script needed

Michael Velez mikev777 at hotmail.com
Fri Aug 5 11:13:06 UTC 2005


I'd say something like this should work:

#!/bin/bash

# Unique IP addresses seen in the matching lines of the last 50 log entries.
IPADDRLIST=$(tail -50 /var/log/messages | grep "<line pattern>" | awk '{print $<ip addr field number>}' | sort | uniq)

for IPADDR in $IPADDRLIST
do
	# Count the matching lines for this address; -F keeps the dots literal
	# and -w stops 10.0.0.1 from also counting lines for 10.0.0.10.
	IPADDRCNT=$(tail -50 /var/log/messages | grep "<line pattern>" | grep -c -F -w "$IPADDR")

	if [[ $IPADDRCNT -ge 10 ]]
	then
		echo "$IPADDR" >> /etc/hosts.deny
	fi
done

where <line pattern> is the pattern of the line you're looking for in the
messages file and <ip addr field number> is the field number of the IP
address in the line found, where fields are any group of characters
separated by a white space.

The first grep will give you a list of all IP addresses.  The for loop will
then loop through that list and find the line count number for each IP
address.  If greater than 10, concatenate to the hosts.deny file (NOTE: I've
never used that file so I don't know if pure appending results in the right
format. You may have to change that part).

Also, the awk may not give you the IP address on its own since I don't know
the format of that line either (you need to check and change if necessary).
If not you may have to add an extra step in the pipe after the awk to just
get the IP address.

In any case, the above should point you in the right direction,
Michael



> -----Original Message-----
> From: redhat-list-bounces at redhat.com 
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of kmail
> Sent: Friday, August 05, 2005 1:16 AM
> To: redhat-list at redhat.com
> Subject: script needed
> 
> Hello all,
> 
> I need a script to read the last 50 lines for example from 
> the messages log and look for repeated ftp access attempts, 
> then when the number of attempts exceeded 10 or any 
> configurable number, then that ip will be appended to the 
> hosts.deny file, or, something can help preventing that kind of attack
> 
> any idea ?
> 
> Thanks
> 
> 
> 
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
> 
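A fuller version of what the two messages above describe, written as an added example and not as code from either poster or from the list: it takes the threshold from a variable rather than hard-coding 10, extracts only the quoted client address from each line so that one IP cannot inflate another's count, writes entries in the `daemon_list : client_list` form that hosts_access(5) expects, and skips addresses already present in hosts.deny so that running it from cron does not pile up duplicates. The log line format (vsftpd-style `FAIL LOGIN: Client "a.b.c.d"`), the sample log contents and the sample hosts.deny are all constructed here for the example; adjust the grep pattern and the sed extraction to whatever your FTP daemon actually logs.

```shell
#!/bin/bash
# Added example, not code from the thread. Tallies failed FTP logins per
# client IP in the last $LINES log lines and prints hosts.deny entries for
# any IP at or above $THRESHOLD. The log format is ASSUMED (vsftpd-style
# 'FAIL LOGIN: Client "a.b.c.d"'); change the pattern for your daemon.

LINES=50          # how many trailing lines of the log to inspect
THRESHOLD=3       # attempts at or above this get blocked (3 so the sample trips it)

# Constructed sample log standing in for /var/log/messages.
LOGFILE=$(mktemp)
cat > "$LOGFILE" <<'EOF'
Aug  5 01:10:01 host vsftpd[1234]: FAIL LOGIN: Client "192.0.2.10"
Aug  5 01:10:02 host vsftpd[1234]: FAIL LOGIN: Client "192.0.2.10"
Aug  5 01:10:03 host vsftpd[1234]: OK LOGIN: Client "198.51.100.7"
Aug  5 01:10:04 host vsftpd[1234]: FAIL LOGIN: Client "192.0.2.10"
Aug  5 01:10:05 host vsftpd[1234]: FAIL LOGIN: Client "192.0.2.100"
Aug  5 01:10:06 host vsftpd[1234]: FAIL LOGIN: Client "203.0.113.5"
Aug  5 01:10:07 host vsftpd[1234]: FAIL LOGIN: Client "203.0.113.5"
Aug  5 01:10:08 host vsftpd[1234]: FAIL LOGIN: Client "203.0.113.5"
Aug  5 01:10:09 host vsftpd[1234]: FAIL LOGIN: Client "203.0.113.5"
EOF

# Constructed stand-in for /etc/hosts.deny: 203.0.113.5 is already blocked.
DENYFILE=$(mktemp)
printf 'ALL: 203.0.113.5\n' > "$DENYFILE"

# Print "count ip" for every client IP with a failed login in the last
# $LINES lines of the log given as $1. sed pulls out only the quoted
# address, so text elsewhere on the line cannot be mistaken for an IP.
count_failures() {
    tail -n "$LINES" "$1" \
        | grep 'FAIL LOGIN: Client "' \
        | sed -n 's/.*Client "\([0-9.]*\)".*/\1/p' \
        | sort | uniq -c \
        | awk '{print $1, $2}'
}

# Print the failure count for the single IP $2 in log $1 (0 if none).
failures_for() {
    n=$(count_failures "$1" | awk -v ip="$2" '$2 == ip {print $1}')
    echo "${n:-0}"
}

# Print the IPs at or above THRESHOLD, one per line.
offenders() {
    count_failures "$1" | awk -v t="$THRESHOLD" '$1 >= t {print $2}'
}

# Print the hosts.deny lines still missing from deny file $2 for offenders
# in log $1. grep -F -w keeps "." literal and stops 192.0.2.10 from
# matching an existing 192.0.2.100 entry, so repeated runs add no duplicates.
new_deny_entries() {
    for ip in $(offenders "$1"); do
        if ! grep -q -F -w "$ip" "$2"; then
            echo "ALL: $ip"
        fi
    done
}

# Show what would be appended; in real use redirect this with >> /etc/hosts.deny.
new_deny_entries "$LOGFILE" "$DENYFILE"
```

On the sample data this prints `ALL: 192.0.2.10` only: 192.0.2.10 has three failures and is not yet listed, 192.0.2.100 has one and stays under the threshold, and 203.0.113.5 is over the threshold but already present in the deny file. Because the script only appends, an address stays blocked until someone edits hosts.deny by hand; if that is not what you want, write the entries to a separate file that a cron job rotates, and keep in mind that an attacker who can make your server log an arbitrary "client" string could get an address of their choosing blocked, which is why the extraction is pinned to the quoted field rather than taking any dotted number on the line.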