CSF – Check for Attacks through analysis of the LFD logs / messages logs

grep TCP_IN /var/log/messages | awk -F"SRC=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

grep TCP_OUT /var/log/messages | awk -F"DST=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

If you would then like to only output the last ‘x’ number of lines, you can use tail…

grep TCP_IN /var/log/messages | awk -F"SRC=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n | tail -20

grep TCP_OUT /var/log/messages | awk -F"DST=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n | tail -20

You are then able to use this to block those IP addresses in your CSF…

for ip in $(grep TCP_IN /var/log/messages | awk -F"SRC=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n | tail -20 | awk '{print $2}'); do csf -d $ip; done;

for ip in $(grep TCP_OUT /var/log/messages | awk -F"DST=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n | tail -20 | awk '{print $2}'); do csf -d $ip; done;
Was this article helpful?
Cancel
Thank you!