Looking for a script to scan zimbra logs and add IP's to ufw rules

Posted: Wed Apr 17, 2019 5:14 pm
by copowpow
Just as the title says, I'm looking for a script to scan Zimbra logs and add IPs to ufw rules. Also looking for advice as to whether this is a bad idea or not. Here's an example entry from our log; I want to add the 333.333.333.333 IP to the ufw block list:

Mar 17 12:00:18 mail postfix/smtpd[19842]: NOQUEUE: reject: RCPT from unknown[333.333.333.333]: 450 4.7.25 Client host rejected: cannot find your hostname, [333.333.333.333]; from=<example@example.com> to=<example@example.com> proto=ESMTP helo=<example.example.com>

Has anyone produced a script that does this?

Thoughts?

Re: Looking for a script to scan zimbra logs and add IP's to ufw rules

Posted: Wed Apr 17, 2019 5:58 pm
by phoenix

Re: Looking for a script to scan zimbra logs and add IP's to ufw rules

Posted: Wed Apr 17, 2019 6:37 pm
by copowpow



Thanks Bill, shortly after I posted this I figured someone would answer with fail2ban. Fail2ban has its place, that's for sure; I was looking for something more lightweight than fail2ban, like a standalone shell script that feeds rules or offending IPs directly into ufw (or even just a txt file) instead of the underlying iptables.

I guess I should just write a grep script from scratch haha

Re: Looking for a script to scan zimbra logs and add IP's to ufw rules

Posted: Wed Apr 17, 2019 6:45 pm
by phoenix
I don't use fail2ban, but doesn't it do exactly what you want? Can't it be modified for UFW?

Re: Looking for a script to scan zimbra logs and add IP's to ufw rules

Posted: Thu Apr 18, 2019 7:23 pm
by copowpow
I started looking into this; here is my first attempt:

Code:

grep "cannot find your hostname" zimbra.log > cantfind.txt && grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" cantfind.txt | sort | uniq | sort -n > ips.txt


That gets me a list of offending IPs; now to figure out how to add them to ufw.

Re: Looking for a script to scan zimbra logs and add IP's to ufw rules

Posted: Fri Apr 19, 2019 7:46 pm
by copowpow
I got some help! Had to work around Zimbra's apparent double compression on the log files. These will add the IPs with 50 or more attempts to the ufw deny rules.

Best:

Code:

# Zimbra's rotated log is gzipped twice, so decompress it twice on the way through
# instead of copying it around; -n1 runs one "ufw deny from <ip>" per address
# (without it xargs would pass every address to a single ufw command).
gunzip -c /var/log/zimbra.log.1.gz | gunzip -c \
  | sed -n -e 's/.*cannot find your hostname, \[\([0-9.]\{7,15\}\)].*/\1/p' \
  | awk '{ a[$0] += 1 } END { for (ip in a) if (a[ip] >= 50) print ip }' \
  | xargs -r -n1 ufw deny from


Also good:

Code:

# Needs gawk for the three-argument match(); ++a[ip] == 50 is true exactly once
# per address, so each offender gets a single ufw deny rule.
gunzip -c /var/log/zimbra.log.1.gz | gunzip -c \
  | gawk 'match($0, /unknown\[([0-9.]+)\]/, m) && ++a[m[1]] == 50 { system("ufw deny from " m[1]) }'
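A standalone shell version of the pipeline built up in this thread, added here as an example rather than copowpow's own code: it counts "cannot find your hostname" rejects per client address, emits one ufw deny rule per address over a threshold, and checks "ufw status" first so re-running it does not add duplicate rules. The "ufw status" layout it parses ("Anywhere  DENY IN  <ip>") is an assumption, and the sample log and status lines are constructed.

```shell
# Added example (not from the thread): count hostname rejects per client IP in
# Zimbra's postfix log and emit one "ufw deny from" rule per offender, skipping
# IPs ufw already denies. Dry run unless APPLY=1. Feed a double-gzipped rotated
# log through "gunzip -c | gunzip -c" first.

# Constructed sample log lines (RFC 5737 test addresses), shaped like the thread's example.
sample_log() {
    cat <<'EOF'
Mar 17 12:00:18 mail postfix/smtpd[19842]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 4.7.25 Client host rejected: cannot find your hostname, [203.0.113.5]; from=<a@example.com> to=<b@example.com> proto=ESMTP helo=<x.example.com>
Mar 17 12:00:19 mail postfix/smtpd[19842]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 4.7.25 Client host rejected: cannot find your hostname, [203.0.113.5]; from=<a@example.com> to=<b@example.com> proto=ESMTP helo=<x.example.com>
Mar 17 12:00:20 mail postfix/smtpd[19843]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.25 Client host rejected: cannot find your hostname, [198.51.100.7]; from=<a@example.com> to=<b@example.com> proto=ESMTP helo=<y.example.com>
Mar 17 12:00:21 mail postfix/smtpd[19842]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 4.7.25 Client host rejected: cannot find your hostname, [203.0.113.5]; from=<a@example.com> to=<b@example.com> proto=ESMTP helo=<x.example.com>
Mar 17 12:00:22 mail postfix/smtpd[19844]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 450 4.7.25 Client host rejected: cannot find your hostname, [203.0.113.9]; from=<a@example.com> to=<b@example.com> proto=ESMTP helo=<z.example.com>
Mar 17 12:00:23 mail postfix/smtpd[19844]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 450 4.7.25 Client host rejected: cannot find your hostname, [203.0.113.9]; from=<a@example.com> to=<b@example.com> proto=ESMTP helo=<z.example.com>
Mar 17 12:00:24 mail postfix/smtpd[19845]: connect from mx.example.net[192.0.2.10]
EOF
}

# Constructed "ufw status" output (assumed layout) with 203.0.113.9 already denied.
sample_status() {
    printf '%s\n' 'To                         Action      From' \
                  '--                         ------      ----' \
                  'Anywhere                   DENY IN     203.0.113.9'
}

# offenders THRESHOLD < log  ->  "<count> <ip>" for each IP with >= THRESHOLD rejects
offenders() {
    sed -n 's/.*cannot find your hostname, \[\([0-9.]\{7,15\}\)].*/\1/p' \
      | sort | uniq -c \
      | awk -v t="$1" '$1 >= t { print $1, $2 }'
}

# already_denied IP < "ufw status" output  ->  true if a DENY rule from IP exists
already_denied() {
    ip_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # quote the dots for grep -E
    grep -Eq "DENY.*[[:space:]]${ip_re}([[:space:]]|\$)"
}

# block_offenders THRESHOLD STATUS_FILE < log  ->  prints the rules it would add
block_offenders() {
    offenders "$1" | while read -r count ip; do
        if already_denied "$ip" < "$2"; then
            echo "# $ip already denied ($count rejects), skipping"
        else
            echo "ufw deny from $ip    # $count rejects"
            if [ "${APPLY:-0}" = 1 ]; then ufw deny from "$ip"; fi
        fi
    done
}
```

Typical use: `gunzip -c /var/log/zimbra.log.1.gz | gunzip -c | block_offenders 50 <(ufw status)` to preview, then the same with `APPLY=1` once the list looks right.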