moyorakkhi |
01-07-2011 01:30 PM |
Basic shell script question
Hello,
I want to filter and block failed attempts to access my proftpd server. Here are a few lines from the /var/log/secure file:
Quote:
Jan 2 18:38:25 server1 proftpd[17847]: server1.XYZ.com (93.218.93.95[93.218.93.95]) - Maximum login attempts (3) exceeded
Jan 2 18:38:27 server1 proftpd[17864]: server1.XYZ.com (93.218.93.95[93.218.93.95]) - USER admin (Login failed): Incorrect password.
Jan 2 18:38:29 server1 proftpd[17864]: server1.XYZ.com (93.218.93.95[93.218.93.95]) - Maximum login attempts (3) exceeded
Jan 2 18:38:31 server1 proftpd[17874]: server1.XYZ.com (93.218.93.95[93.218.93.95]) - USER admin (Login failed): Incorrect password.
Jan 2 18:38:34 server1 proftpd[17874]: server1.XYZ.com (93.218.93.95[93.218.93.95]) - Maximum login attempts (3) exceeded
|
There are several lines like this. I would like to block any attempts like this from any IP twice. Here's a script I'm trying to run to block those IPs.
Quote:
#!/bin/sh
# scan /var/log/secure for proftpd attempts
# use iptables to block the bad guys
# Looking for attempts on existing and non-existing users.
# note: $7 is the whole "(A.B.C.D[A.B.C.D])" token, not the bare IP
tail -n 1000 /var/log/secure | awk '/proftpd/ && /Maximum login/ { if (/attempts/) try[$7]++; else try[$11]++; }
END { for (h in try) if (try[h] > 4) print h; }' |
while read -r ip
do
    # note: check if IP is already blocked (-w/-F so 1.2.3.4 does not match 1.2.3.45)
    if /sbin/iptables -L -n | grep -qwF -- "$ip" ; then
        # echo "already denied ip: [$ip]" ;
        true
    else
        # echo "Subject: denying ip: $ip" | /usr/sbin/sendmail admin@XYZ.com
        logger -p authpriv.notice "*** Blocking ProFTPD attempt from: $ip"
        /sbin/iptables -I INPUT -s "$ip" -j DROP
    fi
done
|
How can I select the IP with "awk"? With the current script it's selecting "(93.218.93.95[93.218.93.95])" completely, but I only want to select the IP so that iptables can drop requests from that IP.
Thanks in advance!
|
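The extraction the question asks for, as an added example that is not part of the original post. Instead of trusting field 7 (the reverse-DNS name in field 6 could contain whitespace and shift the fields), it matches the "(A.B.C.D[" token anywhere on the line with awk's match()/RSTART/RLENGTH and keeps only the dotted quad, then validates each address in the shell before it is handed to iptables. The sample log lines are constructed to mirror the excerpt above (the 10.0.0.7 and sshd lines are made up); the THRESHOLD, LOG and IPTABLES variables, the --apply flag, and the use of `iptables -S INPUT` output (`-A INPUT -s A.B.C.D/32 -j DROP`) for the already-blocked check are this example's own assumptions, not the poster's:

```shell
#!/bin/sh
# Added example: pull the client IP out of proftpd "Maximum login attempts"
# lines and count it per address. Not the original poster's script.

# Constructed sample of /var/log/secure in the same layout as the post's excerpt.
SAMPLE_LOG='Jan 2 18:38:25 server1 proftpd[17847]: server1.XYZ.com (93.218.93.95[93.218.93.95]) - Maximum login attempts (3) exceeded
Jan 2 18:38:27 server1 proftpd[17864]: server1.XYZ.com (93.218.93.95[93.218.93.95]) - USER admin (Login failed): Incorrect password.
Jan 2 18:38:29 server1 proftpd[17864]: server1.XYZ.com (93.218.93.95[93.218.93.95]) - Maximum login attempts (3) exceeded
Jan 2 18:38:34 server1 proftpd[17874]: server1.XYZ.com (93.218.93.95[93.218.93.95]) - Maximum login attempts (3) exceeded
Jan 2 18:40:02 server1 proftpd[17901]: server1.XYZ.com (10.0.0.7[10.0.0.7]) - Maximum login attempts (3) exceeded
Jan 2 18:41:10 server1 sshd[17920]: Failed password for root from 192.0.2.9 port 5555 ssh2'

# offenders LIMIT: read log lines on stdin, print each IP whose count of
# "Maximum login attempts" lines is greater than LIMIT (same rule as the
# original script, which only counts those lines).
offenders() {
    awk -v limit="$1" '
        /proftpd\[/ && /Maximum login attempts/ {
            # Find "(A.B.C.D[" wherever it sits on the line; the bare IP is
            # the match minus the surrounding "(" and "[".
            if (match($0, /\([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\[/))
                hits[substr($0, RSTART + 1, RLENGTH - 2)]++
        }
        END { for (ip in hits) if (hits[ip] > limit) print ip }
    '
}

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255, so that
# nothing but an address ever reaches an iptables command line.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|"") return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Only touch the firewall when explicitly asked (./block.sh --apply).
if [ "${1:-}" = "--apply" ]; then
    LOG=${LOG:-/var/log/secure}            # assumed default path
    IPTABLES=${IPTABLES:-/sbin/iptables}   # assumed default path
    THRESHOLD=${THRESHOLD:-4}              # same cut-off as the original script
    tail -n 1000 "$LOG" | offenders "$THRESHOLD" |
    while read -r ip; do
        if ! valid_ipv4 "$ip"; then
            logger -p authpriv.warning "refusing to block malformed address: $ip"
            continue
        fi
        # Exact rule match on "-s A.B.C.D/32 " instead of a substring grep,
        # so 1.2.3.4 is never mistaken for 1.2.3.45 or 11.2.3.4.
        if "$IPTABLES" -S INPUT | grep -qF -- "-s $ip/32 "; then
            continue
        fi
        logger -p authpriv.notice "*** Blocking ProFTPD attempt from: $ip"
        "$IPTABLES" -I INPUT -s "$ip" -j DROP
    done
fi
```

Run with `printf '%s\n' "$SAMPLE_LOG" | offenders 2` to see the counting on the sample, and with `--apply` as root to act on the real log. One caveat that carries over from the original approach: `tail -n 1000` re-reads the same lines on every run, so an address keeps counting against the threshold until those lines scroll out of the window; a tool that tracks log position and expires bans (fail2ban does both) avoids that.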