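monitor-apache-log:
#!/usr/local/bin/gawk -f
# Read sshd-style log lines ("Failed password ... from <ip> port <n>") on
# stdin and, once one peer address has produced `ban_threshold` failures,
# add it to ipfw table 1.  The entry is released again after the address has
# been quiet for `bantime` seconds.  Expiry is only evaluated when a new log
# line arrives, so on an idle log a ban can outlive `bantime`.
#
# Changes from the collapsed original: the peer address is extracted with a
# strict dotted-quad match (the original cut the text after the first
# "from ", which is reachable from the attacker-supplied user name and was
# passed straight to system()); "ipfw table 1 delete" is only issued for
# addresses that were actually banned (the original ran it on every line for
# every quiet, never-banned address); the magic numbers 5 / 4 are one
# named threshold.

# Return the peer address of a "Failed password ... from <ip> port <n>" line,
# or "" when no such field is present.  The LAST "from <ip> port" occurrence
# is used, because sshd appends the connection's address at the end of the
# line, and only a dotted quad is accepted, so what reaches system() is
# always a plain IPv4 literal.
function failed_login_peer(line,    rest, ip) {
    ip = ""
    rest = line
    while (match(rest, / from [0-9]+(\.[0-9]+){3} port /)) {
        # " from " is 6 characters, " port " is 6 characters
        ip = substr(rest, RSTART + 6, RLENGTH - 12)
        rest = substr(rest, RSTART + 1)
    }
    return ip
}

# True (1) when `ip` starts with one of the configured exempt prefixes.
function is_exempt(ip,    i) {
    for (i in exempt_clients) {
        if (index(ip, exempt_clients[i]) == 1) {
            if (verbose != 0)
                print "Exempting entry, matched against " exempt_clients[i]
            return 1
        }
    }
    return 0
}

BEGIN {
    bantime = 30          # seconds of silence before a banned address is released
    ban_threshold = 5     # failures from one address that trigger the ban
    verbose = 1
    exempt_clients_string = "192.168.9.|82.169.210.180"
    split(exempt_clients_string, exempt_clients, "|")
}

{
    client = ""
    if (index($0, "Failed password ") > 0)
        client = failed_login_peer($0)

    if (length(client) > 0 && !is_exempt(client)) {
        if (client in hits) {
            if (verbose != 0)
                print "Increasing hitcount for " client
            hits[client] += 1
        } else {
            if (verbose != 0)
                print "Adding " client " to monitored list"
            hits[client] = 1
        }
        last_seen[client] = systime()

        # Ban exactly once, on the attempt that reaches the threshold.
        if (hits[client] == ban_threshold)
            system("ipfw table 1 add " client)
        else if (verbose != 0)
            print "no action needed [" hits[client] "]"
    }

    # Release bans whose address has been quiet for longer than bantime.
    # Addresses that never reached the threshold keep their counter, as in
    # the original.  gawk fixes the list of elements before a for-in loop
    # starts, so deleting the current element is safe here.
    now = systime()
    for (ip in last_seen) {
        if (now - last_seen[ip] > bantime && hits[ip] >= ban_threshold) {
            system("ipfw table 1 delete " ip)
            delete hits[ip]
            delete last_seen[ip]
        }
    }
}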
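Interested in supplying feedback to these scripts? Send an e-mail to niks at wcclan dot net. Ideas / suggestions are also welcome.
#!/usr/local/bin/gawk -f
# Read Apache error-log lines on stdin and, once one client address has
# produced `ban_threshold` entries, add it to ipfw table 1.  The entry is
# released again after the address has been quiet for `bantime` seconds.
# Expiry is only evaluated when a new log line arrives, so on an idle log a
# ban can outlive `bantime`.
#
# NOTE(review): this assumes lines of the form
#   [date] [level] [client a.b.c.d] message
# — confirm against the actual log format.  The collapsed original took the
# address from fixed column 44 up to the next "]", which silently shifts on
# any line whose level token has a different length ("[warn]" vs "[error]")
# and then hands arbitrary message text to system().
#
# Other changes: "ipfw table 1 delete" is only issued for addresses that
# were actually banned (the original ran it on every line for every quiet,
# never-banned address); the magic numbers 5 / 4 are one named threshold.

# Return the address in the "[client <ip>]" field of an Apache error-log
# line, or "" when the field is absent.  Only a dotted quad is accepted, so
# what reaches system() is always a plain IPv4 literal.
function apache_error_peer(line) {
    if (match(line, /\[client [0-9]+(\.[0-9]+){3}\]/)) {
        # "[client " is 8 characters, "]" is 1 character
        return substr(line, RSTART + 8, RLENGTH - 9)
    }
    return ""
}

# True (1) when `ip` starts with one of the configured exempt prefixes.
function is_exempt(ip,    i) {
    for (i in exempt_clients) {
        if (index(ip, exempt_clients[i]) == 1) {
            if (verbose != 0)
                print "Exempting entry, matched against " exempt_clients[i]
            return 1
        }
    }
    return 0
}

BEGIN {
    bantime = 5           # seconds of silence before a banned address is released
    ban_threshold = 5     # log entries from one address that trigger the ban
    verbose = 1
    exempt_clients_string = "192.168.9.|82.169.210.180"
    split(exempt_clients_string, exempt_clients, "|")
}

{
    client = apache_error_peer($0)

    if (length(client) > 0 && !is_exempt(client)) {
        if (client in hits) {
            if (verbose != 0)
                print "Increasing hitcount for " client
            hits[client] += 1
        } else {
            if (verbose != 0)
                print "Adding " client " to monitored list"
            hits[client] = 1
        }
        last_seen[client] = systime()

        # Ban exactly once, on the entry that reaches the threshold.
        if (hits[client] == ban_threshold)
            system("ipfw table 1 add " client)
        else if (verbose != 0)
            print "no action needed [" hits[client] "]"
    }

    # Release bans whose address has been quiet for longer than bantime.
    # Addresses that never reached the threshold keep their counter, as in
    # the original.  gawk fixes the list of elements before a for-in loop
    # starts, so deleting the current element is safe here.
    now = systime()
    for (ip in last_seen) {
        if (now - last_seen[ip] > bantime && hits[ip] >= ban_threshold) {
            system("ipfw table 1 delete " ip)
            delete hits[ip]
            delete last_seen[ip]
        }
    }
}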
