[Mimedefang] Somewhat OT: Dictionary attacks
David F. Skoll
dfs at roaringpenguin.com
Wed Jun 9 13:10:51 EDT 2004
On Wed, 9 Jun 2004, Brett Simpson wrote:
> The script ran with one error where "Possible" was used instead of an IP
> address.
Doh. Fixed version follows.
Regards,
David.
#!/bin/sh
#
# $Id: watch-dictionary-attacks,v 1.3 2004/06/09 17:09:24 dfs Exp $
#
# Run this from cron every 5-10 minutes.
#
# Usage: watch-dictionary-attacks /var/log/maillog
#
# Copyright 2004 Roaring Penguin Software Inc.
# This program may be distributed under the terms of the GNU
# General Public License, Version 2.
#
# This script bans hosts which appear to be doing dictionary
# attacks on the server.
#
# Before running this script, make sure you create the harvest_abusers
# chain (which this script fills with one rule per offender) and the
# harvest_log chain (which logs and drops), like this:
#
# iptables -N harvest_abusers
# iptables -N harvest_log
# iptables -A harvest_log -j LOG --log-prefix "FW: Harvest Abuser "
# iptables -A harvest_log -j DROP
#
# You also need an INPUT rule like this:
# iptables -A INPUT --proto tcp --dport 25 -j harvest_abusers

# Sample size (number of lines examined from the end of each log file)
SAMPLE=3000

# Output firewall file
FWFILE=/root/harvest-abusers

# Keep the previous run's firewall file so we only report new offenders
mv -f "$FWFILE" "$FWFILE.ORIG" > /dev/null 2>&1

cat <<EOF > "$FWFILE"
#!/bin/sh
/sbin/iptables -F harvest_abusers > /dev/null 2>&1
EOF

cat /dev/null > "$FWFILE.NEW"

for logfile in "$@" ; do
    # Block offenders. The peer appears as "[a.b.c.d]:" in field 7 or
    # field 8 depending on the log line, so take field 7 when field 8
    # is already the start of the message text.
    tail -n "$SAMPLE" "$logfile" | fgrep 'Possible SMTP RCPT flood, throttling.' | awk '{if ($8 == "Possible") { print $7; } else { print $8; } }' | tr -d ':[]' | sort -u | while read host ; do
        fgrep -w "$host" "$FWFILE.ORIG" > /dev/null 2>&1 || echo "`date`: Host $host marked as abusive (directory harvest) in $logfile"
        echo "/sbin/iptables -A harvest_abusers --source $host -j harvest_log" >> "$FWFILE.NEW"
    done
done

cat "$FWFILE.NEW" >> "$FWFILE"
. "$FWFILE"
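The same detection and rule generation, written here as an added example (it is not part of the post above nor of MIMEDefang or Roaring Penguin's code). It assumes the throttling message is logged with the peer as a bracketed "[a.b.c.d]:" token somewhere on the line, which is what the tr -d ':[]' in the script implies; the sample log lines are constructed, and extract_flood_hosts, new_offenders and build_firewall_script are hypothetical names. Matching the bracketed address anywhere on the line removes the dependence on the awk field number that caused the bug Brett reported, and validating each token with the ipaddress module means nothing that is not an address ever reaches an iptables command line. An exempt list keeps your own relays from being banned.

```python
from __future__ import annotations

import ipaddress
import re
from typing import Iterable

# Message MIMEDefang logs when it throttles a connection (quoted from the post).
MARKER = "Possible SMTP RCPT flood, throttling."

# Assumption: the peer is logged as "[a.b.c.d]:"; take the first such token.
ADDR_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def extract_flood_hosts(lines: Iterable[str],
                        sample: int = 3000,
                        exempt: Iterable[str] = ()) -> list[str]:
    """Distinct, validated IPv4 peers flagged by MARKER in the last `sample`
    lines, excluding any address inside an exempt network (e.g. own relays)."""
    exempt_nets = [ipaddress.ip_network(n) for n in exempt]
    hosts = set()
    for line in list(lines)[-sample:]:          # same idea as tail -n SAMPLE
        if MARKER not in line:
            continue
        match = ADDR_RE.search(line)
        if not match:
            continue
        try:
            addr = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue                            # "[999.1.1.1]" is not an address
        if any(addr in net for net in exempt_nets):
            continue
        hosts.add(addr)
    return [str(h) for h in sorted(hosts)]


def new_offenders(current: Iterable[str], previous: Iterable[str]) -> list[str]:
    """Hosts seen this run that the previous run did not ban (the role of
    the fgrep against $FWFILE.ORIG in the script)."""
    return sorted(set(current) - set(previous), key=ipaddress.ip_address)


def build_firewall_script(hosts: Iterable[str],
                          chain: str = "harvest_abusers",
                          log_chain: str = "harvest_log") -> str:
    """Render the shell script the post writes to /root/harvest-abusers."""
    out = ["#!/bin/sh", f"/sbin/iptables -F {chain} > /dev/null 2>&1"]
    for host in hosts:
        ipaddress.ip_address(host)   # raises ValueError for anything odd
        out.append(f"/sbin/iptables -A {chain} --source {host} -j {log_chain}")
    return "\n".join(out) + "\n"


# Constructed sample maillog lines (not real traffic). Line 2 carries the
# address one field earlier than the others, the case the awk fix in the
# post handles; the regex does not depend on field position.
SAMPLE_LOG = """\
Jun  9 13:02:11 mail mimedefang.pl[4711]: i59H2B04711: [192.0.2.10]: Possible SMTP RCPT flood, throttling.
Jun  9 13:02:13 mail mimedefang.pl[4711]: [192.0.2.10]: Possible SMTP RCPT flood, throttling.
Jun  9 13:02:20 mail mimedefang.pl[4712]: i59H2K04712: [198.51.100.7]: Possible SMTP RCPT flood, throttling.
Jun  9 13:02:25 mail sendmail[4713]: i59H2P04713: from=<user@example.org>, size=1234, relay=[203.0.113.5]
Jun  9 13:02:30 mail mimedefang.pl[4714]: [10.0.0.5]: Possible SMTP RCPT flood, throttling.
Jun  9 13:02:31 mail mimedefang.pl[4715]: [999.1.1.1]: Possible SMTP RCPT flood, throttling.
"""

if __name__ == "__main__":
    hosts = extract_flood_hosts(SAMPLE_LOG.splitlines(), exempt=["10.0.0.0/8"])
    for h in new_offenders(hosts, previous=["192.0.2.10"]):
        print(f"Host {h} marked as abusive (directory harvest)")
    print(build_firewall_script(hosts), end="")
```

Run it as-is to see the rule script for the two offending sample hosts; in a cron job you would feed it the tail of the real maillog and source the rendered file exactly as the shell version does.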