Lurker here, having gotten many good answers to my problems for some time. Hoping there's some insight here, please! I am struggling with a bit of bash script that kind of sort of works.
The intention here is to grep "Disconnected from" in the auth.log and get the IP address following. I then find the geo-location of the IP address using the extreme-ip-lookup.com tool which has been fairly useful. These are running on Ubuntu 16.04 servers up on AWS.
I am getting mixed results - I see a lot of the same IP address (this is an AWS server) that is not showing up in the auth.log, and I'm VERY curious where the information is coming from. Ultimately, the results I generate here are going to be my justification to remove this server from public accessibility and make it private only. It would disrupt some things internally, but make the environment more secure. It's amazing I even have to fight for this.
Also having an issue echoing the $ipaddy variable (it shows up blank) and piping info into a file. But that's another issue. ;)
The code..
#!/bin/bash
tail -f /var/log/auth.log | \
while read -r line ; do
    # Pull the address that follows "Disconnected from": the fourth colon-separated
    # field (everything after "sshd[pid]:"), third word of that field.
    ipaddy=$( echo "$line" | grep "Disconnected from" | cut -d: -f4 | awk '{print $3}' )
    # $? after the command substitution is awk's exit status, not grep's, so it is
    # 0 on every line and curl was being called with an empty address whenever the
    # line did not match. Test the extracted value instead.
    if [ -n "$ipaddy" ]
    then
        curl "extreme-ip-lookup.com/csv/$ipaddy"
        echo ""
    fi
done
# cat auth.log | grep "Disconnected from" | cut -d: -f4 |awk '{print $3}'
The remarked out line on the bottom is my test line that correctly outputs a list of IP addresses.
See output results below.
-- Results from the command: cat auth.log | grep "Disconnected from" --
Mar 21 20:57:04 ip-10-10-100-22 sshd[11823]: Disconnected from 115.238.245.6 port 52720 [preauth]
Mar 21 20:58:48 ip-10-10-100-22 sshd[11839]: Disconnected from 93.147.131.23 port 34934 [preauth]
Mar 21 21:02:40 ip-10-10-100-22 sshd[11868]: Disconnected from 221.194.47.221 port 50977 [preauth]
Mar 21 21:03:02 ip-10-10-100-22 sshd[11884]: Disconnected from 221.194.47.243 port 47179 [preauth]
Mar 21 21:04:52 ip-10-10-100-22 sshd[11900]: Disconnected from 115.238.245.6 port 53163 [preauth]
Mar 21 21:09:03 ip-10-10-100-22 sshd[12064]: Disconnected from 122.226.181.164 port 60190 [preauth]
Mar 21 21:16:46 ip-10-10-100-22 sshd[12080]: Disconnected from 221.194.47.233 port 54297 [preauth]
Mar 21 21:23:01 ip-10-10-100-22 sshd[12123]: Disconnected from 62.210.205.35 port 38513 [preauth]
Mar 21 21:31:54 ip-10-10-100-22 sshd[12229]: Disconnected from 221.194.47.236 port 55644 [preauth]
Mar 21 21:38:34 ip-10-10-100-22 sshd[12247]: Disconnected from 62.241.131.10 port 51984 [preauth]
Mar 21 21:38:54 ip-10-10-100-22 sshd[12267]: Disconnected from 221.194.47.245 port 41003 [preauth]
Mar 21 21:42:35 ip-10-10-100-22 sshd[12286]: Disconnected from 218.65.30.25 port 15680 [preauth]
Mar 21 21:42:49 ip-10-10-100-22 sshd[12302]: Disconnected from 121.18.238.39 port 34310 [preauth]
Mar 21 21:44:12 ip-10-10-100-22 sshd[12318]: Disconnected from 177.70.27.200 port 34968 [preauth]
-- Results of the script running for a while. It's the 34.224.62.79 addresses that are showing up NOWHERE ELSE in the auth.log that are confusing to me. I get that they're most likely AWS internal, but why aren't they also showing up in the auth.log? --
success,34.224.62.79,,Residential,,,"North America",US,"United States",Virginia,Ashburn,39.0481,-77.4728,"Amazon Technologies Inc.","Halliburton Company"
success,221.194.47.233,,Residential,,,Asia,CN,China,Hebei,Baoding,38.8511,115.4903,"China Unicom Hebei Province Network","China Unicom Hebei province network"
success,34.224.62.79,,Residential,,,"North America",US,"United States",Virginia,Ashburn,39.0481,-77.4728,"Amazon Technologies Inc.","Halliburton Company"
success,34.224.62.79,,Residential,,,"North America",US,"United States",Virginia,Ashburn,39.0481,-77.4728,"Amazon Technologies Inc.","Halliburton Company"
success,34.224.62.79,,Residential,,,"North America",US,"United States",Virginia,Ashburn,39.0481,-77.4728,"Amazon Technologies Inc.","Halliburton Company"
success,34.224.62.79,,Residential,,,"North America",US,"United States",Virginia,Ashburn,39.0481,-77.4728,"Amazon Technologies Inc.","Halliburton Company"
success,62.210.205.35,aurora.appturesque.com,Business,Appturesque.com,www.appturesque.com,Europe,FR,France,,,48.8582,2.3387,"Online S.A.S.","Magic Online ISP"
success,34.224.62.79,,Residential,,,"North America",US,"United States",Virginia,Ashburn,39.0481,-77.4728,"Amazon Technologies Inc.","Halliburton Company"
success,34.224.62.79,,Residential,,,"North America",US,"United States",Virginia,Ashburn,39.0481,-77.4728,"Amazon Technologies Inc.","Halliburton Company"
success,34.224.62.79,,Residential,,,"North America",US,"United States",Virginia,Ashburn,39.0481,-77.4728,"Amazon Technologies Inc.","Halliburton Company"
success,34.224.62.79,,Residential,,,"North America",US,"United States",Virginia,Ashburn,39.0481,-77.4728,"Amazon Technologies Inc.","Halliburton Company"
success,221.194.47.236,,Residential,,,Asia,CN,China,Hebei,Baoding,38.8511,115.4903,"China Unicom Hebei Province Network","China Unicom Hebei province network"
success,34.224.62.79,,Residential,,,"North America",US,"United States",Virginia,Ashburn,39.0481,-77.4728,"Amazon Technologies Inc.","Halliburton Company"
success,62.241.131.10,host-62-241-131-10.static.link.com.eg,Residential,,,Africa,EG,Egypt,"Al Qahirah",Cairo,30.0771,31.2859,"Link Egypt","Link Egypt"
success,34.224.62.79,,Residential,,,"North America",US,"United States",Virginia,Ashburn,39.0481,-77.4728,"Amazon Technologies Inc.","Halliburton Company"
success,221.194.47.245,,Residential,,,Asia,CN,China,Hebei,Baoding,38.8511,115.4903,"China Unicom Hebei Province Network","China Unicom Hebei province network"
success,34.224.62.79,,Residential,,,"North America",US,"United States",Virginia,Ashburn,39.0481,-77.4728,"Amazon Technologies Inc.","Halliburton Company"
success,218.65.30.25,,Residential,,,Asia,CN,China,Jiangxi,Nanchang,28.5500,115.9333,"ChinaNet Jiangxi Province Network","CHINANET JIANGXI PROVINCE NETWORK"
success,34.224.62.79,,Residential,,,"North America",US,"United States",Virginia,Ashburn,39.0481,-77.4728,"Amazon Technologies Inc.","Halliburton Company"
success,121.18.238.39,,Residential,,,Asia,CN,China,Hebei,Hebei,39.8897,115.2750,"China Unicom Hebei Province Network","China Unicom Hebei province network"
success,34.224.62.79,,Residential,,,"North America",US,"United States",Virginia,Ashburn,39.0481,-77.4728,"Amazon Technologies Inc.","Halliburton Company"
success,177.70.27.200,v9duckz3sq.undercloud.net,Residential,,,"South America",BR,Brazil,,,-22.8305,-43.2192,"Desenvolve Solucoes de Internet Ltda","Desenvolve Solucoes de Internet Ltda"
success,34.224.62.79,,Residential,,,"North America",US,"United States",Virginia,Ashburn,39.0481,-77.4728,"Amazon Technologies Inc.","Halliburton Company"
success,122.226.181.166,,Residential,,,Asia,CN,China,Jiangsu,Taizhou,32.4907,119.9081,"Hangzhou tianjian to information technology","CHINANET Zhejiang province network"
Amazing what fresh eyes in the morning can do for you!
I went the easier way (I guess) and just output that list of IPs first, then read that list into my lookups instead of doing it live, plus tightened up the script a little.
The erroneous IP address from my previous post was in fact the public IP of another server communicating with this one. Why the heck it was showing up in the lookups but not in the auth.log is still a mystery.
But I output a list of almost 1000 erroneous SSH attempts over the last day, about half of them from China and Russia, and scared the hell out of the right people this morning over this. ;-)
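For anyone landing here with the same two problems (pulling the source address out of the sshd "Disconnected from" lines in the first post, and running the lookups from a pre-built list of unique addresses rather than live off tail -f, as in the follow-up), here is an added example of that batch-first approach. It is not the original poster's script. The sample log lines are constructed; the extraction goes a bit beyond the Ubuntu 16.04 format shown above and also handles the "Disconnected from authenticating user root 1.2.3.4 port N" and "Disconnected from user NAME 1.2.3.4 port N" variants that newer OpenSSH versions log, which "cut -d: -f4 | awk '{print $3}'" gets wrong. The lookup function uses the same extreme-ip-lookup.com CSV endpoint as the post and is the only part that needs network access.

```shell
#!/bin/sh
# Added example (not the original poster's script). Assumes the OpenSSH
# "Disconnected from ... <ipv4> port <n>" line formats shown in the sample
# below; IPv6 peers are not handled. Constructed sample data, no real hosts.
export LC_ALL=C

# Source IPv4 of every "Disconnected from" line. In all three formats the
# address sits immediately before " port N", so anchor on that instead of
# counting words, which breaks on the "authenticating user root" variant.
extract_ssh_ips() {
    grep 'Disconnected from' "$1" \
        | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+' \
        | cut -d' ' -f1
}

# Unique addresses, one per line: the list to feed the lookup step.
unique_ssh_ips() {
    extract_ssh_ips "$1" | sort -u
}

# Attempts per address, busiest first, as "count ip" lines.
count_ssh_ips() {
    extract_ssh_ips "$1" | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Batch lookup: one request per unique address, one CSV record per line
# written to $2. Empty lines are skipped so a request is never sent with no
# address in the path.
lookup_ssh_ips() {
    unique_ssh_ips "$1" | while IFS= read -r ip; do
        [ -n "$ip" ] || continue
        curl -s --max-time 10 "extreme-ip-lookup.com/csv/$ip"
        echo ""
    done > "$2"
}

# Constructed sample auth.log (three disconnect formats plus a non-matching
# line), written to the path given as $1.
write_sample_log() {
    cat > "$1" <<'EOF'
Mar 21 20:57:04 ip-10-10-100-22 sshd[11823]: Disconnected from 115.238.245.6 port 52720 [preauth]
Mar 21 20:58:48 ip-10-10-100-22 sshd[11839]: Disconnected from 93.147.131.23 port 34934 [preauth]
Mar 21 21:04:52 ip-10-10-100-22 sshd[11900]: Disconnected from 115.238.245.6 port 53163 [preauth]
Mar 21 21:05:10 ip-10-10-100-22 sshd[11910]: Disconnected from authenticating user root 221.194.47.221 port 50977 [preauth]
Mar 21 21:06:00 ip-10-10-100-22 sshd[11920]: Disconnected from user ubuntu 10.10.100.5 port 41002
Mar 21 21:06:01 ip-10-10-100-22 sshd[11920]: pam_unix(sshd:session): session closed for user ubuntu
Mar 21 21:07:30 ip-10-10-100-22 sshd[11930]: Disconnected from 115.238.245.6 port 53200 [preauth]
EOF
}

sample_log=$(mktemp)
write_sample_log "$sample_log"
echo "Unique addresses:"
unique_ssh_ips "$sample_log"
echo "Attempts per address:"
count_ssh_ips "$sample_log"
# Against a real log, with network access:
#   lookup_ssh_ips /var/log/auth.log /tmp/ssh-geo.csv
rm -f "$sample_log"
```

Running the counts first is also what makes the lookups cheap: a day of brute forcing is usually a few dozen distinct addresses hitting hundreds of times each, so deduplicating before querying turns "almost 1000" requests into a handful.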