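#!/bin/sh
# Script to look at http access logs for last ten days
# for drupal registration requests, locate netblocks
# that have too many repeat register-rs, and suggest
# .htaccess changes.
# Dan Kegel 2014
#
# Input:  the ten most recently modified ~/www_logs/www.*.gz files.
# Output: a report on stdout; nothing is changed on the server.
#
# Review notes for whoever acts on the report:
#  - A request is counted when the log line contains "register" anywhere,
#    so a referrer or user agent mentioning it is counted as well.
#  - The address is the first field of the log line. Behind a reverse
#    proxy or CDN that is presumably the proxy's address; confirm before
#    blocking, or legitimate traffic may be denied.
#  - A "network" is the address with its last two dotted components
#    removed (the /16 for IPv4). The per-network count is the number of
#    (offending address, log file) pairs, so several offending addresses
#    in one log file each add to it.
#  - "deny from" is Apache 2.2 syntax; on 2.4 it needs mod_access_compat
#    or a translation to "Require not ip".

set -u

max_retries_for_one_ip=7
max_bad_days_for_network=3
log_dir="${HOME:?HOME must be set}/www_logs"

# Print a message to stderr and stop.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Stop early when there is nothing to read, instead of reporting on
# empty intermediate files.
set -- "$log_dir"/www.*.gz
[ -e "$1" ] || die "no access logs matching $log_dir/www.*.gz"

# Work in a private, unpredictable directory. A fixed tmp.<pid> name in
# the current directory can be pre-created by another user when that
# directory is shared, which would let them plant addr.*.txt files and
# steer the suggested deny list.
work_dir=$(mktemp -d "${TMPDIR:-/tmp}/register-scan.XXXXXX") ||
  die "cannot create temporary directory"
trap 'rm -rf -- "$work_dir"' EXIT
trap 'exit 1' HUP INT TERM
cd "$work_dir" || die "cannot enter $work_dir"

# One addr.<log>.txt per log file: addresses with more than
# max_retries_for_one_ip matching requests in that file.
# ls -t is used only for the newest-first ordering; names are read one
# per line, so paths with spaces survive.
ls -t "$log_dir"/www.*.gz | head -n 10 |
while IFS= read -r log_file; do
  name=${log_file##*/}
  name=${name%.gz}
  gzip -dc -- "$log_file" |
    awk -v max="$max_retries_for_one_ip" '
      /register/ { hits[$1]++ }
      END { for (ip in hits) if (hits[ip] > max) print ip }
    ' | sort > "addr.$name.txt"
done

# Networks that show up more than max_bad_days_for_network times
# across the per-log address lists.
awk -v max="$max_bad_days_for_network" '
  { net = $0; sub(/\.[0-9]*\.[0-9]*$/, "", net); seen[net]++ }
  END { for (net in seen) if (seen[net] > max) print net }
' addr.*.txt | sort > bad-networks

echo "Networks with multiple repeated registration requests for last ten days are"
cat bad-networks

echo "IPs from those networks are"
# Select addresses by their computed network rather than by substring:
# a substring match on "10.1" would also report 210.1.x.x and x.10.1.x,
# and would treat "." as part of a loose pattern when used with grep.
awk '
  FILENAME == ARGV[1] { bad[$0] = 1; next }
  { net = $0; sub(/\.[0-9]*\.[0-9]*$/, "", net); if (net in bad) print }
' bad-networks addr.*.txt | sort -u

echo "Visit e.g. http://www.iplocation.net and look up a few of those."
echo "If they are in regions you don't care about, add them to your .htaccess"
echo "e.g."
awk '{print "deny from " $0}' bad-networks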