- awk
- ipset & iptables
Read your mail log for authentication failure:
Create this bash script as ckmail.sh (or download it):
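#!/bin/bash
## created by dedetok April 2016
## GNU GPL v3
echo "reading mail log file"
# Print the client (field 7) and the last two words of every
# "authentication failure" line, then count identical lines.
awk '(/authentication failure/) { print $7," ",$(NF-1)," ",$(NF)}' /var/log/mail.log | sort | uniq -c | {
    # line1 = count, line2 = host[ip]:, line3 line4 = "authentication failure"
    while read -r line1 line2 line3 line4
    do
        # Only report clients with 5 or more failures
        if [ "$line1" -ge 5 ]; then
            echo -e "$line1\t$line2 $line3 $line4"
        fi
    done
}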
Create an ipset set for blacklisting SMTP:
# ipset create mynetrulessmtpd hash:net
Run the script and populate mynetrulessmtpd:
# ./ckmail.sh
reading mail log file
20 unknown[157.122.148.154]: authentication failure
840 unknown[195.22.127.187]: authentication failure
16 unknown[91.193.74.31]: authentication failure
# ipset add mynetrulessmtpd 157.122.148.154
# ipset add mynetrulessmtpd 195.22.127.187
# ipset add mynetrulessmtpd 91.193.74.31
Add the ipset set to the iptables rules:
# iptables -I INPUT -p tcp --match multiport --dports smtp,smtps -m set --match-set mynetrulessmtpd src -j DROP
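The manual copy from the script output into ipset can be scripted. The following is an added example, not part of the original ckmail.sh: it keeps only strictly validated IPv4 addresses, because the hostname in front of the brackets comes from reverse DNS and is not trustworthy, and it prints the ipset commands for review instead of running them. The function names and sample log lines are constructed for illustration; the log layout (client in field 7) is assumed from the awk command above.

```shell
#!/bin/bash
# Added example, not part of the original ckmail.sh.
# Assumes the log layout used above: field 7 is "host[ip]:".

SET_NAME="mynetrulessmtpd"   # set name from the article

# Read mail log lines on stdin; print each IPv4 address with at least
# $1 "authentication failure" lines (default 5), one per line, sorted.
failed_auth_ips() {
    awk -v min="${1:-5}" '
    /authentication failure/ {
        # Use only the bracketed part at the end of field 7; the
        # hostname before it comes from reverse DNS and is untrusted.
        if (!match($7, /\[[0-9.]+\]:?$/)) next
        ip = substr($7, RSTART + 1)
        sub(/\]:?$/, "", ip)
        # Accept strict dotted-quad IPv4 only.
        if (split(ip, o, ".") != 4) next
        ok = 1
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3 || o[i] + 0 > 255) ok = 0
        if (ok) count[ip]++
    }
    END { for (ip in count) if (count[ip] >= min) print ip }' | sort
}

# Turn the addresses on stdin into ipset commands; -exist makes
# re-adding an address that is already in the set a no-op.
ipset_commands() {
    while read -r ip; do
        printf 'ipset add %s %s -exist\n' "$SET_NAME" "$ip"
    done
}

# Constructed sample log lines (documentation address ranges).
sample_log() {
    for n in 1 2 3 4 5 6; do
        echo "Apr 10 12:00:0$n mail postfix/smtpd[1234]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure"
    done
    echo "Apr 10 12:01:00 mail postfix/smtpd[1234]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure"
    echo "Apr 10 12:02:00 mail postfix/smtpd[1234]: warning: x[999.1.1.1]: SASL LOGIN authentication failed: authentication failure"
}

sample_log | failed_auth_ips 5 | ipset_commands
```

On a real server, feed /var/log/mail.log to failed_auth_ips instead of sample_log, and check the printed list for your own addresses before running the commands.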