A script idea I am stumped by...


MkIII_Supra
01-19-2001, 11:30 PM
Hey, I want to create a simple bash script that will grep my ip.log for any IP that occurs more than 5 times. But there is a catch, I also want to be able to have it ignore specified IP addresses, namely my ISP Road Runner.

Anyhow after it greps any IP that occurs more than 5 times it will then cat that into a log then mail the log to me and issue the ifdown eth0 command.

It's a desktop security measure I am considering for Linux users that are on cable modem but not always around to monitor the system.

Can this be done in a bash script? Or should I get a Perl book and try it there? Also, if I can use bash, could a bash guru lend a suggestion?

Thanks, my bash scripting is limited and weak, but getting better!

------------------
The Dragon is swift and powerful. Beware his wrath...
Honor your family and yourself. Speak not out of passion but out of wisdom and temper the fires of war that reside in you, and you shall then reach your full measure as a man of Honor, Courage and Integrity.
http://www.angelfire.com/wa2/MkIIISupra/

Mazarin
01-20-2001, 02:45 AM
Perl might be the better choice. It's a bit easier to work with in terms of pattern matching and files than bash is.

At least in my opinion... But I've been working with Perl for 3 years vs. 6 months of bash.

corrumpu
01-20-2001, 03:32 PM
I would go with Perl. I just recently wrote an ipflog (BSD) log analyzer that does something similar... and if you want some scan detection and automated blocking of suspicious IPs, I would really look at PortSentry @ www.psionic.com

GREAT prog and has compiled on everything i can get my hands on (bsd/linux/solaris) and has options for external commands and mailing and all that jazz.


::chris::

good luck

MkIII_Supra
01-20-2001, 04:21 PM
I use the following:
1- PortSentry
2- FakeBo
3- My own ipchains firewall (NOTHING IN OR OUT BUT MAIL AND INTERNET...)
4- Firestarter (so I can ICQ...)
5- Hashed inetd.conf
6- iplog
7- /etc/hosts.deny ALL: ALL : DENY

Basically I want the system to protect itself even better. In reality, what I would like to build is a counter-offensive utility: after 20 or so attempts to connect, a reverse port scan is run on the individual, then the details are grepped and the offending system ID'd; from there another function would take the info and use that to select the appropriate utilities to commence an attack on the attacker.

An Aegis shield, basically. But until I learn more about how networks are set up and how attacks are conducted, I want to keep it simple, where the system will drop itself off-line as a defensive measure, especially when I am not home. This is mostly for when I take off for travel (military ****) and the wife is home alone.



YaRness
01-20-2001, 07:39 PM
OK, I'm going to try and freehand this.

I'm going to assume you are looking for one IP per line. This CAN be adjusted to do more than one IP per line, but I'm guessing in the logs you are considering, each line is going to be some kind of event, and you only need one instance of the IP off that line. This could be easily modified to find an IP on a line that has some particular event happening as well (like, pull IPs off lines that also include the text "Port Number: 31337" or something).

#!/usr/local/bin/perl -w
#
#
#Copyright (C) 2001 YaRness
#This program is free software; you can redistribute it and/or
#modify it under the terms of the GNU General Public License
#as published by the Free Software Foundation; either version 2
#of the License, or (at your option) any later version.
#This program is distributed in the hope that it will be useful,
#but WITHOUT ANY WARRANTY; without even the implied warranty of
#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
#GNU General Public License for more details.
#(possibly found at http://www.gnu.org/copyleft/gpl.html)
#
#i'm going to leave this so it only takes
#STDIN input, because i'm lazy. so
#you'd run it like "cat file|script" or
#"./script < file" etc. if someone
#wants to add to it, go for it. maybe i will
#later
#also gonna hardcode a config file that
#will contain IPs you want to skip
#(called "goodIPlist")
#
use strict;
#
#a dotted quad. note this does not check that each
#octet is 255 or less, so 199.111.66.666 also counts
#as an "IP" for our purposes
my $ip_re = qr/((?:[0-9]{1,3}\.){3}(?:[0-9]{1,3}))/;
#
#here we'll store IPs to skip over, as hash keys,
#so the lookup is an exact match. (a substring
#test against one long string would let 10.0.0.10
#on the good list also cover 10.0.0.1)
my %goodIPs;
#
open (my $skipfile, '<', "goodIPlist") or die "$0 couldn't open goodIPlist, stopped";
#
#assumes the file contains one ip address per line
while (<$skipfile>)
{
    if (/$ip_re/)
    {
        $goodIPs{$1} = 1;
    }
}
close $skipfile or die "$0 couldn't close goodIPlist, stopped";
#
#here we will store IPs found, and tally how
#many times they are found
my %foundIPhash;
while (<STDIN>)
{
    if (/$ip_re/)
    {
        #grab the IP now; any later match would clobber $1
        my $ip = $1;
        #if the IP is NOT in the good IP list, flag it
        if (not exists $goodIPs{$ip})
        {
            $foundIPhash{$ip} += 1;
        }
    }
}
#
#now we search for ones with more than 5 hits
foreach my $ip (sort keys %foundIPhash)
{
    if ($foundIPhash{$ip} > 5)
    {
        #here's where you put stuff to do with the
        #culprit IP address
        print "Found an abuser! IP: $ip\n";
    }
}


OK, so I actually DID test that... only had to correct two typos, and the darn thing actually worked. I tested it ("perl mk.pl < log") on a file that looks like this:

blah 199.111.66.666
111.222.333.444
199.111.66.666 blah
199.111.66.666
199.111.66.666 blah
33.344.455.54
yar 199.111.66.666
199.111.66.666 blah
127.0.0.1

127.0.0.1
foo 127.0.0.1
127.0.0.1
127.0.0.1


and it returned

Found an abuser! IP: 199.111.66.666


hope this helps!

If you need help modifying this to do other stuff, or incorporating it in other scripts, feel free to holler. Lots of us helpful, bored folks here.

I'll prolly edit this post in a minute, comment some stuff.

<edit> done. GPL'd it for ****s and giggles.
--------------------
"Assembly of Japanese bicycle require great peace of mind."
Registered Linux User #188285 http://counter.li.org/

[This message has been edited by YaRness (edited 20 January 2001).]

MkIII_Supra
01-21-2001, 02:37 AM
Many thanks! I will read it and learn then set the variables and run it! You da bomb!!


f'lar
01-21-2001, 03:38 PM
You could try making a copy of the file, and then going through the copy and removing the specified ip's. That shouldn't be too hard.

MkIII_Supra
01-21-2001, 05:37 PM
Here is an actual excerpt from my ip.log, and this is the norm. It is also the reason I want a script to do the search for me! What you see below is my ISP. I contacted them and asked if they could stop. Answer... no.


Jan 5 21:42:11 iplog started.
Jan 5 21:42:14 UDP: dgram to port 1024 from ns1.san.rr.com:53 (131 data bytes)
Jan 5 21:42:14 UDP: dgram to port 1025 from ns1.san.rr.com:53 (156 data bytes)
Jan 5 21:43:06 Warning: interface eth0 went down.
Jan 5 21:43:10 Caught signal 15, exiting.
Jan 5 21:44:08 iplog started.
Jan 5 21:44:09 UDP: dgram to port 1024 from ns1.san.rr.com:53 (131 data bytes)
Jan 5 21:44:09 UDP: dgram to port 1025 from ns1.san.rr.com:53 (156 data bytes)
Jan 5 21:44:09 UDP: dgram to port 1025 from ns1.san.rr.com:53 (131 data bytes)
Jan 5 21:44:52 last message repeated 3 times
Jan 5 21:44:52 UDP: dgram to port 1025 from ns1.san.rr.com:53 (127 data bytes)
Jan 5 21:45:53 UDP: dgram to port 1025 from ns1.san.rr.com:53 (384 data bytes)
Jan 5 21:46:47 UDP: dgram to port 1025 from ns1.san.rr.com:53 (131 data bytes)
Jan 5 21:47:47 last message repeated 5 times
Jan 5 21:47:47 last message repeated 1 times
Jan 5 21:47:47 UDP: dgram to port 1025 from ns1.san.rr.com:53 (131 data bytes)
Jan 5 21:48:09 UDP: dgram to port 1025 from ns1.san.rr.com:53 (251 data bytes)
Jan 5 21:49:12 UDP: dgram to port 1025 from ns1.san.rr.com:53 (131 data bytes)
Jan 5 21:51:11 last message repeated 5 times
Jan 5 21:53:13 last message repeated 1 times
Jan 5 21:53:13 UDP: dgram to port 1025 from ns1.san.rr.com:53 (131 data bytes)
Jan 5 21:56:19 last message repeated 3 times
Jan 5 21:56:54 last message repeated 1 times
Jan 5 21:56:54 UDP: dgram to port 1025 from ns1.san.rr.com:53 (131 data bytes)
Jan 5 21:58:01 last message repeated 3 times
Jan 5 21:58:01 UDP: dgram to port 1025 from ns1.san.rr.com:53 (384 data bytes)
Jan 5 21:59:25 UDP: dgram to port 1025 from ns1.san.rr.com:53 (131 data bytes)
Jan 5 22:04:32 last message repeated 1 times
Jan 5 22:04:33 last message repeated 1 times
Jan 5 22:04:33 UDP: dgram to port 1025 from ns1.san.rr.com:53 (131 data bytes)
Jan 5 22:06:09 last message repeated 4 times
Jan 5 22:09:19 last message repeated 1 times
Jan 5 22:09:19 UDP: dgram to port 1025 from ns1.san.rr.com:53 (149 data bytes)
Jan 5 22:10:54 UDP: dgram to port 1025 from ns1.san.rr.com:53 (131 data bytes)
Jan 5 22:12:22 last message repeated 3 times
Jan 5 22:12:23 last message repeated 1 times
Jan 5 22:12:23 UDP: dgram to port 1025 from ns1.san.rr.com:53 (131 data bytes)
Jan 5 22:14:04 UDP: dgram to port 1025 from ns1.san.rr.com:53 (149 data bytes)
Jan 5 22:15:45 UDP: dgram to port 1025 from ns1.san.rr.com:53 (131 data bytes)
Jan 5 22:17:55 last message repeated 1 times
Jan 5 22:17:55 last message repeated 1 times
Jan 5 22:17:55 UDP: dgram to port 1025 from ns1.san.rr.com:53 (131 data bytes)
Jan 5 22:19:20 last message repeated 1 times

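The procedure from the first post (count the sources in ip.log, skip the ISP, and once a source passes 5 hits write a report, mail it and ifdown eth0), written as the bash script that was asked for and run against lines in the iplog format quoted just above. This is an added example, not code from the thread: the 10.1.2.3 and 192.0.2.7 entries, the wording of the TCP lines, the whitelist contents and the mail recipient are made up for the demo. The excerpt shows two things a plain grep | sort | uniq -c would get wrong. iplog logged the ISP's name server as ns1.san.rr.com rather than an address, so the skip list has to hold whatever string actually follows "from" in the log, and each "last message repeated N times" line stands for N further hits that must be credited to the source on the line before it or the count comes out low.

```bash
#!/bin/bash
# Added example (not from the thread): tally connection sources in an
# iplog-style log, skip a list of trusted sources, and act on any
# source seen more than THRESHOLD times.

THRESHOLD=5

# Constructed sample in the format of the excerpt above. The first
# lines are copied from it; the 10.1.2.3 and 192.0.2.7 lines and the
# TCP line wording are made up for the demo. A "last message repeated
# N times" line stands for N more copies of the line before it, so a
# bare grep | sort | uniq -c undercounts by N each time.
SAMPLE_LOG='Jan 5 21:42:11 iplog started.
Jan 5 21:42:14 UDP: dgram to port 1024 from ns1.san.rr.com:53 (131 data bytes)
Jan 5 21:44:09 UDP: dgram to port 1025 from ns1.san.rr.com:53 (131 data bytes)
Jan 5 21:44:52 last message repeated 3 times
Jan 5 21:50:01 TCP: port 23 connection attempt from 10.1.2.3:4242
Jan 5 21:50:02 last message repeated 4 times
Jan 5 21:50:03 TCP: port 139 connection attempt from 10.1.2.3:4243
Jan 5 21:51:00 UDP: dgram to port 1025 from 192.0.2.7:53 (131 data bytes)
Jan 5 21:51:10 last message repeated 4 times'

# Trusted sources, one per line, exactly as they appear after "from"
# in the log. iplog logged the ISP's name server by name, so the
# entry is the hostname, not an address.
GOOD_LIST='ns1.san.rr.com'

# count_sources LOG GOODLIST
# Prints "count source" for every source not on GOODLIST, busiest
# first. The source is the token after "from" minus its ":port".
count_sources() {
    printf '%s\n' "$1" | awk -v good="$2" '
        BEGIN {
            n = split(good, g, "\n")
            for (i = 1; i <= n; i++) if (g[i] != "") skip[g[i]] = 1
            last = ""
        }
        # credit a repeat line to the source of the line before it
        # (last is empty if that source was skipped or had no "from")
        /last message repeated [0-9]+ times$/ {
            if (last != "") hits[last] += $(NF-1)
            next
        }
        {
            last = ""
            for (i = 1; i < NF; i++) if ($i == "from") {
                src = $(i+1); sub(/:[0-9]+$/, "", src)
                if (!(src in skip)) { hits[src]++; last = src }
                break
            }
        }
        END { for (s in hits) print hits[s], s }
    ' | sort -rn
}

# abusers LOG GOODLIST
# Prints just the sources seen more than THRESHOLD times (exactly
# THRESHOLD hits is still tolerated, matching "more than 5").
abusers() {
    count_sources "$1" "$2" | awk -v t="$THRESHOLD" '$1 > t { print $2 }'
}

# respond REPORTFILE
# The reaction from the first post: mail the report and take eth0
# down. DRY_RUN=1 (the default) only prints the commands, so the
# demo is safe to run on a workstation.
respond() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'would run: mail -s "iplog abusers" root < %s\n' "$1"
        printf 'would run: ifdown eth0\n'
    else
        mail -s "iplog abusers" root < "$1" && ifdown eth0
    fi
}

# For the real thing, feed your ip.log instead of SAMPLE_LOG, e.g.
# abusers "$(cat ip.log)" "$(cat goodIPlist)" > "$report".
main() {
    report=${TMPDIR:-/tmp}/iplog-abusers.$$
    abusers "$SAMPLE_LOG" "$GOOD_LIST" > "$report"
    if [ -s "$report" ]; then
        cat "$report"
        respond "$report"
    fi
    rm -f "$report"
}
main
```

On the sample, 10.1.2.3 comes out at 6 hits (1 + 4 folded-in repeats + 1) and is reported; 192.0.2.7 sits at exactly 5 and is not; ns1.san.rr.com is dropped along with the repeat line that follows it. Set DRY_RUN=0 only once the whitelist is right, since with the ISP's resolver missing from it the machine would take itself off-line within minutes of the excerpt above.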

f'lar
01-23-2001, 02:02 AM
I meant having the script do it. Grep will remove any line from a file that contains a certain string, won't it?

YaRness
01-23-2001, 03:12 PM
Originally posted by f'lar:
I meant having the script do it. Grep will remove any line from a file that contains a certain string, won't it?

My script kinda does that... grep is good for finding stuff in a file, but you need something more to actually do something with that data other than print it.

I didn't comment that script much... I prolly should, but what it does is this: it first generates a list of "good" IPs. It then runs through the file, and for each line it checks for an IP address. If it finds one, it either starts a new tally at 1 for that IP, or it increments an already existing tally for that IP. When it's done reading the file, it then goes through these tallies, and if any IP has a tally higher than 5, and it is NOT one of the "good" IPs, then it prints a message (could also do anything else you wanted it to at that point... email a warning, start another script, ad infinitum).


MkIII_Supra
01-24-2001, 12:32 AM
Uh, call me stupid, but how do I compile and run the script? I don't know Perl yet...


pdc
01-24-2001, 02:58 AM
You don't need to. Perl is interpreted. If the script in question is in your path and executable, just entering its name will work. If not, you can tell perl to do it.
Paul

YaRness
01-24-2001, 09:34 AM
Run it like a bash script: save it to a file, chmod 700 it (or 711, or whatever), and run it. You may have to change the shebang line (#!/usr/local/bin/perl -w) to /usr/bin or something to reflect your system, but aside from that just run it.

Or, save it to a file, and do "perl filename".

Err, I think pdc just said that, didn't read his post first.
