
I have a file called SSH which contains two lines of information. It looks like this:

src=192.168.60.111 ttl: 64 last_seen: 4295187854 oldest_pkt: 16 4295157111, 4295168442, 4295172078, 4295172078, 4295172328, 4295172328, 4295172829, 4295172829, 4295173830, 4295173830, 4295175834, 4295175834, 4295179838, 4295179838, 4295187854, 4295187854
src=10.0.98.2 ttl: 64 last_seen: 4295868429 oldest_pkt: 16 4295845135, 4295848540, 4295851694, 4295851694, 4295853197, 4295853197, 4295856201, 4295856201, 4295859226, 4295859226, 4295862420, 4295862420, 4295865425, 4295865425, 4295868429, 4295868429

I want to make a script which controls whether the last_seen number + number of packets sent * 10 is smaller than the current time.
For example: if ($currenttime >= 4295187854+16*10) for the first line.
If the current time is bigger, the line should be removed. It is an attempt to add a delay to login via SSH, and the SSH file notes every IP that has entered a wrong password more than 3 times.

I am very new to scripting and tried to solve this with awk but did not make any progress. Do you guys have any idea of how I can scan the file line by line, analyze the different fields and, depending on the answer from the if-statement, remove it?

EDIT: This is what I produced; this probably doesn't make any sense since I can't understand what's actually going on with awk.

#!/bin/sh
currenttime=$(date +%s)
# Shell variables are not expanded inside awk's single quotes; pass it in with -v.
# $5 is last_seen and $7 is the packet count: keep a line only while
# now < last_seen + 10*packets, i.e. drop it once the current time is bigger.
awk -v now="$currenttime" 'now < $5 + 10*$7' SSH > temp.txt
mv -f temp.txt SSH
Louise
  • But what is the `10` factor that you are multiplying with `16`? – Inian Jan 20 '17 at 10:43
  • I have edited the question with my "script". The 10 is just hardcoded; I figured 10 seconds is enough! @Inian – Louise Jan 20 '17 at 10:45
  • Is that 16 from `$7`? – James Brown Jan 20 '17 at 10:46
  • Exactly, I assume " " is the delimiter by default. @JamesBrown – Louise Jan 20 '17 at 10:47
  • $5+10*$7 where $5 = 4295187854 and $7 = 16, which means 4295187854 + 160, not 687338948640. Multiplication always comes before addition ^^ @Inian – Louise Jan 20 '17 at 10:57
  • @Louise: Even then the date says `Wed, 17 Feb 2106 16:49:49 GMT`, a 90-year difference? Are you sure your conditions are right? If you have `EPOCH` less than this, all your lines for the next 90 years will match. – Inian Jan 20 '17 at 11:01
  • I have not connected my system to an NTP-server, this is just a test case, nothing going in production.. @Inian – Louise Jan 20 '17 at 11:15

1 Answer

Something like this?:

$ awk 'strftime("%s")<=$5+$7*10' SSH

strftime("%s") returns the time as a decimal timestamp in seconds since the epoch, which is compared against $5+$7*10. If the comparison is true, the record is printed.

Edit: Thank you @EdMorton for pointing out that the %s specifier is not supported by all systems (see the GNU awk documentation on the issue); on those unsupported systems systime() should be used instead (it's shorter, so just use it on all systems anyway!):

awk 'systime()<=$5+$7*10' SSH
James Brown
  • Current time works fine, but I don't know if awk scans only the first line or "loops" through all lines. – Louise Jan 20 '17 at 10:49
  • It processes every line (well, every _record_ which by default is a line) in the file. – James Brown Jan 20 '17 at 10:49
  • Then I guess the only problem is that $0 takes the whole file and not the current line; do you know how to access the current line? – Louise Jan 20 '17 at 10:54
  • @Louise Sorry, I didn't understand. Awk processes every line (or record) in the file and `$0` is the current record awk is processing. – James Brown Jan 20 '17 at 10:58
  • Thank you for your information and help. I was just confused by awk. I just had to add a "touch temp.txt" at the beginning, because if all if-statements are false, there is no temp.txt to work with. @JamesBrown – Louise Jan 20 '17 at 11:08
  • Remark for extra use: if the file were huge (not the case with these two lines as the OP specified), maybe use a variable fixing the time at the start, especially if the file is fed very quickly, as is often the case with huge files. Once more, a quick and good script. – NeronLeVelu Jan 20 '17 at 11:42
  • Huh? `strftime()` formats a timestamp but `%s` isn't a time format so it would return a null string. You mean `systime()` and you'd use it as `awk 'BEGIN{now=systime()} now<=$5+$7*10' SSH`. And yet it's the accepted answer - baffling... – Ed Morton Jan 21 '17 at 01:33
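
A complete version of the procedure the question asks for, as an added example that is neither the asker's script nor the answer's one-liner. It assumes, from the sample lines, that field 5 is last_seen (epoch seconds) and field 7 the packet count, keeps the asker's hard-coded 10 seconds per packet, reads the clock once per run (the point raised in the comments) rather than per record, passes it into awk with -v so it works in any awk, and handles the all-expired case that otherwise left no temp file. The sample SSH file it writes is constructed for the example with the question's layout but fewer packet timestamps.

```sh
#!/bin/sh
# Added example, not code from the question or the accepted answer: expire
# lockout entries in place the way the asker describes.  Assumed from the
# sample lines: field 5 is last_seen (epoch seconds), field 7 is the packet
# count; HOLD is the asker's hard-coded 10 s per packet.
HOLD=10

# Write a constructed sample file (same layout as the question's SSH file,
# with fewer packet timestamps) whose deadlines straddle NOW=1484907000:
# deadlines are 1484906840 (expired), 1484907020 (held), 1484907000
# (exactly at the boundary, expired) and 1484907020 (held).
write_sample() {
    cat > "$1" <<'EOF'
src=192.168.60.111 ttl: 64 last_seen: 1484906800 oldest_pkt: 4 1484906770, 1484906780, 1484906790, 1484906800
src=10.0.98.2 ttl: 64 last_seen: 1484906980 oldest_pkt: 4 1484906950, 1484906960, 1484906970, 1484906980
src=172.16.5.20 ttl: 64 last_seen: 1484906960 oldest_pkt: 4 1484906930, 1484906940, 1484906950, 1484906960
src=172.16.0.9 ttl: 64 last_seen: 1484906990 oldest_pkt: 3 1484906970, 1484906980, 1484906990
EOF
}

# expire_entries FILE [NOW]
# Remove every line whose hold period has ended, i.e. NOW >= last_seen +
# HOLD * packets, and rewrite FILE.  NOW defaults to the current epoch time
# and is read once, so a large or fast-growing file is judged against one
# instant; it is passed with -v because shell variables are not expanded
# inside awk's single quotes.
expire_entries() {
    file=$1
    now=${2:-$(date +%s)}
    tmp="$file.tmp.$$"
    awk -v now="$now" -v hold="$HOLD" '
        # $5 = last_seen, $7 = number of packets; a true pattern prints (keeps)
        now < $5 + hold * $7
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # the shell redirection creates "$tmp" even when no line survives, so an
    # all-expired file becomes an empty file instead of a missing one
    mv -f "$tmp" "$file"
}

# Count the entries still held in FILE (grep -c exits 1 on zero matches, so
# swallow that status and keep the printed count).
held_count() {
    grep -c '^src=' "$1" 2>/dev/null || true
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir/SSH"
expire_entries "$demo_dir/SSH" 1484907000   # 10.0.98.2 and 172.16.0.9 remain
cat "$demo_dir/SSH"
rm -rf "$demo_dir"
```

Run with no second argument to use the real clock; the pattern-only awk program prints the lines to keep, so a line is dropped exactly when the current time has reached or passed last_seen + 10 * packets, which is the removal condition stated in the question.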