用Shell脚本动态分析maillog日志,把恶意IP用防火墙禁止

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了用Shell脚本动态分析maillog日志,把恶意IP用防火墙禁止相关的知识,希望对你有一定的参考价值。

用Shell脚本动态分析maillog日志,把恶意IP用防火墙禁止

系统环境:Centos 6.5 x64


  Postfix邮件系统装好后,发现maillog中太多“SASL LOGIN authentication failed”垃圾IP地址。此脚本用于定期自动的将垃圾IP加入到防火墙中,直接拒绝掉。maillog部分信息如下

  用户可以根据自己日志文件中的关键字,灵活的来调整要加入到防火墙当中的IP地址。

Jun 11 03:58:36 host postfix/smtpd[11783]: warning: static-200-105-200-14.acelerate.net[200.105.200.14]: SASL LOGIN authentication failed: authentication failure

Jun 11 03:58:36 host postfix/smtpd[11783]: disconnect from static-200-105-200-14.acelerate.net[200.105.200.14]

Jun 11 04:01:56 host postfix/anvil[11785]: statistics: max connection rate 1/60s for (smtp:200.105.200.14) at Jun 11 03:58:33

Jun 11 04:01:56 host postfix/anvil[11785]: statistics: max connection count 1 for (smtp:200.105.200.14) at Jun 11 03:58:33

Jun 11 04:01:56 host postfix/anvil[11785]: statistics: max cache size 1 at Jun 11 03:58:33

Jun 11 04:07:13 host postfix/smtpd[11811]: warning: 191.8.183.187: hostname 191-8-183-187.user.vivozap.com.br verification failed: Name or service not known

Jun 11 04:07:13 host postfix/smtpd[11811]: connect from unknown[191.8.183.187]

Jun 11 04:07:15 host postfix/smtpd[11811]: warning: unknown[191.8.183.187]: SASL LOGIN authentication failed: authentication failure

Jun 11 04:07:16 host postfix/smtpd[11811]: disconnect from unknown[191.8.183.187]

Jun 11 04:10:00 host postfix/smtpd[11817]: connect from unknown[186.179.219.145]

Jun 11 04:10:01 host postfix/smtpd[11817]: warning: unknown[186.179.219.145]: SASL LOGIN authentication failed: authentication failure

Jun 11 04:10:02 host postfix/smtpd[11817]: disconnect from unknown[186.179.219.145]

Jun 11 04:12:53 host postfix/smtpd[11822]: connect from 187-162-93-226.static.axtel.net[187.162.93.226]

Jun 11 04:12:54 host postfix/smtpd[11822]: warning: 187-162-93-226.static.axtel.net[187.162.93.226]: SASL LOGIN authentication failed: authentication failure

Jun 11 04:12:54 host postfix/smtpd[11822]: disconnect from 187-162-93-226.static.axtel.net[187.162.93.226]

Jun 11 04:15:42 host postfix/smtpd[11827]: warning: 191.8.183.187: hostname 191-8-183-187.user.vivozap.com.br verification failed: Name or service not known

Jun 11 04:15:42 host postfix/smtpd[11827]: connect from unknown[191.8.183.187]

Jun 11 04:15:44 host postfix/smtpd[11827]: warning: unknown[191.8.183.187]: SASL LOGIN authentication failed: authentication failure

Jun 11 04:15:45 host postfix/smtpd[11827]: disconnect from unknown[191.8.183.187]

Jun 11 04:17:13 host postfix/anvil[11813]: statistics: max cache size 1 at Jun 11 04:07:13

Jun 11 04:21:27 host postfix/smtpd[11842]: warning: 201.20.89.190: hostname 201-20-89-190.baydenet.com.br verification failed: Name or service not known

Jun 11 04:21:27 host postfix/smtpd[11842]: connect from unknown[201.20.89.190]

Jun 11 04:21:29 host postfix/smtpd[11842]: warning: unknown[201.20.89.190]: SASL LOGIN authentication failed: authentication failure


[[email protected]cd /etc/postfix/

[[email protected] postfix]# vi ipadd

#!/bin/bash

# Block maillog SASL LOGIN authentication failed IP address and  add to iptables

# written by evan.li 2017.06.13

IPTABLES=/sbin/iptables

EGREP=/bin/egrep

COUNTRY="cn"

iptables -F

iptables -X

ip_regex="[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}"

grep -r "SASL LOGIN authentication failed" /var/log/maillog > /var/log/sasl-failed.txt

find /var/log/ -name "sasl-failed.txt" -type f -print | xargs cat | egrep -o $ip_regex | sort | uniq > /var/log/ipfailed.txt

for c in $COUNTRY

do

        country_file=/var/log/ipfailed.txt

        IPS=$($EGREP -v "^#|^$" $country_file)

        for ip in $IPS

        do

           echo "blocking $ip"

           $IPTABLES -A INPUT -s $ip -j DROP

        done

done

/etc/sysconfig/customrules

/etc/rc.d/init.d/iptables save

service iptables restart

exit 0


shell脚本说明

一、先生成带用“SASL LOGIN authentication failed”关键字的文件/var/log/sasl-failed.txt

二、根据sasl-failed.txt,从中提取出垃圾IP,生成纯IP文件/var/log/ipfailed.txt

三、用脚本将纯IP文件导入进防火墙中,重起服务生效。


customrules文件为防火墙自定义规则,需事先按照你原有防火墙规则,手动编写好。

此脚本执行后,会清除原有iptables规则内容,所以事先一定要备份iptabels文件,以防万一。

以下,为我公司原有防火墙规则文件。

[[email protected] postfix]# vi /etc/sysconfig/customrules


iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -p icmp -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

iptables -A INPUT -p tcp -m multiport --dports 25,47,80,82,110,143,443,1723,1935 -j ACCEPT

iptables -A INPUT -p tcp -m multiport --dports 3306,8081,8181,22110,13128,13389 -j ACCEPT

iptables -A INPUT -p tcp -m tcp --dport 23300:23308 -j ACCEPT

iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited


添加可执行权限

[[email protected] postfix]# chmod +x /etc/sysconfig/customrules

[[email protected] postfix]# chmod +x /etc/postfix/ipadd


添加到排程任务,每1小时执行一次

[[email protected] postfix]# vi /etc/crontab

0 */1 * * * root /etc/postfix/ipadd 


http://down.51cto.com/data/2316790

ipadd脚本下载地址

 

以上Shell脚本,测试成功于2017.6.13日

本文出自 “虚拟化应用” 博客,请务必保留此出处http://liwenhn.blog.51cto.com/854522/1935009

以上是关于用Shell脚本动态分析maillog日志,把恶意IP用防火墙禁止的主要内容,如果未能解决你的问题,请参考以下文章

shell脚本自动加黑恶意攻击IP

shell脚本自动加黑恶意攻击IP

maillog修改日志保留时间

手工搭建简易的Linux恶意脚本分析系统

用shell脚本打包30天前的日志,格式:log20110901;并删除30天前的日志

shell脚本:脚本分析汇总ping日志文件