I want to filter and block failed attempts to access my proftp server. Here is an example line from the /var/log/secure file:
Jan 2 18:38:25 server1 proftpd[17847]: spy1.XYZ.com (93.218.93.95[93.218.93.95]) - Maximum login attempts (3) exceeded
There are several lines like this. I would like to block any IP that makes attempts like this twice. Here's a script I'm trying to run to block those IPs.
# Count "Maximum login" hits per source field in the last 1000 lines, then block the repeat offenders.
tail -1000 /var/log/secure | awk '/proftpd/ && /Maximum login/ { if (/attempts/) try[$7]++; else try[$11]++; }
END { for (h in try) if (try[h] > 4) print h; }' |
while read -r ip
do
    # -w -F: match the address as a whole fixed-string word, not as a regex or a substring of a longer one
    if /sbin/iptables -L -n | grep -qwF -- "$ip" ; then
        # echo "already denied ip: [$ip]" ;
        true
    else
        logger -p authpriv.notice "*** Blocking ProFTPD attempt from: $ip"
        /sbin/iptables -I INPUT -s "$ip" -j DROP
    fi
done
How can I select the IP with "awk"? With the current script it's selecting "(93.218.93.95[93.218.93.95])", this whole field, but I only want to select the IP.
You could also look at something like Fail2Ban which does have example setups for ProFTPd.
If you're using GNU awk (gawk) you can use a regex for the field separator.