adiberr/parse-ufw.md

Last active March 31, 2024 23:03

Star (0) You must be signed in to star a gist
Fork (0) You must be signed in to fork a gist

Select an option

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/adiberr/2ee1a8d6518625b348ddb1ba9bea6671.js"></script>
Save adiberr/2ee1a8d6518625b348ddb1ba9bea6671 to your computer and use it in GitHub Desktop.

Download ZIP

Oneliner command to parse UFW logs, useful for abuse blocking and reporting

Raw

parse-ufw.md

Extract the source ip address and destination port :

sed -n 's/^.*SRC=\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\).*DPT=\([0-9]\+\).*$/\1 \2/p' <<< $(sudo cat /var/log/ufw.log) \
| uniq -c \
| sort \
| column -t

Example (details omitted for simplicity):

...
[..] SRC=192.168.100.119 DST=192.168.100.1 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=1 PROTO=TCP SPT=23 [..]
...
[..] SRC=192.168.100.120 DST=192.168.100.1 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=2 PROTO=TCP SPT=23 [..]

Result :

7   192.168.100.119   23
10  192.168.100.120   23

adiberr/parse-ufw.md

Select an option

No results found

Select an option

No results found