",i,a[i][1],a[i][2]}}' horbaje
143.100.67.173  5   1

引用自：https://unix.stackexchange.com/questions/485650