On 06.12.2009 20:01, Panagiotis Atmatzidis wrote:
> Good evening (it's 8:48 pm here)!

Are you in Greece?  It seems the country is shaken by riots currently. 
I hope no more people get killed in the course of action.  It's enough 
that a young boy died a year ago.

> True. There is 1 IP per line and some duplicates, but there's a catch also. There are some IPs that are captured more than 1 time with the "Ban" flag, which means that they were captured at a different time. Fail2ban blocks the IP for a couple of minutes in order to avoid the password brute-force which is taking place. After 3 minutes it unbans the IP. So the usual kind of log is this:
> 
> 2009-11-15 15:19:35,222 fail2ban.actions: WARNING [ssh-ipfw] Ban 195.66.191.75
> 2009-11-15 15:29:35,643 fail2ban.actions: WARNING [ssh-ipfw] Unban 195.66.191.75
> 2009-11-16 07:46:59,854 fail2ban.actions: WARNING [ssh-ipfw] Ban 203.172.184.130
> 2009-11-16 07:57:00,085 fail2ban.actions: WARNING [ssh-ipfw] Unban 203.172.184.130
> 
> [*I leave the IPs intact because these are actual SSH attacks and... if the admin doesn't care for his host, neither do I.]
> 
> So at this point, I need really to display duplicates and maybe issue a bold warning when an IP appears more than 5 times. It means that your host is probably *targeted*.

In that case you probably want to use a Hash for counting like this

ips = Hash.new 0   # every IP starts with a count of 0

...
   # the parentheses matter: without them Ruby parses the line as
   # ips[ip] += (1 >= 5), i.e. it adds false and raises a TypeError
   if (ips[ip] += 1) >= 5
     $stderr.puts "WARNING: potential attack from #{ip}!"
   end
...

>> Welcome to the wonderful world of Ruby!
> 
> Thanks!!! The learning process is for sure much easier than Objective-C, the syntax much more straightforward, but some concepts I'm still struggling to understand! Thanks for your reply though, it was very enlightening.

You're welcome!

> PS. Yes, I know I can install SNORT and get over it, but it's much more fun creating your own programs!

Absolutely! :-)

> Oh, this mailing list is *really* good :-)

Thanks a bunch!  This group is among the friendliest places I know for 
exchange of technical thoughts.

Kind regards

	robert

-- 
remember.guy do |as, often| as.you_can - without end
http://blog.rubybestpractices.com/
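The counting approach suggested in the reply, worked out as a complete script. This is an added example, not code from either poster: it parses fail2ban "Ban"/"Unban" lines in the format quoted in the mail, counts only the "Ban" events per IP with a Hash defaulting to 0 (so one ban/unban pair is not counted twice), and reports IPs that reach the threshold of 5 mentioned in the thread. The sample log is constructed from RFC 5737 documentation addresses rather than the real IPs in the mail; the jail name "ssh-ipfw" and the line layout are taken from the quoted log.

```ruby
# Added example (not from the thread): count fail2ban "Ban" events per IP
# and flag hosts that are banned repeatedly, as discussed in the mail.
# Assumed log format (from the quoted lines):
#   2009-11-15 15:19:35,222 fail2ban.actions: WARNING [ssh-ipfw] Ban 195.66.191.75

THRESHOLD = 5   # "more than 5 times" in the mail; >= 5 here, adjust to taste

# Matches fail2ban action lines; captures jail, action (Ban/Unban) and IPv4.
BAN_LINE = /fail2ban\.actions:\s+WARNING\s+\[(?<jail>[^\]]+)\]\s+
            (?<action>Ban|Unban)\s+(?<ip>\d{1,3}(?:\.\d{1,3}){3})/x

# Returns a Hash of ip => number of Ban events. Unban lines and anything
# that does not look like an action line are skipped.
def count_bans(lines)
  ips = Hash.new(0)           # unknown keys read as 0, so += works directly
  lines.each do |line|
    m = BAN_LINE.match(line) or next
    next unless m[:action] == "Ban"
    ips[m[:ip]] += 1
  end
  ips
end

# Returns the IPs whose Ban count reaches the threshold, most frequent
# first (ties broken by address so the output is deterministic).
def repeat_offenders(counts, threshold = THRESHOLD)
  counts.select { |_ip, n| n >= threshold }
        .sort_by { |ip, n| [-n, ip] }
        .map(&:first)
end

# Constructed sample log using RFC 5737 test addresses:
# 192.0.2.10 is banned 5 times, 192.0.2.20 twice, plus one non-action line.
SAMPLE_LOG = <<~LOG
  2009-11-15 15:19:35,222 fail2ban.actions: WARNING [ssh-ipfw] Ban 192.0.2.10
  2009-11-15 15:29:35,643 fail2ban.actions: WARNING [ssh-ipfw] Unban 192.0.2.10
  2009-11-15 18:02:11,004 fail2ban.actions: WARNING [ssh-ipfw] Ban 192.0.2.20
  2009-11-15 18:12:11,310 fail2ban.actions: WARNING [ssh-ipfw] Unban 192.0.2.20
  2009-11-16 07:46:59,854 fail2ban.actions: WARNING [ssh-ipfw] Ban 192.0.2.10
  2009-11-16 07:57:00,085 fail2ban.actions: WARNING [ssh-ipfw] Unban 192.0.2.10
  2009-11-16 09:00:00,000 fail2ban.filter : INFO   Log rotation detected for /var/log/auth.log
  2009-11-16 12:10:42,117 fail2ban.actions: WARNING [ssh-ipfw] Ban 192.0.2.10
  2009-11-16 12:20:42,400 fail2ban.actions: WARNING [ssh-ipfw] Unban 192.0.2.10
  2009-11-17 01:33:09,561 fail2ban.actions: WARNING [ssh-ipfw] Ban 192.0.2.20
  2009-11-17 01:43:09,800 fail2ban.actions: WARNING [ssh-ipfw] Unban 192.0.2.20
  2009-11-17 03:15:27,902 fail2ban.actions: WARNING [ssh-ipfw] Ban 192.0.2.10
  2009-11-17 03:25:28,150 fail2ban.actions: WARNING [ssh-ipfw] Unban 192.0.2.10
  2009-11-18 22:48:13,337 fail2ban.actions: WARNING [ssh-ipfw] Ban 192.0.2.10
  2009-11-18 22:58:13,600 fail2ban.actions: WARNING [ssh-ipfw] Unban 192.0.2.10
LOG

# Prints a count per IP and a warning for every repeat offender.
def report(lines, threshold = THRESHOLD, out = $stdout, err = $stderr)
  counts = count_bans(lines)
  counts.sort_by { |ip, n| [-n, ip] }.each { |ip, n| out.puts "#{n.to_s.rjust(4)}  #{ip}" }
  repeat_offenders(counts, threshold).each do |ip|
    err.puts "WARNING: #{ip} banned #{counts[ip]} times, host is probably targeted!"
  end
  counts
end

if __FILE__ == $PROGRAM_NAME
  # Read a real log from ARGV (or stdin) when given, else use the sample.
  lines = ARGV.empty? && $stdin.tty? ? SAMPLE_LOG.lines : ARGF.each_line
  report(lines)
end
```

Run it as `ruby bancount.rb /var/log/fail2ban.log`; with no argument it runs on the constructed sample. Counting only the "Ban" lines is what keeps the unban entries from doubling every count, which is the "duplicates" catch described in the mail.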