Hi David,
The IP you are having issues with returns (NXDOMAIN), so try
using this, or a variant of the search string, to find what
you are looking for.

-- snip --
#!/bin/bash
mdate=`date +%c`
mip=$1
### must be root ###
if [ `whoami` != "root" ]; then
        echo ""
        echo "$0 must be run as root"
        echo ""
        exit 1
fi;

export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
# loose IPv4 (optionally /nn) pattern used to sanity-check the argument
is_ip="grep -Ec '^[1-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9](\/[0-3]?[0-9])?$'"

if [ -z "$mip" ] || [ `echo "$mip" | eval $is_ip` != "1" ]; then
   echo "Usage: $0 ip.add.re.ss"
   exit 1
fi;

# grep -c prints the number of matching lines directly
is_v=`grep -c -- "$mip" /var/log/qmail/smtp/current`
echo "Counted : $is_v entries"

if [ "$is_v" -gt 0 ]; then
   is_host=`host "$mip"`
   echo "Host RDNS = $is_host"
   if echo "$is_host" | grep -q "(NXDOMAIN)"; then
   #  echo "(NX Domain) found, block IP automatically..."
   # /lscripts/blockip $mip
    read -p "(NX Domain) found, block IP automatically Y/N : " yn
    case $yn in
      [Yy]* ) /lscripts/blockip "$mip";;   # run directly, not inside backticks
      [Nn]* ) exit;;
    esac
   fi;
fi;

-- snip --

Try this to count the number of times an IP connects.

-- snip --
#!/bin/bash
PATTERN="DENIED"
FILE="/var/log/qmail/smtp/current"
f1="/tmp/ips.txt"
f2="/tmp/current.txt"
f3="/tmp/ipn.txt"

# with any argument, scan the newest rotated multilog file (@timestamp.s) instead
if [ -n "$1" ] ;
then
  cd /var/log/qmail/smtp || exit 1
  newfile=`ls -t @* | head -n1`
  echo "Scanning : $newfile"
  FILE="/var/log/qmail/smtp/$newfile"
fi

echo "$FILE"

[[ -f "$f1" ]] && rm -f "$f1"
[[ -f "$f2" ]] && rm -f "$f2"
[[ -f "$f3" ]] && rm -f "$f3"
if grep -q "$PATTERN" "$FILE";
 then
     #echo "Here are the Strings with the Pattern '$PATTERN':"
     grep "$PATTERN" "$FILE" > "$f2"
     #echo -e "$(wc -l $f2)\n"
     # field 9 (index 8) of a spamdyke DENIED line is the value after "origin_ip:"
     while read -r line
     do
      ar=($line)
      #echo -e "${ar[8]}\n"
      echo "${ar[8]}" >> "$f1"
    done < "$f2"
    sort -n "$f1" > "$f3"
    # only addresses that appear more than once, each prefixed with its count
    uniq -dc "$f3"
  else
     echo "Error: The Pattern '$PATTERN' was NOT Found in '$FILE'"
     echo "Exiting..."
     exit 0
fi

-- snip --

best wishes
  Tony White
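
As an added example (not code from the thread), this counts spamdyke DENIED entries per client address from a constructed sample log and validates an address strictly before it would be handed to a blocking script. It assumes spamdyke's `origin_ip:` field name; the sample addresses are documentation ranges, not real traffic.

```bash
#!/bin/bash
# Added example, not from the list thread: count spamdyke DENIED entries per
# client address and strictly validate an address before it reaches iptables.
# Assumption: spamdyke log lines carry the client address after "origin_ip:",
# as in the constructed sample below; adjust the field name if yours differs.

# Print "count ip" for each address with at least $2 (default 1) DENIED
# entries, busiest first. Takes a multilog "current" or rotated @* file.
count_denied_ips() {
    awk -v min="${2:-1}" '
        /DENIED/ { for (i = 1; i <= NF; i++)
                       if ($i == "origin_ip:") { n[$(i+1)]++; break } }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' "$1" | sort -rn
}

# Strict IPv4 (optional /0-32) check: every octet must be 0-255, which the
# thread's [1-2]?[0-9]?[0-9] pattern does not enforce (it accepts 299).
is_ipv4() {
    case $1 in
        */*) ip=${1%%/*}; cidr=${1#*/} ;;
        *)   ip=$1;        cidr=32 ;;
    esac
    case $cidr in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$cidr" -le 32 ] || return 1
    case $ip in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    n=0
    for o in $(printf '%s' "$ip" | tr . ' '); do
        n=$((n + 1))
        { [ ${#o} -le 3 ] && [ "$o" -le 255 ]; } || return 1
    done
    [ "$n" -eq 4 ]
}

# Constructed sample in spamdyke's multilog style (documentation addresses).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
@4000000060000001 spamdyke[1001]: DENIED_RDNS_MISSING from: a@x.test to: u@example.test origin_ip: 203.0.113.7 origin_rdns: (unknown)
@4000000060000002 spamdyke[1002]: ALLOWED from: b@y.test to: u@example.test origin_ip: 198.51.100.4 origin_rdns: mail.y.test
@4000000060000003 spamdyke[1003]: DENIED_RBL_MATCH from: c@z.test to: u@example.test origin_ip: 203.0.113.7 origin_rdns: (unknown)
@4000000060000004 spamdyke[1004]: DENIED_RDNS_MISSING from: d@w.test to: u@example.test origin_ip: 192.0.2.9 origin_rdns: (unknown)
EOF

# Example run: list repeat offenders, then validate one before any block.
count_denied_ips "$SAMPLE" 2
is_ipv4 203.0.113.7 && echo "203.0.113.7 is well-formed"
```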

On 18/4/20 8:33 pm, David Bray wrote:

Hi Tony, thanks
But not so much looking for a solution to block IPs.

I'm needing to identify which IPs to block

On Sat, 18 Apr 2020 at 8:19 pm, Tony White <t...@ycs.com.au> wrote:

    Or this...

    -- snip --
    #!/bin/bash
    logf="/var/log/blockip.log"
    mdate=`date +%c`
    mip=$1
    ### must be root ###
    if [ `whoami` != "root" ]; then
             echo ""
             echo "$0 must be run as root"
             echo ""
             exit 1
    fi;

    if [ -z "$mip" ] || [ "$mip" = "--help" ]; then
       echo "========================================"
       echo "Help: Block single and subnet IP's"
       echo "========================================"
       echo "blockip 130.2.1.1"
       echo "blockip 130.2.1.0/24"
       echo "----------------------------------------"
       exit 1
    fi;

    # your lan range if needed or comment out
    mip1=${mip:0:10};   # 10 chars, the length of "192.168.1." (a 6-char prefix never matched)
    if [ "$mip1" = "192.168.1." ]; then  # change ip to suit
       echo "$mdate Discarding LAN drop request for $mip1" >> "$logf"
       exit 1
    fi;


    # whitelist special clients...
    # change the IP.ADDR.ESS to suit.
    # comment out to remove
    case "$mip" in
      IP.ADDR.ESS|IP.ADDR.ESS|IP.ADDR.ESS|IP.ADDR.ESS|IP.ADDR.ESS)
       echo "$mdate Discarding WAN drop request for $mip" >> "$logf"
       echo "$mdate Discarding WAN drop request for $mip"
       exit 1 ;;
    esac

    export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
    is_ip="grep -Ec '^[1-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9](\/[0-3]?[0-9])?$'"

    if [ `echo "$mip" |eval $is_ip` != "1" ]; then
       echo "$mdate Error in IP address $mip" >> "$logf"
       echo "$mdate Error in IP address $mip"
    else
       iptables -I INPUT -s "$mip" -j DROP
       echo "iptables -I INPUT -s $mip -j DROP"
       echo "iptables -I INPUT -s $mip -j DROP" >> /etc/rc.d/rc.blockedips
       echo "$mdate now dropping all packets from $mip" >> "$logf"
    fi;
    -- snip --

    best wishes
       Tony White

    On 18/4/20 8:09 pm, Tony White wrote:

    > Hi David,
    >   Sorry, try this instead...
    >
    > -- snip --
    > #!/bin/sh
    > logf="/var/log/blacklist_ip.log"
    > mdate=`date +%c`
    > ### must be root ###
    > if [ `whoami` != "root" ]; then
    >         echo ""
    >         echo "$0 must be run as root"
    >         echo ""
    >         exit 1
    > fi
    > export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
    > is_ip="grep -Ec '^[1-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9](\/[0-3]?[0-9])?$'"
    >
    > # adds the address to spamdyke's IP blacklist instead of a firewall rule
    > if [ `echo "$1" |eval $is_ip` != "1" ]; then
    >   echo "$mdate Error in IP address $1" >> "$logf"
    > else
    >   echo "$1" >> /opt/spamdyke/etc/blacklist_ip
    >   echo "$mdate now dropping all packets from $1" >> "$logf"
    > fi
    > -- snip --
    >
    > best wishes
    >   Tony White
    > On 18/4/20 8:04 pm, Tony White wrote:
    >
    >> Hi David,
    >>   Try using this little script...
    >>
    >> -- snip --
    >> #!/bin/bash
    >> logf="/var/log/blockip.log"
    >> mdate=`date +%c`
    >> mip=$1
    >> ### must be root ###
    >> if [ `whoami` != "root" ]; then
    >>         echo ""
    >>         echo "$0 must be run as root"
    >>         echo ""
    >>         exit 1
    >> fi;
    >>
    >> if [ -z "$mip" ] || [ "$mip" = "--help" ]; then
    >>   echo "========================================"
    >>   echo "Help: Block single and subnet IP's"
    >>   echo "========================================"
    >>   echo "blockip 132.2.1.1"
    >>   echo "blockip 132.1.0/24"
    >>   echo "----------------------------------------"
    >>   exit 1
    >> fi;
    >>
    >> -- snip --
    >>
    >> worked for me forever...
    >> Use qtp watchall to monitor the logs and use the output to manually block ips or subnets
    >>
    >> If you need more hit me off list.
    >>
    >> best wishes
    >>   Tony White
    >> On 18/4/20 2:59 pm, David Bray wrote:
    >>
    >>> I can see I'm getting hammered on my smtps port
    >>>
    >>> How can I mitigate this?
    >>>
    >>> I can see the IP's in /var/log/qmail/smtps/current
    >>>
    >>> *but where do I actually see that the smtp auth actually fails ?*
    >>>
    >>> or do I need to increase the logging somewhere ?
    >>>
    >>> if I tail -f /var/log/dovecot.log
    >>>
    >>> I can see the imap and pop failures
    >>>
    >>> thanks in advance
    >>>
    >>> David Bray
    >>> 0418 745334
    >>> 2 ∞ & <
    >>
    >>
    >> ---------------------------------------------------------------------
    >> To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
    >> For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
    >>
    >
    >
    >



--
# David


