Another question for tracking failed logins via script

Hello Experts,

I have this initial shell script that tracks failed login attempts:

#!/bin/bash

#Fetch failed user logins to file failed-logins.txt
grep -i failed /var/log/secure | awk '{ print $1, $2"  ", $3"  ", $9"  ", $11 }' > failed-logins.txt

#Splitting the failed-logins into INVALID & VALID

grep -i invalid failed-logins.txt > invalid-failed-logins.txt
grep -v invalid failed-logins.txt > valid-failed-logins.txt

and have the following output for valid-failed-logins:

Jan 18 14:15:03 root 218.104.65.210
Jan 18 14:15:07 root 218.104.65.210
Jan 18 14:15:11 root 218.104.65.210
Jan 18 14:15:23 root 218.104.65.210
Jan 18 14:15:26 root 218.104.65.210
Jan 18 14:15:31 root 218.104.65.210
Jan 18 14:15:35 root 218.104.65.210
Jan 18 14:15:38 root 218.104.65.210
Jan 18 14:15:47 root 218.104.65.210
Jan 18 14:15:57 root 218.104.65.210
Jan 18 14:16:00 root 218.104.65.210
Jan 18 14:16:04 root 218.104.65.210
Jan 18 14:16:50 root 218.104.65.210
Jan 18 14:16:53 root 218.104.65.210
Jan 18 14:16:57 root 218.104.65.210
Jan 18 14:17:01 root 218.104.65.210
Jan 18 14:17:04 root 218.104.65.210
Jan 18 14:17:08 root 218.104.65.210
Jan 18 14:17:12 root 218.104.65.210
Jan 18 14:22:56 root 59.76.81.123
Jan 18 14:32:17 root 220.78.22.250
Jan 18 14:32:21 root 220.78.22.250
Jan 18 14:32:24 root 220.78.22.250
Jan 18 14:32:26 root 220.78.22.250
Jan 18 14:32:29 root 220.78.22.250
Jan 18 14:32:33 root 220.78.22.250
Jan 18 14:32:36 root 220.78.22.250
Jan 18 14:32:39 root 220.78.22.250
Jan 18 14:32:41 root 220.78.22.250
Jan 18 14:32:44 root 220.78.22.250
Jan 18 14:32:47 root 220.78.22.250
Jan 18 14:32:50 root 220.78.22.250
Jan 18 14:32:57 root 220.78.22.250
Jan 18 18:22:35 root 119.111.70.244
Jan 18 18:22:41 root 119.111.70.244
Jan 18 21:31:07 root 209.151.232.70
Jan 18 21:31:09 root 209.151.232.70
Jan 18 21:31:13 root 209.151.232.70
Jan 18 21:31:16 root 209.151.232.70
Jan 18 21:31:19 root 209.151.232.70
Jan 18 21:31:22 root 209.151.232.70
Jan 18 21:31:25 root 209.151.232.70
Jan 18 21:31:28 root 209.151.232.70
Jan 18 21:31:32 root 209.151.232.70
Jan 18 21:31:34 root 209.151.232.70
Jan 18 21:31:38 root 209.151.232.70
Jan 18 21:31:41 root 209.151.232.70

Can you help me get the total failed login attempts from each source?
For example:

Jan 18 21:31:13 root 209.151.232.70 = 12 attempts

One hint for you: you can use awk or sed to get the IP address. Then you can use the "uniq" command to find the number of failed attempts.

uniq -c, or check the details in the man pages.

There are some tools to track failed logins in ssh: denyhosts and fail2ban.
The first one tracks unsuccessful logins in /var/log/auth.log (but you can specify another file) and puts the incriminated IP in /etc/hosts.deny (after a number of tries); you can also specify your own commands to be executed.
It manages a couple of files: user-valid, user-invalid, hosts-valid, hosts-invalid...
Maybe that can be of some interest to you.

awk '{a[$NF]++} END {for (i in a) {print i " = " a[i] " attempt(s)"}}' valid-failed-logins.txt
209.151.232.70 = 12 attempt(s)
119.111.70.244 = 2 attempt(s)
220.78.22.250 = 13 attempt(s)
59.76.81.123 = 1 attempt(s)
218.104.65.210 = 19 attempt(s)

Hi rdcwayx,

Wow, it's pretty simple, but can you explain the code to me since I'm new to awk programming?

Thank you.

a[$NF] builds the array on the last column and counts it. Finally, print the array.

Thanks rdcwayx, but I'm confused about how I will insert the first 3 fields (date, time, account).

I'm trying to do it, but I'm getting incorrect results.

I appreciate your replies very much.

To add the account is easy. But how to export the date/time? Which one will be used when there are multiple accounts/times for one IP?

Can you help me to export the account and date fields instead, excluding the time field?

Thanks

$ awk '{a[$1 FS $2 FS $4 FS $NF]++} END {for (i in a) {print i " = " a[i] " attempt(s)"}}' valid-failed-logins.txt
Jan 18 root 220.78.22.250 = 13 attempt(s)
Jan 18 root 59.76.81.123 = 1 attempt(s)
Jan 18 root 218.104.65.210 = 19 attempt(s)
Jan 18 root 209.151.232.70 = 12 attempt(s)
Jan 18 root 119.111.70.244 = 2 attempt(s)

rdcwayx,

Thank you. I'm getting closer to the requirement of the script.