Hi
I wrote this script, run every night from crontab:
spam_ip.sh /var/log/maillog
#!/bin/bash
# usage: spam_ip.sh /var/log/maillog
# 1. message-ids of mails the spam filter logged as "Junk" (text between the first <...>)
# 2. postfix lines carrying those message-ids -> queue ID (4th ":"-separated field)
# 3. smtpd lines for those queue IDs -> "client=host[ip]", deduplicated
#    (sort -u instead of "sort | uniq -u": uniq -u would drop any line that appeared twice)
log="$1"
grep "Junk" "$log" | cut -d ">" -f1 | cut -d "<" -f2 \
  | while read -r rubbish ; do grep -F -- "$rubbish" "$log" ; done \
  | grep postfix | cut -d ":" -f4 \
  | while read -r messageid ; do grep -F -- "$messageid" "$log" ; done \
  | grep smtpd | sort -u >> /var/log/spam-mail-ip.log
On fail2ban, I just have created the following jail on jail.local:
[spam]
port = smtp,465,submission
logpath = /var/log/spam-mail-ip.log
maxretry = 0
bantime = 1209600
findtime = 604800
enabled = true
with the filter:
[Definition]
failregex = .*? client*.*\[<HOST>\]
ignoreregex =
And voilà! Every night when the script is launched, it adds entries like these to /var/log/spam-mail-ip.log:
Oct 19 16:43:23 myserver postfix/smtpd[14123]: 9026A60C80: client=93.127.151.118.st.dtn.ne.jp[118.151.127.93]
Oct 19 17:41:16 myserver postfix/smtpd[15526]: DF2B26030D: client=catv-86-101-19-90.catv.broadband.hu[86.101.19.90]
Oct 19 17:48:03 myserver postfix/smtpd[15673]: 70F616030D: client=unknown[188.27.236.244]
Oct 19 18:04:51 myserver postfix/smtpd[16117]: 743CF63371: client=unknown[78.189.33.45]
Oct 19 18:11:18 myserver postfix/smtpd[16286]: AE25063371: client=unknown[41.207.192.91]
Oct 19 20:02:16 myserver postfix/smtpd[18917]: 76A8963372: client=unknown[187.188.76.58]
And fail2ban banned them for 2 weeks :)
Thanks for your help, it was perfect ;)
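The same Junk -> message-id -> queue ID -> client line chain as a single awk pass, as an added example that is not the thread's own spam_ip.sh. The script above re-greps the whole maillog once per hit, which gets slow on a busy server; this version reads the log once, writes lines in the same "postfix/smtpd ... client=host[ip]" shape the fail2ban filter above matches, and deduplicates before appending. It assumes postfix/cleanup logs "QUEUEID: message-id=<...>" (which Postfix does) and that the spam filter's "Junk" line carries the message-id as its first <...> token; the sample log, the "spamfilter" program name, the queue IDs and the message-ids are constructed. count_matches is a local stand-in for fail2ban-regex, with <HOST> replaced by an IPv4 pattern and the failregex tightened to key on "client=".

```bash
#!/bin/bash
# Added example, not the thread's spam_ip.sh: one awk pass instead of
# repeated greps over the whole log.

# Constructed sample of /var/log/maillog. "spamfilter", the queue IDs and
# the message-ids are made up; the Postfix line layout is real
# (cleanup: "QUEUEID: message-id=<...>", smtpd: "QUEUEID: client=host[ip]").
# The second Junk line for bbb222 is deliberate: a repeated verdict must
# not produce a duplicate (or, with "uniq -u", a vanished) client line.
SAMPLE_LOG='Oct 19 16:43:23 myserver postfix/smtpd[14123]: 9026A60C80: client=93.127.151.118.st.dtn.ne.jp[118.151.127.93]
Oct 19 16:43:23 myserver postfix/cleanup[14130]: 9026A60C80: message-id=<aaa111@spam.example>
Oct 19 16:43:24 myserver spamfilter[2001]: Junk: message-id <aaa111@spam.example> score 12.3
Oct 19 17:41:16 myserver postfix/smtpd[15526]: DF2B26030D: client=catv-86-101-19-90.catv.broadband.hu[86.101.19.90]
Oct 19 17:41:16 myserver postfix/cleanup[15530]: DF2B26030D: message-id=<bbb222@spam.example>
Oct 19 17:41:17 myserver spamfilter[2001]: Junk: message-id <bbb222@spam.example> score 9.8
Oct 19 17:50:00 myserver spamfilter[2001]: Junk: message-id <bbb222@spam.example> score 9.8
Oct 19 18:00:00 myserver postfix/smtpd[16001]: 1A2B3C4D5E: client=mail.example.org[192.0.2.10]
Oct 19 18:00:00 myserver postfix/cleanup[16005]: 1A2B3C4D5E: message-id=<ccc333@mail.example.org>
Oct 19 18:00:01 myserver spamfilter[2001]: Clean: message-id <ccc333@mail.example.org> score 0.1'

# Read a maillog on stdin; print one smtpd "client=" line per junk message.
spam_client_lines() {
    awk '
    # spam filter verdict: remember the message-id between the first < and >
    /Junk/ && match($0, /<[^>]+>/) {
        junk[substr($0, RSTART + 1, RLENGTH - 2)] = 1
    }
    # postfix/cleanup: map message-id -> queue ID ($6 is "QUEUEID:")
    / postfix\/cleanup/ && match($0, /message-id=<[^>]+>/) {
        qid = $6; sub(/:$/, "", qid)
        qid_of[substr($0, RSTART + 12, RLENGTH - 13)] = qid
    }
    # postfix/smtpd: map queue ID -> the client=host[ip] line itself
    / postfix\/smtpd/ && / client=/ {
        qid = $6; sub(/:$/, "", qid)
        client[qid] = $0
    }
    END {
        for (mid in junk)
            if ((mid in qid_of) && (qid_of[mid] in client))
                print client[qid_of[mid]]
    }' | sort -u
}

# Local stand-in for "fail2ban-regex" (assumption, not the real tool):
# the failregex with <HOST> as an IPv4 pattern, counting matching stdin lines.
count_matches() {
    grep -Ec 'client=[^[]*\[[0-9]{1,3}(\.[0-9]{1,3}){3}\]' || true
}

# Demo on the built-in sample. In production:
#   spam_client_lines < /var/log/maillog >> /var/log/spam-mail-ip.log
printf '%s\n' "$SAMPLE_LOG" | spam_client_lines
printf 'lines the jail would act on: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | spam_client_lines | count_matches)"
```

Because every line is keyed by queue ID and message-id before anything is printed, the order of the three log lines does not matter and a message only gets one output line, so fail2ban's maxretry counting is not inflated by a re-scanned message.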
On Sat 17 Oct 2015 at 21:52, Nick Howitt <[email protected]> wrote:
See in-line, but I'd need to check how to get awk to output to a
file. I think you need to define an out_file in the awk script or
redirect the output with a "> some.file" which f2b can then parse.
On 17/10/2015 20:42, Nicolas Repentin wrote:
On 15/10/2015 10:17, Richard Mealing wrote:
cat /var/log/maillog | grep "Junk" | cut -d ">" -f1 | cut -d "<" -f2 \
  | while read rubbish ; do grep $rubbish /var/log/maillog ; done \
  | grep postfix | cut -d ":" -f4 \
  | while read messageid ; do grep $messageid /var/log/maillog ; done \
  | grep smtpd
Hello
I got a good result with:
while true; do
    grep "Junk" /var/log/maillog | cut -d ">" -f1 | cut -d "<" -f2 \
      | while read -r rubbish ; do grep -F -- "$rubbish" /var/log/maillog ; done \
      | grep postfix | cut -d ":" -f4 \
      | while read -r messageid ; do grep -F -- "$messageid" /var/log/maillog ; done \
      | grep smtpd | awk '{print $NF}' | cut -d "[" -f2 | sed 's/\]//g'
    sleep 60 # 60s or whatever
done
It gives me the IP addresses :)
I'm now looking at how to keep this loop running live all the time, so that
fail2ban checks the result log file, or maybe I will ask logrotate to
generate the log when rotating.
Thanks :)
--
Nicolas Repentin
<[email protected]>
------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users