Mailing List CGatePro@mail.stalker.com Message #105676
From: Martin Miller <anothersphere@gmail.com>
Subject: Re: Using AWK on unix flavour to extract log information
Date: Fri, 5 Jun 2015 22:49:14 +1200
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
Can I just overwrite denyhosts.data and blacklisted.data?
i.e. do they get dynamically loaded by ccgate?

My present idea is to simply cron my awk script daily with it running over all my logs (perhaps a 30-day snail trail, i.e. my log retention window).
Thus organically rotating out older baddies, but adding them again if they reoccur. If I have any I want to persist I will just have a text file that gets cat'ed to the lists.

Yes I could use fail2ban but frankly can't be bothered with yet more software to install and configure. Simple use of simple shell stuff suits me fine (if I can make it work).


On 3 June 2015 at 01:19, Juergen P. [core] <juergenp@core.at> wrote:
you can modify the file /var/CommuniGate/Settings/BlackListed.data to have the IPs included into the Blacklist.
this can be done automatically. If you are running a cluster you must update that file on each node.

i also use a small perl-script to check for "blacklisted" IPs by some RBL servers in the logs - adding those IPs reduces RBL requests.
the blacklist should be maintained periodically.

(i prefer the brutal method - once on the list - never removed until i'll receive a request from a customer)

kr.

Juergen


On Tue, 2 Jun 2015 14:03:55 +0100
 "David Brookfield" <david.brookfield@city-support.co.uk> wrote:
 Please ignore my last, PEBCAK.


 -----Original Message-----
From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com] On Behalf Of David Brookfield
 Sent: 02 June 2015 13:58
 To: CommuniGate Pro Discussions
 Subject: Re: Using AWK on unix flavour to extract log information

 Stupid question I guess, but what is AWS? I do pretty much exactly the same from a filter with "failed to open" in it, I do this on the day's log file, I then put that in Excel and extract the IPs, it's really quick but wondering if I'm missing a trick here.

 -----Original Message-----
From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com] On Behalf Of Alexander Ryskin
 Sent: 02 June 2015 13:26
 To: CommuniGate Pro Discussions
 Subject: Re: Using AWK on unix flavour to extract log information

 awk '$4 == "failed" {sub(/.*\[/,"",$3);sub(/\]./,"",$3);store[$3]=1}END{for (s in store) print s}'

 Alex

 On 06/02/2015 07:56 AM, Martin Miller wrote:
 I want to extract all "failed to" entries to pull the IP so I can deny.

 Why? It's a little server and am tired of the continuous probes, and
 there is zero chance of legitimates being caught up in the fails.

 Here is a typical log row:

 23:31:51.485 1 SMTPI-002310([202.83.25.95]) failed to open
 ACCOUNT(corp) for [202.83.25.95]:52281->[192.168.1.67]:25. Error 
 Code=account is routed to NULL

 Can anyone suggest an awk statement to parse the above to get
 202.83.25.95. Ideally using uniq to return a unique list.

 --
 MJM


 #############################################################
 This message is sent to you because you are subscribed to
 the mailing list <CGatePro@mail.stalker.com>.
 To unsubscribe, E-mail to: <CGatePro-off@mail.stalker.com>
 To switch to the DIGEST mode, E-mail to <CGatePro-digest@mail.stalker.com>
 To switch to the INDEX mode, E-mail to <CGatePro-index@mail.stalker.com>
 Send administrative queries to <CGatePro-request@mail.stalker.com>

--
Best Regards

Juergen Paulhart

VoIP / SIP / IM / E-Mail : juergenp@core.at
TEL: +43 676 30 592 44
VoIP Support:  +43 1 236 46 60 600
***  IT Security, Cloud based Communication Technologies & Hosted Unified 
Communications ***



--
MJM
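The thread's awk one-liner does the extraction; what Martin actually wants to cron is that extraction plus a merge with a hand-maintained list, without ever feeding the blacklist a line it did not expect. Below is an added example of that pipeline (mine, not code from the thread or from CommuniGate Pro). The log lines are constructed after the one Martin posted; the output is one IP per line and is written to a file of your choosing, because the page does not say what format BlackListed.data takes or whether the server reloads it without a restart, and any log path in the comments is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread or from CommuniGate Pro.
# Extracts the peer IPs of "failed to open ACCOUNT" lines and merges them with
# a persistent list, skipping an allowlist. Output format (one IP per line) is
# an assumption; check what BlackListed.data actually expects before using it.

# Constructed sample log lines, modelled on the one posted in the thread.
# The last line shows why the IP is taken from field 3 and not from ACCOUNT(...):
# the account name is chosen by the client, so a grep for any dotted quad on
# the line would let a prober seed the blacklist with 1.2.3.4 (or your LAN).
SAMPLE_LOG='23:31:51.485 1 SMTPI-002310([202.83.25.95]) failed to open ACCOUNT(corp) for [202.83.25.95]:52281->[192.168.1.67]:25. Error Code=account is routed to NULL
23:32:02.101 1 SMTPI-002311([202.83.25.95]) failed to open ACCOUNT(admin) for [202.83.25.95]:52290->[192.168.1.67]:25. Error Code=account is routed to NULL
23:32:40.007 1 SMTPI-002312([198.51.100.7]) failed to open ACCOUNT(test) for [198.51.100.7]:40011->[192.168.1.67]:25. Error Code=unknown user account
23:33:10.550 1 SMTPI-002313([192.168.1.20]) failed to open ACCOUNT(bob) for [192.168.1.20]:51000->[192.168.1.67]:25. Error Code=account is routed to NULL
23:33:12.000 1 SMTPI-002314([10.0.0.5]) opened ACCOUNT(alice) for [10.0.0.5]:51001->[192.168.1.67]:25
23:33:15.000 1 SMTPI-002315([203.0.113.9]) failed to open ACCOUNT(1.2.3.4) for [203.0.113.9]:51002->[192.168.1.67]:25. Error Code=account is routed to NULL'

# Read log text on stdin, print the unique peer IPs of failed opens, sorted.
extract_failed_ips() {
  awk '
    $4 == "failed" && $5 == "to" && $6 == "open" {
      # The peer address is the bracketed part of the connection token,
      # e.g. SMTPI-002310([202.83.25.95]); the server writes that token.
      if (!match($3, /\[[^]]*\]/)) next
      ip = substr($3, RSTART + 1, RLENGTH - 2)
      # Accept only a dotted quad with octets 0-255, so a malformed line
      # can never put garbage into the blacklist file.
      n = split(ip, o, ".")
      if (n != 4) next
      for (i = 1; i <= 4; i++)
        if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next
      a = o[1] + 0; b = o[2] + 0
      # Never blacklist loopback or RFC 1918 space (the LAN in the sample).
      if (a == 10 || a == 127 || (a == 192 && b == 168) || (a == 172 && b >= 16 && b <= 31)) next
      seen[ip] = 1
    }
    END { for (ip in seen) print ip }
  ' | sort
}

# Union of the IPs on stdin with a persistent list ($1), minus an allowlist ($2).
# Blank lines and "#" comments in the persistent file are ignored.
merge_blacklist() {
  awk -v allow_file="$2" '
    BEGIN {
      while ((getline line < allow_file) > 0) allow[line] = 1
      close(allow_file)
    }
    NF && $1 !~ /^#/ && !($1 in allow) { print $1 }
  ' "$1" - | sort -u
}

# Daily cron usage (paths are assumptions, not from the page):
#   cat /var/CommuniGate/SystemLogs/*.log \
#     | extract_failed_ips \
#     | merge_blacklist /etc/cgp-blacklist/persist.txt /etc/cgp-blacklist/allow.txt \
#     > /etc/cgp-blacklist/new.txt
# Then write new.txt to a temp file and mv it over the real list so the server
# never reads a half-written file; on a cluster, do that on every node.

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | extract_failed_ips
```

Because the input window is the 30 days of logs Martin keeps, an address drops out of the generated list once it has been quiet for 30 days; anything that must stay goes into the persistent file, and anything that must never be blocked (a backup MX, a monitoring host) goes into the allowlist.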