I wrote a few scripts that pull information from the logs. The logs get rotated, so the scripts will not help with old incidents.
This one will pull all IPs that accessed the server
sudo cat /var/log/httpd/access_log | awk '{print $1}' | sort | uniq -c | sort -nr | head -20
This one will pull the IPs that get denied
sudo cat /var/log/httpd/error_log | grep denied | grep -E -o 'client [0-9.]+' | cut -f 2 -d ' ' | sort | uniq -c | sort -nr | more
sudo cat /var/log/secure | grep "Failed password" | grep -E -o "from ([0-9]{1,3}[.]){3}[0-9]{1,3}" | cut -f 2 -d ' ' | sort | uniq -c | sort -nr
sudo cat /var/log/secure | grep "authentication failures" | grep -o 'rhost=[^ ]*' | cut -f 2 -d = | sort | uniq -c | sort -nr
This one will pull the IPs for the endpoints that registered to your server
sudo cat /var/log/asterisk/full | grep "@" | grep -E -o "([0-9]{1,3}[.]){3}[0-9]{1,3}" | sort | uniq -c | sort -nr
This is how I put them to work. If there is unusual activity, I get an email and act on it.
logwatch is another way to look at who accessed your server and from where.
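As an added example that is not part of the original post, the script below runs the same kind of "extract the source IP, count, rank" pipelines over constructed sample lines in the formats of /var/log/secure, the Apache 2.4 error_log and the Asterisk chan_sip log, so they can be tried offline, and ends with the threshold filter a cron job could feed into mail. All log lines, hostnames and addresses are made up, and each extractor is anchored on a fixed token next to the address instead of a field position, because an Asterisk registration line carries two addresses and an error_log field count shifts with the port length.

```shell
#!/bin/sh
# Added example, not the original poster's scripts. Every log line and address
# below is constructed for the demonstration.

# Constructed /var/log/secure excerpt (sshd with PAM).
SAMPLE_SECURE='Mar  3 10:01:02 pbx sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:05 pbx sshd[2101]: Failed password for root from 203.0.113.7 port 51235 ssh2
Mar  3 10:02:11 pbx sshd[2104]: Failed password for invalid user admin from 198.51.100.22 port 40001 ssh2
Mar  3 10:02:30 pbx sshd[2101]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Mar  3 10:03:00 pbx sshd[2110]: Accepted publickey for alice from 192.0.2.10 port 5050 ssh2'

# Constructed Apache 2.4 error_log excerpt.
SAMPLE_ERROR='[Sun Mar 03 10:04:01.123456 2024] [authz_core:error] [pid 3311] [client 198.51.100.9:43210] AH01630: client denied by server configuration: /var/www/html/admin
[Sun Mar 03 10:04:02.223456 2024] [authz_core:error] [pid 3311] [client 198.51.100.9:43211] AH01630: client denied by server configuration: /var/www/html/admin
[Sun Mar 03 10:04:05.323456 2024] [authz_core:error] [pid 3312] [client 203.0.113.7:5060] AH01630: client denied by server configuration: /var/www/html/admin
[Sun Mar 03 10:05:00.000000 2024] [mpm_prefork:notice] [pid 1000] AH00163: Apache configured -- resuming normal operations'

# Constructed /var/log/asterisk/full excerpt (chan_sip). Each line carries two
# addresses: the PBX host after the "@" and the peer that tried to register,
# so matching any IP on a line containing "@" would count both of them.
SAMPLE_ASTERISK="[Mar  3 10:06:10] NOTICE[1500] chan_sip.c: Registration from '\"1001\" <sip:1001@203.0.113.50>' failed for '198.51.100.22:5060' - Wrong password
[Mar  3 10:06:12] NOTICE[1500] chan_sip.c: Registration from '\"1001\" <sip:1001@203.0.113.50>' failed for '198.51.100.22:5061' - Wrong password
[Mar  3 10:07:00] NOTICE[1500] chan_sip.c: Registration from '\"1002\" <sip:1002@203.0.113.50>' failed for '192.0.2.77:5060' - No matching peer found"

IP_RE='([0-9]{1,3}\.){3}[0-9]{1,3}'

# Turn one address per line into "count ip" lines, most frequent first.
rank() { sort | uniq -c | sort -nr | awk '{print $1, $2}'; }

# Source IPs of failed SSH password attempts, anchored on "from" so only the
# peer address is taken.
failed_password_ips() {
    grep 'Failed password' | grep -E -o "from $IP_RE" | cut -d ' ' -f 2 | rank
}

# rhost= values from PAM's "N more authentication failures" summary lines.
pam_failure_hosts() {
    grep 'authentication failures' | grep -E -o 'rhost=[^ ]+' | cut -d = -f 2 | rank
}

# Client IPs on "client denied" lines, taken from the "[client IP:port]" token.
denied_client_ips() {
    grep 'denied' | grep -E -o "client $IP_RE" | cut -d ' ' -f 2 | rank
}

# Peers whose SIP registration failed, taken from "failed for 'IP:port'".
failed_registration_ips() {
    grep 'Registration from' | grep -E -o "failed for '$IP_RE" | grep -E -o "$IP_RE" | rank
}

# Read "count ip" lines and print only the IPs at or above the threshold;
# an empty result means nothing to alert on.
ips_over_threshold() {
    awk -v limit="$1" '$1 >= limit {print $2}'
}

# Stand-alone run over the constructed samples.
echo "== SSH failed passwords =="; printf '%s\n' "$SAMPLE_SECURE" | failed_password_ips
echo "== PAM rhost failures ==";   printf '%s\n' "$SAMPLE_SECURE" | pam_failure_hosts
echo "== Apache client denied =="; printf '%s\n' "$SAMPLE_ERROR" | denied_client_ips
echo "== SIP registration failures =="; printf '%s\n' "$SAMPLE_ASTERISK" | failed_registration_ips
echo "== SSH sources with 2 or more failures =="
printf '%s\n' "$SAMPLE_SECURE" | failed_password_ips | ips_over_threshold 2
```

To use it on a live box, replace the `printf '%s\n' "$SAMPLE_..."` feeds with `sudo cat` of the real log, and pipe the threshold output into `mail` from cron; an empty output is the quiet case, so test for it before sending.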