Looking for a script to scan zimbra logs and add IP's to ufw rules

copowpow
Posts: 20
Joined: Mon Mar 26, 2018 3:34 pm

Looking for a script to scan zimbra logs and add IP's to ufw rules

Post by copowpow »

Just as the title says, I'm looking for a script to scan Zimbra logs and add IPs to ufw rules. Also looking for advice as to whether this is a bad idea or not. Here's an example entry from our log; I want to add the 333.333.333.333 IP to the ufw block list:

Mar 17 12:00:18 mail postfix/smtpd[19842]: NOQUEUE: reject: RCPT from unknown[333.333.333.333]: 450 4.7.25 Client host rejected: cannot find your hostname, [333.333.333.333]; from=<example@example.com> to=<example@example.com> proto=ESMTP helo=<example.example.com>

Has anyone produced a script that does this?

Thoughts?
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Looking for a script to scan zimbra logs and add IP's to ufw rules

Post by phoenix »

Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
copowpow
Posts: 20
Joined: Mon Mar 26, 2018 3:34 pm

Re: Looking for a script to scan zimbra logs and add IP's to ufw rules

Post by copowpow »


Thanks Bill, shortly after I posted this I figured someone would answer with fail2ban. Fail2ban has its place, that's for sure; I was looking for something more lightweight than fail2ban, like a standalone shell script that feeds rules or offending IPs directly into ufw (or even just a txt file) instead of the underlying iptables.

I guess I should just write a grep script from scratch haha
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Looking for a script to scan zimbra logs and add IP's to ufw rules

Post by phoenix »

I don't use fail2ban, but doesn't it do exactly what you want? Can't it be modified for UFW?
copowpow
Posts: 20
Joined: Mon Mar 26, 2018 3:34 pm

Re: Looking for a script to scan zimbra logs and add IP's to ufw rules

Post by copowpow »

I started looking into this, here is my first attempt:

# grep takes the file name directly, and "sort -u" replaces "sort | uniq | sort -n"
grep "cannot find your hostname" zimbra.log > cantfind.txt && grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" cantfind.txt | sort -u > ips.txt

That gets me a list of offending IPs; now to figure out how to add them to ufw.
copowpow
Posts: 20
Joined: Mon Mar 26, 2018 3:34 pm

Re: Looking for a script to scan zimbra logs and add IP's to ufw rules

Post by copowpow »

I got some help! Had to work around Zimbra's apparent double compression on the log files. These will add the IPs with 50 or more attempts to the ufw deny rules.

Best:

# The rotated log arrives gzip-compressed twice, so decompress it twice straight
# to stdout instead of copying, renaming and unpacking it under /home/user.
gzip -dc /var/log/zimbra.log.1.gz | gzip -dc \
  | sed -n -e 's/.*cannot find your hostname, \[\([0-9.]\{7,15\}\)].*/\1/p' \
  | awk '{ a[$0] += 1 } END { for (ip in a) if (a[ip] >= 50) print ip }' \
  | xargs -r -n1 ufw insert 1 deny from
# -n1: "ufw deny from" takes one address; without it xargs hands every IP to a
# single ufw call, which fails.
# insert 1: ufw stops at the first matching rule, so a deny appended with plain
# "ufw deny" after an existing "allow 25/tcp" rule never fires for port 25.
Also good:

gzip -dc /var/log/zimbra.log.1.gz | gzip -dc \
  | awk 'match($0, /unknown\[([0-9.]+)\]/, m) && (a[m[1]] += 1) == 50 && system("ufw insert 1 deny from " m[1])'
# Needs gawk: the three-argument match() is a GNU extension. The rule is issued
# exactly once, on the 50th matching line from an address. Note this counts
# every line containing "unknown[IP]", not only the hostname rejections.
# "insert 1" puts the deny ahead of any earlier allow rule; ufw stops at the
# first match, so a deny appended after "allow 25/tcp" would never fire.
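As an added example, not code from the thread, from copowpow's helper or from Zimbra, here is the whole procedure the posts above build up (the grep pipeline of the first attempt, the double-compressed rotated log, the per-IP threshold and the ufw rules) as a small POSIX shell script, with the pieces the one-liners skip: the IP is taken only from the 450 4.7.25 hostname rejection rather than from any bracketed number on the line, addresses are validated before they reach ufw, and the rules are inserted at the top of the chain. The function names, the DRY_RUN switch and the embedded sample log are assumptions of this example; the log lines are constructed, not real traffic.

```shell
#!/bin/sh
# Added example, not code from the thread: count "cannot find your hostname"
# rejects per client IP in a Zimbra/postfix log and turn the repeat offenders
# into ufw deny rules. Function names, the sample log, the DRY_RUN switch and
# the threshold handling are this example's own assumptions.
set -eu

# Safe by default: print the ufw commands. Set DRY_RUN=0 to really run them.
DRY_RUN=${DRY_RUN:-1}

# Constructed sample log (not real traffic; 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges). One host is rejected three times, one once, one
# line is a different reject reason, one is a plain connect, and one carries
# the thread's placeholder address 333.333.333.333, which is not a valid IPv4.
sample_log() {
    i=1
    while [ "$i" -le 3 ]; do
        printf 'Mar 17 12:00:0%s mail postfix/smtpd[19842]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 450 4.7.25 Client host rejected: cannot find your hostname, [203.0.113.7]; from=<a@example.com> to=<b@example.com> proto=ESMTP helo=<mx.example.com>\n' "$i"
        i=$((i + 1))
    done
    printf 'Mar 17 12:01:00 mail postfix/smtpd[19843]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 450 4.7.25 Client host rejected: cannot find your hostname, [198.51.100.9]; from=<a@example.com> to=<b@example.com> proto=ESMTP helo=<mx.example.com>\n'
    printf 'Mar 17 12:01:05 mail postfix/smtpd[19843]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.9]: 554 5.7.1 <b@example.com>: Relay access denied; from=<a@example.com> to=<b@example.com> proto=ESMTP helo=<mx.example.com>\n'
    printf 'Mar 17 12:02:00 mail postfix/smtpd[19844]: connect from mail.example.org[203.0.113.200]\n'
    printf 'Mar 17 12:03:00 mail postfix/smtpd[19845]: NOQUEUE: reject: RCPT from unknown[333.333.333.333]: 450 4.7.25 Client host rejected: cannot find your hostname, [333.333.333.333]; from=<a@example.com> to=<b@example.com> proto=ESMTP helo=<mx.example.com>\n'
}

# Read a rotated log that may be gzip-compressed more than once (the thread
# reports zimbra.log.N.gz arriving double-compressed) and write plain text to
# stdout. Keeps unwrapping while the payload still starts with the gzip magic
# bytes 1f 8b; an uncompressed file passes through unchanged.
unpack_log() {
    tmp=$(mktemp)
    cp "$1" "$tmp"
    while [ "$(od -An -N2 -tx1 "$tmp" | tr -d ' \n')" = "1f8b" ]; do
        gzip -dc "$tmp" > "$tmp.out" && mv "$tmp.out" "$tmp"
    done
    cat "$tmp"
    rm -f "$tmp"
}

# Print the client IP of every "cannot find your hostname" reject on stdin.
# Only the address in "RCPT from name[addr]" is taken, and only when the reply
# is the 450 4.7.25 hostname rejection, so other reject reasons, connect lines
# and addresses elsewhere on the line (helo, sender domain) are never counted.
offending_ips() {
    sed -n 's|^.* postfix/smtpd\[[0-9]*]: NOQUEUE: reject: RCPT from [^[]*\[\([0-9.]*\)]: 450 4\.7\.25 Client host rejected: cannot find your hostname.*|\1|p'
}

# Count rejects per IP and print "count ip" for every address at or above the
# threshold (first argument, default 50), most frequent first.
count_rejects() {
    offending_ips | sort | uniq -c \
        | awk -v t="${1:-50}" '$1 >= t { print $1, $2 }' | sort -rn
}

# Accept only a dotted quad with every octet in 0..255; ufw refuses anything
# else, and the check keeps a garbage token off the ufw command line.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 { ok = 1 }
        END { exit !ok }'
}

# Emit (or run) one ufw rule per offending address. "insert 1" matters: ufw
# stops at the first matching rule, so a deny appended with plain "ufw deny"
# after an existing "allow 25/tcp" never fires for port 25.
block_ips() {
    count_rejects "${1:-50}" | while read -r count ip; do
        if ! valid_ipv4 "$ip"; then
            printf 'skipping malformed address %s\n' "$ip" >&2
            continue
        fi
        if [ "$DRY_RUN" = 1 ]; then
            printf 'ufw insert 1 deny from %s  # %s rejects\n' "$ip" "$count"
        else
            ufw insert 1 deny from "$ip" comment "zimbra: $count hostname rejects"
        fi
    done
}

# Demo on the constructed log with the threshold lowered to 3. Against a real
# rotated log: unpack_log /var/log/zimbra.log.1.gz | block_ips 50
sample_log | block_ips 3
```

Run it as-is to see the commands it would issue; run it with DRY_RUN=0 as root to apply them. The sed pattern is deliberately anchored on the full "NOQUEUE: reject: RCPT from name[addr]: 450 4.7.25" shape so that a "Relay access denied" or a successful "connect from" line from the same address never counts toward the threshold, and the 333.333.333.333 placeholder from the first post is rejected by the octet check before ufw ever sees it.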