Well you were right about sed. Not something I could do with sed.
I wound up using awk, and temporarily putting the addresses in a separate file
until I feel comfortable it won't jack up my firewall.
#!/bin/sh
# list of ip address to allow always
MYIP=yyy.yyy.yyy.yyy
MYIP2=xxx.xxx.xxx.xxx
# name of logfile to scan - need to variablize so I can call it with an alternate
# logfile and default to this
lfl=/var/log/auth.log
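# ugly all on one line, but it works
# the address is the field after the last "from" (it is not always $11:
# "invalid user" lines have two extra fields before it)
# sort -u because uniq alone only drops adjacent duplicates;
# grep -F -x so the dots in the allowed addresses match literally
grep -i 'failed password' "$lfl" | awk '{ for (i = NF - 1; i > 0; i--) if ($i == "from") { print $(i + 1); break } }' | sort -u | grep -vxF -e "$MYIP" -e "$MYIP2" >> /etc/illegalips.txt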
# still to do add commands to extract ips from above file
# and add to actual blacklist and call firewall restart
-----Original Message-----
From: Jeremy Turner
So I guess it's time to pull out the sed pocket reference I have and learn
something in there to help.
Nah... you're crying out for Perl =)
#---------------------------------------------------------------
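#!/usr/bin/perl
use strict;
use warnings;

my $my_ip = "192.168.0.1";
my %seen = ();
# get input from stdin
while (<>) {
    # illegal = no username
    # failed = wrong password
    if (/Failed/ || /Illegal/) {
        # match the ip address after the last "from"; the user name before
        # it comes from the remote side, so the first match is not trusted
        if (/.*\bfrom (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b/) {
            # exact string compare, so the dots are not regex wildcards
            if ($1 ne $my_ip) {
                $seen{$1}++;
            }
        }
    }
}
my @ips = sort keys %seen;
foreach (@ips) {
    print "$_\n";
}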
#-----------------------------------------------------------
The "Failed" and "Illegal" words are lines you would check to contain IP
addresses. The hash table is to knock out duplicate IP addresses.
Jeremy
--
Jeremy Turner jeremy@linuxwebguy.com
Linux Tips and News! ---> http://linuxwebguy.com
Kclug mailing list
Kclug@kclug.org
http://kclug.org/mailman/listinfo/kclug
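
Added example, not part of either message: a filter that could feed the "still to do" blacklist step, counting failures per address, validating each address, and skipping allow-listed ones. The function names, the threshold argument and the sample log lines (documentation addresses) are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread.
# Usage: offenders THRESHOLD [ALLOWED_IP ...] < logfile
# Prints, sorted, each address with at least THRESHOLD failed logins.
offenders() {
    threshold=$1; shift
    awk -v min="$threshold" -v allow="$*" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /Failed password/ {
        # Take the field after the LAST "from". The user name is supplied
        # by the remote side, so it can shift fields or look like an address.
        ip = ""
        for (i = NF - 1; i > 0; i--) if ($i == "from") { ip = $(i + 1); break }
        # Accept only a dotted quad with every octet in 0..255.
        if (split(ip, o, ".") != 4) next
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3 || o[i] + 0 > 255) next
        if (!(ip in ok)) hits[ip]++
    }
    END { for (ip in hits) if (hits[ip] >= min) print ip }
    ' | sort
}

# Constructed sample lines (documentation addresses), not real log data.
sample_log() {
    cat <<'EOF'
Mar  1 10:00:01 host sshd[101]: Failed password for root from 203.0.113.7 port 4021 ssh2
Mar  1 10:00:03 host sshd[101]: Failed password for root from 203.0.113.7 port 4022 ssh2
Mar  1 10:00:05 host sshd[102]: Failed password for invalid user bob from 203.0.113.7 port 4023 ssh2
Mar  1 10:01:00 host sshd[103]: Failed password for invalid user 192.0.2.10 from 198.51.100.9 port 5000 ssh2
Mar  1 10:01:02 host sshd[103]: Failed password for invalid user admin from 198.51.100.9 port 5001 ssh2
Mar  1 10:02:00 host sshd[104]: Failed password for admin from 192.0.2.10 port 6000 ssh2
Mar  1 10:02:05 host sshd[104]: Accepted password for admin from 192.0.2.10 port 6001 ssh2
EOF
}

# Threshold 2, own address 192.0.2.10 allow-listed.
sample_log | offenders 2 192.0.2.10
```

The fourth sample line is the case to watch: a first-address match would record the allow-listed 192.0.2.10 and miss the real source, while taking the field after the last "from" counts 198.51.100.9.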