Looking for a script to scan zimbra logs and add IP's to ufw rules
Posted: Wed Apr 17, 2019 5:14 pm
by copowpow
Just as the title says, I'm looking for a script to scan zimbra logs and add IPs to ufw rules. Also looking for advice as to whether this is a bad idea or not. Here's an example entry from our log, I want to add the 333.333.333.333 ip to the ufw block list:
Mar 17 12:00:18 mail postfix/smtpd[19842]: NOQUEUE: reject: RCPT from unknown[333.333.333.333]: 450 4.7.25 Client host rejected: cannot find your hostname, [333.333.333.333]; from=<example@example.com> to=<example@example.com> proto=ESMTP helo=<example.example.com>
Has anyone produced a script that does this?
Thoughts?
Re: Looking for a script to scan zimbra logs and add IP's to ufw rules
Posted: Wed Apr 17, 2019 5:58 pm
by phoenix
Re: Looking for a script to scan zimbra logs and add IP's to ufw rules
Posted: Wed Apr 17, 2019 6:37 pm
by copowpow
Thanks Bill, shortly after I posted this I figured someone would answer with fail2ban. Fail2ban has its place, that's for sure, I was looking for something more lightweight than fail2ban, like a standalone shell script that feeds rules or offending IPs directly into ufw (or even just a txt file) instead of the underlying iptables.
I guess I should just write a grep script from scratch haha
Re: Looking for a script to scan zimbra logs and add IP's to ufw rules
Posted: Wed Apr 17, 2019 6:45 pm
by phoenix
I don't use fail2ban but doesn't it do exactly what you want, can't it be modified for UFW?
Re: Looking for a script to scan zimbra logs and add IP's to ufw rules
Posted: Thu Apr 18, 2019 7:23 pm
by copowpow
I started looking into this, here is my first attempt:
Code:
# pull the reject lines out, then extract every dotted-quad from them and de-duplicate
grep "cannot find your hostname" zimbra.log > cantfind.txt && \
grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" cantfind.txt | sort -u | sort -n > ips.txt
That gets me a list of offending IPs, now to figure out how to add them to the ufw
Re: Looking for a script to scan zimbra logs and add IP's to ufw rules
Posted: Fri Apr 19, 2019 7:46 pm
by copowpow
I got some help! Had to work around zimbra's apparent double compression on the log files. These will add the IPs with 50 or more attempts to the ufw deny rules
Best:
Code:
# copy the rotated log out, unpack the outer layer, then stream the inner layer;
# count rejects per IP, keep those with 50 or more, and deny each one (-n1: one ufw call per IP)
cp /var/log/zimbra.log.1.gz /home/user && gunzip -d /home/user/zimbra.log.1.gz && \
mv /home/user/zimbra.log.1 /home/user/zimbra.log.1.gz && \
gunzip --to-stdout /home/user/zimbra.log.1.gz | \
sed -n -e 's/.*cannot find your hostname...\([\.0-9]\{7,15\}\).*/\1/p' | \
awk '{ a[$0] += 1 } END { for (ip in a) { if (a[ip] >= 50) { print ip } } }' | \
xargs -r -n1 ufw deny from
Also good:
Code:
# needs gawk (three-argument match() is a GNU extension); system() fires once per IP,
# at the moment its count reaches 50, so each IP gets a single deny rule
cp /var/log/zimbra.log.1.gz /home/user && gunzip -d /home/user/zimbra.log.1.gz && \
mv /home/user/zimbra.log.1 /home/user/zimbra.log.1.gz && \
gunzip --to-stdout /home/user/zimbra.log.1.gz | \
awk 'match($0,/unknown\[([\.0-9]+)\]/,m) && (a[m[1]]+=1)==50 && system("ufw deny from " m[1])'
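The same idea as a small standalone script, added here as an example and not copowpow's code: it reads plain or gzipped logs, thresholds rejects per IP, skips an allowlist and IPs already in the ufw rule set, and can be dry-run with UFW=echo. The function and variable names (read_logs, offenders, apply_denies, THRESHOLD, UFW) are this example's own, and the allowlist path in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example (not code from the thread): count "cannot find your hostname"
# rejects per client IP and add one ufw deny rule for each IP at or above
# THRESHOLD. Function and variable names are this example's own.

THRESHOLD="${THRESHOLD:-50}"   # rejects needed before an IP is blocked
UFW="${UFW:-ufw}"              # set UFW=echo to dry-run without touching ufw

# Read the log files given as arguments, decompressing *.gz on the fly.
read_logs() {
    for f in "$@"; do
        case "$f" in
            *.gz) gzip -dc -- "$f" ;;
            *)    cat -- "$f" ;;
        esac
    done
}

# From log text on stdin, print "count ip" for each IP meeting THRESHOLD.
offenders() {
    sed -n 's/.*cannot find your hostname, \[\([0-9.]\{7,15\}\)].*/\1/p' |
    sort | uniq -c |
    awk -v t="$THRESHOLD" '$1 >= t { print $1, $2 }'
}

# Deny each "count ip" line on stdin, skipping IPs listed in the allowlist
# file ($1, one IP per line) and IPs already present in "ufw status".
# A missing PTR record is common on misconfigured but legitimate mail hosts,
# so keep partner relays in the allowlist.
apply_denies() {
    allow="${1:-/dev/null}"
    existing="$("$UFW" status 2>/dev/null || true)"
    while read -r count ip; do
        grep -qxF "$ip" "$allow" && continue
        printf '%s\n' "$existing" | grep -qF "$ip" && continue
        "$UFW" deny from "$ip" </dev/null
    done
}

# Usage: block-no-rdns.sh ALLOWLIST LOG... (e.g. /path/to/allow.txt /var/log/zimbra.log*)
main() {
    allow="$1"; shift
    read_logs "$@" | offenders | apply_denies "$allow"
}

if [ "$#" -ge 2 ]; then
    main "$@"
fi
```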