Shell script to block proftp failed attempt
Posted by Saif on Server Fault
Published on 2011-01-07T19:09:55Z
Hello,
I want to filter and block failed attempts to access my proftp server. Here is an example line from the /var/log/secure file:
Jan 2 18:38:25 server1 proftpd[17847]: spy1.XYZ.com (93.218.93.95[93.218.93.95]) - Maximum login attempts (3) exceeded
There are several lines like this. I would like to block any attempts like this from any IP twice. Here's a script I'm trying to run to block those IPs.
# Count "Maximum login" lines per source token over the last 1000 log lines.
tail -1000 /var/log/secure | awk '/proftpd/ && /Maximum login/ { if (/attempts/) try[$7]++; else try[$11]++; }
END { for (h in try) if (try[h] > 4) print h; }' |
while read -r ip
do
    # Skip sources that already appear in the current rule listing.
    /sbin/iptables -L -n | grep "$ip" > /dev/null
    if [ $? -eq 0 ] ; then
        # echo "already denied ip: [$ip]" ;
        true
    else
        logger -p authpriv.notice "*** Blocking ProFTPD attempt from: $ip"
        /sbin/iptables -I INPUT -s "$ip" -j DROP
    fi
done
How can I select the IP with "awk"? With the current script it's selecting "(93.218.93.95[93.218.93.95])" this line completely. But I only want to select the IP.
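One way to pull only the bracketed address out of the "(host[ip])" token, shown as an added example that is not part of the original post. The function names, the threshold of 2, the APPLY switch and the sample log lines are assumptions made for illustration, and `iptables -C` needs an iptables release that supports the check option. The extracted value is validated as a dotted quad before it reaches iptables, because the host name part of the log line comes from the remote side.

```shell
#!/bin/sh
# Added example. Log lines are constructed, modelled on the one in the question.
sample_log() {
cat <<'EOF'
Jan  2 18:38:25 server1 proftpd[17847]: spy1.XYZ.com (93.218.93.95[93.218.93.95]) - Maximum login attempts (3) exceeded
Jan  2 18:40:02 server1 proftpd[17901]: spy1.XYZ.com (93.218.93.95[93.218.93.95]) - Maximum login attempts (3) exceeded
Jan  2 18:41:10 server1 proftpd[17950]: host.example (192.0.2.10[192.0.2.10]) - Maximum login attempts (3) exceeded
Jan  2 18:42:00 server1 proftpd[17960]: bad.example (999.1.1.1[999.1.1.1]) - Maximum login attempts (3) exceeded
Jan  2 18:42:05 server1 proftpd[17961]: bad.example (999.1.1.1[999.1.1.1]) - Maximum login attempts (3) exceeded
Jan  2 18:43:00 server1 sshd[100]: Failed password for root from 198.51.100.7 port 22 ssh2
EOF
}

# offenders MIN: read log lines on stdin, print every IPv4 address that has
# at least MIN "Maximum login attempts" lines, one per line, sorted.
offenders() {
    awk -v min="$1" '
        function valid(ip,    o, i) {          # four octets, each 0..255
            if (split(ip, o, ".") != 4) return 0
            for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) return 0
            return 1
        }
        /proftpd\[[0-9]+\]:/ && /Maximum login attempts/ {
            # The address is the bracketed part of the "(host[ip])" token.
            if (match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]\)/)) {
                ip = substr($0, RSTART + 1, RLENGTH - 3)
                if (valid(ip)) hits[ip]++
            }
        }
        END { for (ip in hits) if (hits[ip] >= min) print ip }
    ' | sort
}

# block_ip IP: add a DROP rule unless an identical rule already exists.
block_ip() {
    /sbin/iptables -C INPUT -s "$1" -j DROP 2>/dev/null && return 0
    logger -p authpriv.notice "*** Blocking ProFTPD attempt from: $1"
    /sbin/iptables -I INPUT -s "$1" -j DROP
}

# Dry run by default; set APPLY=yes (as root) to read the real log and block.
if [ "${APPLY:-}" = "yes" ]; then
    tail -1000 /var/log/secure | offenders 2 | while read -r ip; do block_ip "$ip"; done
else
    sample_log | offenders 2
fi
```

Matching on the line content instead of a field number keeps the extraction stable when the date is padded differently or the host name field changes shape.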