Looking for a script to scan zimbra logs and add IP's to ufw rules

copowpow
Posts: 19
Joined: Mon Mar 26, 2018 3:34 pm

Looking for a script to scan zimbra logs and add IP's to ufw rules

Postby copowpow » Wed Apr 17, 2019 5:14 pm

Just as the title says, I'm looking for a script to scan Zimbra logs and add IPs to ufw rules. Also looking for advice as to whether this is a bad idea or not. Here's an example entry from our log; I want to add the 333.333.333.333 IP to the ufw block list:

Mar 17 12:00:18 mail postfix/smtpd[19842]: NOQUEUE: reject: RCPT from unknown[333.333.333.333]: 450 4.7.25 Client host rejected: cannot find your hostname, [333.333.333.333]; from=<example@example.com> to=<example@example.com> proto=ESMTP helo=<example.example.com>

Has anyone produced a script that does this?

Thoughts?


phoenix
Ambassador
Posts: 26285
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Looking for a script to scan zimbra logs and add IP's to ufw rules

Postby phoenix » Wed Apr 17, 2019 5:58 pm

Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168
copowpow
Posts: 19
Joined: Mon Mar 26, 2018 3:34 pm

Re: Looking for a script to scan zimbra logs and add IP's to ufw rules

Postby copowpow » Wed Apr 17, 2019 6:37 pm

Thanks Bill, shortly after I posted this I figured someone would answer with fail2ban. Fail2ban has its place, that's for sure; I was looking for something more lightweight than fail2ban, like a standalone shell script that feeds rules or offending IPs directly into ufw (or even just a txt file) instead of the underlying iptables.

I guess I should just write a grep script from scratch haha
phoenix
Ambassador
Posts: 26285
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Looking for a script to scan zimbra logs and add IP's to ufw rules

Postby phoenix » Wed Apr 17, 2019 6:45 pm

I don't use fail2ban, but doesn't it do exactly what you want? Can't it be modified for UFW?

Regards

Bill
copowpow
Posts: 19
Joined: Mon Mar 26, 2018 3:34 pm

Re: Looking for a script to scan zimbra logs and add IP's to ufw rules

Postby copowpow » Thu Apr 18, 2019 7:23 pm

I started looking into this, here is my first attempt:

Code:

grep "cannot find your hostname" zimbra.log > cantfind.txt && grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" cantfind.txt | sort | uniq | sort -n > ips.txt


That gets me a list of offending IPs; now to figure out how to add them to ufw.
copowpow
Posts: 19
Joined: Mon Mar 26, 2018 3:34 pm

Re: Looking for a script to scan zimbra logs and add IP's to ufw rules

Postby copowpow » Fri Apr 19, 2019 7:46 pm

I got some help! Had to work around Zimbra's apparent double compression on the log files. These will add the IPs with 50 or more attempts to the ufw deny rules.

Best:

Code:

cp /var/log/zimbra.log.1.gz /home/user && gunzip -d /home/user/zimbra.log.1.gz && mv /home/user/zimbra.log.1 /home/user/zimbra.log.1.gz && gunzip -d /home/user/zimbra.log.1.gz --to-stdout | sed -n -e 's/.*cannot find your hostname...\([\.0-9]\{7,15\}\).*/\1/p' | awk '{ a[$0] += 1 } END { for (ip in a) { if (a[ip] >= 50) { print ip; }}}' | xargs -r ufw deny from


Also good:

Code:

cp /var/log/zimbra.log.1.gz /home/user && gunzip -d /home/user/zimbra.log.1.gz && mv /home/user/zimbra.log.1 /home/user/zimbra.log.1.gz && gunzip -d /home/user/zimbra.log.1.gz --to-stdout | awk 'match($0,/unknown\[([\.0-9]+)\]/,m) && (a[m[1]]+=1)==50 && system("ufw deny from " m[1])'
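A consolidated version of the pipeline from the last two posts, as an added example that is not the poster's or Zimbra's code: it reads the compressed log directly instead of copying and unzipping it, counts rejections per client IP in portable awk, and only prints the ufw commands unless APPLY=1 is set. The sample log lines, the ALLOWLIST variable and the threshold argument are assumptions, not from the thread.

```shell
#!/bin/sh
# Added example, not the poster's code: count postfix "cannot find your hostname"
# rejections per client IP and turn the repeat offenders into ufw deny rules.

# Constructed sample log lines in the format quoted in the thread (not real traffic).
SAMPLE_LOG='Mar 17 12:00:18 mail postfix/smtpd[19842]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 450 4.7.25 Client host rejected: cannot find your hostname, [203.0.113.10]; from=<a@example.com> to=<b@example.com> proto=ESMTP helo=<x.example.com>
Mar 17 12:00:19 mail postfix/smtpd[19842]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 450 4.7.25 Client host rejected: cannot find your hostname, [203.0.113.10]; from=<a@example.com> to=<b@example.com> proto=ESMTP helo=<x.example.com>
Mar 17 12:00:20 mail postfix/smtpd[19843]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.25 Client host rejected: cannot find your hostname, [198.51.100.7]; from=<c@example.com> to=<b@example.com> proto=ESMTP helo=<y.example.com>
Mar 17 12:01:00 mail postfix/smtpd[19844]: connect from mx.example.net[192.0.2.5]'

# Space-separated IPs that must never be blocked (assumed: your own relays, monitoring).
ALLOWLIST=${ALLOWLIST:-"192.0.2.5"}

# offenders FILE [THRESHOLD]: print "count ip" for every client with at least
# THRESHOLD (default 50) rejections. Reads .gz files directly, no temp copies needed.
offenders() {
    file=$1; min=${2:-50}
    case "$file" in
        *.gz) gzip -dc "$file" ;;
        *)    cat "$file" ;;
    esac | awk -v min="$min" '
        /cannot find your hostname/ && match($0, /unknown\[[0-9.]+\]/) {
            ip = substr($0, RSTART + 8, RLENGTH - 9)   # strip "unknown[" and "]"
            count[ip]++
        }
        END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
    ' | sort -rn
}

# deny_rules FILE [THRESHOLD]: one "ufw deny from IP" per offender, skipping the
# allowlist. Rules are only printed unless APPLY=1 is set in the environment.
deny_rules() {
    offenders "$1" "$2" | while read -r _count ip; do
        case " $ALLOWLIST " in *" $ip "*) continue ;; esac
        echo "ufw deny from $ip"
        if [ "${APPLY:-0}" = 1 ]; then ufw deny from "$ip"; fi
    done
}

# Demo on the constructed sample with a threshold of 2.
# Real use: APPLY=1 ./script.sh /var/log/zimbra.log.1.gz 50 (after checking the dry run).
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp) && printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    deny_rules "$tmp" 2
    rm -f "$tmp"
fi
```

Run it without APPLY first and read the printed rules; a misparsed line or a missing allowlist entry shows up as a wrong IP before anything touches the firewall.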
