# Count TCP_IN entries per source address (SRC=), least frequent first.
# One awk pass does the line filter and both field extractions that the
# grep | awk | awk chain performed; output is unchanged.
awk '/TCP_IN/ { split($0, part, "SRC="); split(part[2], tok, " "); print tok[1] }' /var/log/messages \
  | sort | uniq -c | sort -n


# Count TCP_OUT entries per destination address (DST=), least frequent first.
# Single awk pass replacing grep | awk | awk; same output.
awk '/TCP_OUT/ { split($0, part, "DST="); split(part[2], tok, " "); print tok[1] }' /var/log/messages \
  | sort | uniq -c | sort -n


If you would then like to output only the last x lines — that is, the x most frequent addresses, since the list is sorted in ascending order — you can use tail…


# Per-source-address counts of TCP_IN entries; the final tail keeps the
# 20 highest counts because sort -n lists them in ascending order.
awk '/TCP_IN/ { split($0, part, "SRC="); split(part[2], tok, " "); print tok[1] }' /var/log/messages \
  | sort | uniq -c | sort -n | tail -n 20


# Per-destination-address counts of TCP_OUT entries; tail keeps the
# 20 highest counts (sort -n is ascending).
awk '/TCP_OUT/ { split($0, part, "DST="); split(part[2], tok, " "); print tok[1] }' /var/log/messages \
  | sort | uniq -c | sort -n | tail -n 20


You can then feed this list to CSF to block those IP addresses…


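# Deny (csf -d) the 20 most frequent TCP_IN source addresses in the log.
# The ranking is by volume, not by maliciousness: a busy legitimate client
# or your own monitoring host ranks just as high, so review the list before
# running this. Addresses are read line by line (no word-splitting or
# globbing of the extracted tokens) and anything that is not made of the
# characters of an IPv4/IPv6 literal is reported and skipped rather than
# being passed to csf; empty lines are ignored silently.
grep TCP_IN /var/log/messages | awk -F"SRC=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n | tail -20 | awk '{print $2}' \
  | while IFS= read -r ip; do
      case "$ip" in
        '') ;;
        *[!0-9A-Fa-f.:]*) printf 'skipping unexpected token: %s\n' "$ip" >&2 ;;
        *) csf -d "$ip" ;;
      esac
    done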


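# Deny (csf -d) the 20 most frequent TCP_OUT destination addresses in the log.
# DST= here is where this host connected *to*, so the top entries are often
# the server's own upstreams (DNS, package mirrors, monitoring); review the
# list before running this. Addresses are read line by line (no word-splitting
# or globbing of the extracted tokens) and anything that is not made of the
# characters of an IPv4/IPv6 literal is reported and skipped rather than being
# passed to csf; empty lines are ignored silently.
grep TCP_OUT /var/log/messages | awk -F"DST=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n | tail -20 | awk '{print $2}' \
  | while IFS= read -r ip; do
      case "$ip" in
        '') ;;
        *[!0-9A-Fa-f.:]*) printf 'skipping unexpected token: %s\n' "$ip" >&2 ;;
        *) csf -d "$ip" ;;
      esac
    done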