
Accounts attacked

I have run the two commands below. I find that some of the accounts are being attacked, as shown below. I do not have the accounts test, teste, oracle and admin in my home directory. As they are system accounts. How can I know which are valid and which are invalid accounts?

```
lastb | awk '{print $1}' | sort | uniq -c | sort -rn | head -5
   5898 root
    196 test
    164 oracle
    154 teste
     86 admin
[root@localhost ~]# awk 'gsub(".*sshd.*Failed password for (invalid user )?", "") {print $1}' /var/log/secure* | sort | uniq -c | sort -rn | head -5
  13835 root
    386 test
    185 oracle
    146 admin
    131 nagios
```

These are just automated bot attacks and not unusual for any internet-exposed system. To get a list of users you can use `getent` in CentOS:


```
getent passwd | awk -F':' '{ print $1 }'
```


To put it together with what you already have:


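```
# Requires bash (process substitution). Reads "count user" pairs from the log
# summary and checks each name against the account database.
while read -r count user; do
    printf '%s %s ' "$user" "$count"
    # The name comes from the log and is chosen by the remote client, so match
    # it as a fixed whole-line string rather than as a regular expression.
    if getent passwd | cut -d: -f1 | grep -qxF -- "$user"; then
        printf 'valid\n'
    else
        printf 'invalid\n'
    fi
done < <(awk 'gsub(".*sshd.*Failed password for (invalid user )?", "") {print $1}' /var/log/secure* | sort | uniq -c | sort -rn | head -5)
```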
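The `(invalid user )?` group in the awk pattern above throws away a marker that sshd itself writes for names it does not accept, so the same classification can be read straight from the log. The following is an added example, not code from the original answer: the function names `sample_log` and `classify_failures` and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample lines in /var/log/secure format (not real log data;
# addresses are from the 192.0.2.0/24 documentation range).
sample_log() {
cat <<'EOF'
Jan 10 03:12:01 localhost sshd[2101]: Failed password for root from 192.0.2.10 port 40122 ssh2
Jan 10 03:12:03 localhost sshd[2102]: Failed password for invalid user test from 192.0.2.10 port 40126 ssh2
Jan 10 03:12:05 localhost sshd[2103]: Failed password for root from 192.0.2.10 port 40130 ssh2
Jan 10 03:12:07 localhost sshd[2104]: Failed password for invalid user oracle from 192.0.2.44 port 51200 ssh2
Jan 10 03:12:09 localhost sshd[2105]: Failed password for invalid user test from 192.0.2.44 port 51204 ssh2
Jan 10 03:12:11 localhost sshd[2106]: Failed password for nagios from 192.0.2.44 port 51208 ssh2
Jan 10 03:12:13 localhost sshd[2107]: Failed password for root from 192.0.2.44 port 51212 ssh2
Jan 10 03:15:40 localhost sshd[2110]: Accepted password for alice from 192.0.2.77 port 60000 ssh2
Jan 10 03:16:00 localhost sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
EOF
}

# Read sshd log lines on stdin and print "count status user", highest count
# first. Status is "invalid" when sshd logged the "invalid user" marker (name
# unknown or not permitted at the time of the attempt), otherwise "valid".
classify_failures() {
  awk '
    match($0, /sshd\[[0-9]+\]: Failed password for /) {
      # Keep only the text after the first (leftmost) sshd message prefix.
      rest = substr($0, RSTART + RLENGTH)
      status = "valid"
      if (sub(/^invalid user /, "", rest)) status = "invalid"
      # Strip the trailing " from ADDR port N ssh2"; anchoring at the end of
      # the line keeps a client-chosen name containing " from " intact.
      sub(/ from [^ ]+ port [0-9]+( ssh2)?$/, "", rest)
      count[status " " rest]++
    }
    END { for (k in count) print count[k], k }
  ' | LC_ALL=C sort -k1,1nr -k2
}

# Demo on the constructed sample; for real data use:
#   cat /var/log/secure* | classify_failures | head -5
sample_log | classify_failures
```

Because the marker records what sshd decided when the attempt happened, this also classifies correctly for accounts that were created or removed after the log entries were written, which a later `getent` lookup cannot do.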
