Just as the title says, I'm looking for a script to scan Zimbra logs and add IPs to ufw rules. Also looking for advice as to whether this is a bad idea or not. Here's an example entry from our log; I want to add the 333.333.333.333 IP to the ufw block list:
Mar 17 12:00:18 mail postfix/smtpd[19842]: NOQUEUE: reject: RCPT from unknown[333.333.333.333]: 450 4.7.25 Client host rejected: cannot find your hostname, [333.333.333.333]; from=<example@example.com> to=<example@example.com> proto=ESMTP helo=<example.example.com>
Has anyone produced a script that does this?
Thoughts?
Looking for a script to scan zimbra logs and add IP's to ufw rules
Re: Looking for a script to scan zimbra logs and add IP's to ufw rules
phoenix wrote: How about fail2ban: https://www.startpage.com/do/dsearch?qu ... ge=english
Thanks Bill, shortly after I posted this I figured someone would answer with fail2ban. Fail2ban has its place, that's for sure. I was looking for something more lightweight than fail2ban, like a standalone shell script that feeds rules or offending IPs directly into ufw (or even just a txt file) instead of the underlying iptables.
I guess I should just write a grep script from scratch haha
Re: Looking for a script to scan zimbra logs and add IP's to ufw rules
I don't use fail2ban, but doesn't it do exactly what you want? Can't it be modified for UFW?
Re: Looking for a script to scan zimbra logs and add IP's to ufw rules
I started looking into this, here is my first attempt:

grep "cannot find your hostname" zimbra.log > cantfind.txt && grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" cantfind.txt | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n -u > ips.txt

That gets me a list of offending IPs; now to figure out how to add them to ufw.
Re: Looking for a script to scan zimbra logs and add IP's to ufw rules
I got some help! Had to work around Zimbra's apparent double compression on the log files. These will add the IPs with 50 or more attempts to the ufw deny rules.

Best:

# unpack twice (the rotated file turned out to be gzipped twice), pull the client IP out of
# each "cannot find your hostname" rejection, count per IP, deny every IP that hit 50 or more
zcat /var/log/zimbra.log.1.gz | zcat \
  | sed -n -e 's/.*cannot find your hostname...\([\.0-9]\{7,15\}\).*/\1/p' \
  | awk '{ a[$0] += 1 } END { for (ip in a) { if (a[ip] >= 50) { print ip } } }' \
  | xargs -r -n 1 ufw deny from

Also good:

# same idea in a single gawk pass (three-argument match() is a GNU awk extension): the 50th
# "unknown[IP]" line seen for an IP fires the ufw call once; later lines for it are ignored
zcat /var/log/zimbra.log.1.gz | zcat \
  | awk 'match($0,/unknown\[([\.0-9]+)\]/,m) && (a[m[1]]+=1)==50 && system("ufw deny from " m[1])'
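Here is the same idea written out as a small POSIX shell script. It is an added example, not the poster's script and not anything shipped by Zimbra or ufw. The sample log lines are constructed from the line format quoted in the first post, using documentation addresses; the variable names THRESHOLD, ALLOWLIST and APPLY and the function names are this example's own assumptions. It goes slightly beyond the thread in three ways: it takes the client IP only from the "RCPT from unknown[...]" field of hostname-rejection lines rather than from any dotted quad on the line, it copes with a rotated log that is gzipped either once or twice, and it skips addresses on an allow-list before emitting rules.

```sh
#!/bin/sh
# Added example, not the forum poster's script: count "cannot find your hostname"
# rejections per client IP in postfix/smtpd log lines and turn the repeat offenders
# into ufw deny rules. Prints the commands by default; APPLY=1 pipes them into sh.
# THRESHOLD, ALLOWLIST, APPLY and the function names are this example's own assumptions.

# Constructed sample lines in the format quoted in the thread (documentation IPs).
SAMPLE_LOG='Mar 17 12:00:18 mail postfix/smtpd[19842]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 450 4.7.25 Client host rejected: cannot find your hostname, [203.0.113.7]; from=<a@example.com> to=<b@example.com> proto=ESMTP helo=<x.example.com>
Mar 17 12:00:19 mail postfix/smtpd[19842]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 450 4.7.25 Client host rejected: cannot find your hostname, [203.0.113.7]; from=<a@example.com> to=<b@example.com> proto=ESMTP helo=<x.example.com>
Mar 17 12:00:20 mail postfix/smtpd[19842]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 450 4.7.25 Client host rejected: cannot find your hostname, [198.51.100.9]; from=<a@example.com> to=<b@example.com> proto=ESMTP helo=<y.example.com>
Mar 17 12:00:21 mail postfix/smtpd[19843]: connect from mx.example.net[192.0.2.5]
Mar 17 12:00:22 mail postfix/smtpd[19842]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 450 4.7.25 Client host rejected: cannot find your hostname, [203.0.113.7]; from=<a@example.com> to=<b@example.com> proto=ESMTP helo=<x.example.com>'

# Stream a log file to stdout. A .gz archive is decompressed once; because the thread
# found Zimbra's rotated log gzipped twice, the result is unpacked again if it is still
# gzip data (gzip -t on the intermediate stream decides, no suffix guessing involved).
read_log() {
    case "$1" in
        *.gz)
            tmp=$(mktemp) || return 1
            gzip -dc < "$1" > "$tmp"
            if gzip -t < "$tmp" 2>/dev/null; then gzip -dc < "$tmp"; else cat "$tmp"; fi
            rm -f "$tmp"
            ;;
        *) cat "$1" ;;
    esac
}

# Read log text on stdin; print "count ip" for each client rejected at least $1 times.
# Only hostname-rejection lines count, and the IP is taken from "RCPT from unknown[IP]"
# rather than from any dotted quad on the line (the trailing "[IP];" copy is ignored).
offending_ips() {
    awk -v min="$1" '
        /cannot find your hostname/ {
            ip = $0
            sub(/.*RCPT from unknown\[/, "", ip)
            sub(/].*/, "", ip)
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) count[ip]++
        }
        END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
    ' | sort -rn
}

# Emit one ufw command per offending IP, skipping anything in ALLOWLIST (space-separated).
# "insert 1" matters: ufw stops at the first matching rule, so a deny appended after an
# existing "allow 25/tcp" would never be reached for SMTP traffic.
ufw_commands() {
    offending_ips "$1" | while read -r _count ip; do
        case " $ALLOWLIST " in
            *" $ip "*) continue ;;
        esac
        printf 'ufw insert 1 deny from %s\n' "$ip"
    done
}

# Dry run unless APPLY=1 is set in the environment.
run_or_print() {
    if [ "${APPLY:-0}" = 1 ]; then sh; else cat; fi
}

THRESHOLD="${THRESHOLD:-50}"
ALLOWLIST="${ALLOWLIST:-}"

if [ "$#" -gt 0 ]; then
    read_log "$1" | ufw_commands "$THRESHOLD" | run_or_print
else
    # No file given: demonstrate on the constructed sample with a threshold of 2.
    printf '%s\n' "$SAMPLE_LOG" | ufw_commands 2 | run_or_print
fi
```

With no argument the script prints `ufw insert 1 deny from 203.0.113.7` for the embedded sample; against a real file run it as root, e.g. `APPLY=1 THRESHOLD=50 sh block.sh /var/log/zimbra.log.1.gz`, after first running it without APPLY to review what it would block. Two things worth checking before automating it: ufw evaluates rules top to bottom, so a plain `ufw deny from` appended below an existing allow for port 25 has no effect (hence `insert 1`, which in turn needs at least one rule already present), and a single reject type is a blunt signal, since a DNS failure on your own resolver side would make every client look like "cannot find your hostname", which is what ALLOWLIST is for.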