Hi,
One of our FTP servers is constantly under attack. I'm putting the output from the servers log file into a database. What I'm doing now is querying for anything hitting the server on port 21 in the last minute. Any single IP that has too high of a count within that minute is blocked. What I'd like to do is... In addition to gathered IP addresses hitting on port 21. Make sure that there are no hits from those IP addreses to the passive ports on our server. This would help eliminate false positives as much as I can.
The question is can I do this in a single statement?
The current statement is this:
"SELECT log_src_ip FROM traffic_log WHERE \
(log_dst_ip = 'our.ftp.server.address' AND \
log_dst_pt='21' AND \
log_time > DATE_SUB(NOW(),INTERVAL $block_time second) \
ORDER BY log_time ASC;"
Thanks,
MPH