By the way, anyone have a take on what kind of performance hit this will take on a server? So far I have 22 addresses or address ranges blocked in my blacklist. And is there a better way? Most of the attempts have been to try to gain root access via ssh, which root isn't allowed to ssh anyway, so this would always fail. Some are for non-existent users.
Brian Densmore
-----Original Message----- From: Brian Densmore
Well you were right about sed. Not something I could do with sed. I wound up using awk, and temporarily putting the addresses in a separate file until I feel comfortable it won't jack up my firewall.
#!/bin/sh
# list of ip address to allow always MYIP=yyy.yyy.yyy.yyy MYIP2=xxx.xxx.xxx.xxx
# name of logfile to scan - need to variablize so I can call it with an alternate # logfile and default to this lfl=/var/log/auth.log
# ugly all on one line, but it works cat $lfl | grep -i failed\ password | awk '{ print $11 }' |uniq | grep -v $MYIP | grep -v $MYIP2 >> /etc/illegalips.txt
# still to do add commands to extract ips from above file # and add to actual blacklist and call firewall restart
Kclug mailing list [email protected] http://kclug.org/mailman/listinfo/kclug