ebuzz168

Reputation: 1194

Script function to check if there is a strange IP (an IP which is not whitelisted) in Python

I have a log file which looks like this:

Aug 25 10:22:28 iZk1a211s8hkb4hkecu7w1Z sshd[17386]: Invalid user tmp from 10.148.0.13 port 33470
Aug 25 10:22:30 iZk1a211s8hkb4hkecu7w1Z sshd[17386]: Failed password for invalid user tmp from 10.148.0.13 port 33470 ssh2
Aug 25 10:23:33 iZk1a211s8hkb4hkecu7w1Z sshd[17481]: Invalid user ed from 10.148.0.13 port 33474
Aug 25 10:23:35 iZk1a211s8hkb4hkecu7w1Z sshd[17481]: Failed password for invalid user ed from 10.148.0.13 port 33474 ssh2
Aug 25 10:23:39 iZk1a211s8hkb4hkecu7w1Z sshd[17496]: Invalid user ssz from 10.148.0.13 port 33476
Aug 25 10:23:40 iZk1a211s8hkb4hkecu7w1Z sshd[17496]: Failed password for invalid user ssz from 10.148.0.13 port 33476 ssh2
Aug 25 10:23:43 iZk1a211s8hkb4hkecu7w1Z sshd[17502]: Invalid user ubuntu from 10.148.0.13 port 33478
Aug 25 10:23:45 iZk1a211s8hkb4hkecu7w1Z sshd[17506]: Failed password for root from 10.148.0.13 port 33480 ssh2
Aug 25 10:23:45 iZk1a211s8hkb4hkecu7w1Z sshd[17502]: Failed password for invalid user ubuntu from 10.148.0.13 port 33478 ssh2

How do you check if there is an outsider IP trying to access your server in Python? The output of the script may extract the strange IP, raise some flags, etc.

I have only been able to create this so far, and it only returns True or False if you pass an IP that matches an IP in the .txt:

def check_ip(ip_address):
    # open the whitelist file and close it automatically when done
    with open('untitled.txt') as whitelist:
        for ip in whitelist:
            # strip the trailing newline, otherwise '10.148.0.13\n' never equals '10.148.0.13'
            if ip_address == ip.strip():
                return True
    return False

If I try it on my logs:

file = open('auth_filter.log', 'r')

check_ip(file)

It will return False

Upvotes: 3

Views: 261

Answers (2)

Joe Ferndz

Reputation: 8508

Based on my understanding of the question, you have two inputs: a file that contains a list of whitelisted IP addresses, and a file that contains the logs ('auth_filter.log').

I am assuming that your whitelist file looks something like this:

10.148.0.13
10.148.0.14

I modified your 'auth_filter.log' sample data to create a few IPs that are not part of the whitelist IPs.

My 'auth_filter.log' file looks as follows:

Aug 25 10:22:28 iZk1a211s8hkb4hkecu7w1Z sshd[17386]: Invalid user tmp from 10.148.0.13 port 33470
Aug 25 10:22:30 iZk1a211s8hkb4hkecu7w1Z sshd[17386]: Failed password for invalid user tmp from 10.148.0.13 port 33470 ssh2
Aug 25 10:23:33 iZk1a211s8hkb4hkecu7w1Z sshd[17481]: Invalid user ed from 10.148.0.13 port 33474
Aug 25 10:23:35 iZk1a211s8hkb4hkecu7w1Z sshd[17481]: Failed password for invalid user ed from 10.148.0.13 port 33474 ssh2
Aug 25 10:23:39 iZk1a211s8hkb4hkecu7w1Z sshd[17496]: Invalid user ssz from 10.148.0.16 port 33476
Aug 25 10:23:40 iZk1a211s8hkb4hkecu7w1Z sshd[17496]: Failed password for invalid user ssz from 10.148.0.16 port 33476 ssh2
Aug 25 10:23:43 iZk1a211s8hkb4hkecu7w1Z sshd[17502]: Invalid user ubuntu from 10.148.0.14 port 33478
Aug 25 10:23:45 iZk1a211s8hkb4hkecu7w1Z sshd[17506]: Failed password for root from 10.148.0.14 port 33480 ssh2
Aug 25 10:23:45 iZk1a211s8hkb4hkecu7w1Z sshd[17502]: Failed password for invalid user ubuntu from 10.148.0.15 port 33478 ssh2

Note here that I have 2 IPs that are not in the whitelist. They are 10.148.0.15 and 10.148.0.16

The code to extract all the IPs that are not in the whitelist is as follows:

whitelist = [] #list that will store the whitelist IPs from the whitelist file
blacklist = []

with open('whitelist.txt','r') as w, open('auth_filter.log','r') as f:

    #first read the whitelist IPs and store them into a list : whitelist
    for wlist in w:
        whitelist.append(wlist.strip())

    #now read each line in the log file
    for line in f:
        x = line.find(' from ') #Assumption: IP always follows ' from '
        if x != -1:
            y = line.find(' port')  #Assumption: port always follows IP

            if line[x+6:y] not in whitelist:
                blacklist.append(line[x+6:y]) #extract IP and store in blacklist

blacklist = list(set(blacklist)) #remove duplicates by converting it to a set and back. set removes duplicates

print('whitelist :', whitelist)
print('blacklist :', blacklist)

Output:

whitelist : ['10.148.0.13', '10.148.0.14']
blacklist : ['10.148.0.16', '10.148.0.15']

Upvotes: 3

Jeff

Reputation: 634

Assuming your log.txt and whitelist.txt are in the directory you're running the Python code from, regex would be your friend. In Python you import it via import re.

Extract IPs from log file:

import re

ips = []
with open('logname.log', 'r') as f:
    for line in f:
        # the IP sits between ' from ' and ' port' on sshd lines
        match = re.search('(?<=from ).+(?= port)', line)
        if match:
            ips.append(match.group())

Extract whitelisted IPs from log file:

whitelist = []
with open('whitelist.txt') as f:
    for line in f:
        # strip the newline so entries compare equal to the extracted IPs
        whitelist.append(line.strip())

Check IPs against whitelist:

for ip in ips:
    if ip not in whitelist:
        print('ip {} not in whitelist'.format(ip))
        # or whatever you want to do with non-whitelisted IP

Upvotes: 1
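Both answers above match the address as a bare string, so a whitelist entry written as a network (10.148.0.0/24) would not work and a line with no port would be mis-sliced. The following is an added example, not code from the question or either answer: it parses the sshd lines with a regex that captures user, IP and port, validates the address with the standard-library ipaddress module, accepts whitelist entries as single hosts or CIDR networks, and counts failed attempts per non-whitelisted source. The sample log and whitelist are constructed for this example; the hostname "host" and the 203.0.113.7 address are placeholders.

```python
import ipaddress
import re
from collections import Counter

# sshd "Invalid user" / "Failed password" lines: capture user, source IP, port.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed password for(?: invalid user)?) "
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

# Constructed sample log and whitelist (the whitelist may hold hosts or CIDR networks).
SAMPLE_LOG = """\
Aug 25 10:22:28 host sshd[17386]: Invalid user tmp from 10.148.0.13 port 33470
Aug 25 10:23:45 host sshd[17506]: Failed password for root from 10.148.0.14 port 33480 ssh2
Aug 25 10:23:45 host sshd[17502]: Failed password for invalid user ubuntu from 203.0.113.7 port 33478 ssh2
Aug 25 10:23:50 host sshd[17510]: Failed password for root from 203.0.113.7 port 33490 ssh2
Aug 25 10:23:51 host sshd[17511]: Accepted publickey for deploy from 10.148.0.13 port 33500 ssh2
"""
SAMPLE_WHITELIST = """\
# office range; blank lines and comments are skipped
10.148.0.0/24
"""

def load_whitelist(text):
    """Parse whitelist text into ip_network objects; a bare host becomes /32 or /128."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def unlisted_failures(log_text, whitelist):
    """Count failed or invalid-user login attempts per source IP no whitelist entry covers."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if not m:
            continue  # accepted logins and other sshd messages are not failures
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed address field; skip rather than crash
        if not any(ip in net for net in whitelist):
            counts[str(ip)] += 1
    return dict(counts)

if __name__ == "__main__":
    for ip, n in unlisted_failures(SAMPLE_LOG, load_whitelist(SAMPLE_WHITELIST)).items():
        print(f"{ip}: {n} failed attempt(s) from a non-whitelisted address")
```

To run it against real files, read 'auth_filter.log' and 'whitelist.txt' into strings and pass them in place of the constructed samples.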
