I am in the process of locking down one of my Linux servers through dynamic iptables usage. Currently I have my sshd covered from brute-force attacks via a special block.pl script (link available below), but now I found that script kiddies are attempting to get through via my ftp port (currently running ProFTPD).
Block.pl script (the one for sshd) can be found here: http://shellscripts.org/projects/s/sshblock/version_1.2/block.pl
Though I am using ProFTPD and I know I could modify the proftpd.conf to give a more subtle log file via LogFormat, I would rather have a converted script (like the one I use for the sshd) checking the /var/log/messages file as well.
I have absolutely no Perl scripting/programming knowledge, thus the question is being asked here...
Need to convert the following string:
May 17 00:59:37 servername proftpd: server.domain.com (192.168.1.15[192.168.1.15]) - no such user 'blah'
The perl script already has a way to look at sshd attack/attempts in the following manner:
if (/sshd.*(Failed password for|Invalid user) (\w+) from (?:::ffff:)?([0-9]+\.[0-9]
Anyone have a guess on what I need to have to read the /var/log/messages file then look for the "no such user" string given, then extract the IP address from the [ ] field and place it into a variable that can be added to the iptables rule in the rest of the script?
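As an added example (not the block.pl script and not any poster's code), here is a small Perl script that matches the ProFTPD "no such user" line quoted above alongside an sshd pattern of the same shape as the existing check, counts failures per IP over constructed sample log lines, and prints the iptables rule for each offender; the sample lines, the threshold value and the rule form are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample lines in /var/log/messages format (not taken from a real host).
my @sample = (
    "May 17 00:59:37 servername proftpd: server.domain.com (192.168.1.15[192.168.1.15]) - no such user 'blah'",
    "May 17 00:59:39 servername proftpd: server.domain.com (192.168.1.15[192.168.1.15]) - no such user 'admin'",
    "May 17 01:00:02 servername proftpd: server.domain.com (10.0.0.7[10.0.0.7]) - no such user 'test'",
    "May 17 01:00:10 servername proftpd: server.domain.com (192.168.1.15[192.168.1.15]) - USER blah: Login successful",
    "May 17 01:01:00 servername sshd[1234]: Failed password for root from 203.0.113.9 port 4022 ssh2",
);

# Return the offending IP for one log line, or undef if the line is not a failed login.
sub offender_ip {
    my ($line) = @_;
    # ProFTPD: the client IP is the value inside the [ ] that follows the hostname.
    if ($line =~ /proftpd.*\[([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]\) - no such user/) {
        return $1;
    }
    # sshd: same shape as the check in block.pl, with the optional ::ffff: IPv4-mapped prefix.
    if ($line =~ /sshd.*(?:Failed password for|Invalid user) \S+ from (?:::ffff:)?([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/) {
        return $1;
    }
    return;
}

# Count failures per IP and return the IPs at or above the threshold, sorted.
sub find_attackers {
    my ($threshold, @lines) = @_;
    my %count;
    for my $line (@lines) {
        my $ip = offender_ip($line);
        $count{$ip}++ if defined $ip;
    }
    return grep { $count{$_} >= $threshold } sort keys %count;
}

# With a threshold of 2 only 192.168.1.15 qualifies: the successful login line is ignored,
# and the other two IPs have a single failure each. Inside block.pl the print would
# become the system() call that adds the rule.
for my $ip (find_attackers(2, @sample)) {
    print "iptables -I INPUT -s $ip -j DROP\n";
}
```

To run it against the live log, replace @sample with the lines read from /var/log/messages (for example `open my $fh, '<', '/var/log/messages'` and `<$fh>`).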