The Community Forums


Script Help: for each IP address between characters [ and ] in /var/log/exim_mainlog;

Discussion in 'General Discussion' started by nat, Mar 27, 2005.

  1. nat

    nat Well-Known Member

    Joined:
    Jan 16, 2003
    Messages:
    204
    Likes Received:
    0
    Trophy Points:
    16
    I'm getting about 10 of these per second, all from many different IPs. Causing a higher than normal load.


    I would like to automatically block these IPs.

    /var/log/exim_mainlog sample:
    2005-03-26 23:27:44 H=(my.ip.is.here) [evil.spammers.ip.here] F=<ghucgubsy@msn.com> rejected RCPT <webmaster@stupiddomain-that-has-been-cancelled.com>: (my.ip.is.here) [evil.spammers.ip.here] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.



    This nasty-looking command gets all IPs between [ and ] in a log file and then tries to block those IPs using apf. The apf part isn't working.

    # "> apf -d" redirected the matched IPs into a file named "apf" (and passed -d to grep) instead of running apf; apf has to be run once per IP read from the pipe:
    tail -n500 -f /var/log/exim_mainlog | grep --line-buffered "stupiddomain-that-has-been-cancelled.com" | grep --line-buffered -P "\[\d+\.\d+\.\d+\.\d+\]" -o | grep --line-buffered -P "\d+\.\d+\.\d+\.\d+" -o | while read ip; do apf -d "$ip"; done



    Can any code master whip out a ?simple? bash script for me to help block these IPs?

    1. Script runs continuously in background
    2. Gets the remote IP address (between the [ and ]) for lines that contain "stupiddomain-that-has-been-cancelled.com" in /var/log/exim_mainlog
    3. Blocks IP using apf -d



    for each line in /var/log/exim_mainlog that contains "stupiddomain-that-has-been-cancelled.com"

    ipaddress = IP Address between characters [ and ]

    apf -d $ipaddress
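    A script that does what the three steps above describe, added here as an example rather than code from the thread or from cPanel/apf: it follows the log, takes the IP between the first [ and ] of every line that names the cancelled domain, and calls apf -d once per new address. The LOG, PATTERN, SEEN and APF variables and the --watch flag are this example's own assumptions, and the remembered-IP file keeps apf from being invoked ten times a second for the same sender.

```shell
#!/bin/sh
# Added example (not from the thread): watch exim_mainlog for lines naming the
# cancelled domain, pull the bracketed remote IP out of each one and hand it to
# apf -d exactly once. Assumes the log format shown in the post; LOG, PATTERN,
# SEEN and APF are this example's own names, not part of apf.
LOG=${LOG:-/var/log/exim_mainlog}
PATTERN=${PATTERN:-stupiddomain-that-has-been-cancelled.com}
SEEN=${SEEN:-/var/tmp/exim-blocked-ips}   # IPs already handed to apf, one per line
APF=${APF:-apf}                            # command to run; overridable for testing

# Read log lines on stdin; print the IP between the first [ and ] of every line
# that contains PATTERN. The (helo.name) in parentheses is ignored, and anything
# that is not a dotted quad is dropped so garbage never reaches apf.
extract_ips() {
    while IFS= read -r line; do
        case $line in *"$PATTERN"*) ;; *) continue ;; esac
        ip=${line#*\[}      # drop everything up to and including the first [
        ip=${ip%%\]*}       # drop everything from the first ] onward
        if printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
            printf '%s\n' "$ip"
        fi
    done
}

# Read IPs on stdin; run "apf -d IP" for each one not already listed in SEEN.
block_new_ips() {
    touch "$SEEN"
    while IFS= read -r ip; do
        grep -qxF -- "$ip" "$SEEN" && continue
        printf '%s\n' "$ip" >> "$SEEN"
        "$APF" -d "$ip"
    done
}

# Run in the background with: nohup sh thisscript.sh --watch &
# tail -F reopens the log after rotation; -n0 skips old entries so they are not
# re-blocked on every restart.
if [ "${1:-}" = "--watch" ]; then
    tail -F -n0 "$LOG" | extract_ips | block_new_ips
fi
```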
     
  2. FWC

    FWC Well-Known Member

    Joined:
    May 13, 2002
    Messages:
    354
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Ontario, Canada
  3. nat

    nat Well-Known Member

    Joined:
    Jan 16, 2003
    Messages:
    204
    Likes Received:
    0
    Trophy Points:
    16
    That is already installed.
     
  4. gotaweb

    gotaweb Member

    Joined:
    Dec 3, 2002
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    BFD will automatically have APF block these IPs if you have it installed.
     
  5. nat

    nat Well-Known Member

    Joined:
    Jan 16, 2003
    Messages:
    204
    Likes Received:
    0
    Trophy Points:
    16
    apf, bfd, prm, sim, dictionary attack are all installed. Nothing is blocking this.

    apf is working as I blocked my own IP to test.

    bfd sends an e-mail about once a week, so it's working.

    dictionary attack is working, as some legitimate people get blocked in /etc/exim_deny every now and then.
     