Basically I have an authlog/syslog file with a list of log in attempts and IP addresses - I need to make a Python program that will create a txt file with all the IP addresses that have more than 5 failed login attempts - a sort of "blacklist".

So basically something like:

if "uniqueipaddress" and "authentication failure" appear more than 5 times, add uniqueipaddress to txt file.

Any help would be greatly appreciated - please try and make it simple as I am very, very inexperienced in programming in Python! Thanks.

+1  A: 

For each line:

  • read the IP and attempt status
  • keep a dictionary by IP of the number of failed attempts

Then go over the dictionary:

  • print to file all IPs with 5 or more attempts

Python hints:

  • To read a file line by line: for line in open(filename)
  • Parsing the log line depends entirely on its format. Some useful Python tools are the split method of a string, and regular expressions
  • Keep a dictionary, i.e. ips[ip] is the number of attempts
Eli Bendersky
Thank you, that helps - any chance of any example code to show this in practice? Thank you very much.
oz_babe
@oz_babe: updated my answer
Eli Bendersky
A: 

The following code should do something similar to what you're looking for. It's not perfect, but it's a good jumping-off point.

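ips = {}
with open('your_log.txt') as log:
    for line in log:
        # split() with no argument also strips the trailing newline,
        # so the status field compares cleanly
        parts = line.split()  # assuming whitespace is a good place to split
        if len(parts) >= 2 and parts[1] == "AuthenticationFailure":
            # first failure for an IP counts as 1, not 0
            ips[parts[0]] = ips.get(parts[0], 0) + 1

# write every IP with 5 or more failures (output file name is an example)
with open('blacklist.txt', 'w') as out:
    for ip in [k for k, v in ips.items() if v >= 5]:
        out.write(ip + '\n')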

This assumes that your log file is structured something like so:

1.1.1.1 LoginSuccess
2.2.2.2 LoginSuccess
3.3.3.3 AuthenticationFailure
Mike Trpcic
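
For a real auth.log, the same counting approach needs a parser for the actual line format. The following is an added example, not code from either answer: it assumes pam_unix-style `authentication failure; ... rhost=<ip>` lines, runs on constructed sample data, and applies the question's "more than 5" threshold; the function names and the output file name are made up for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample data in the pam_unix/sshd style seen in auth.log (assumed format).
FAIL = ("Mar  3 10:00:01 host sshd[1001]: pam_unix(sshd:auth): authentication failure; "
        "logname= uid=0 euid=0 tty=ssh ruser= rhost={rhost}  user={user}")
SAMPLE_LOG = (
    [FAIL.format(rhost="203.0.113.7", user="root")] * 5
    # user= is supplied by the remote client; this one carries a second rhost=
    + [FAIL.format(rhost="203.0.113.7", user="x rhost=192.0.2.99")]
    + [FAIL.format(rhost="198.51.100.4", user="admin")] * 5
    + [FAIL.format(rhost="badhost.example", user="root")]
    + ["Mar  3 10:00:09 host sshd[1002]: Accepted password for alice "
       "from 192.0.2.10 port 50000 ssh2"]
)

# Non-greedy: take the first rhost= after the marker, which comes before the
# client-controlled user= field in this layout.
RHOST = re.compile(r"authentication failure;.*?\brhost=(\S+)")

def count_failures(lines):
    """Return a Counter of failed logins keyed by normalised IP address."""
    counts = Counter()
    for line in lines:
        match = RHOST.search(line)
        if not match:
            continue  # successful logins and unrelated messages
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # rhost was a hostname or malformed; never blacklist it blindly
        counts[str(ip)] += 1
    return counts

def blacklist(counts, threshold=5):
    """IPs with MORE than `threshold` failures, sorted for stable output."""
    return sorted(ip for ip, n in counts.items() if n > threshold)

def write_blacklist(ips, path):
    with open(path, "w") as out:
        out.writelines(ip + "\n" for ip in ips)

if __name__ == "__main__":
    offenders = blacklist(count_failures(SAMPLE_LOG))
    write_blacklist(offenders, "blacklist.txt")
    print(offenders)
```

To run it on a real file, pass the open file object to `count_failures` in place of `SAMPLE_LOG`.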