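#!/usr/bin/env python3
"""Summarise PAM "authentication failure" events from a log file.

Usage: python3 <this script> <logfile>

Prints the number of failures seen from each remote host (the ``rhost=``
field of the PAM log line) and the overall total.
"""
import sys
from collections import Counter

# Key used for matching lines that carry no "rhost=" field at all, so one
# oddly formatted line does not abort the whole run (indexing
# ``line.split("rhost=")[1]`` on such a line raises IndexError).
NO_RHOST = "<no rhost>"


def count_auth_failures(lines):
    """Tally "authentication failure" log lines by remote host.

    NOTE: This is a rudimentary check, and will not work for all log formats.
    It was chosen for the log file provided. As an example, it will not work
    when the system uses SSH's built-in password authentication, as those logs
    are formatted differently. It will also not work if the authentication
    failure is logged in a different PAM module, or if authentication is
    successful but the PAM account stack (user authorization) fails.

    NOTE(review): the ``rhost=`` value is untrusted input. It is whatever the
    peer presented, or whatever reverse DNS returned for it (a hostname rather
    than an address when the peer has a PTR record), and the ``user=`` field
    on the same line is attacker-chosen. Only the first ``rhost=`` on the line
    is honoured, which is right as long as it precedes ``user=`` (true for the
    pam_unix format this script was written against -- verify for other
    sources). Do not feed these values into anything that trusts them (shell
    commands, firewall rules) without further validation.

    Args:
        lines: iterable of log lines; trailing newlines are tolerated.

    Returns:
        ``(per_host, total)``: a Counter mapping each ``rhost=`` value
        (``""`` when PAM logged an empty host, e.g. a local login;
        ``NO_RHOST`` when the field is absent) to its failure count, and the
        total number of matching lines.
    """
    per_host = Counter()
    total = 0
    for line in lines:
        if "authentication failure" not in line:
            continue
        total += 1
        _, sep, after = line.partition("rhost=")
        if not sep:
            per_host[NO_RHOST] += 1
            continue
        # The value ends at the next space, or at end of line when rhost is
        # the last field; strip the line terminator so "1.2.3.4" and
        # "1.2.3.4\n" are not counted as two different hosts.
        rhost = after.split(" ", 1)[0].rstrip("\r\n")
        per_host[rhost] += 1
    return per_host, total


def main():
    """Parse arguments, read the log file and print the per-host summary."""
    if len(sys.argv) != 2:
        # Usage goes to stderr so it never pollutes piped output.
        print(f"Usage: python3 {sys.argv[0]} <logfile>", file=sys.stderr)
        sys.exit(1)
    input_file = sys.argv[1]

    try:
        # Log files can contain arbitrary bytes (peer-supplied strings are
        # logged verbatim); replace undecodable ones rather than aborting.
        with open(input_file, "r", encoding="utf-8", errors="replace") as f:
            per_host, total = count_auth_failures(f)
    except OSError as err:
        print(f"Cannot read {input_file}: {err}", file=sys.stderr)
        sys.exit(1)

    # Busiest sources first. Values are printed verbatim: syslog daemons
    # normally escape control characters, but if this is run on a raw capture
    # consider printing ascii(rhost) to keep terminal escapes out of the output.
    for rhost, failures in per_host.most_common():
        print(f"From {rhost}: {failures} failures")
    print(f"\nTotal failures: {total}")


if __name__ == "__main__":
    main()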