Well, you were right about sed. Not something I could do with sed. I wound up using awk, and temporarily putting the addresses in a separate file until I feel comfortable it won't jack up my firewall.
#!/bin/sh
# list of ip addresses to allow always
MYIP=yyy.yyy.yyy.yyy
MYIP2=xxx.xxx.xxx.xxx
# name of logfile to scan - need to variablize so I can call it with an alternate
# logfile and default to this
lfl=/var/log/auth.log
# ugly all on one line, but it works
# ($11 is the address only on "Failed password for USER from ADDR" lines;
#  sort -u because uniq alone only drops adjacent repeats; -xF matches the
#  allowed addresses as exact fixed strings, not as regex substrings)
cat "$lfl" | grep -i failed\ password | awk '{ print $11 }' | sort -u | grep -vxF "$MYIP" | grep -vxF "$MYIP2" >> /etc/illegalips.txt
# still to do add commands to extract ips from above file
# and add to actual blacklist and call firewall restart
-----Original Message-----
From: Jeremy Turner
So I guess it's time to pull out the sed pocket reference I have and learn something in there to help.
Nah... you're crying out for Perl =)
#---------------------------------------------------------------
#!/usr/bin/perl

$my_ip = "192.168.0.1";
%seen = ();

# get input from stdin
while (<>) {
    # illegal = no username
    # failed = wrong password
    if (/Failed/ || /Illegal/) {
        # match an ip address; only use $1 when the match succeeded,
        # and compare it to $my_ip as a plain string, not as a regex
        if (/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/ && $1 ne $my_ip) {
            $seen{$1}++;
        }
    }
}
@ips = sort keys %seen;
foreach (@ips) {
    print "$_\n";
}
#-----------------------------------------------------------
The "Failed" and "Illegal" words are lines you would check to contain IP addresses. The hash table is to knock out duplicate IP addresses.
Jeremy
-- Jeremy Turner [email protected] Linux Tips and News! ---> http://linuxwebguy.com
Kclug mailing list [email protected] http://kclug.org/mailman/listinfo/kclug
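
Added example, not part of the original thread or either poster's code: the user name in an sshd "Failed password" line is supplied by the remote client, so "invalid user" lines shift the field count and a fixed field such as $11 can hand a user name to the blacklist. This sketch reads the address relative to the trailing "from ADDR port N", validates it as IPv4, and matches the allowlist exactly. The function names and the sample log lines are constructed for illustration, and the OpenSSH-style line layout is an assumption.

```shell
# Constructed sample log (documentation address ranges), written to file $1.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 10 03:12:01 host sshd[411]: Failed password for root from 203.0.113.7 port 4022 ssh2
Jan 10 03:12:04 host sshd[412]: Failed password for invalid user bob from 198.51.100.23 port 4100 ssh2
Jan 10 03:12:09 host sshd[413]: Failed password for root from 203.0.113.7 port 4031 ssh2
Jan 10 03:12:15 host sshd[414]: Failed password for admin from 192.0.2.10 port 5000 ssh2
Jan 10 03:12:20 host sshd[415]: Failed password for root from scanner.example.net port 5001 ssh2
Jan 10 03:12:31 host sshd[416]: Accepted password for alice from 192.0.2.99 port 5002 ssh2
EOF
}

# extract_failed_ips LOGFILE [ALLOWED_IP ...]
# Prints unique, validated IPv4 source addresses of failed logins, one per line.
extract_failed_ips() {
    logfile=$1; shift
    allow=" $* "                       # space-delimited list for exact matching
    awk -v allow="$allow" '
        # Accept only dotted quads whose octets are all in 0-255.
        function valid_ip(s,   o, n, i) {
            if (s !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return 0
            n = split(s, o, ".")
            for (i = 1; i <= n; i++)
                if (length(o[i]) > 3 || o[i] + 0 > 255) return 0
            return 1
        }
        tolower($0) ~ /failed password/ {
            # Scan from the end of the line for "from ADDR port", so the
            # client-chosen user name cannot shift or replace the address.
            for (i = NF - 1; i > 2; i--)
                if ($i == "port" && $(i - 2) == "from") {
                    ip = $(i - 1)
                    if (valid_ip(ip) && index(allow, " " ip " ") == 0) print ip
                    break
                }
        }
    ' "$logfile" | sort -u
}

# Demo: 192.0.2.10 plays the role of MYIP in the script above.
sample=$(mktemp) && write_sample_log "$sample"
extract_failed_ips "$sample" 192.0.2.10
rm -f "$sample"
```

Anything that later feeds this output to a firewall should still treat the file as untrusted input and re-validate each line before use.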