I’m now running a mailserver, and I was trying to set up Mailman to handle a mailing list. I was having some odd behavior causing Mailman to barf up a fatal error, so I used a trailing monitor on the log file with tail -f<\/tt>.<\/p>\n
In the course of doing that, I noticed several<\/em> hosts connect attempting to deliver mail (presumably spam) to “bumttwagnerfor@domain…”, a bizarre address that definitely doesn’t exist.<\/p>\n It’s not a big deal, because the mail’s just bouncing. But it got irritating watching them all in the log file.<\/p>\n I wanted to ban them. It turns out that Linux makes this easy: there’s a hosts.deny file, and anyone in it is banned from connecting. I already have a script that watches for repeat failed login attempts on ssh and bans them. (And I have something like 200 IPs banned, although I suspect that it’s not purging them appropriately.)<\/p>\n All the log entries are in a common format, and look like this:<\/p>\n We can see (actually, guess, in my case) that the IP is the 10th ‘column’ (using a ‘space’ as a delimiter). So we can begin a rudimentary script to print out just that:<\/p>\n But there’s an obvious problem: the hostname is rammed up against the IP. I want to just ban the IP, and strip out the hostname. The correct way is to write a lengthy regular expression to match just whatever’s between the [ and ]. (Note that you can’t just write a regular expression to match IPs: the very first one has an IP in its hostname, for example, which would throw you off.)<\/p>\n The quick and easy solution is to replace the [ with a space and the ] with a space, which gives you “hostname IP “. And then you use awk again to print it:<\/p>\n grep bumttwagnerfor \/var\/log\/messages | awk '{ print $10}' | sed \"s\/[\/ \/g\" | sed \"s\/]\/ \/g\" | awk '{print $2}'<\/tt><\/p>\n This is a pretty ugly command. Just the way I like it. \ud83d\ude09<\/p>\n But we’re not quite done! The format for hosts.deny is “Service: Address.” We’re just getting addresses here. I want the output to be something like ALL: 1.2.3.4<\/tt> for each entry. (If they’re spamming me, I don’t want to allow them access to any other services.)<\/p>\n When it’s all said and done, here’s the command:<\/p>\n grep bumttwagnerfor \/var\/log\/messages | awk '{ print $10}' | sed \"s\/[\/ \/g\" | sed \"s\/]\/ \/g\" | awk '{print \"ALL\", $2}'<\/tt><\/p>\n You can just append a >> hosts.deny<\/tt> to deny them right away, or parse it through head<\/tt> or less<\/tt> to review first.<\/p>\n And viola. 440 IPs banned.<\/p>\n Seriously, though. wtf is going on? 440 different people have tried spamming this address that has definitely never existed.<\/p>","protected":false},"excerpt":{"rendered":" I’m now running a mailserver, and I was trying to set up Mailman to handle a mailing list. I was having some odd behavior causing Mailman to barf up a fatal error, so I used a trailing monitor on the … Continue reading \nOct 8 05:41:31 oxygen postfix\/smtpd[23212]: NOQUEUE: reject: RCPT from unknown[62.233.163.250]: 550 5.1.1
\n# grep bumttwagnerfor \/var\/log\/messages | awk '{ print $10}' | head<\/b>\nunknown[211.49.17.175]:\n81.202.185.36.dyn.user.ono.com[81.202.185.36]:\nhost-89-228-234-224.kalisz.mm.pl[89.228.234.224]:\nLSt-Amand-152-32-14-78.w82-127.abo.wanadoo.fr[82.127.29.78]:\n<\/pre>\n