
Using a shell script to analyse the maillog dynamically and block malicious IPs with the firewall

Published: 2020-12-15 16:54:43  Category: Security  Source: compiled from the web


System environment: CentOS 6.5 x64


After the Postfix mail system was set up, the maillog filled up with "SASL LOGIN authentication failed" entries from junk IP addresses. The script below runs periodically and automatically adds those junk IPs to the firewall so their connections are dropped outright. An excerpt of the maillog is shown below.

You can adapt the keyword that is matched in your own log file to control which IP addresses get added to the firewall.

Jun 11 03:58:36 host postfix/smtpd[11783]: warning: static-200-105-200-14.acelerate.net[200.105.200.14]: SASL LOGIN authentication failed: authentication failure
Jun 11 03:58:36 host postfix/smtpd[11783]: disconnect from static-200-105-200-14.acelerate.net[200.105.200.14]
Jun 11 04:01:56 host postfix/anvil[11785]: statistics: max connection rate 1/60s for (smtp:200.105.200.14) at Jun 11 03:58:33
Jun 11 04:01:56 host postfix/anvil[11785]: statistics: max connection count 1 for (smtp:200.105.200.14) at Jun 11 03:58:33
Jun 11 04:01:56 host postfix/anvil[11785]: statistics: max cache size 1 at Jun 11 03:58:33
Jun 11 04:07:13 host postfix/smtpd[11811]: warning: 191.8.183.187: hostname 191-8-183-187.user.vivozap.com.br verification failed: Name or service not known
Jun 11 04:07:13 host postfix/smtpd[11811]: connect from unknown[191.8.183.187]
Jun 11 04:07:15 host postfix/smtpd[11811]: warning: unknown[191.8.183.187]: Jun 11 04:07:16 host postfix/smtpd[11811]: disconnect from unknown[191.8.183.187]
Jun 11 04:10:00 host postfix/smtpd[11817]: connect from unknown[186.179.219.145]
Jun 11 04:10:01 host postfix/smtpd[11817]: warning: unknown[186.179.219.145]: Jun 11 04:10:02 host postfix/smtpd[11817]: disconnect from unknown[186.179.219.145]
Jun 11 04:12:53 host postfix/smtpd[11822]: connect from 187-162-93-226.static.axtel.net[187.162.93.226]
Jun 11 04:12:54 host postfix/smtpd[11822]: warning: 187-162-93-226.static.axtel.net[187.162.93.226]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:12:54 host postfix/smtpd[11822]: disconnect from 187-162-93-226.static.axtel.net[187.162.93.226]
Jun 11 04:15:42 host postfix/smtpd[11827]: warning: 191.8.183.187: hostname 191-8-183-187.user.vivozap.com.br verification failed: Name or service not known
Jun 11 04:15:42 host postfix/smtpd[11827]: connect from unknown[191.8.183.187]
Jun 11 04:15:44 host postfix/smtpd[11827]: warning: unknown[191.8.183.187]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:15:45 host postfix/smtpd[11827]: disconnect from unknown[191.8.183.187]
Jun 11 04:17:13 host postfix/anvil[11813]: statistics: max cache size 1 at Jun 11 04:07:13
Jun 11 04:21:27 host postfix/smtpd[11842]: warning: 201.20.89.190: hostname 201-20-89-190.baydenet.com.br verification failed: Name or service not known
Jun 11 04:21:27 host postfix/smtpd[11842]: connect from unknown[201.20.89.190]
Jun 11 04:21:29 host postfix/smtpd[11842]: warning: unknown[201.20.89.190]: SASL LOGIN authentication failed: authentication failure


[root@host ~]# cd /etc/postfix/
[root@host postfix]# vi ipadd

#!/bin/bash
# Block maillog SASL LOGIN authentication failed IP address and add to iptables
# written by evan.li 2017.06.13

IPTABLES=/sbin/iptables
EGREP=/bin/egrep
COUNTRY="cn"

# Start from an empty rule set; /etc/sysconfig/customrules restores the
# permanent site rules further down.
iptables -F
iptables -X

# Four dotted octets. The dots must be escaped: an unescaped "." matches any
# character, so a pattern like "[[:digit:]]{1,3}.[[:digit:]]{1,3}" also pulls
# timestamps and PIDs out of the log and hands them to iptables as "addresses".
ip_regex="[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}"

# Keep only the failed-login lines, then reduce them to a sorted, de-duplicated IP list
grep "SASL LOGIN authentication failed" /var/log/maillog > /var/log/sasl-failed.txt
find /var/log/ -name "sasl-failed.txt" -type f -print | xargs cat | egrep -o "$ip_regex" | sort | uniq > /var/log/ipfailed.txt

for c in $COUNTRY
do
    country_file=/var/log/ipfailed.txt
    # skip comment lines and empty lines in the IP list
    IPS=$($EGREP -v "^#|^$" $country_file)
    for ip in $IPS
    do
        echo "blocking $ip"
        $IPTABLES -A INPUT -s $ip -j DROP
    done
done

# Re-apply the site's own rules, then persist and reload the rule set
/etc/sysconfig/customrules
/etc/rc.d/init.d/iptables save
service iptables restart
exit 0


Notes on the shell script

1. First generate /var/log/sasl-failed.txt, the file holding every line that contains the keyword "SASL LOGIN authentication failed".

2. From sasl-failed.txt, extract the junk IPs, with each IP listed only once, and write them to the pure IP list /var/log/ipfailed.txt.

3. The script loads the pure IP list into the firewall and restarts the service for the rules to take effect.
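As an added example (not the article's ipadd script), here is the extraction step of the procedure above done with a stricter match: the address is taken only from the "name[a.b.c.d]:" field that precedes the warning text, so timestamps, process IDs and hostnames can never be mistaken for addresses; each octet is checked to be at most 255 so a malformed line cannot become a firewall rule; and the resulting DROP rules are printed rather than applied. The sample maillog lines are constructed for offline testing, and the function names extract_sasl_failed_ips, valid_ipv4 and build_block_rules are this example's own.

```shell
#!/bin/bash
# Added example, not the article's ipadd script: extract the client IPs from
# "SASL LOGIN authentication failed" lines and print (not apply) the DROP rules.

# Constructed sample of maillog lines for offline testing (the last line is
# deliberately malformed to exercise the octet check).
SAMPLE_LOG=$(cat <<'EOF'
Jun 11 03:58:36 host postfix/smtpd[11783]: warning: static-200-105-200-14.acelerate.net[200.105.200.14]: SASL LOGIN authentication failed: authentication failure
Jun 11 03:58:36 host postfix/smtpd[11783]: disconnect from static-200-105-200-14.acelerate.net[200.105.200.14]
Jun 11 04:12:54 host postfix/smtpd[11822]: warning: 187-162-93-226.static.axtel.net[187.162.93.226]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:15:44 host postfix/smtpd[11827]: warning: unknown[191.8.183.187]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:21:29 host postfix/smtpd[11842]: warning: unknown[201.20.89.190]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:30:01 host postfix/smtpd[11850]: warning: unknown[191.8.183.187]: SASL LOGIN authentication failed: authentication failure
Jun 11 04:31:00 host postfix/smtpd[11851]: warning: unknown[999.1.2.3]: SASL LOGIN authentication failed: authentication failure
EOF
)

# Return 0 only for a dotted quad whose four octets are all numeric and <= 255.
valid_ipv4() {
    local IFS=.
    local octet
    set -- $1
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in *[!0-9]*|'') return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read maillog lines on stdin; print the unique client IPs that failed SASL LOGIN.
# The address is captured only from the "[a.b.c.d]: SASL LOGIN ..." field, then
# validated, then de-duplicated.
extract_sasl_failed_ips() {
    grep 'SASL LOGIN authentication failed' \
    | sed -n 's/.*\[\([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\)\]: SASL LOGIN authentication failed.*/\1/p' \
    | while IFS= read -r ip; do
          valid_ipv4 "$ip" && printf '%s\n' "$ip"
      done \
    | sort -u
}

# Turn a list of IPs (one per line on stdin) into the DROP rules the article's
# script appends, as text only; pipe the output to sh to apply them.
build_block_rules() {
    while IFS= read -r ip; do
        printf '/sbin/iptables -A INPUT -s %s -j DROP\n' "$ip"
    done
}

# Demonstration on the constructed sample: four rules, one per unique valid IP.
printf '%s\n' "$SAMPLE_LOG" | extract_sasl_failed_ips | build_block_rules
```

On a live system the same functions run over the real log with `extract_sasl_failed_ips < /var/log/maillog | build_block_rules`, and the printed rules can be reviewed before they are piped to sh; because the rules are appended in sorted order and de-duplicated, re-running the extraction never produces two rules for the same address from a single pass.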


The customrules file holds the firewall's custom rules; write it by hand beforehand, based on your existing firewall rules.

Running this script clears the existing iptables rules, so be sure to back up the iptables file first, just in case.

Below is our company's existing firewall rules file.

[root@host postfix]# vi /etc/sysconfig/customrules

#!/bin/bash
# Site firewall rules, re-applied by /etc/postfix/ipadd after it flushes the chains
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 25,47,80,82,110,143,443,1723,1935 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 3306,8081,8181,22110,13128,13389 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 23300:23308 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited


Add execute permission to both files

[root@host postfix]# chmod +x /etc/sysconfig/customrules
[root@host postfix]# chmod +x /etc/postfix/ipadd


Add it to the scheduled tasks so it runs every 30 minutes

[root@host postfix]# vi /etc/crontab

*/30 * * * * root /etc/postfix/ipadd


Download link for the ipadd script: http://down.51cto.com/data/2316790

The shell script above was tested successfully on 2017.6.13.

(Editor: 李大同)
