From d22b81512729aab0b0e1c17803a4aa1837ba38bf Mon Sep 17 00:00:00 2001
From: root
Date: Sun, 12 Apr 2015 15:10:34 +0200
Subject: [PATCH] rbl: several updates:
- update fail2ban chains
- generate test entry
- catch spam trap mails resp. IP addresses
---
 rbl_generate.sh | 32 +++++++++++++++++++++++---------
 1 file changed, 23 insertions(+), 9 deletions(-)

diff --git a/rbl_generate.sh b/rbl_generate.sh
index 31a5be1..6875dd1 100755
--- a/rbl_generate.sh
+++ b/rbl_generate.sh
@@ -20,8 +20,8 @@ fail2ban_chains=(
 fail2ban-dovecot
 fail2ban-sasl
 fail2ban-ssh
+fail2ban-ssh-ddos
 fail2ban-tumgreyspf
-fail2ban-turbine
 fail2ban-apache-digest
 )
 ban_ip=()
@@ -33,10 +33,18 @@ $(for chain in ${fail2ban_chains[@]}; do
 done | sort | uniq)
 )
+# Get SPAM mails sent to specific address
+spamtrap=(
+$(grep ' -> ' /var/log/mail.log | awk -F'[][]' '{print $6}')
+)
 if [ ! -s $rblfile ]; then
 cat << HEREDOC > $rblfile
 # Automatically generated at $(date) by $0
+
+# Test entry http://www.ietf.org/rfc/rfc5782.txt
+127.0.0.2 RFC 5782 test entry # 0 # Test entry RFC 5782
+
 :127.0.0.2:$ is listed because of misbehaviour. See http://lugh.ch/dnsbl.html for details
 # Whitelist
 $(printf "!%s # 0\n" "${static_white[@]}")
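Review bot: `spamtrap` is filled from the sixth bracket-delimited field of /var/log/mail.log (`awk -F'[][]' '{print $6}'`) without any check that the field is an IP address, yet the next hunk passes each element unquoted to `grep -c` and `geoiplookup` and appends it to `$rblfile`, the file that is served as the blocklist. Parts of a mail log line are chosen by the remote party, so a token that is not an address could be written into the list or be treated as a regex by grep. Filtering and de-duplicating at extraction keeps the loop simple: `$(grep ' -> ' /var/log/mail.log | awk -F'[][]' '{print $6}' | grep -E -x '[0-9]+(\.[0-9]+){3}' | sort -u)`. Which bracketed field holds the client address depends on the MTA's log format, so presumably field 6 was checked against a real line; a comment giving the expected line shape next to `spamtrap=(` would help the next reader. That filter also drops any IPv6 address in the log, which is probably right for an ip4 list but worth stating in the same comment.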
@@ -48,25 +56,31 @@ $(printf "%s # 0 # Infinite listing (UCEPROTECT)\n" "${static_black[@]}")
 HEREDOC
 fi
+# fail2ban
 for ip in ${iptables_banned[@]}; do
 if [[ $(grep -c $ip $rblfile) -lt 1 ]]; then
 # Add IP
 geoip=$(geoiplookup $ip | sed 's/GeoIP Country Edition: //' | awk {' if($1=="IP") print $0; else print $2,$3,$4,$5,$6,$7,$8'})
- printf "%s # $(date +%s) # Service login attempts/SPAM/misconfiguration # %s\n" "$ip" "$geoip" >> $rblfile
+ printf "%s # $(date +%s) # Service login attempts/misconfiguration # %s\n" "$ip" "$geoip" >> $rblfile
+ fi
+done
+
+# SPAM
+for ip in ${spamtrap[@]}; do
+ if [[ $(grep -c $ip $rblfile) -lt 1 ]]; then
+ # Add IP
+ geoip=$(geoiplookup $ip | sed 's/GeoIP Country Edition: //' | awk {' if($1=="IP") print $0; else print $2,$3,$4,$5,$6,$7,$8'})
+ printf "%s # $(date +%s) # SPAM mail to trap address # %s\n" "$ip" "$geoip" >> $rblfile
 fi
 done
 # Generate user friendly web-viewable list
-echo -e "IP\t\tDate listed\t\t\tCause\t\t\t\t\t\tCountry" > /var/www/virtsrv/lugh.ch/list.txt
-cat $rblfile | grep -v -i uceprotect | grep '^[1-9]' | sed 's/ # /\t/g' >> /var/www/virtsrv/lugh.ch/list.txt
+echo -e "IP\t\tDate listed\t\t\tCause\t\t\t\t\tCountry" > /var/www/virtsrv/lugh.ch/list.txt
+echo -e "--\t\t-----------\t\t\t-----\t\t\t\t\t-------" >> /var/www/virtsrv/lugh.ch/list.txt
+cat $rblfile | grep -v -i uceprotect | grep '^[1-9]' | grep -v '^127.0.0.2' | sed 's/ # /\t/g' >> /var/www/virtsrv/lugh.ch/list.txt
 for timestamp in $(grep '^[0-9]' /var/www/virtsrv/lugh.ch/list.txt | awk {'print $2'}); do
 newtime=$(date -d @$(echo $timestamp))
 sed -i "s/$timestamp/$newtime/" /var/www/virtsrv/lugh.ch/list.txt
 done
-
-#for location in $(awk {'print $1'} /var/www/virtsrv/lugh.ch/list.txt | grep -v ^IP); do
-# geoip=$(geoiplookup $location | sed 's/.*Edition: //')
-# sed -i "s/\(^$location.*\)/\1\t$geoip/" /var/www/virtsrv/lugh.ch/list.txt
-#done
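Review bot: The duplicate check `grep -c $ip $rblfile`, now copied into the new SPAM loop, is an unanchored basic regex in which every dot matches any character, so `1.2.3.4` also matches an existing `1.2.3.45` or `11.2.3.4` line and the address is then silently never listed; with the `127.0.0.2` test entry in the file, any address that is a substring of it is affected the same way. Anchoring and escaping the dots fixes that: `grep -q -- "^${ip//./\\.} " "$rblfile"`. The two loops now differ only in the cause string, so a small helper gives one place to hold the match, the quoting and the geoiplookup call; `rblfile`, `iptables_banned` and `spamtrap` are set outside this hunk.
```shell
fi
# Append $1 to the list with cause $2 unless a line for that address exists.
add_entry() {
  local ip=$1 cause=$2 geoip
  # anchor and escape the dots so 1.2.3.4 cannot match 1.2.3.45 or 11.2.3.4
  if ! grep -q -- "^${ip//./\\.} " "$rblfile"; then
    geoip=$(geoiplookup "$ip" | sed 's/GeoIP Country Edition: //' | awk {' if($1=="IP") print $0; else print $2,$3,$4,$5,$6,$7,$8'})
    printf "%s # $(date +%s) # %s # %s\n" "$ip" "$cause" "$geoip" >> "$rblfile"
  fi
}

# fail2ban
for ip in "${iptables_banned[@]}"; do
  add_entry "$ip" "Service login attempts/misconfiguration"
done

# SPAM
for ip in "${spamtrap[@]}"; do
  add_entry "$ip" "SPAM mail to trap address"
done
# … unchanged: web-viewable list generation …
```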