
Re: blocking 465 connections to mail server for specific IP address without using fail2ban



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Slightly improved shell script: it runs iprange only once and merges both
lists together.


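#!/bin/bash
#
# Ban source addresses that failed exim4 SMTP AUTH (login_saslauthd) on the
# scanned ports: collect them from a logwatch mail, normalise the list with
# iprange, load plain addresses into a hash:ip ipset and any CIDR ranges
# iprange produced into a hash:net ipset, and DROP traffic from those sets
# to the ports in banned_ports_list.
#
# Usage:    run as root; no arguments.
# Requires: iprange, ipset, iptables (with -C / --check support).
#
# Each run replaces the set contents atomically (ipset swap) and only inserts
# the DROP rules if they are not already present, so the script is safe to
# re-run and never leaves a window in which the rules reference a missing
# set.

set -o pipefail

# Destination ports whose traffic from banned sources is dropped
# (iptables multiport syntax).
banned_ports_list=25,465,993,995

# Ports whose authentication failures are scanned for offending sources.
scan_ports=(25 465)

logwatch_file=/var/log/exim4/logwatch-email-20190622a.eml

# Live ipset names (max 31 characters, the scratch set appends "-new").
set_net=bad-exim4-exploiters-net
set_ip=bad-exim4-exploiters-ip

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Print the source address of every "login_saslauthd authenticator failed"
# log line for one port, one per line (not yet de-duplicated).
# Arguments: $1 - port number, $2 - file to scan
# Outputs:   addresses on stdout
#######################################
failed_auth_sources() {
  local port=$1 file=$2
  # The address is the bracketed token immediately before ":<port>:".
  # Taking it directly (instead of stripping a "(helo-name) " prefix first)
  # means the attacker-chosen HELO text can not confuse the extraction.
  sed -n 's/.*login_saslauthd authenticator failed for .*\[\([^]]*\)\]:'"${port}"':.*/\1/p' -- "$file"
}

#######################################
# Print the merged ban list for all scan_ports, cleaned up and uniquely
# sorted by iprange.
# NB iprange may also conflate adjacent plain addresses into CIDR entries,
#    which is why a hash:net set is needed in addition to hash:ip.
# Globals:   scan_ports, logwatch_file (read)
# Outputs:   one address or CIDR per line on stdout
#######################################
build_ban_list() {
  local port
  for port in "${scan_ports[@]}"; do
    failed_auth_sources "$port" "$logwatch_file"
  done | iprange
}

#######################################
# Atomically replace the contents of an ipset with the given entries.
# A scratch set is filled and then swapped in, so the live set (and the
# iptables rules referencing it) never disappears.
# Arguments: $1 - set name, $2 - set type (hash:ip or hash:net),
#            remaining arguments - entries to load (may be none)
# Returns:   exits via die if the swap fails
#######################################
refresh_set() {
  local name=$1 type=$2
  local scratch="${name}-new" entry
  shift 2
  # -exist makes create a no-op when a set of exactly this type exists.
  ipset -exist create "$name" "$type"
  ipset -exist create "$scratch" "$type"
  ipset flush "$scratch"
  for entry in "$@"; do
    # An entry ipset rejects is skipped rather than aborting the refresh.
    ipset -exist add "$scratch" "$entry" \
      || printf 'warning: ipset rejected entry %s for %s\n' "$entry" "$name" >&2
  done
  ipset swap "$scratch" "$name" || die "ipset swap ${scratch} ${name} failed"
  ipset destroy "$scratch"
}

#######################################
# Insert the DROP rule for one ipset into INPUT unless it is already there.
# Arguments: $1 - ipset name
# Globals:   banned_ports_list (read)
#######################################
ensure_drop_rule() {
  local set=$1
  local -a rule=(INPUT -p tcp -m multiport --dports "${banned_ports_list}"
                 -m set --match-set "$set" src -j DROP)
  # -C reports (non-zero, with a message on stderr) when the rule is absent.
  iptables -C "${rule[@]}" 2>/dev/null || iptables -I "${rule[@]}"
}

main() {
  local -a bad_sources=() nets=() ips=()
  local src

  [[ -r "$logwatch_file" ]] || die "cannot read ${logwatch_file}"
  mapfile -t bad_sources < <(build_ban_list)

  # iprange output containing a "/" is a CIDR range (hash:net); anything
  # else is a single address (hash:ip).
  for src in "${bad_sources[@]}"; do
    if [[ "$src" == */* ]]; then
      nets+=("$src")
    else
      ips+=("$src")
    fi
  done

  refresh_set "$set_net" hash:net "${nets[@]}"
  refresh_set "$set_ip"  hash:ip  "${ips[@]}"

  ensure_drop_rule "$set_net"
  ensure_drop_rule "$set_ip"
}

main "$@"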


-----BEGIN PGP SIGNATURE-----

iHUEAREIAB0WIQTJAoMHtC6YydLfjUOoFmvLt+/i+wUCXQ49YAAKCRCoFmvLt+/i
+2PwAP0eneL250uCwwz2Mb1yZlgNJjwWIrzgWXirvSCthM8JJAD+Kzioc/WgCtnA
YG89Zzv/AxgiLPlJJZ3INQ3eGLlFKiQ=
=vGhQ
-----END PGP SIGNATURE-----

