Hi David,
The IP you are having trouble with has no reverse DNS (host returns NXDOMAIN). That on its own is only a weak signal, so check the matching log lines before blocking. Try the script below, or vary its search string, to find the entries you are looking for.
-- snip --
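#!/bin/bash
# Look up an address seen in the qmail smtp log and, when its reverse DNS is
# missing (host reports NXDOMAIN), offer to block it via /lscripts/blockip.
#
# Usage: $0 <ip-address>
# Must run as root (blockip edits iptables).  Exits 1 on usage/privilege
# errors.  Missing reverse DNS is a heuristic, not proof of abuse -- review
# the log lines before answering Y.
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

logfile="/var/log/qmail/smtp/current"
mip=$1

### must be root ###
if [[ "$(whoami)" != "root" ]]; then
  echo ""
  echo "$0 must be run as root"
  echo ""
  exit 1
fi

# Without an argument the original ran 'grep <logfile>' and hung reading stdin.
if [[ -z "$mip" ]]; then
  echo "usage: $0 <ip-address>" >&2
  exit 1
fi

# Count the log lines that mention the address.  -F treats it as a literal
# (the original used it as a regex, so each '.' matched any character),
# -w stops 10.1.1.1 also counting 10.1.1.10, and -c replaces 'grep | wc -l'.
is_v=$(grep -Fwc -- "$mip" "$logfile" 2>/dev/null)
is_v=${is_v:-0}
echo "Counted : $is_v entries"

# The original compared the count with "", which is never true for a number,
# so the lookup ran even for addresses absent from the log.
if (( is_v > 0 )); then
  is_host=$(host "$mip")
  echo "Host RDNS = $is_host"
  if grep -q "(NXDOMAIN)" <<<"$is_host"; then
    read -r -p "(NX Domain) found, block IP automatically Y/N : " yn
    case "$yn" in
      # Called directly: the original wrapped this in backticks, which ran
      # blockip's *stdout* as a second command.  The blockip script posted in
      # this thread echoes the iptables line it just applied, so the rule was
      # inserted twice.
      [Yy]*) /lscripts/blockip "$mip" ;;
      [Nn]*) exit 0 ;;
      *) echo "No answer given, not blocking $mip" ;;
    esac
  fi
fi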
-- snip --
Try this to count how many DENIED lines each IP produces in the smtp log (only addresses seen more than once are listed):
--snip --
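#!/bin/bash
# Count, per client address, the DENIED lines in the qmail smtp log so the
# noisiest sources can be picked out for blocking.
#
# Usage: $0            scan /var/log/qmail/smtp/current
#        $0 <anything> scan the newest rotated (@*) log in /var/log/qmail/smtp
# Output: "<count> <ip>" for every address that appears more than once.
# Exits 1 when the log cannot be read or holds no matching line.
PATTERN="DENIED"
LOGDIR="/var/log/qmail/smtp"
FILE="$LOGDIR/current"

if [[ -n "$1" ]]; then
  # Pick the most recently modified rotated log.  The original piped
  # 'lshead -t @*' into head(1) -- presumably 'ls -t'; a glob loop with -nt
  # selects the same file without parsing ls output.
  newfile=""
  for f in "$LOGDIR"/@*; do
    [[ -e "$f" ]] || continue
    if [[ -z "$newfile" || "$f" -nt "$newfile" ]]; then
      newfile=$f
    fi
  done
  if [[ -z "$newfile" ]]; then
    echo "Error: no rotated log (@*) found in '$LOGDIR'" >&2
    exit 1
  fi
  echo "Scanning : ${newfile##*/}"
  FILE=$newfile
fi
echo "$FILE"

if [[ ! -r "$FILE" ]]; then
  echo "Error: cannot read '$FILE'" >&2
  exit 1
fi

if ! grep -q -- "$PATTERN" "$FILE"; then
  # Reported as an error, so exit non-zero (the original exited 0 here).
  echo "Error: The Pattern '$PATTERN' was NOT Found in '$FILE'" >&2
  echo "Exiting..." >&2
  exit 1
fi

# Field 9 is assumed to be the client address in this log format -- verify
# against a sample DENIED line.  awk only splits fields; the original's
# unquoted 'ar=($line)' also glob-expanded each (attacker-influenced) log
# line, so a '*' in a line expanded to file names in the working directory.
# Doing it in one pipeline also removes the fixed-name files under /tmp the
# original wrote as root.  uniq -d keeps only addresses seen more than once,
# as before.
grep -- "$PATTERN" "$FILE" \
  | awk '{ print $9 }' \
  | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n \
  | uniq -dc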
-- snip --
best wishes
Tony White
On 18/4/20 8:33 pm, David Bray wrote:
Hi Tony, thanks
But not so much looking for a solution to block ips.
I’m needing to identify which ips to block
On Sat, 18 Apr 2020 at 8:19 pm, Tony White wrote:
Or this...
-- snip --
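#!/bin/bash
# blockip -- drop all inbound packets from one IPv4 address or CIDR block and
# record the rule in /etc/rc.d/rc.blockedips (presumably re-run at boot).
# Every decision is appended to /var/log/blockip.log.
#
# Usage: blockip <ip>[/<prefix>] | --help
# Must run as root.  Exits 1 on usage/privilege errors, for LAN or
# whitelisted addresses, and when iptables fails; 0 once a rule is in place.
# Note: one INPUT rule per address does not scale to long lists -- an ipset
# would be the usual next step.
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

logf="/var/log/blockip.log"
rcfile="/etc/rc.d/rc.blockedips"
mdate=$(date +%c)
mip=$1

# Prefix covering your LAN; comment out the check below if not needed.
lan_prefix="192.168.1."   # change to suit

# Exact-match whitelist of special clients that must never be blocked.
# Replace the placeholder with real addresses, or leave the array empty.
whitelist=(
  "IP.ADDR.ESS"
)

### must be root ###
if [[ "$(whoami)" != "root" ]]; then
  echo ""
  echo "$0 must be run as root"
  echo ""
  exit 1
fi

# Quoted test: with an empty argument the original '[ $mip == "--help" ]'
# failed with "unary operator expected" and fell through to the checks.
if [[ -z "$mip" || "$mip" == "--help" ]]; then
  echo "========================================"
  echo "Help: Block single and subnet IP's"
  echo "========================================"
  echo "blockip 130.2.1.1"
  echo "blockip 130.2.1.0/24"
  echo "----------------------------------------"
  exit 1
fi

# Validate before any other use of $mip.  The original piped 'echo $mip' into
# 'grep -Ec' and accepted a count of exactly 1, which a value containing a
# newline ("1.2.3.4<NL>anything") satisfies -- and that value was then
# written verbatim into $rcfile.  Matching the whole variable with =~ has no
# per-line semantics.  Octets are limited to 0-255 and the prefix to 0-32
# (the old pattern also accepted 299.299.299.299/39); leading zeros are
# rejected because some address parsers read them as octal.
octet='(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'
ipv4_re="^${octet}\.${octet}\.${octet}\.${octet}(/(3[0-2]|[12]?[0-9]))?$"
if ! [[ "$mip" =~ $ipv4_re ]]; then
  # Non-printable characters are masked so a bad argument cannot forge
  # extra lines in the log.
  safe_mip=${mip//[^[:print:]]/?}
  echo "$mdate Error in IP address $safe_mip" >> "$logf"
  echo "$mdate Error in IP address $safe_mip" >&2
  exit 1
fi

# Never block our own LAN.  The original compared ${mip:0:6} (six characters,
# "192.16") with the ten-character "192.168.1.", so this guard never fired.
if [[ "$mip" == "$lan_prefix"* ]]; then
  echo "$mdate Discarding LAN drop request for $mip" >> "$logf"
  exit 1
fi

# whitelist special clients...
for w in "${whitelist[@]}"; do
  if [[ "$mip" == "$w" ]]; then
    echo "$mdate Discarding WAN drop request for $mip" >> "$logf"
    echo "$mdate Discarding WAN drop request for $mip"
    exit 1
  fi
done

# Skip duplicates (-C needs iptables 1.4.11+; on older builds the check just
# fails and the rule is inserted as before).
if iptables -C INPUT -s "$mip" -j DROP 2>/dev/null; then
  echo "$mdate $mip is already blocked" >> "$logf"
  echo "$mip is already blocked"
  exit 0
fi

# Persist the rule only if iptables accepted it; the original appended to
# $rcfile unconditionally.
if ! iptables -I INPUT -s "$mip" -j DROP; then
  echo "$mdate iptables failed for $mip" >> "$logf"
  echo "$mdate iptables failed for $mip" >&2
  exit 1
fi
echo "iptables -I INPUT -s $mip -j DROP"
echo "iptables -I INPUT -s $mip -j DROP" >> "$rcfile"
echo "$mdate now dropping all packets from $mip" >> "$logf"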
-- snip --
best wishes
Tony White
On 18/4/20 8:09 pm, Tony White wrote:
> Hi David,
> Sorry try this instead...
>
> -- snip --
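#!/bin/sh
# Add an IPv4 address or CIDR block to spamdyke's blacklist_ip so SMTP
# connections from it are rejected.  This does NOT touch iptables: the host
# can still reach the port, spamdyke just refuses the session.
#
# Usage: $0 <ip>[/<prefix>]
# Must run as root.  Exits 1 on privilege or validation errors.
logf="/var/log/blacklist_ip.log"
blacklist="/opt/spamdyke/etc/blacklist_ip"
mdate=$(date +%c)
ip=$1

### must be root ###
if [ "$(whoami)" != "root" ]; then
  echo ""
  echo "$0 must be ran as root"
  echo ""
  exit 1
fi
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

# Validation in two steps, both POSIX sh.  The case pattern rejects an empty
# value and any character outside [0-9./] -- including newlines, which the
# original 'echo $1 | grep -Ec' check let through (a multi-line value whose
# first line is an address counts as exactly one match and was then appended
# verbatim to the blacklist).  grep -x then checks the dotted-quad structure
# of the single remaining line, with octets limited to 0-255 and the prefix
# to 0-32.
octet='(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'
ipv4_re="$octet(\\.$octet){3}(/(3[0-2]|[12]?[0-9]))?"
valid=0
case $ip in
  '' | *[!0-9./]*) ;;
  *) printf '%s\n' "$ip" | grep -Eqx "$ipv4_re" && valid=1 ;;
esac

if [ "$valid" -ne 1 ]; then
  # Mask non-printables so a bad argument cannot forge extra log lines.
  safe_ip=$(printf '%s' "$ip" | tr -c '[:print:]' '?')
  echo "$mdate Error in IP address $safe_ip" >> "$logf"
  echo "$mdate Error in IP address $safe_ip" >&2
  exit 1
elif grep -qxF -- "$ip" "$blacklist" 2>/dev/null; then
  echo "$mdate $ip already listed in $blacklist" >> "$logf"
else
  echo "$ip" >> "$blacklist"
  # The original logged "now dropping all packets", which is misleading for
  # a spamdyke entry: only SMTP sessions are refused.
  echo "$mdate added $ip to spamdyke blacklist $blacklist" >> "$logf"
fi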
> --snip --
>
> best wishes
> Tony White
> On 18/4/20 8:04 pm, Tony White wrote:
>
>> Hi David,
>> Try using this little script...
>>
>> -- snip --
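#!/bin/bash
# Head of the blockip script (the rest was snipped from this message):
# privilege check and --help text.
#
# Usage: blockip <ip>[/<prefix>] | --help
# Must run as root; exits 1 on privilege errors and after printing help.
logf="/var/log/blockip.log"
mdate=$(date +%c)
mip=$1

### must be root ###
if [[ "$(whoami)" != "root" ]]; then
  echo ""
  echo "$0 must be run as root"
  echo ""
  exit 1
fi

# Quoted test: with no argument the original '[ $mip == "--help" ]' failed
# with "unary operator expected" instead of showing the help.
if [[ -z "$mip" || "$mip" == "--help" ]]; then
  echo "========================================"
  echo "Help: Block single and subnet IP's"
  echo "========================================"
  echo "blockip 132.2.1.1"
  # The original example "132.1.0/24" has only three octets and would not
  # pass the script's own address check.
  echo "blockip 132.2.1.0/24"
  echo "----------------------------------------"
  exit 1
fi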
>>
>> -- snip --
>>
>> worked for me forever...
>> Use qtp watchall to monitor the logs and use the output to manually block IPs or subnets
>>
>> If you need more hit me off list.
>>
>> best wishes
>> Tony White
>> On 18/4/20 2:59 pm, David Bray wrote:
>>
>>> I can see I'm getting hammered on my smtps port
>>>
>>> How can I mitigate this?
>>>
>>> I can see the IP's in /var/log/qmail/smtps/current
>>>
>>> *but where do I actually see that the smtp auth actually fails ?*
>>>
>>> or do I need to increase the logging somewhere ?
>>>
>>> if I tail -f /var/log/dovecot.log
>>>
>>> I can see the imap and pop failures
>>>
>>> thanks in advance
>>>
>>> David Bray
>>> 0418 745334
>>> 2 ∞ & <
>>
>>
>
>
--
# David