Linux - Newbie (LinuxQuestions.org)
This Linux forum is for members that are new to Linux. Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!
What are you ultimately trying to do? Somehow I get the feeling you want to take the next step, which is auto-blocking of such events. If so, fail2ban might be what you are looking for. But there still may be other solutions too.
Ultimately, I want to add the offending IP to hosts.deny. I would love to just use a ready made utility, but I cannot on this particular device. It has to be a script that is run via cron that monitors and then simply puts the IP in hosts.deny. It cannot be a daemon or any other running service. That being the case, got any suggestions of how to go about such a script or know of anywhere I can find such info? The OS is SLES 9 version 3. Thank You.
I checked out fail2ban, but it's not quite what I'm looking for. I don't want to permanently ban the IPs, just temporarily deny them until they can be looked into. I cannot add any additional RPMs on the device, it's locked down that way. The solution I'm looking for is via a script, the help I'm requesting is how to format that script, or what syntax to use, or perhaps even a pointer in where to find similar scripts or examples. Any such information or tips would be greatly appreciated. I have got the rest of the script figured out, except for how to get a variable with the offending IP in it, and only the offending IP. Thank You.
calipryss, it is difficult to help when requirements and restrictions are withheld, and only come out piece by piece. It wastes people's time. I sensed correctly that you actually wanted something different than you asked.
For the future, please provide a clearly stated goal, and as many of your requirements as possible.
Like chrism01, I wonder about your distinction between "script" and "daemon or services". These are two separate concepts: one a language, the other a mode of operation.
I'm still trying to figure out if you will be able to modify the hosts.deny file, since you [don't have rights/aren't allowed] to install anything on the machine. Which is it? Modifying the hosts.deny file requires root privileges.
Let me clarify. Although I have root privileges, I cannot run any apps per our agreement with a vendor who supplied this device. I can create scripts run by cron. I'm not withholding requirements but I don't feel a need to get into the nitty gritty details when in the end, I'm asking specifically about a script to do what I reflected in my original emails. I appreciate your alternative suggestions, but that wasn't my question.
For those of you that are trying to help me accomplish this script - thank you. For those of you that are more interested in changing or challenging my approach, don't bother responding as a script is the only solution I can implement.
To further clarify, this script would not be continuously running as any daemon, it would run via cron maybe every 15 minutes or something to that effect. It's a gray area, I recognize that and trust me, I realize that in the end, it's essentially the same concept but as long as it's not a daemon, I can implement it.
That's fine. But please understand when you ask for other people's time, for free, you must do more upfront legwork and spend time to be as clear as possible.
Your requirements are still lacking:
How are previous log reads managed? Does the script need to manage and maintain state? Or does the script simply re-read the entire log and resend previously sent alerts?
You say "shell script". Does that mean it must all be shell? Which shell? Other scripting languages make the job much faster and far easier (awk, perl). Can those be used? If you have to call external utilities for each line of a large log file, this is very expensive, and very slow. Compare:
$ wc /var/log/somelog
50363 856414 8961876 /var/log/somelog
$ time while read line; do (( i++)) ; done < /var/log/somelog
$ time while read line; do /bin/echo > /dev/null ; done < /var/log/somelog
That was 50000+ processes created.
I have a partially written perl script if you want that.
Thank you for your response. I finally figured it out today. I wrote a script that gets the last five minutes worth of log data and greps for any refusals. The output of that is basically two fields, time and IP; I then took a count of the times the IP was refused and compared that to a threshold I had already specified. If the count is greater than my threshold, I send myself an email and put the IP in hosts.deny for all protocols. The time was a little tricky with how the application (that creates the log) posts time in the file.
As far as expense is concerned, I dummied up a file and ran it a few times and with how powerful this device is and how little CPU, memory, etc. it uses, the expense was at the utmost minimal.
While I understand the nature of the forum is to provide free help and assistance, I had only intended on asking my original question: how to get a script to read a log file and obtain the IP for any IP getting refused more than five times in five minutes. If I post again in the future, I will be more clear as to the specifics as well as try to be more clear with my goal so the post stays on track. I appreciate your feedback and in the future, if I have scripting questions I will post more accurately, maybe in the programming forum?
To answer your question - it's a bash shell. If you're interested I can post the script. I'm sure it's very novice, but in learning something new, you have to start somewhere right?
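An added example, not the poster's script (which was never shared in the thread): a bash version of the procedure described above, counting refusals per IP inside a time window in a single awk pass (so no process is forked per log line, the cost measured in the earlier reply) and appending each offender to hosts.deny only once, so a run every 15 minutes does not re-add or re-alert on the same address. The log format, timestamps and addresses are constructed; the "refused connect from" text is tcp_wrappers' wording and is assumed to be what the device logs.

```shell
#!/bin/bash
# Added example (not from the thread): count tcp_wrappers refusals per IP
# inside a time window and deny repeat offenders via hosts.deny.
# Assumed (constructed) log format, one refusal per line:
#   2015-01-10 12:31:02 host sshd[123]: refused connect from 203.0.113.5
set -u

# Write a constructed sample log to $1 so the functions can be exercised offline.
make_sample_log() {
    cat > "$1" <<'EOF'
2015-01-10 12:20:05 host sshd[100]: refused connect from 198.51.100.7
2015-01-10 12:31:02 host sshd[101]: refused connect from 203.0.113.5
2015-01-10 12:31:09 host sshd[102]: refused connect from 203.0.113.5
2015-01-10 12:31:15 host sshd[103]: refused connect from 203.0.113.5
2015-01-10 12:32:01 host sshd[104]: refused connect from 203.0.113.5
2015-01-10 12:32:44 host sshd[105]: refused connect from 203.0.113.5
2015-01-10 12:33:10 host sshd[106]: refused connect from 203.0.113.5
2015-01-10 12:33:30 host sshd[107]: refused connect from 198.51.100.7
2015-01-10 12:34:00 host sshd[108]: accepted connect from 192.0.2.9
EOF
}

# refused_ips LOG CUTOFF THRESHOLD
# Prints each IP refused more than THRESHOLD times at or after CUTOFF
# ("YYYY-MM-DD HH:MM:SS", compared as a string). One awk pass, no per-line fork.
refused_ips() {
    awk -v cutoff="$2" -v thr="$3" '
        /refused connect from/ && ($1 " " $2) >= cutoff { n[$NF]++ }
        END { for (ip in n) if (n[ip] > thr) print ip }' "$1"
}

# ban_ip IP DENYFILE
# Appends "ALL: IP" (tcp_wrappers syntax) unless that exact line is already
# present, so repeated cron runs never add an address twice. Returns 0 if added.
ban_ip() {
    grep -qxF "ALL: $1" "$2" 2>/dev/null && return 1
    echo "ALL: $1" >> "$2"
}

# check_log LOG CUTOFF THRESHOLD DENYFILE
# Glue for cron: ban each new offender and print one alert line (cron mails
# the job's stdout to its owner). Example crontab command line (GNU date):
#   check_log /var/log/somelog "$(date -d '5 minutes ago' '+%F %T')" 5 /etc/hosts.deny
check_log() {
    refused_ips "$1" "$2" "$3" | while read -r ip; do
        if ban_ip "$ip" "$4"; then
            echo "ALERT: $ip refused more than $3 times since $2; added to $4"
        fi
    done
}
```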
Because so many questions in forums do not represent the underlying goal, and instead focus on implementation specifics, there are occasional "false positives" in the assumption that there is yet a larger, more fundamental problem.