I am building a cPanel plugin that allows a customer to define from which country a user can access the following services:
- cPanel / Webmail
- SFTP, SSH
I built a daemon that monitors the logs in real time to find the first successful access from a given IP, checks the country and denies or allows access to the service.
I finished the plugin and it works fine, but I have a problem checking the first successful access from a given IP to cPanel / Webmail.
With FTP and SSH it is really simple: using "grep" on the log I can locate the first access, for example for SSH:
tail -F /var/log/secure | grep "Accepted"
And I obtain:
May 21 09:11:04 server sshd: Accepted password for USER from IP port 4970 ssh2
But this is difficult with cPanel / Webmail access: I cannot filter the first successful access after login. I want to minimize the number of checks to reduce the resource usage of this daemon.
I am using:
tail -F /usr/local/cpanel/logs/access_log
| egrep --line-buffered "HTTP\/1.(1|0)\" 200 0"
| egrep -v --line-buffered "127.0.0.1|root"
| egrep --line-buffered -v ".jpg|.gif|.css|.js|.png|.ico"
I think I cover all possible attempts to access, but I have too many duplicate records for the same IP.
I want to avoid making further checks if the user already agreed and passed the first check. But without relying on a database or similar, I'd do the same as for other services, filtering logs.
Any ideas to reduce the number of records to verify?
P.S.: I hope I explained this well, sorry for my bad English.
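One way to collapse the duplicates without a database, as an added example that is not part of the original post: keep the same three filters the egrep pipeline applies (status 200 with size 0, no localhost or root, no static assets), then remember each IP in memory for a TTL window so the country lookup runs once per IP instead of once per request. The log lines below are constructed to resemble the fields the pipeline greps for; the real cPanel access_log may carry extra trailing fields, and the regex, the `FirstAccessFilter` class and the one-hour TTL are assumptions of this example, not cPanel's own API.

```python
import re
import sys
import time
from typing import Dict, Iterable, List, Optional, Tuple

# Pattern for the constructed lines below. Assumption: only the leading
# fields (ip, user, timestamp, request, status, size) are needed; anything
# after the size field is ignored.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3}) (?P<size>\d+)'
)
STATIC_EXT = ('.jpg', '.gif', '.css', '.js', '.png', '.ico')
LOCAL_ADDRS = {'127.0.0.1', '::1'}


def candidate(line: str) -> Optional[Tuple[str, str]]:
    """Apply the same filters as the question's egrep pipeline.

    Returns (ip, user) for a line worth a country check, None otherwise.
    """
    m = LINE_RE.match(line)
    if m is None:
        return None
    if m['status'] != '200' or m['size'] != '0':
        return None
    if m['ip'] in LOCAL_ADDRS or m['user'] == 'root':
        return None
    # Drop static assets; strip any query string before testing the extension.
    if m['path'].split('?', 1)[0].lower().endswith(STATIC_EXT):
        return None
    return m['ip'], m['user']


class FirstAccessFilter:
    """Emit each IP once per TTL window; after the window it is re-checked.

    The state is an in-memory dict, so a daemon restart forgets it, which
    only costs one extra country lookup per IP.
    """

    def __init__(self, ttl_seconds: float = 3600.0) -> None:
        self.ttl = ttl_seconds
        self._seen: Dict[str, float] = {}   # ip -> time of last emitted check
        self._feeds = 0

    def feed(self, line: str, now: float) -> Optional[Tuple[str, str]]:
        hit = candidate(line)
        if hit is None:
            return None
        ip, user = hit
        last = self._seen.get(ip)
        if last is not None and now - last < self.ttl:
            return None                      # checked recently: skip
        self._seen[ip] = now
        self._feeds += 1
        if self._feeds % 1000 == 0:          # bound memory: prune stale IPs
            self._expire(now)
        return ip, user

    def _expire(self, now: float) -> None:
        stale = [ip for ip, t in self._seen.items() if now - t >= self.ttl]
        for ip in stale:
            del self._seen[ip]


def first_accesses(lines: Iterable[str], ttl_seconds: float = 3600.0,
                   clock=time.monotonic) -> List[Tuple[str, str]]:
    """Run a batch of lines through the filter and collect the hits."""
    flt = FirstAccessFilter(ttl_seconds)
    out: List[Tuple[str, str]] = []
    for line in lines:
        hit = flt.feed(line.rstrip('\n'), clock())
        if hit is not None:
            out.append(hit)
    return out


# Constructed sample log (not real cPanel output); addresses are RFC 5737 ranges.
SAMPLE_LOG = [
    '203.0.113.7 - alice [21/May/2014:09:11:04 +0000] "GET /cpsess1234/frontend/paper_lantern/index.html HTTP/1.1" 200 0',
    '203.0.113.7 - alice [21/May/2014:09:11:05 +0000] "GET /cpsess1234/frontend/paper_lantern/css/style.css HTTP/1.1" 200 0',
    '203.0.113.7 - alice [21/May/2014:09:11:09 +0000] "GET /cpsess1234/webmail/paper_lantern/index.html HTTP/1.1" 200 0',
    '127.0.0.1 - root [21/May/2014:09:11:10 +0000] "GET /json-api/version HTTP/1.1" 200 0',
    '198.51.100.9 - bob [21/May/2014:09:12:00 +0000] "POST /login/?login_only=1 HTTP/1.1" 200 0',
    '198.51.100.9 - bob [21/May/2014:09:12:01 +0000] "GET /cpsess5678/frontend/paper_lantern/index.html HTTP/1.0" 301 0',
    '198.51.100.9 - bob [21/May/2014:09:12:02 +0000] "GET /cpsess5678/frontend/paper_lantern/index.html HTTP/1.0" 200 0',
]


if __name__ == '__main__':
    # Usage: tail -F /usr/local/cpanel/logs/access_log | python3 first_access.py
    # With no piped input, the constructed sample is processed instead.
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin
    flt = FirstAccessFilter()
    for raw in source:
        hit = flt.feed(raw.rstrip('\n'), time.monotonic())
        if hit is not None:
            print(f'first access: ip={hit[0]} user={hit[1]}', flush=True)
```

On the sample this yields two records instead of seven: alice's first hit and bob's first 200, with the stylesheet, the localhost root call, the 301 and the repeated requests all skipped. The TTL is what decides how often a known IP is re-checked, so pick it by how long a cPanel session can reasonably last.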