Mailing List CGatePro@mail.stalker.com Message #105678
From: Martin Miller <anothersphere@gmail.com>
Subject: Re: Using AWK on unix flavour to extract log information
Date: Tue, 9 Jun 2015 13:20:44 +1200
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
I am not looking to hit the temporary blacklist, I am planning to hit the permanent blacklisted and denied.
I want to overwrite them all with a daily moving sum of all IPs that meet my criteria from the logs I retain.
My server is not a big user thing, it's SOHO.
What would be good is if I could blat the IP files and then use the CLI to force them to reload, perhaps as a side effect of adding another item.

On 6 June 2015 at 01:42, Jeff Wark <jwark@tbaytel.net> wrote:
Without testing, I'm going to say that you *cannot* overwrite either of those files and have them work without restarting CommuniGate.

You can use the CLI.pm module to update them through the PWD interface.  Check out http://www.stalker.com/CGPerl/ for some examples, specifically:

TempBlacklistIP(IP, timeout)
Example:
$cli->TempBlacklistIP("111.111.1.1",0);

GetTempBlacklistedIPs

SetTempBlacklistedIPs(IPs)
Example:
  my $data=$cli->GetTempBlacklistedIPs();
  if($cli->isSuccess) {
    $data .="\\e11.22.33.44\\e22.33.44.55";
    $cli->SetTempBlacklistedIPs($data);
  } else {
    die "Error: ".$cli->getErrMessage.", quitting";
  }


--

Jeff Wark
Tbaytel Internet
On Fri, 5 Jun 2015 22:49:14 +1200
 Martin Miller <anothersphere@gmail.com> wrote:
>> Can I just overwrite denyhosts.data and blacklisted.data ?
>> i.e. do they get dynamically loaded by ccgate?
>>
>> My present idea is to simply cron my awk script daily with it running over
>> all my logs (perhaps 30 days snail trail i.e. my log retention window).
>> Thus organically rotating out older baddies, but adding them again if they
>> reoccur. If I have any I want to persist I will just have a text file that
>> gets cat'ed to the lists.
>>
>> Yes I could use fail2ban but frankly can't be bothered with yet more
>> software to install and configure. Simple use of simple shell stuff suits
>> me fine (if I can make it work).
>>
>>
>> On 3 June 2015 at 01:19, Juergen P. [core] <juergenp@core.at> wrote:
>>
>>> You can modify the file /var/CommuniGate/Settings/BlackListed.data to
>>> have the IPs included into the Blacklist.
>>> This can be done automatically. If you are running a cluster you must
>>> update that file on each node.
>>>
>>> I also use a small perl-script to check for "blacklisted" IPs by some
>>> RBL-Servers in the logs - adding those IPs reduces RBL-requests.
>>> The blacklist should be maintained periodically.
>>>
>>> (I prefer the brutal method - once on the list - never removed until I'll
>>> receive a request from a customer)
>>>
>>> kr.
>>>
>>> Juergen
>>>
>>>
>>> On Tue, 2 Jun 2015 14:03:55 +0100
>>>  "David Brookfield" <david.brookfield@city-support.co.uk> wrote:
>>>
>>> Please ignore my last PEBCAK
>>>
>>> -----Original Message-----
>>> From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com] On Behalf Of David Brookfield
>>> Sent: 02 June 2015 13:58
>>> To: CommuniGate Pro Discussions
>>> Subject: Re: Using AWK on unix flavour to extract log information
>>>
>>> Stupid question I guess, but what is AWS? I do pretty much exactly the
>>> same from a filter with "failed to open" in it, I do this on the day's
>>> log file, I then put that in Excel and extract the IPs, it's really quick
>>> but wondering if I'm missing a trick here.
>>>
>>> -----Original Message-----
>>> From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com] On Behalf Of Alexander Ryskin
>>> Sent: 02 June 2015 13:26
>>> To: CommuniGate Pro Discussions
>>> Subject: Re: Using AWK on unix flavour to extract log information
>>>
>>> awk '$4 == "failed" {sub(/.*\[/,"",$3);sub(/\]./,"",$3);store[$3]=1}END{for (s in store) print s}'
>>>
>>> Alex
>>>
>>> On 06/02/2015 07:56 AM, Martin Miller wrote:
>>>
>>>  I want to extract all "Failed to" entries to pull the IP so I can deny.
>>>
>>>
>>>  Why? It's a little server and I am tired of the continuous probes, and
>>>  there is zero chance of legitimates being caught up in the fails.
>>>
>>>
>>>  Here is a typical log row:
>>>
>>>
>>>  23:31:51.485 1 SMTPI-002310([202.83.25.95]) failed to open
>>>  ACCOUNT(corp) for [202.83.25.95]:52281->[192.168.1.67]:25. Error
>>>  Code=account is routed to NULL
>>>
>>>
>>>  Can anyone suggest an awk statement to parse the above to get
>>>  202.83.25.95, ideally using uniq to return a unique list.
>>>
>>>
>>>  --
>>>  MJM
>>>
>>>
>>>
>>> * #############################################################*
>>> * This message is sent to you because you are subscribed to*
>>> *  the mailing list <*CGatePro@mail.stalker.com*>.*
>>> * To unsubscribe, E-mail to: <*CGatePro-off@mail.stalker.com*> To switch
>>> to the DIGEST mode, E-mail to <*CGatePro-digest@mail.stalker.com*>*
>>> * To switch to the INDEX mode, E-mail to <*CGatePro-index@mail.stalker.com*>
>>> Send administrative queries to *
>>> * <*CGatePro-request@mail.stalker.com*>*
>>>
>>>
>>> --
>>> Best Regards
>>>
>>> Juergen Paulhart
>>>
>>> VoIP / SIP / IM / E-Mail : juergenp@core.at
>>> TEL: +43 676 30 592 44
>>> VoIP Support:  +43 1 236 46 60 600
>>> https://www.core.at
>>> ***  IT Security, Cloud based Communication Technologies & Hosted Unified
>>> Communications ***
>>>
>>
>>
>>
>> --
>> MJM





--
MJM
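The daily job discussed in this thread (Alex's awk extraction, plus Martin's wish for a threshold and a persistent "keep" list that gets merged in), written out as a complete POSIX shell script. This is an added example, not code from the thread or from CommuniGate Pro; the log lines are constructed from the format Martin quoted, using documentation addresses, and the `failed_ips`, `build_blacklist` function names, the `$5`/`$6` field check and the minimum-count threshold are my own additions rather than anything the posters wrote.

```shell
#!/bin/sh
# Added example: extract IPs from CommuniGate-style "failed to open" log lines,
# count them, apply a threshold, and merge with a persistent list.

# Constructed sample log (not real traffic): three failures from two sources,
# plus one unrelated line that must be ignored.
SAMPLE_LOG='23:31:51.485 1 SMTPI-002310([192.0.2.10]) failed to open ACCOUNT(corp) for [192.0.2.10]:52281->[192.168.1.67]:25. Error Code=account is routed to NULL
23:31:52.100 1 SMTPI-002311([192.0.2.10]) failed to open ACCOUNT(sales) for [192.0.2.10]:52290->[192.168.1.67]:25. Error Code=account is routed to NULL
23:32:01.002 1 SMTPI-002312([198.51.100.7]) failed to open ACCOUNT(info) for [198.51.100.7]:1234->[192.168.1.67]:25. Error Code=account is routed to NULL
23:32:05.000 1 SMTPI-002313([203.0.113.5]) opened ACCOUNT(alice) for [203.0.113.5]:4321->[192.168.1.67]:25.'

# failed_ips [MIN]: read log lines on stdin, print each source IP that produced
# at least MIN (default 1) "failed to open" lines, one per line, sorted.
failed_ips() {
  min=${1:-1}
  awk -v min="$min" '
    # $3 looks like SMTPI-002310([192.0.2.10]); $4..$6 are "failed to open".
    # Checking all three words avoids matching other lines whose 4th field
    # happens to be "failed".
    $4 == "failed" && $5 == "to" && $6 == "open" {
      ip = $3
      sub(/.*\[/, "", ip)    # drop everything up to and including "["
      sub(/\].*/, "", ip)    # drop "]" and whatever follows
      count[ip]++
    }
    END { for (ip in count) if (count[ip] >= min) print ip }
  ' | sort
}

# build_blacklist PERSIST_FILE [MIN]: union of the hand-maintained list in
# PERSIST_FILE (one IP per line, may be absent) and the thresholded failures
# read from stdin; sort -u removes duplicates so repeat offenders appear once.
build_blacklist() {
  persist=$1
  min=${2:-1}
  {
    if [ -f "$persist" ]; then cat "$persist"; fi
    failed_ips "$min"
  } | sort -u
}

# Stand-alone demonstration on the constructed sample: only the address that
# failed twice survives a threshold of 2 (prints 192.0.2.10).
printf '%s\n' "$SAMPLE_LOG" | failed_ips 2
```

In a cron job the stdin would be the retained logs (for example `cat "$LOGDIR"/*.log | build_blacklist keep.txt 3 > new-blacklist.txt`, where `LOGDIR` and `keep.txt` are placeholders); because the input window is whatever logs are still retained, addresses age out on their own once they stop appearing, which is the "organic rotation" Martin describes. Whether the resulting file can simply replace the server's own list without a restart is the open question Jeff raises above and is not answered by this script.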