Dynamically analyze the Postfix maillog with a shell script and block malicious IPs in the firewall
System environment: CentOS 6.5 x64
With the Postfix mail system installed, the maillog filled up with "SASL LOGIN authentication failed" entries from junk IP addresses (password-guessing attempts against SMTP AUTH). The script below automatically adds those IPs to the iptables firewall so that their connections are dropped outright. A section of the maillog is shown below; adapt the keyword the script greps for to match the entries in your own log files.
Jun 11 03:58:36 host postfix/smtpd[11783]: warning: static-200-105-200-14.acelerate.net[200.105.200.14]: SASL LOGIN authentication failed: authentication failure
Jun 11 03:58:36 host postfix/smtpd[11783]: disconnect from static-200-105-200-14.acelerate.net[200.105.200.14]
Jun 11 04:01:56 host postfix/anvil[11785]: statistics: max connection rate 1/60s for (smtp:200.105.200.14) at Jun 11 03:58:33
Jun 11 04:01:56 host postfix/anvil[11785]: statistics: max connection count 1 for (smtp:200.105.200.14) at Jun 11 03:58:33
Jun 11 04:01:56 host postfix/anvil[11785]: statistics: max cache size 1 at Jun 11 03:58:33
Jun 11 04:07:13 host postfix/smtpd[11811]: warning: 191.8.183.187: hostname 191-8-183-187.user.vivozap.com.br verification failed: Name or service not known
Jun 11 04:07:13 host postfix/smtpd[11811]: connect from unknown[191.8.183.187]
Jun 11 04:07:15 host postfix/smtpd[11811]: warning: unknown[191.8.183.187]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:07:16 host postfix/smtpd[11811]: disconnect from unknown[191.8.183.187]
Jun 11 04:10:00 host postfix/smtpd[11817]: connect from unknown[186.179.219.145]
Jun 11 04:10:01 host postfix/smtpd[11817]: warning: unknown[186.179.219.145]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:10:02 host postfix/smtpd[11817]: disconnect from unknown[186.179.219.145]
Jun 11 04:12:53 host postfix/smtpd[11822]: connect from 187-162-93-226.static.axtel.net[187.162.93.226]
Jun 11 04:12:54 host postfix/smtpd[11822]: warning: 187-162-93-226.static.axtel.net[187.162.93.226]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:12:54 host postfix/smtpd[11822]: disconnect from 187-162-93-226.static.axtel.net[187.162.93.226]
Jun 11 04:15:42 host postfix/smtpd[11827]: warning: 191.8.183.187: hostname 191-8-183-187.user.vivozap.com.br verification failed: Name or service not known
Jun 11 04:15:42 host postfix/smtpd[11827]: connect from unknown[191.8.183.187]
Jun 11 04:15:44 host postfix/smtpd[11827]: warning: unknown[191.8.183.187]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:15:45 host postfix/smtpd[11827]: disconnect from unknown[191.8.183.187]
Jun 11 04:17:13 host postfix/anvil[11813]: statistics: max cache size 1 at Jun 11 04:07:13
Jun 11 04:21:27 host postfix/smtpd[11842]: warning: 201.20.89.190: hostname 201-20-89-190.baydenet.com.br verification failed: Name or service not known
Jun 11 04:21:27 host postfix/smtpd[11842]: connect from unknown[201.20.89.190]
Jun 11 04:21:29 host postfix/smtpd[11842]: warning: unknown[201.20.89.190]: SASL LOGIN authentication failed: authentication failure
[root@host ~]# cd /etc/postfix/
[root@host postfix]# vi ipadd
#!/bin/bash
# Block the IP addresses found in maillog "SASL LOGIN authentication failed" lines by adding them to iptables
# Written by Evan.li 2017.06.13
IPTABLES=/sbin/iptables
EGREP=/bin/egrep
COUNTRY="CN"
# Flush all existing filter rules and delete user-defined chains (back up your rules first, see the note below)
$IPTABLES -F
$IPTABLES -X
IP_REGEX="[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}"
# Step 1: collect every failed-login line from the maillog
grep "SASL LOGIN authentication failed" /var/log/maillog > /var/log/sasl-failed.txt
# Step 2: reduce those lines to a sorted, de-duplicated list of bare IP addresses
find /var/log/ -name "sasl-failed.txt" -type f -print | xargs cat | $EGREP -o "$IP_REGEX" | sort | uniq > /var/log/ipfailed.txt
# Step 3: add a DROP rule for each address (COUNTRY is only used as a loop counter here, so the body runs once)
for c in $COUNTRY
do
    COUNTRY_FILE=/var/log/ipfailed.txt
    IPS=$($EGREP -v "^#|^$" $COUNTRY_FILE)
    for ip in $IPS
    do
        echo "Blocking $ip"
        $IPTABLES -A INPUT -s $ip -j DROP
    done
done
# Re-apply the site's own rules, then save and reload so the ruleset survives a restart
/etc/sysconfig/customrules
/etc/rc.d/init.d/iptables save
service iptables restart
exit 0
Shell script description
First, generate /var/log/sasl-failed.txt from every maillog line that contains the keyword "SASL LOGIN authentication failed".
Second, extract the junk IP addresses from sasl-failed.txt into a file of bare IPs, /var/log/ipfailed.txt.
Third, import the bare IP file into the firewall as DROP rules and restart the iptables service so they take effect.
The customrules file holds your own firewall rules; it has to be written by hand in advance from your existing ruleset.
The script flushes every existing iptables rule (iptables -F and iptables -X) before it runs, so be sure to back up the iptables rules file (/etc/sysconfig/iptables on CentOS 6) beforehand, just in case.
Below is my company's original firewall rules file.
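As an added example (not part of the original post or the ipadd script), here is a variant of the extraction step that counts failures per client IP and only emits addresses that reach a threshold, skips an allow-list, and inserts each DROP rule only if it is not already present, so the script can run hourly without the iptables -F / customrules re-apply step described above. The log lines embedded in it are constructed to match the maillog format shown earlier; the allow-listed address 10.0.0.5 (an internal relay) is hypothetical. It assumes an iptables that supports -S (list rules); pass "echo" as the second argument of block_ip to dry-run.

```shell
#!/bin/bash
# Added example, not the original ipadd script. Counts "SASL LOGIN authentication
# failed" events per client IP and blocks only repeat offenders, adding each DROP
# rule idempotently instead of flushing the whole ruleset.

# Constructed sample in the maillog format shown above (10.0.0.5 is a hypothetical
# internal relay with a mistyped password that must not be blocked).
SAMPLE_LOG='Jun 11 04:07:13 host postfix/smtpd[11811]: warning: 191.8.183.187: hostname 191-8-183-187.user.vivozap.com.br verification failed: Name or service not known
Jun 11 04:07:13 host postfix/smtpd[11811]: connect from unknown[191.8.183.187]
Jun 11 04:07:15 host postfix/smtpd[11811]: warning: unknown[191.8.183.187]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:07:16 host postfix/smtpd[11811]: disconnect from unknown[191.8.183.187]
Jun 11 04:10:01 host postfix/smtpd[11817]: warning: unknown[186.179.219.145]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:12:54 host postfix/smtpd[11822]: warning: 187-162-93-226.static.axtel.net[187.162.93.226]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:15:44 host postfix/smtpd[11827]: warning: unknown[191.8.183.187]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:17:13 host postfix/anvil[11813]: statistics: max cache size 1 at Jun 11 04:07:13
Jun 11 04:20:01 host postfix/smtpd[11830]: warning: unknown[186.179.219.145]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:22:10 host postfix/smtpd[11835]: warning: relay.example[10.0.0.5]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:22:40 host postfix/smtpd[11835]: warning: relay.example[10.0.0.5]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:23:10 host postfix/smtpd[11835]: warning: relay.example[10.0.0.5]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:25:44 host postfix/smtpd[11840]: warning: unknown[191.8.183.187]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:30:00 host postfix/smtpd[11845]: warning: static-200-105-200-14.acelerate.net[200.105.200.14]: SASL LOGIN authentication failed: authentication failure'

# Steps 1 and 2 combined: pull the client IP out of each failure line on stdin.
# Postfix logs the client as "name[a.b.c.d]:" right before the failure text, so
# we anchor on that bracket instead of grabbing any dotted quad on the line (the
# "hostname ... verification failed" warning also carries an IP but is not a
# failed login).
extract_failed_ips() {
    sed -n 's/.*\[\([0-9.]\{7,15\}\)\]: SASL LOGIN authentication failed.*/\1/p'
}

# Emit one IP per line for addresses with at least $1 failures, skipping any in
# the space-separated allow-list $2 (your own relays, monitoring hosts, etc.).
blocklist() {
    extract_failed_ips | sort | uniq -c \
        | awk -v min="$1" -v allow=" $2 " '$1 >= min && index(allow, " " $2 " ") == 0 { print $2 }'
}

# Insert a DROP rule for $1 only if it is not already present, so hourly cron
# runs stay idempotent and never need iptables -F. -I puts the rule at the top
# of INPUT, ahead of any ACCEPT for port 25. $2 is the iptables command
# (default /sbin/iptables); pass "echo" to dry-run. Assumes iptables supports -S.
block_ip() {
    local ip="$1" ipt="${2:-/sbin/iptables}"
    if "$ipt" -S INPUT | grep -qF -- "-s $ip/32 -j DROP"; then
        return 0
    fi
    "$ipt" -I INPUT -s "$ip" -j DROP
}

# Dry run over the constructed sample: block anyone with two or more failures,
# but never the internal relay.
printf '%s\n' "$SAMPLE_LOG" | blocklist 2 "10.0.0.5" | while read -r ip; do
    block_ip "$ip" echo
done
```

With the threshold in place a single mistyped password no longer earns a permanent DROP, and because block_ip checks before inserting, the hourly cron entry can call it directly without flushing and re-applying customrules; run /etc/rc.d/init.d/iptables save afterwards, as the original script does, if the rules should survive a reboot.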
[root@host postfix]# vi /etc/sysconfig/customrules
#!/bin/bash
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 25,47,80,82,110,143,443,1723,1935 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 3306,8081,8181,22110,13128,13389 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 23300:23308 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
Add executable permissions:
[root@host postfix]# chmod +x /etc/sysconfig/customrules
[root@host postfix]# chmod +x /etc/postfix/ipadd
Add it to the scheduled tasks so that it runs every hour:
[root@host postfix]# vi /etc/crontab
0 */1 * * * root /etc/postfix/ipadd
ipadd script download: http://down.51cto.com/data/2316790
The shell script above was tested successfully on 2017-06-13.
This article is from the "Virtualized apps" blog; please keep the source when reposting: http://liwenhn.blog.51cto.com/854522/1935009