You can use something like this with a few modifications to read your
mail.log correctly, and you can also change the sorting criteria.
With respect
K
#!/bin/bash
# count the attempted SMTP connections from every IP
# add netfilter drop rules for those IPs that exceed a threshold
DROP_THRESHOLD=30
MAILLOG=/var/log/maillog
LOG=/tmp/auto-block.log
# back-up maillog so a new one is created (avoids duplicating iptables rules
# for the same IP). Note that the syslog daemon keeps writing to the moved
# file until it is told to reopen its logs (HUP / logrotate), so do that too.
mv "$MAILLOG" /tmp/maillog
# create the log time-stamp
TIMESTAMP=$(date | awk '{ print $2, $3, $4; }')
echo "$TIMESTAMP auto-block STARTED" > "$LOG"
# scan maillog, extract connecting IPs, sort, uniq count, sort on connection
# count (highest first), keep the IPs at or above the threshold
grep -E '(CONNECT|RCPT TO)' /tmp/maillog | awk '{print $5}' \
    | grep -E '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' \
    | sort | uniq -c | sort -rn \
    | awk -v t="$DROP_THRESHOLD" '{ if ($1 >= t) print $2 }' \
    > /tmp/smtp-connection-count.log
# get the current IPs blocked by iptables rules, to avoid duplication
# (source is column 4 of "iptables -nL"; matching on the target column skips
# the "Chain INPUT (policy ...)" header line that a plain grep DROP can catch)
iptables -nL INPUT | awk '$1 == "DROP" {print $4}' | sort -u \
    > /tmp/smtp-iptables-drop.log
# add firewall block for each of the offending IPs
for IP in $(cat /tmp/smtp-connection-count.log) ; do
    echo -n "Checking $IP..." >> "$LOG"
    # whole-line, fixed-string match; the original grep \'$IP\' searched for
    # the IP with literal quotes around it and so never matched
    if ! grep -Fxq "$IP" /tmp/smtp-iptables-drop.log; then
        echo " blocking" >> "$LOG"
        iptables -I INPUT -s "$IP" -j DROP
        # additional options, not supported on FC5/Virtuozzo:
        # -m comment --comment "> $DROP_THRESHOLD smtp connections per hour"
        echo "$TIMESTAMP iptables: $IP DROP, exceeded $DROP_THRESHOLD connections per hour" >> "$LOG"
    else
        echo " exists" >> "$LOG"
        echo "$TIMESTAMP iptables: $IP exists in table already" >> "$LOG"
    fi
done
# create the log time-stamp
TIMESTAMP=$(date | awk '{ print $2, $3, $4; }')
echo "$TIMESTAMP auto-block FINISHED" >> "$LOG"
# append the processed log to the rotated copy ($MAILLOG already holds the
# full path; the original "/var/log/$MAILLOG.0" produced a bogus path)
cat /tmp/maillog >> "$MAILLOG.0"
rm /tmp/maillog
____________________________________________________________________________
#!/bin/bash
# remove all DROP target entries from the netfilter INPUT table
# (source is column 4 of "iptables -nL"; matching on the target column skips
# the "Chain INPUT (policy ...)" header line)
iptables -nL INPUT | awk '$1 == "DROP" {print $4}' | sort -u \
    > /tmp/smtp-iptables-drop.log
for IP in $(cat /tmp/smtp-iptables-drop.log); do
    echo "-D INPUT -s $IP -j DROP"
    iptables -D INPUT -s "$IP" -j DROP
done
iptables -nL INPUT | grep 'DROP' | sort | uniq -c
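An added example, not the script from the post above: the same per-IP counting, but with an exact-match check against the already-blocked list, a cap on how many new rules one run may add (so a restart with a lowered threshold, as in the thread quoted below, cannot spawn hundreds of iptables invocations at once), and a dry run that prints the rules instead of inserting them. It assumes, like the posted script, that the client IP is the 5th field of each CONNECT / RCPT TO line; the log lines and addresses are constructed.

```shell
#!/bin/sh
# Added example (not the posted script). Count SMTP connections per client IP,
# keep those at or above a threshold, drop IPs already blocked (exact match),
# cap the number of new rules per run and only print the iptables commands
# unless APPLY=1. Assumes the client IP is the 5th field of every CONNECT /
# "RCPT TO" line, as the posted script does; adjust $5 for your log format.

# Print the IPs to block now, most active first.
# Usage: new_blocks MAILLOG BLOCKED_LIST THRESHOLD MAX_PER_RUN
new_blocks() {
    grep -Ew 'CONNECT|RCPT TO' "$1" \
      | awk '{ print $5 }' \
      | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' \
      | sort | uniq -c | sort -rn \
      | awk -v t="$3" '$1 >= t { print $2 }' \
      | grep -Fxv -f "$2" \
      | head -n "$4"
}

# Read IPs from stdin; print (or, with APPLY=1, run) one DROP rule per IP.
plan_rules() {
    while read -r ip; do
        if [ "${APPLY:-0}" = 1 ]; then iptables -I INPUT -s "$ip" -j DROP
        else echo "iptables -I INPUT -s $ip -j DROP"; fi
    done
}

# Constructed sample data (documentation-range addresses).
rep() { n=$1; shift; while [ "$n" -gt 0 ]; do echo "$*"; n=$((n - 1)); done; }
make_sample_log() {
    {
        rep 5 'Oct 2 16:58:01 CONNECT 203.0.113.5 helo=a'
        rep 4 'Oct 2 16:58:02 CONNECT 198.51.100.9 helo=b'  # already blocked
        rep 4 'Oct 2 16:58:03 CONNECT 203.0.113.50 helo=c' # already blocked
        rep 3 'Oct 2 16:58:04 CONNECT 198.51.100.7 helo=d'
        rep 2 'Oct 2 16:58:05 CONNECT 192.0.2.10 helo=e'   # under threshold
        echo 'Oct 2 16:58:06 CONNECT mail.example.test'    # not an IP
        echo 'Oct 2 16:58:07 DISCONNECT 203.0.113.5'       # not a CONNECT
    } > "$1"
}
make_sample_blocked() { printf '198.51.100.9\n203.0.113.50\n' > "$1"; }

# Stand-alone run: threshold 3, at most 10 new rules, dry run.
tmp=$(mktemp -d)
make_sample_log "$tmp/maillog"; make_sample_blocked "$tmp/blocked"
new_blocks "$tmp/maillog" "$tmp/blocked" 3 10 | plan_rules
rm -rf "$tmp"
```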
-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED] On
Behalf Of Fletch Hasues
Sent: Thursday, October 02, 2008 4:58 PM
To: [email protected]
Subject: [ossec-list] Re: OSSEC appears to have killed my server
I don't have any answers for you there. But I will make one
suggestion to you. You should make sure you have out of band access
to a server like this in a situation such as yours. Decent servers
have lights-out management or system console cards with a network
stack on them. If you had this access, you could obtain console on
the host, or even physically reset the host. If your hosting provider
cannot provide you with this type of access, then I would look around
for another provider.
Haz
On 9/30/08, Lawler, Thorne <[EMAIL PROTECTED]> wrote:
>
> Folks,
>
> I'm posting this in the awareness that there's probably nothing to be
> done about it at this stage, but some forensic advice might help:
>
> My Ubuntu Hardy (8.04) server is hosted by a crowd who cut costs by not
> providing remote console access or remote power control. It runs OSSEC
> 1.6 with the only major configuration tweak being an increase in the
> active response window: firewall lockouts last for 24 hours rather than
> five minutes because otherwise the barbarian hordes keep my load average
> permanently around 3 (on a single-CPU x86). Server has been up for a few
> weeks without incident, no significant outages in >12 months.
>
> This morning I logged in to turn down the level of the Postfix 'multiple
> delivery attempts from a blacklisted IP' alert from 10 to 8. I made the
> change and restarted ossec.
>
> Almost immediately, the process table began to fill with 'iptables' and
> 'host-deny' processes, and load shot up over 100 within a few seconds.
>
> I am now completely locked out: ssh connections time out. I can ping the
> machine, but that's all.
>
> To my chagrin, I have used up my free support tickets for the month, so
> I will have to pay cash to have my server physically rebooted. I am
> hesitating only because I have no way of knowing if this will fix the
> problem.
>
> Can anyone suggest what may have just happened? I need to make sure this
> can't ever happen again, even if that involves removing ossec: Not even
> ossec can be allowed to thrash the machine so hard that ssh connectivity
> goes down.
>
> --
> Thorne Lawler
> Technical Consultant
> Managed Services | Infrastructure Services | Server Support Unix | KAZ
> Group Pty Ltd
> 360 Elizabeth Street | Melbourne Victoria 3000
> (03) 9631 1747 | 0408 491 552 | Fax: (03) 9654 7334
> [EMAIL PROTECTED] | www.kaz-group.com
> ------------------------------------------------------------------------