Mailing List CGatePro@mail.stalker.com Message #105671
From: David Leeming <david@leeming.org>
Subject: Re: Using AWK on unix flavour to extract log information
Date: Tue, 2 Jun 2015 14:37:35 +0100
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: Apple Mail (2.2070.6)
I mentioned this before, but didn’t have the file to hand

Try installing fail2ban (Most linux distributions have it in their repos, or http://www.fail2ban.org/wiki/index.php/Main_Page )

Then create a communigate jail - this one is super simple and could be expanded upon; the second line is what I was trying to ban.

You could get rid of everything after the last .* if you wanted to ban everything - I note the OP's error code was different to the one I was trying to stop.

I give them 3 attempts before banning.  I like this method as there is no intervention on my part, and it is blocked at the firewall level so they won’t even get to your CGP process.

% cat communigate.conf

# Communigate filter for fail2ban David Leeming 2015
# 00:05:47.071 1 SMTPI-000796([64.76.125.86]) failed to open ACCOUNT(username) for [64.76.125.86]:3311->[188.226.169.47]:25. Error Code=unknown user account

[INCLUDES]

before = common.conf

[Definition]

failregex = SMTPI-([0-9]*)\(\[<HOST>\]\) failed to open ACCOUNT\(.*\) for .* Error Code=unknown user account

ignoreregex = 
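An added shell example, not from this thread and not part of fail2ban: it runs the awk extraction that Alexander Ryskin posts further down (with sort for the unique list Martin asked for), and then applies the failregex above the way a fail2ban filter would, listing the hosts that reach maxretry = 3. The log lines and addresses are constructed; the `<HOST>` placeholder is replaced with a plain IPv4 pattern (fail2ban's own substitution is broader), and the group number in the sed expression is tied to this particular regex.

```shell
#!/bin/sh
# Added example: exercise the awk one-liner and the fail2ban failregex
# from this thread against constructed CommuniGate-style log lines.

# Constructed SMTPI log lines (documentation addresses, not real clients).
sample_log() {
  cat <<'EOF'
23:31:51.485 1 SMTPI-002310([203.0.113.5]) failed to open ACCOUNT(corp) for [203.0.113.5]:52281->[192.168.1.67]:25. Error Code=account is routed to NULL
23:31:52.101 1 SMTPI-002311([203.0.113.5]) failed to open ACCOUNT(sales) for [203.0.113.5]:52290->[192.168.1.67]:25. Error Code=unknown user account
23:31:53.220 1 SMTPI-002312([198.51.100.7]) failed to open ACCOUNT(info) for [198.51.100.7]:41000->[192.168.1.67]:25. Error Code=unknown user account
23:31:54.330 1 SMTPI-002313([198.51.100.7]) failed to open ACCOUNT(admin) for [198.51.100.7]:41001->[192.168.1.67]:25. Error Code=unknown user account
23:31:55.440 1 SMTPI-002314([198.51.100.7]) failed to open ACCOUNT(test) for [198.51.100.7]:41002->[192.168.1.67]:25. Error Code=unknown user account
23:31:56.550 1 SMTPI-002315([192.0.2.9]) opened ACCOUNT(alice) for [192.0.2.9]:5000->[192.168.1.67]:25
EOF
}

# The awk from the thread: on lines whose 4th field is "failed", strip
# "SMTPI-nnn([" and "])" from field 3, keep each address once, then sort.
extract_failed_ips() {
  awk '$4 == "failed" {sub(/.*\[/,"",$3); sub(/\]./,"",$3); store[$3]=1} END {for (s in store) print s}' \
    | sort
}

# fail2ban-style evaluation of the jail's failregex: count matches per host
# and print the hosts with at least $1 (default 3) matches.
hosts_to_ban() {
  maxretry=${1:-3}
  # Assumption: <HOST> is replaced by an IPv4 pattern. sed -E groups are
  # 1 = SMTPI counter, 2 = host, 3 = the repeated-octet group inside the host.
  host='([0-9]{1,3}(\.[0-9]{1,3}){3})'
  failregex="SMTPI-([0-9]*)\\(\\[${host}\\]\\) failed to open ACCOUNT\\(.*\\) for .* Error Code=unknown user account"
  sed -nE "s/.*${failregex}.*/\\2/p" \
    | sort | uniq -c \
    | awk -v max="$maxretry" '$1 >= max {print $2}'
}

# Stand-alone run.
echo "unique failing IPs:"
sample_log | extract_failed_ips
echo "hosts at or over maxretry=3:"
sample_log | hosts_to_ban 3
```

Note that only the "unknown user account" lines count towards the ban, exactly as the jail is written; the "routed to NULL" failure from 203.0.113.5 is seen by the awk extraction but not by the failregex, which is the difference David points out about the OP's error code.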



On 2 Jun 2015, at 14:19, Juergen P. [core] <juergenp@core.at> wrote:

you can modify the file /var/CommuniGate/Settings/BlackListed.data to have the IPs included into the Blacklist.
this can be done automatically. If you are running a cluster you must update that file on each node.

i also use a small perl-script to check for "blacklisted" IPs by some RBL-Servers in the logs - adding those IPs reduces rbl-requests.
the blacklist should be maintained periodically.

(i prefer the brutal method - once on the list - never removed until i'll receive a request from a customer)

kr.

Juergen


On Tue, 2 Jun 2015 14:03:55 +0100
 "David Brookfield" <david.brookfield@city-support.co.uk> wrote:
 Please ignore my last PEBCAK


 -----Original Message-----
From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com] On Behalf Of David Brookfield
 Sent: 02 June 2015 13:58
 To: CommuniGate Pro Discussions
 Subject: Re: Using AWK on unix flavour to extract log information

 Stupid question I guess, but what is AWS? I do pretty much exactly the same from a filter with "failed to open" in it. I do this on the day's log file, I then put that in Excel and extract the IPs; it's really quick, but wondering if I'm missing a trick here.

 -----Original Message-----
From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com] On Behalf Of Alexander Ryskin
 Sent: 02 June 2015 13:26
 To: CommuniGate Pro Discussions
 Subject: Re: Using AWK on unix flavour to extract log information

 awk '$4 == "failed" {sub(/.*\[/,"",$3);sub(/\]./,"",$3);store[$3]=1}END{for (s in store) print s}'

 Alex

 On 06/02/2015 07:56 AM, Martin Miller wrote:
 I want to extract all Failed to entries to pull the IP so I can deny.

 Why? It's a little server and I am tired of the continuous probes, and
 there is zero chance of legitimates being caught up in the fails.

 Here is a typical log row:

 23:31:51.485 1 SMTPI-002310([202.83.25.95]) failed to open ACCOUNT(corp) for [202.83.25.95]:52281->[192.168.1.67]:25. Error Code=account is routed to NULL

 Can anyone suggest an awk statement to parse the above to get
 202.83.25.95? Ideally using uniq to return a unique list.

 --
 MJM


 #############################################################
 This message is sent to you because you are subscribed to
  the mailing list <CGatePro@mail.stalker.com>.
 To unsubscribe, E-mail to: <CGatePro-off@mail.stalker.com> To switch to the DIGEST mode, E-mail to <CGatePro-digest@mail.stalker.com>
 To switch to the INDEX mode, E-mail to <CGatePro-index@mail.stalker.com> Send administrative queries to 


--
Best Regards

Juergen Paulhart

VoIP / SIP / IM / E-Mail : juergenp@core.at
TEL: +43 676 30 592 44
VoIP Support:  +43 1 236 46 60 600
***  IT Security, Cloud based Communication Technologies & Hosted Unified 
Communications ***
