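Why am I getting two IPs when I should be getting three IP addresses?

Time: 2019-01-13 15:21:59

Tags: python logfile

I am writing code in Python. This code opens the auth.log file and counts the number of failed logins per IP. If the same IP fails to connect more than 30 times, it is added to blacklist.txt.

My code works fine. It detects two IP addresses with failed logins. However, it should be three IP addresses, not two. Why can't it detect the third IP?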

import re
from collections import Counter

with open('auth.log') as failed_authlog:                 # Open log file as failed_authlog
    authlog = failed_authlog.read()                      # read the whole log into one string
    # Count one hit per "authentication failure" line, keyed by the numeric rhost value
    ip_addresses = Counter(re.findall(r'authentication failure.*?rhost=([0-9.]*)\s', authlog))

with open('blacklist.txt', 'w') as failed_blocked:       # create blacklist for IP addresses
    for ip_address, count in ip_addresses.items():       # which, after counting,
        if count >= 30:                                  # occurred 30 or more times in the log file
            failed_blocked.write('\n' + '{}\n'.format(ip_address) +'-' + str(count))

Example of relevant auth.log entries:

Feb 3 08:35:27 j4-be02 sshd[32744]: reverse mapping checking getaddrinfo for reserve.cableplus.com.cn [211.167.103.172] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 3 08:35:27 j4-be02 sshd[32744]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=211.167.103.172 user=root
Feb 3 08:35:29 j4-be02 sshd[32744]: Failed password for root from 211.167.103.172 port 36610 ssh2 

0 answers:

No answers
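
Added example, not part of the original post: a per-source failure counter that also handles three kinds of auth.log line on which the regex in the question undercounts or matches nothing (PAM "N more authentication failures" summaries, syslog "message repeated N times" lines, and `rhost=` values that are hostnames). The log lines are constructed samples, and the names `count_original`, `count_failures` and `over_threshold` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines (documentation addresses), not taken from the asker's log.
SAMPLE_LOG = """\
Feb 3 08:35:27 host sshd[100]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root
Feb 3 08:35:40 host sshd[100]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root
Feb 3 08:36:01 host sshd[101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
Feb 3 08:36:09 host sshd[102]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=scanner.example.net  user=admin
Feb 3 08:36:15 host sshd[102]: message repeated 3 times: [ pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=scanner.example.net  user=admin]
"""

# The pattern from the question, kept for comparison.
ORIGINAL = re.compile(r'authentication failure.*?rhost=([0-9.]*)\s')
# Hypothetical replacements: accept any non-space rhost value, and read the
# counts that PAM and syslog fold into a single line.
FAILURE = re.compile(r'authentication failure;.*?\brhost=([^\s\]]+)')
MORE = re.compile(r'PAM (\d+) more authentication failures?;.*?\brhost=([^\s\]]+)')
REPEATED = re.compile(r'message repeated (\d+) times: \[')

def count_original(text):
    """One hit per matching line, numeric rhost only (the question's behaviour)."""
    return Counter(ORIGINAL.findall(text))

def count_failures(text):
    """Count failures per source, weighting summary and repeated lines."""
    counts = Counter()
    for line in text.splitlines():
        more = MORE.search(line)
        if more:                       # "PAM N more ..." stands for N failures
            counts[more.group(2)] += int(more.group(1))
            continue
        hit = FAILURE.search(line)
        if hit:                        # a repeated line stands for N failures
            repeated = REPEATED.search(line)
            counts[hit.group(1)] += int(repeated.group(1)) if repeated else 1
    return counts

def over_threshold(counts, threshold=30):
    """Sources whose failure count reaches the blacklist threshold."""
    return sorted(src for src, n in counts.items() if n >= threshold)

if __name__ == '__main__':
    print('original:', dict(count_original(SAMPLE_LOG)))
    print('weighted:', dict(count_failures(SAMPLE_LOG)))
    print('blocked at 3:', over_threshold(count_failures(SAMPLE_LOG), threshold=3))
```

A hostname in `rhost=` comes from reverse DNS, which the remote side controls, so resolve or cross-check it before turning it into a block rule.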