CSF - Check for Attacks through analysis of the LFD logs / messages logs

269ac00f765508cb74b25d006dbf5bb2

Written by Dennis Nind

Last published at: May 29th, 2019
grep TCP_IN /var/log/messages | awk -F"SRC=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
grep TCP_OUT /var/log/messages | awk -F"DST=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n


If you would then like to only output the last 'x' number of lines, you can use tail...

grep TCP_IN /var/log/messages | awk -F"SRC=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n | tail -20
grep TCP_OUT /var/log/messages | awk -F"DST=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n | tail -20


You are then able to use this to block those IP addresses in your CSF...

for ip in $(grep TCP_IN /var/log/messages | awk -F"SRC=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n | tail -20 | awk '{print $2}'); do csf -d $ip; done;
for ip in $(grep TCP_OUT /var/log/messages | awk -F"DST=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n | tail -20 | awk '{print $2}'); do csf -d $ip; done;