用Shell脚本动态分析maillog日志,把恶意IP用防火墙禁止
2017-06-13 16:09
549 查看
用Shell脚本动态分析maillog日志,把恶意IP用防火墙禁止系统环境:Centos 6.5 x64
Postfix邮件系统装好后,发现maillog中太多“SASL LOGIN authentication failed”垃圾IP地址。此脚本用于定期自动的将垃圾IP加入到防火墙中,直接拒绝掉。maillog部分信息如下
用户可以根据自己日志文件中的关键字,灵活的来调整要加入到防火墙当中的IP地址。
Jun 11 03:58:36 host postfix/smtpd[11783]: warning: static-200-105-200-14.acelerate.net[200.105.200.14]: SASL LOGIN authentication failed: authentication failure
Jun 11 03:58:36 host postfix/smtpd[11783]: disconnect from static-200-105-200-14.acelerate.net[200.105.200.14]
Jun 11 04:01:56 host postfix/anvil[11785]: statistics: max connection rate 1/60s for (smtp:200.105.200.14) at Jun 11 03:58:33
Jun 11 04:01:56 host postfix/anvil[11785]: statistics: max connection count 1 for (smtp:200.105.200.14) at Jun 11 03:58:33
Jun 11 04:01:56 host postfix/anvil[11785]: statistics: max cache size 1 at Jun 11 03:58:33
Jun 11 04:07:13 host postfix/smtpd[11811]: warning: 191.8.183.187: hostname 191-8-183-187.user.vivozap.com.br verification failed: Name or service not known
Jun 11 04:07:13 host postfix/smtpd[11811]: connect from unknown[191.8.183.187]
Jun 11 04:07:15 host postfix/smtpd[11811]: warning: unknown[191.8.183.187]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:07:16 host postfix/smtpd[11811]: disconnect from unknown[191.8.183.187]
Jun 11 04:10:00 host postfix/smtpd[11817]: connect from unknown[186.179.219.145]
Jun 11 04:10:01 host postfix/smtpd[11817]: warning: unknown[186.179.219.145]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:10:02 host postfix/smtpd[11817]: disconnect from unknown[186.179.219.145]
Jun 11 04:12:53 host postfix/smtpd[11822]: connect from 187-162-93-226.static.axtel.net[187.162.93.226]
Jun 11 04:12:54 host postfix/smtpd[11822]: warning: 187-162-93-226.static.axtel.net[187.162.93.226]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:12:54 host postfix/smtpd[11822]: disconnect from 187-162-93-226.static.axtel.net[187.162.93.226]
Jun 11 04:15:42 host postfix/smtpd[11827]: warning: 191.8.183.187: hostname 191-8-183-187.user.vivozap.com.br verification failed: Name or service not known
Jun 11 04:15:42 host postfix/smtpd[11827]: connect from unknown[191.8.183.187]
Jun 11 04:15:44 host postfix/smtpd[11827]: warning: unknown[191.8.183.187]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:15:45 host postfix/smtpd[11827]: disconnect from unknown[191.8.183.187]
Jun 11 04:17:13 host postfix/anvil[11813]: statistics: max cache size 1 at Jun 11 04:07:13
Jun 11 04:21:27 host postfix/smtpd[11842]: warning: 201.20.89.190: hostname 201-20-89-190.baydenet.com.br verification failed: Name or service not known
Jun 11 04:21:27 host postfix/smtpd[11842]: connect from unknown[201.20.89.190]
Jun 11 04:21:29 host postfix/smtpd[11842]: warning: unknown[201.20.89.190]: SASL LOGIN authentication failed: authentication failure
[root@host ] cd /etc/postfix/
[root@host postfix]# vi ipadd
#!/bin/bash
# Block maillog SASL LOGIN authentication failed IP address and add to iptables
# written by evan.li 2017.06.13
IPTABLES=/sbin/iptables
EGREP=/bin/egrep
COUNTRY="cn"
iptables -F
iptables -X
ip_regex="[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}"
grep -r "SASL LOGIN authentication failed" /var/log/maillog > /var/log/sasl-failed.txt
find /var/log/ -name "sasl-failed.txt" -type f -print | xargs cat | egrep -o $ip_regex | sort | uniq > /var/log/ipfailed.txt
for c in $COUNTRY
do
country_file=/var/log/ipfailed.txt
IPS=$($EGREP -v "^#|^$" $country_file)
for ip in $IPS
do
echo "blocking $ip"
$IPTABLES -A INPUT -s $ip -j DROP
done
done
/etc/sysconfig/customrules
/etc/rc.d/init.d/iptables save
service iptables restart
exit 0
shell脚本说明
一、先生成带用“SASL LOGIN authentication failed”关键字的文件/var/log/sasl-failed.txt
二、根据sasl-failed.txt,从中提取出垃圾IP,且不会重复相同IP,生成纯IP文件/var/log/ipfailed.txt
三、用脚本将纯IP文件导入进防火墙中,重起服务生效。
customrules文件为防火墙自定义规则,需事先按照你原有防火墙规则,手动编写好。
此脚本执行后,会清除原有iptables规则内容,所以事先一定要备份iptabels文件,以防万一。
以下,为我公司原有防火墙规则文件。
[root@host postfix]# vi /etc/sysconfig/customrules
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 25,47,80,82,110,143,443,1723,1935 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 3306,8081,8181,22110,13128,13389 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 23300:23308 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
添加可执行权限
[root@host postfix]# chmod +x /etc/sysconfig/customrules
[root@host postfix]# chmod +x /etc/postfix/ipadd
添加到排程任务,每30分钟执行一次
[root@host postfix]# vi /etc/crontab
*/30 * * * * root /etc/postfix/ipadd
http://down.51cto.com/data/2316790
ipadd脚本下载地址
以上Shell脚本,测试成功于2017.6.13日
Postfix邮件系统装好后,发现maillog中太多“SASL LOGIN authentication failed”垃圾IP地址。此脚本用于定期自动的将垃圾IP加入到防火墙中,直接拒绝掉。maillog部分信息如下
用户可以根据自己日志文件中的关键字,灵活的来调整要加入到防火墙当中的IP地址。
Jun 11 03:58:36 host postfix/smtpd[11783]: warning: static-200-105-200-14.acelerate.net[200.105.200.14]: SASL LOGIN authentication failed: authentication failure
Jun 11 03:58:36 host postfix/smtpd[11783]: disconnect from static-200-105-200-14.acelerate.net[200.105.200.14]
Jun 11 04:01:56 host postfix/anvil[11785]: statistics: max connection rate 1/60s for (smtp:200.105.200.14) at Jun 11 03:58:33
Jun 11 04:01:56 host postfix/anvil[11785]: statistics: max connection count 1 for (smtp:200.105.200.14) at Jun 11 03:58:33
Jun 11 04:01:56 host postfix/anvil[11785]: statistics: max cache size 1 at Jun 11 03:58:33
Jun 11 04:07:13 host postfix/smtpd[11811]: warning: 191.8.183.187: hostname 191-8-183-187.user.vivozap.com.br verification failed: Name or service not known
Jun 11 04:07:13 host postfix/smtpd[11811]: connect from unknown[191.8.183.187]
Jun 11 04:07:15 host postfix/smtpd[11811]: warning: unknown[191.8.183.187]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:07:16 host postfix/smtpd[11811]: disconnect from unknown[191.8.183.187]
Jun 11 04:10:00 host postfix/smtpd[11817]: connect from unknown[186.179.219.145]
Jun 11 04:10:01 host postfix/smtpd[11817]: warning: unknown[186.179.219.145]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:10:02 host postfix/smtpd[11817]: disconnect from unknown[186.179.219.145]
Jun 11 04:12:53 host postfix/smtpd[11822]: connect from 187-162-93-226.static.axtel.net[187.162.93.226]
Jun 11 04:12:54 host postfix/smtpd[11822]: warning: 187-162-93-226.static.axtel.net[187.162.93.226]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:12:54 host postfix/smtpd[11822]: disconnect from 187-162-93-226.static.axtel.net[187.162.93.226]
Jun 11 04:15:42 host postfix/smtpd[11827]: warning: 191.8.183.187: hostname 191-8-183-187.user.vivozap.com.br verification failed: Name or service not known
Jun 11 04:15:42 host postfix/smtpd[11827]: connect from unknown[191.8.183.187]
Jun 11 04:15:44 host postfix/smtpd[11827]: warning: unknown[191.8.183.187]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:15:45 host postfix/smtpd[11827]: disconnect from unknown[191.8.183.187]
Jun 11 04:17:13 host postfix/anvil[11813]: statistics: max cache size 1 at Jun 11 04:07:13
Jun 11 04:21:27 host postfix/smtpd[11842]: warning: 201.20.89.190: hostname 201-20-89-190.baydenet.com.br verification failed: Name or service not known
Jun 11 04:21:27 host postfix/smtpd[11842]: connect from unknown[201.20.89.190]
Jun 11 04:21:29 host postfix/smtpd[11842]: warning: unknown[201.20.89.190]: SASL LOGIN authentication failed: authentication failure
[root@host ] cd /etc/postfix/
[root@host postfix]# vi ipadd
#!/bin/bash
# Block maillog SASL LOGIN authentication failed IP address and add to iptables
# written by evan.li 2017.06.13
IPTABLES=/sbin/iptables
EGREP=/bin/egrep
COUNTRY="cn"
iptables -F
iptables -X
ip_regex="[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}"
grep -r "SASL LOGIN authentication failed" /var/log/maillog > /var/log/sasl-failed.txt
find /var/log/ -name "sasl-failed.txt" -type f -print | xargs cat | egrep -o $ip_regex | sort | uniq > /var/log/ipfailed.txt
for c in $COUNTRY
do
country_file=/var/log/ipfailed.txt
IPS=$($EGREP -v "^#|^$" $country_file)
for ip in $IPS
do
echo "blocking $ip"
$IPTABLES -A INPUT -s $ip -j DROP
done
done
/etc/sysconfig/customrules
/etc/rc.d/init.d/iptables save
service iptables restart
exit 0
shell脚本说明
一、先生成带用“SASL LOGIN authentication failed”关键字的文件/var/log/sasl-failed.txt
二、根据sasl-failed.txt,从中提取出垃圾IP,且不会重复相同IP,生成纯IP文件/var/log/ipfailed.txt
三、用脚本将纯IP文件导入进防火墙中,重起服务生效。
customrules文件为防火墙自定义规则,需事先按照你原有防火墙规则,手动编写好。
此脚本执行后,会清除原有iptables规则内容,所以事先一定要备份iptabels文件,以防万一。
以下,为我公司原有防火墙规则文件。
[root@host postfix]# vi /etc/sysconfig/customrules
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 25,47,80,82,110,143,443,1723,1935 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 3306,8081,8181,22110,13128,13389 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 23300:23308 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
添加可执行权限
[root@host postfix]# chmod +x /etc/sysconfig/customrules
[root@host postfix]# chmod +x /etc/postfix/ipadd
添加到排程任务,每30分钟执行一次
[root@host postfix]# vi /etc/crontab
*/30 * * * * root /etc/postfix/ipadd
http://down.51cto.com/data/2316790
ipadd脚本下载地址
以上Shell脚本,测试成功于2017.6.13日
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- 动态分析maillog日志,把恶意链接直接用防火墙禁止
- 动态分析maillog日志,把恶意链接直接用防火墙禁止
- 短信发送接口被恶意访问的网络攻击事件(三)定位恶意IP的日志分析脚本
- 短信发送接口被恶意访问的网络攻击事件(三)定位恶意IP的日志分析脚本
- shell脚本分析mysql慢查询日志(slow log)
- 使用数据库脚本方式分析SqlServer2005数据库中的LOG日志
- 日志文件分析shell脚本六次提速过程
- shell脚本分析 nginx日志访问次数最多及最耗时的页面(慢查询)
- Nginx 0.8.5版本access.log日志分析shell命令
- Shell脚本实现分析apache日志中ip所在的地区
- accesslog或者cookie'log的shell常用分析脚本
- 日志分析的shell脚本
- ORACLE动态完全数据日志(AUDIT LOG)批处理生成脚本
- 日志分析的shell脚本
- Shell: extract more from listener.log(分析监听日志)
- shell脚本实现的网站日志分析统计(可以统计9种数据)
- accesslog或者cookie'log的shell常用分析脚本
- accesslog或者cookie'log的shell常用分析脚本
- 防火墙脚本, 通过access.log 封锁IP
- shell脚本分析 nginx日志访问次数最多及最耗时的页面(慢查询)