Re: blocking 465 connections to mail server for specific IP address without using fail2ban
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Slightly improved shell script: it runs iprange only once and merges both
lists together.
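#!/bin/bash
# Build ipset block lists from exim4 "login_saslauthd authenticator failed"
# lines found in a logwatch e-mail and install iptables DROP rules that apply
# them to the mail ports in banned_ports_list.
#
# Usage: script [logwatch-file]   (defaults to the path below)
# Requires iprange, ipset and iptables; must run as root.
# Safe to re-run: the sets are swapped in atomically and existing rules are
# not duplicated.

declare -a tcp25_set tcp465_set tcp_25_465_set

banned_ports_list=25,465,993,995
logwatch_file=${1:-/var/log/exim4/logwatch-email-20190622a.eml}
readonly banned_ports_list logwatch_file
readonly net_set=bad-exim4-exploiters-net
readonly ip_set=bad-exim4-exploiters-ip

# Print a message to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

[[ -r "${logwatch_file}" ]] || die "cannot read ${logwatch_file}"
for tool in iprange ipset iptables; do
  command -v "${tool}" >/dev/null || die "required tool not found: ${tool}"
done

#######################################
# Extract the bracketed source address from every
# "login_saslauthd authenticator failed for (helo) [addr]:PORT:" line
# for one port, sorted and de-duplicated, one per line.
# Globals:   logwatch_file (read)
# Arguments: $1 - port number, e.g. 25
# Outputs:   addresses on stdout (empty when nothing matches)
#######################################
extract_failed_ips() {
  local port=$1
  # 's/^(.*) //' drops the parenthesised helo name, 's/:.*$//' keeps only the
  # text before the first ':' (i.e. "[a.b.c.d]") and tr strips the brackets.
  # An IPv6 address is cut at its first ':' by that sed step and is rejected
  # by the validation below.
  grep -- "login_saslauthd authenticator failed for.*:${port}:" "${logwatch_file}" \
    | sed \
      -e 's/^.*login_saslauthd authenticator failed for //' \
      -e 's/^(.*) //' -e 's/:.*$//' \
    | tr -d '\[\]' \
    | sort -u
}

# mapfile reads one token per line without word-splitting or pathname
# expansion, so a stray token taken from the (remotely influenced) log text
# cannot glob against the current directory as an unquoted $(...) would.
mapfile -t tcp25_set < <(extract_failed_ips 25)
mapfile -t tcp465_set < <(extract_failed_ips 465)

# create sorted & unique ip set tcp_25_465_set
# NB iprange will cleanup and uniquely sort the ip addresses list
# - this /may/ also conflate plain ip entries to CIDR entries
tcp_25_465_set=()
if (( ${#tcp25_set[@]} + ${#tcp465_set[@]} > 0 )); then
  mapfile -t tcp_25_465_set < <(
    printf '%s\n' "${tcp25_set[@]}" "${tcp465_set[@]}" | iprange
  )
fi

# Populate scratch sets first and then swap them into place, so the DROP
# rules keep matching the previous list until the new one is complete and
# there is no window where the referenced sets are missing or empty.
for scratch in "${net_set}-new" "${ip_set}-new"; do
  ipset destroy "${scratch}" 2>/dev/null   # leftover from an aborted run
done
ipset create "${net_set}-new" hash:net || die "cannot create ${net_set}-new"
ipset create "${ip_set}-new" hash:ip || die "cannot create ${ip_set}-new"

for badip in "${tcp_25_465_set[@]}"; do
  # Accept only dotted-quad addresses, optionally with a /prefix: the sets
  # are IPv4 and anything else here is a parsing artefact, not an address.
  if [[ ! "${badip}" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$ ]]; then
    printf 'skipping unexpected address token: %q\n' "${badip}" >&2
    continue
  fi
  # CIDR entries (containing '/') belong in the hash:net set, plain
  # addresses in the hash:ip set
  if [[ "${badip}" == */* ]]; then
    ipset add "${net_set}-new" "${badip}" -exist
  else
    ipset add "${ip_set}-new" "${badip}" -exist
  fi
done

# create the live sets on the first run, then swap the new contents in
ipset list -n "${net_set}" >/dev/null 2>&1 \
  || ipset create "${net_set}" hash:net || die "cannot create ${net_set}"
ipset list -n "${ip_set}" >/dev/null 2>&1 \
  || ipset create "${ip_set}" hash:ip || die "cannot create ${ip_set}"
ipset swap "${net_set}-new" "${net_set}" || die "cannot swap ${net_set}"
ipset swap "${ip_set}-new" "${ip_set}" || die "cannot swap ${ip_set}"
ipset destroy "${net_set}-new"
ipset destroy "${ip_set}-new"

# add iptables rules to use ipsets, but only when not already present so
# that a re-run does not stack duplicate rules
for setname in "${net_set}" "${ip_set}"; do
  rule=(INPUT -p tcp -m multiport --dports "${banned_ports_list}"
        -m set --match-set "${setname}" src -j DROP)
  iptables -C "${rule[@]}" 2>/dev/null \
    || iptables -I "${rule[@]}" \
    || die "cannot insert iptables rule for ${setname}"
done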
-----BEGIN PGP SIGNATURE-----
iHUEAREIAB0WIQTJAoMHtC6YydLfjUOoFmvLt+/i+wUCXQ49YAAKCRCoFmvLt+/i
+2PwAP0eneL250uCwwz2Mb1yZlgNJjwWIrzgWXirvSCthM8JJAD+Kzioc/WgCtnA
YG89Zzv/AxgiLPlJJZ3INQ3eGLlFKiQ=
=vGhQ
-----END PGP SIGNATURE-----