AWK: counting Fail2Ban bans

An AWK script that counts, per IP address, how many times Fail2Ban has banned that address. It accepts either the ban notification e-mails copied out of Gmail or the standard fail2ban.log. File fail2ban_gmail.awk:

```awk
# Convert a dotted-quad IP address to a 32-bit integer (used as the array key)
function ip2n(ip) {
    split(ip, a, ".")
    return a[1]*(256^3) + a[2]*(256^2) + a[3]*256 + a[4]
}

# Convert the integer key back to dotted-quad form for printing
function n2ip(n) {
    return int(n/256^3) "." int(n%256^3/256^2) "." int(n%256^2/256) "." int(n%256)
}

BEGIN { count = 1 }   # default when a subject line is not preceded by a "(N)" header

# Gmail export: a thread header "Fail2Ban (N)" is followed by the
# subject line "[Fail2Ban] SSH: banned <ip> - ..."
/^[\[]?Fail2Ban/ {
    if (substr($1, 1, 1) == "[") {
        # subject line: $4 is the banned IP; add the thread's message count
        ip = ip2n($4)
        data[ip] = data[ip] + count
    } else {
        # thread header: "(N)" is the number of messages in the thread, 1 if absent
        where = match($0, /\([0-9]+\)/)
        if (0 == where) {
            count = 1
        } else {
            count = substr($0, where+1, index($0, ")")-where-1)
        }
    }
}

# Standard fail2ban.log: count only "Ban" events ("Unban" and
# "Set banTime" lines also mention fail2ban.actions)
/fail2ban\.actions/ {
    if ($6 == "Ban") {
        ip = ip2n($7)
        data[ip] = data[ip] + 1
    }
}

END {
    # asorti is gawk-specific and compares the keys as strings by default,
    # so the output is not in numeric IP order
    n = asorti(data, dest)
    for (i = 1; i <= n; i++) {
        print n2ip(dest[i]), " - ", data[dest[i]]
    }
}
```

Sample input data (copied as text from the Gmail web interface):
Fail2Ban
	
[Fail2Ban] SSH: banned 211.172.247.41 - Hi, The IP 211.172.247.41 has just been banned by Fail2Ban after 5 attempts against SSH. Here are
	 	13:24
	
	Не помечено	
	
Fail2Ban (2)
	
[Fail2Ban] SSH: banned 211.172.246.115 - Hi, The IP 211.172.246.115 has just been banned by Fail2Ban after 5 attempts against SSH. Here are
	 	13:20
	
	Не помечено	
	
Fail2Ban, я (3)
	
[Fail2Ban] SSH: banned 182.162.136.99 -  Forwarded message From: Fail2Ban  Date: 2012/12/10
	 	13:06
	
	Не помечено	
	
Fail2Ban
	
[Fail2Ban] SSH: banned 222.234.0.52 - Hi, The IP 222.234.0.52 has just been banned by Fail2Ban after 5 attempts against SSH. Here are more
	 	13:04
	
	Не помечено	
	
Fail2Ban (2)
	
[Fail2Ban] SSH: banned 211.172.247.205 - Hi, The IP 211.172.247.205 has just been banned by Fail2Ban after 5 attempts against SSH. Here are
	 	12:54
	
	Не помечено	
	
Fail2Ban, я (3)
	
[Fail2Ban] SSH: banned 211.172.247.41 -  Forwarded message From: Fail2Ban  Date: 2012/12/10
	 	12:52
	
	Не помечено	
	
Fail2Ban
	
[Fail2Ban] SSH: banned 189.254.67.74 - Hi, The IP 189.254.67.74 has just been banned by Fail2Ban after 5 attempts against SSH. Here are more
	 	9 дек.
	
	Не помечено
...	
or the standard Fail2Ban log:
2012-11-21 00:08:08,206 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2012-11-21 00:08:08,207 fail2ban.jail   : INFO   Creating new jail 'ssh-iptables'
2012-11-21 00:08:08,207 fail2ban.jail   : INFO   Jail 'ssh-iptables' uses Gamin
2012-11-21 00:08:08,208 fail2ban.filter : INFO   Added logfile = /var/log/secure
2012-11-21 00:08:08,208 fail2ban.filter : INFO   Set maxRetry = 5
2012-11-21 00:08:08,210 fail2ban.filter : INFO   Set findtime = 600
2012-11-21 00:08:08,210 fail2ban.actions: INFO   Set banTime = 600
2012-11-21 00:08:08,228 fail2ban.jail   : INFO   Jail 'ssh-iptables' started
2012-11-21 01:37:40,328 fail2ban.actions: WARNING [ssh-iptables] Ban 183.129.160.244
2012-11-21 01:47:41,166 fail2ban.actions: WARNING [ssh-iptables] Unban 183.129.160.244
2012-11-21 01:55:18,328 fail2ban.actions: WARNING [ssh-iptables] Ban 64.34.93.165
2012-11-21 02:05:19,286 fail2ban.actions: WARNING [ssh-iptables] Unban 64.34.93.165
2012-11-21 04:27:46,946 fail2ban.actions: WARNING [ssh-iptables] Ban 211.138.85.158
2012-11-21 04:37:47,942 fail2ban.actions: WARNING [ssh-iptables] Unban 211.138.85.158
2012-11-21 16:59:32,598 fail2ban.actions: WARNING [ssh-iptables] Ban 58.64.141.228
2012-11-21 17:09:32,603 fail2ban.actions: WARNING [ssh-iptables] Unban 58.64.141.228
2012-11-21 20:34:58,585 fail2ban.actions: WARNING [ssh-iptables] Ban 50.112.161.151
2012-11-21 20:44:58,587 fail2ban.actions: WARNING [ssh-iptables] Unban 50.112.161.151
2012-11-22 04:42:31,771 fail2ban.actions: WARNING [ssh-iptables] Ban 66.252.151.170
2012-11-22 04:52:32,698 fail2ban.actions: WARNING [ssh-iptables] Unban 66.252.151.170
...
The result looks something like this (IP - number of bans):
...
222.234.0.52  -  2
27.121.42.83  -  1
42.117.2.37  -  1
42.121.108.137  -  2
46.211.220.128  -  3
50.112.161.151  -  1
5.175.192.87  -  5
5.175.207.7  -  6
58.18.172.104  -  1
58.27.95.15  -  1
58.64.141.228  -  1
58.97.41.197  -  1
...
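As an added example (not the author's script), here is the log-file half of the task in POSIX sh with plain awk and sort, so it runs without gawk. It counts Ban events per IP from the fail2ban.log format shown above, orders the addresses numerically by octet (gawk's asorti compares the integer keys as strings, which is why 5.175.192.87 sorts after 50.112.161.151 in the output above), and lists addresses banned at least N times as candidates for a longer ban. The log lines are constructed in the same format as the excerpt; the function names are mine.

```shell
#!/bin/sh
# Constructed sample in the standard fail2ban.log format (not real data).
SAMPLE_LOG='2012-11-21 00:08:08,210 fail2ban.actions: INFO   Set banTime = 600
2012-11-21 01:37:40,328 fail2ban.actions: WARNING [ssh-iptables] Ban 183.129.160.244
2012-11-21 01:47:41,166 fail2ban.actions: WARNING [ssh-iptables] Unban 183.129.160.244
2012-11-21 01:55:18,328 fail2ban.actions: WARNING [ssh-iptables] Ban 64.34.93.165
2012-11-21 03:12:00,000 fail2ban.actions: WARNING [ssh-iptables] Ban 183.129.160.244
2012-11-21 04:27:46,946 fail2ban.actions: WARNING [ssh-iptables] Ban 5.175.192.87'

# count_bans: reads fail2ban.log lines on stdin and prints "IP count" for
# every banned address. Matching the literal "Ban" in field 6 excludes the
# "Unban" and "Set banTime" lines, which also mention fail2ban.actions.
# sort -t. with four numeric keys orders by octet value, not by string.
count_bans() {
    awk '$3 == "fail2ban.actions:" && $6 == "Ban" { bans[$7]++ }
         END { for (ip in bans) print ip, bans[ip] }' |
    LC_ALL=C sort -t. -k1,1n -k2,2n -k3,3n -k4,4n
}

# repeat_offenders MIN: reads fail2ban.log lines on stdin and prints the
# addresses banned at least MIN times (e.g. input for a recidive-style jail).
repeat_offenders() {
    count_bans | awk -v min="$1" '$2 >= min { print $1 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | count_bans
printf '%s\n' "$SAMPLE_LOG" | repeat_offenders 2
```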
