Plot successful logins with gnuplot
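#!/bin/sh
# Plot successful logins.
#
# Reads the Hydra results in tmp.all.hydraout5, numbers every distinct host
# and every distinct login:password pair, and writes tmp.sshlogin3 with the
# columns
#   <host index> <host> <credential index> <login:password>
# for ip_vs_login.gnuplot to plot. All tmp.* work files are removed on exit.
#
# The indices are attached by exact field lookup in awk. Generating sed
# substitutions from the hosts and credentials would treat them as regular
# expressions: a password containing "/", ".", "*", "[" or "&" breaks or
# mis-applies the rule, and a credential that is a prefix of another one
# (chef:chef / chef:chef1) gets a second index column inserted.
#
# Limitation: fields are split on whitespace, so only the first word of a
# password that contains blanks is kept.
set -eu

# Every file handled here, the work files and the rendered image alike, holds
# valid cleartext credentials, so create them readable by the owner only.
umask 077

readonly input=tmp.all.hydraout5
# Host that accepts every login attempt and would only add false positives.
readonly ilom_host=10.135.88.177

# Remove the credential-bearing work files on every exit path, including a
# failed gnuplot run. The list also covers stale files left by interrupted
# runs that used the sed-based intermediate names.
cleanup() {
  rm -f tmp.sshscan tmp.sshlogin tmp.sshlogin2 tmp.sshlogin3 \
    tmp.ips tmp.lo tmp.repl.ips tmp.repl.lo
}
trap cleanup EXIT
trap 'exit 1' HUP INT TERM

if [ ! -r "$input" ]; then
  printf 'cannot read %s\n' "$input" >&2
  exit 1
fi

# Keep "<host> <login>:<password>" for every result line. The Hydra header
# comment and lines without a host field are dropped, and the excluded host is
# compared as an exact string against the host field rather than as a regex
# against the whole line. LC_ALL=C makes sort -u compare bytes, so only
# identical lines are merged.
awk -v skip="$ilom_host" '
  /^# Hydra/ { next }
  $3 == "" || $3 == skip { next }
  { print $3 " " $5 ":" $7 }
' "$input" | LC_ALL=C sort -u > tmp.sshlogin

# Number the distinct hosts (sorted octet by octet) and the distinct
# credentials; nl writes "<index> <value>" lines.
awk '{ print $1 }' tmp.sshlogin |
  sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 | uniq | nl > tmp.ips
awk '{ print $2 }' tmp.sshlogin | sort -n | uniq | nl > tmp.lo

# Load both index tables, then prefix each field of every login row with its
# index. Array lookups compare whole strings, so no value is ever interpreted
# as a pattern.
awk '
  FILENAME == "tmp.ips" { host_idx[$2] = $1; next }
  FILENAME == "tmp.lo"  { cred_idx[$2] = $1; next }
  { print host_idx[$1], $1, cred_idx[$2], $2 }
' tmp.ips tmp.lo tmp.sshlogin > tmp.sshlogin3

# A gnuplot failure now ends the script with a non-zero status; the EXIT trap
# still removes the work files.
gnuplot ip_vs_login.gnuplot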
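10.135.88.177 is an ILOM interface that accepts every login at first and only afterwards presents its own proprietary login mask, so every attempt against it would be counted as a successful login; it is therefore filtered out.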
ip_vs_login.gnuplot
# Scatter plot of hosts against the login:password pairs that worked on them.
# Expects "tmp.sshlogin3" with four whitespace-separated columns: column 3 is
# the x value, column 1 the y value, column 4 labels the x tics and column 2
# labels the y tics.
# NOTE(review): going by the x-axis label, column 4 holds login:password
# strings, so the generated PNG carries cleartext credentials -- store and
# share it as carefully as the raw results.

# Canvas and target file; enlarge or shrink the size to fit the number of
# distinct hosts and credentials.
set terminal png large size 9000,14000
set output "ip-succssh.png"

# No frame, tics on one side only, x tic labels turned upright so long
# credential strings do not overlap.
unset border
set xtics nomirror rotate by 90
set ytics nomirror

set xlabel 'successfull login:password-combinations'
set ylabel 'IPs in 10.135 net with successfull ssh-, telnet- or cifs-logins'

plot "tmp.sshlogin3" using 3:1:xtic(4):ytic(2)
Depending on the number of successful logins, you have to adjust the pixel size in the first line (the `size` given to `set terminal`).
tmp.all.hydraout5
[22][ssh] host: 10.128.89.21 login: chef password: chef
[22][ssh] host: 10.128.89.21 login: offen password: offen
[22][ssh] host: 10.128.89.21 login: root password: sonne
[22][ssh] host: 10.128.89.29 login: chef password: chef
[22][ssh] host: 10.128.90.12 login: birne password: Stanislav
[22][ssh] host: 10.128.90.12 login: artestpc6 password: 99adm
[22][ssh] host: 10.128.90.12 login: axadm password: Stanislav
[22][ssh] host: 10.128.90.12 login: axadm_pc6 password: 99adm
[22][ssh] host: 10.128.90.12 login: axroot password: Stanislav
[22][ssh] host: 10.128.90.12 login: axu6user password: Stanislav
...