Using a shell script to analyse the maillog dynamically and block malicious IPs with the firewall
System environment: CentOS 6.5 x64
After the Postfix mail system was set up, maillog filled up with “SASL LOGIN authentication failed” entries from junk IP addresses. This script periodically and automatically adds those junk IPs to the firewall, which then rejects them outright. Part of the maillog is shown below.
You can adapt the keyword to whatever appears in your own log file, and so control which IP addresses get added to the firewall.
Jun 11 03:58:36 host postfix/smtpd[11783]: warning: static-200-105-200-14.acelerate.net[200.105.200.14]: SASL LOGIN authentication failed
Jun 11 03:58:36 host postfix/smtpd[11783]: disconnect from static-200-105-200-14.acelerate.net[200.105.200.14]
Jun 11 04:01:56 host postfix/anvil[11785]: statistics: max connection rate 1/60s for (smtp:200.105.200.14) at Jun 11 03:58:33
Jun 11 04:01:56 host postfix/anvil[11785]: statistics: max connection count 1 for (smtp:200.105.200.14) at Jun 11 03:58:33
Jun 11 04:01:56 host postfix/anvil[11785]: statistics: max cache size 1 at Jun 11 03:58:33
Jun 11 04:07:13 host postfix/smtpd[11811]: warning: 191.8.183.187: hostname 191-8-183-187.user.vivozap.com.br verification failed: Name or service not known
Jun 11 04:07:13 host postfix/smtpd[11811]: connect from unknown[191.8.183.187]
Jun 11 04:07:15 host postfix/smtpd[11811]: warning: unknown[191.8.183.187]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:07:16 host postfix/smtpd[11811]: disconnect from unknown[191.8.183.187]
Jun 11 04:10:00 host postfix/smtpd[11817]: connect from unknown[186.179.219.145]
Jun 11 04:10:01 host postfix/smtpd[11817]: warning: unknown[186.179.219.145]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:10:02 host postfix/smtpd[11817]: disconnect from unknown[186.179.219.145]
Jun 11 04:12:53 host postfix/smtpd[11822]: connect from 187-162-93-226.static.axtel.net[187.162.93.226]
Jun 11 04:12:54 host postfix/smtpd[11822]: warning: 187-162-93-226.static.axtel.net[187.162.93.226]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:12:54 host postfix/smtpd[11822]: disconnect from 187-162-93-226.static.axtel.net[187.162.93.226]
Jun 11 04:15:42 host postfix/smtpd[11827]: warning: 191.8.183.187: hostname 191-8-183-187.user.vivozap.com.br verification failed: Name or service not known
Jun 11 04:15:42 host postfix/smtpd[11827]: connect from unknown[191.8.183.187]
Jun 11 04:15:44 host postfix/smtpd[11827]: warning: unknown[191.8.183.187]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:15:45 host postfix/smtpd[11827]: disconnect from unknown[191.8.183.187]
Jun 11 04:17:13 host postfix/anvil[11813]: statistics: max cache size 1 at Jun 11 04:07:13
Jun 11 04:21:27 host postfix/smtpd[11842]: warning: 201.20.89.190: hostname 201-20-89-190.baydenet.com.br verification failed: Name or service not known
Jun 11 04:21:27 host postfix/smtpd[11842]: connect from unknown[201.20.89.190]
Jun 11 04:21:29 host postfix/smtpd[11842]: warning: unknown[201.20.89.190]: SASL LOGIN authentication failed: authentication failure
[[email protected] ] cd /etc/postfix/
[[email protected] postfix]# vi ipadd
#!/bin/bash
# Block maillog SASL LOGIN authentication failed IP address and add to iptables
# written by evan.li 2017.06.13
IPTABLES=/sbin/iptables
EGREP=/bin/egrep
MAILLOG=/var/log/maillog
FAILED_LOG=/var/log/sasl-failed.txt
IP_FILE=/var/log/ipfailed.txt
ip_regex="[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}"

# Start from an empty rule set; the site's own rules are re-applied at the end
$IPTABLES -F
$IPTABLES -X

# Step 1: keep only the maillog lines that contain the keyword
grep "SASL LOGIN authentication failed" "$MAILLOG" > "$FAILED_LOG"

# Step 2: pull the dotted-quad addresses out of those lines, one per line, duplicates removed
$EGREP -o "$ip_regex" "$FAILED_LOG" | sort -u > "$IP_FILE"

# Step 3: add a DROP rule for every address (blank lines and # comments in the file are skipped)
IPS=$($EGREP -v "^#|^$" "$IP_FILE")
for ip in $IPS
do
    echo "blocking $ip"
    $IPTABLES -A INPUT -s "$ip" -j DROP
done

# Re-apply the site's custom rules, then save and restart so the rule set persists
/etc/sysconfig/customrules
/etc/rc.d/init.d/iptables save
service iptables restart
exit 0
Notes on the shell script
1. First, generate /var/log/sasl-failed.txt, containing only the lines that carry the keyword “SASL LOGIN authentication failed”.
2. From sasl-failed.txt, extract the junk IPs into a file of bare IP addresses, /var/log/ipfailed.txt.
3. Have the script load the bare IP file into the firewall and restart the service so the rules take effect.
The customrules file holds your custom firewall rules; write it by hand in advance, based on your existing firewall rules.
When this script runs it clears the existing iptables rules, so be sure to back up your iptables file beforehand, just in case.
Below is my company's existing firewall rules file.
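As an added example (not the ipadd script from this post), the following carries the same three steps a bit further: it extracts the client IP from each failure line, counts failures per address, lists only addresses at or above a threshold (so a single mistyped password does not get a host blocked), skips an allowlist pattern for your own networks, and prints the iptables commands for review instead of running them. The log lines, the threshold and the allowlist pattern are constructed for the example.

```shell
#!/bin/sh
# Added example: count SASL failures per client IP and render candidate DROP rules.
# Nothing here runs iptables; the output is meant to be reviewed first.

# Constructed sample lines in the Postfix format shown in the post.
SAMPLE_LOG=$(cat <<'EOF'
Jun 11 04:07:15 host postfix/smtpd[11811]: warning: unknown[191.8.183.187]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:10:01 host postfix/smtpd[11817]: warning: unknown[186.179.219.145]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:12:54 host postfix/smtpd[11822]: warning: mx.example[187.162.93.226]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:15:44 host postfix/smtpd[11827]: warning: unknown[191.8.183.187]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:16:02 host postfix/smtpd[11827]: disconnect from unknown[191.8.183.187]
Jun 11 04:17:00 host postfix/smtpd[11830]: warning: unknown[10.0.0.5]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:18:44 host postfix/smtpd[11831]: warning: unknown[191.8.183.187]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:19:01 host postfix/smtpd[11832]: warning: unknown[186.179.219.145]: SASL LOGIN authentication failed: authentication failure
EOF
)

# failed_ips LOGTEXT THRESHOLD [ALLOWLIST_REGEX]
# Prints "count ip", most failures first, for every client with at least THRESHOLD
# failures whose address does not match ALLOWLIST_REGEX (extended regex, e.g. '^10\.').
failed_ips() {
    allow=${3:-'^$'}   # default never matches a non-empty line, so nothing is skipped
    printf '%s\n' "$1" \
      | grep 'SASL LOGIN authentication failed' \
      | sed -n 's/.*\[\([0-9.]*\)\]: SASL LOGIN.*/\1/p' \
      | grep -E -v -- "$allow" \
      | sort | uniq -c \
      | awk -v min="$2" '$1 >= min { print $1, $2 }' \
      | sort -k1,1nr -k2,2
}

# Turn the counted list into iptables commands for review; the script does not execute them.
render_rules() {
    failed_ips "$1" "$2" "$3" \
      | awk '{ printf "/sbin/iptables -A INPUT -s %s -j DROP   # %d failures\n", $2, $1 }'
}

render_rules "$SAMPLE_LOG" 2 '^10\.'
```

Pipe the real maillog through `failed_ips "$(cat /var/log/maillog)" 3 '^10\.'` to see which addresses would be written to ipfailed.txt before letting the hourly job block them.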
[[email protected] postfix]# vi /etc/sysconfig/customrules
#!/bin/bash
# Site firewall rules; the ipadd script executes this file after adding its DROP rules,
# so the DROP rules sit above these ACCEPT rules in the INPUT chain.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 25,47,80,82,110,143,443,1723,1935 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 3306,8081,8181,22110,13128,13389 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 23300:23308 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
Add execute permissions
[[email protected] postfix]# chmod +x /etc/sysconfig/customrules
[[email protected] postfix]# chmod +x /etc/postfix/ipadd
Add it to the scheduled tasks, to run once every hour
[[email protected] postfix]# vi /etc/crontab
0 */1 * * * root /etc/postfix/ipadd
ipadd script download: http://down.51cto.com/data/2316790
The shell script above was tested successfully on 2017.6.13.
This article comes from the “虛擬化應用” blog; please keep this attribution: http://liwenhn.blog.51cto.com/854522/1935009