Get every IP address that has logged into your system

January 17, 1970

List every host that attempted to connect

zgrep sshd /var/log/auth.log* | grep rhost | sed -re 's/.*rhost=([^ ]+).*/\1/' | sort -u
Command breakdown
  • zgrep sshd /var/log/auth.log*: Search for sshd in every auth.log file, including the rotated .gz ones.
  • grep rhost: Keep only the lines that contain the remote host information.
  • sed -re 's/.*rhost=([^ ]+).*/\1/': Match the rhost=xxxxxx expression and replace the whole line with the captured host value.
  • sort -u: Sort the hosts and show each one only once.

From here you can tweak it a little to suit your needs.

List successful logins

zgrep sshd /var/log/auth.log* | grep Accepted | sed -re 's/.*from ([^ ]+).*/\1/' | sort -u

List failed logins

zgrep sshd /var/log/auth.log* | grep failure | grep rhost | sed -re 's/.*rhost=([^ ]+).*/\1/' | sort -u

List failed logins with number of occurrences

zgrep sshd /var/log/auth.log* | grep failure | grep rhost | sed -re 's/.*rhost=([^ ]+).*/\1/' | sort | uniq -c | sort -nr
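
The failed and successful listings above can be combined into one per-host summary, which makes it easy to spot a host that both failed and got in. This is an added example, not part of the original post; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: one pass over sshd lines, counting per remote host.
# Prints "HOST FAILED ACCEPTED", hosts with the most failures first.
summarize_ssh() {
    awk '
    /sshd/ && /failure/ && /rhost=/ {
        # Same value the sed expression captures: text after rhost= up to a space.
        if (match($0, /rhost=[^ ]+/))
            failed[substr($0, RSTART + 6, RLENGTH - 6)]++
        next
    }
    /sshd/ && /Accepted/ {
        # "Accepted <method> for <user> from <host> port ..."; keep the last
        # "from", as the greedy sed pattern does.
        h = ""
        for (i = 1; i < NF; i++) if ($i == "from") h = $(i + 1)
        if (h != "") accepted[h]++
    }
    END {
        for (h in failed) seen[h] = 1
        for (h in accepted) seen[h] = 1
        for (h in seen) printf "%s %d %d\n", h, failed[h], accepted[h]
    }' | LC_ALL=C sort -k2,2nr -k1,1
}

# Hosts with at least one failure and at least one accepted login.
failed_and_accepted() {
    summarize_ssh | awk '$2 > 0 && $3 > 0 { print $1 }'
}

# Constructed sample lines (documentation address ranges), not real log data.
sample_log() {
    cat <<'EOF'
Jan 10 10:00:01 web1 sshd[1234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Jan 10 10:00:09 web1 sshd[1234]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Jan 10 10:01:00 web1 sshd[1300]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Jan 10 10:02:10 web1 sshd[1410]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.44  user=bob
Jan 10 10:02:30 web1 sshd[1410]: Accepted password for bob from 192.0.2.44 port 50111 ssh2
Jan 10 10:03:00 web1 sshd[1500]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5
Jan 10 10:04:00 web1 cron[99]: pam_unix(cron:session): session opened for user root
EOF
}

sample_log | summarize_ssh
# On a real system: zcat -f /var/log/auth.log* | summarize_ssh
```

The counts are matching log lines per host, the same unit the pipelines above count, so a "PAM 2 more authentication failures" line adds one to the total rather than two.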