| udoline 2004-02-01, 2:35 am |
| hallo,
I don't like this sample in my logfiles:
....
/var/log/httpd/access_log:80.129.94.99 - - [01/Feb/2004:05:00:37
+0100] "GET /scripts/nsiislog.dll" 404 - "-" "-"
....
this will be blocked with:
+ /sbin/iptables -I INPUT -s 80.129.94.99 -j DROP
+ printf '80.129.94.99\tis now blocked!\t=8-)\n'
80.129.94.99 is now blocked! =8-)
if you like to play, change the search rules
in function get_to_block_ips().
hint: run this with the debugging option 'sh -x'
sorry, this example is tested under Linux in combination with iptables.
don't forget to patch your kernel.
-------% snip -----------------
#!/bin/sh
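get_blocked_ips()
{
  # Print, sorted and de-duplicated, the source addresses that already
  # have a DROP rule for "all" protocols in the live ruleset (iptables -nL).
  # The perl regex takes the dotted-quad that follows the "--" column of a
  # DROP line.  The original listing spelled the interpreter PERL, which
  # does not resolve on a case-sensitive system; it is perl(1).
  /sbin/iptables -nL | grep '^DROP.*all' \
    | perl -ne 'print "$1\n" if /\-\s+([\d\.]+)/;' | sort -u
}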
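get_to_block_ips()
{
  # Search rule (this is the place the post invites you to tune): every
  # access_log line that mentions ".dll", such as the nsiislog.dll probe
  # quoted above.  From each hit the first dotted-quad is printed, which
  # in the quoted log line is the client address; the list is sorted and
  # de-duplicated.  Log lines are attacker-controlled, so only the
  # digit/dot match leaves this function, never the raw line.  The
  # interpreter name is corrected from PERL to perl(1).
  grep '\.dll' /var/log/httpd/access_log* \
    | perl -ne 'print "$1\n" if /(\d+\.\d+\.\d+\.\d+)/;' | sort -u
}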
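must_be_blocked_ips() (
  # Print, one per line, the addresses that get_to_block_ips() reports
  # and get_blocked_ips() does not, i.e. those still lacking a DROP rule.
  #
  # Both producers emit sorted, unique lists, so comm(1) yields the set
  # difference directly (-23 keeps lines only in the first file); the
  # "diff | grep '<' | perl" chain of the original listing, which was
  # also broken by a line wrap after "grep", is not needed.
  #
  # The temp files come from mktemp(1): the original wrote to fixed names
  # under /tmp, which is a symlink/race problem for a script that runs
  # with the privileges iptables needs.  The body is a subshell so the
  # variables and the EXIT trap stay private to this function.
  to_block=$(mktemp /tmp/to_block_ips.XXXXXX) || exit 1
  blocked=$(mktemp /tmp/blocked_ips.XXXXXX) || { rm -f -- "$to_block"; exit 1; }
  trap 'rm -f -- "$to_block" "$blocked"' EXIT
  get_to_block_ips > "$to_block"
  get_blocked_ips > "$blocked"
  comm -23 "$to_block" "$blocked"
)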
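# main( void )
main()
{
  # Insert a DROP rule for every address still missing one and announce
  # it.  Each candidate is checked to be digits and dots only before it
  # reaches iptables, and the address is passed to printf as an argument
  # rather than as the format string.  A failed iptables call is reported
  # on stderr instead of being announced as blocked.
  for ip in $(must_be_blocked_ips); do
    case $ip in
      ''|*[!0-9.]*)
        printf 'skipping unexpected value: %s\n' "$ip" >&2
        continue ;;
    esac
    if /sbin/iptables -I INPUT -s "$ip" -j DROP; then
      printf '%s\tis now blocked!\t=8-)\n' "$ip"
    else
      printf 'iptables failed for %s\n' "$ip" >&2
    fi
  done
}
main "$@"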
-------% snip -----------------
--
viele gruesse aus Leipzig,
udoline