Slightly upgraded the script: it now monitors multiple logs, automatically removes a ban after a set time, sends mail, and logs every ban incident:
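#!/usr/bin/perl
# http_block - follow the Apache access logs, count index-page requests per
# client IP, and add offenders to ipfw table 2 for at least one
# $check_period.  Every block and unblock is written to syslog and mailed to
# root.  Must run as root (ipfw); the deny rule that consumes table 2 is set
# up outside this script, and the table is flushed on every start, so bans
# do not survive a restart.
use strict;
use warnings;
use Sys::Syslog qw(:DEFAULT setlogsock);
use POSIX qw(strftime);

# ---- configuration --------------------------------------------------------
my $pattern      = qr{"GET / HTTP/};               # request-line of the index page
my @httpd_log    = </var/log/httpd/domains/*.log>; # logs to follow
my $ok           = 1000;  # allowed index requests per IP per $check_period
my $check_period = 1;     # counting window and minimum ban length, in hours
my @ipfw_flush   = qw(/sbin/ipfw table 2 flush);
my @ipfw_add     = qw(/sbin/ipfw table 2 add);
my @ipfw_delete  = qw(/sbin/ipfw table 2 delete);
# --------------------------------------------------------------------------

my $period_secs = $check_period * 3600;
my %hits_of;     # ip -> index requests seen in the current window
my %banned_at;   # ip -> epoch time the ipfw entry was added
my $started     = 0;                   # set once a recent log line is seen
my $next_sweep  = time + $period_secs; # when to expire bans / reset counts

# Without this, an empty glob would make tail read stdin and block silently.
die "no log files matched /var/log/httpd/domains/*.log\n" unless @httpd_log;

setlogsock('unix');
openlog('http_block', 'ndelay', 'LOG_SECURITY');
syslog('info', "http_block started using ipfw \n");
run_logged(@ipfw_flush);

# List-form open: no shell, each path is one argument to tail.  tail -f first
# replays the last lines of every file; the "old records" check below drops
# those.  (On BSD, -F would additionally survive log rotation.)
open my $pipe, '-|', '/usr/bin/tail', '-f', @httpd_log
    or die "could not start tail on @httpd_log: $!";

LINE: while (my $line = <$pipe>) {
    # Ignore replayed history until a line from the current or previous hour
    # appears; from then on everything is live.  (Matching only the previous
    # hour, as before, could leave the script waiting forever when every
    # replayed and new line carries the current hour.)
    if (!$started) {
        my $now    = time;
        my @recent = map { strftime('%d/%b/%Y:%H', localtime($_)) }
                     $now, $now - $period_secs;
        next LINE unless grep { index($line, $_) >= 0 } @recent;
        $started = 1;
    }

    # Only the IP on this line can have crossed the threshold, so there is no
    # need to rescan every counter for every log line.  The anchored regex
    # admits only digits and dots; together with the list-form commands below
    # that keeps $ip from ever reaching a shell.
    if ($line =~ /^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*$pattern/) {
        my $ip   = $1;
        my $hits = ++$hits_of{$ip};
        if ($hits >= $ok) {
            if (exists $banned_at{$ip}) {
                # Traffic keeps arriving from a listed address: the table is
                # probably not referenced by a deny rule.
                syslog('info', "BLOCKING $ip with $hits conn not working!!!\n");
            }
            else {
                run_logged(@ipfw_add, $ip);
                syslog('info', "BLOCKING $ip with $hits conn \n");
                # Mail text as in the original, minus the forum line-wrap "+".
                notify_root("BLOCKING $ip by http_block",
                            "BLOCKING $ip with $hits conn by http_block ");
            }
            $banned_at{$ip} = time;   # (re)start the ban clock
            delete $hits_of{$ip};     # count from zero again
        }
    }

    # Period boundary: expire bans older than one period and open a fresh
    # counting window (the threshold is documented as "per $check_period",
    # which the old ever-growing counters did not implement).  Epoch seconds
    # replace the hour-of-day comparison, which could never expire a ban set
    # at 23:xx.  This only runs when a log line arrives, so an idle server
    # keeps its bans until the next request.
    if (time >= $next_sweep) {
        for my $ip (keys %banned_at) {
            next if time - $banned_at{$ip} < $period_secs;
            run_logged(@ipfw_delete, $ip);
            syslog('info', "UNBLOCKED $ip \n");
            notify_root("UNBLOCKED $ip by http_block",
                        "UNBLOCKED $ip by http_block");
            delete $banned_at{$ip};
        }
        %hits_of    = ();
        $next_sweep = time + $period_secs;
    }
}

close $pipe;
closelog();

# Run a command without a shell.  A failure is logged rather than fatal, so
# one ipfw hiccup does not stop log monitoring.  Returns true on exit 0.
sub run_logged {
    my @cmd = @_;
    if (system(@cmd) != 0) {
        syslog('err', "command '@cmd' failed: $?\n");
        return 0;
    }
    return 1;
}

# Mail $body to root with $subject through mail(1), piped without a shell.
# Delivery problems are logged, never fatal.
sub notify_root {
    my ($subject, $body) = @_;
    open my $mail, '|-', 'mail', '-s', $subject, 'root'
        or do { syslog('err', "cannot run mail: $!\n"); return; };
    print {$mail} "$body\n";
    close $mail or syslog('err', "mail exited with status $?\n");
    return;
}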

In reply to Re: Getting bots ips from apache logs. by oev
in thread Getting bots ips from apache logs. by idle
