뽐뿌 Forum
Developer forum.

Asking for a bit of advice on a Linux script. ㅠㅠ3

  • Bolt950
  • Posted 2018-10-16 16:27
  • Views 763

I'm hopeless at this sort of thing.

I'm currently running a Linux mail server, and there are a huge number of SMTP access attempts.


First, for the unusual access attempts, I extracted a list with the following command.


grep "LOGIN" /var/log/maillog |  awk '{print $7 $8}' | sort | grep SASL |  uniq -c | sort -r > /tmp/spamlist


Doing that gives:


   9226 unknown[XXX.XXX.XXX.XXX]:SASL
    913 unknown[XXX.XXX.XXX.XXX]:SASL
      7 unknown[XXX.XXX.XXX.XXX]:SASL
    772 unknown[XXX.XXX.XXX.XXX]:SASL
     69 unknown[XXX.XXX.XXX.XXX]:SASL
   6846 unknown[XXX.XXX.XXX.XXX]:SASL
   6719 unknown[XXX.XXX.XXX.XXX]:SASL
      5 unknown[XXX.XXX.XXX.XXX]:SASL
   5729 unknown[XXX.XXX.XXX.XXX]:SASL
     50 unknown[XXX.XXX.XXX.XXX]:SASL
      4 unknown[XXX.XXX.XXX.XXX]:SASL
   4777 ipXXX.ip-xxx-xxx-xxx.net[XXX.XXX.XXX.XXX]:SASL


That is how the list gets extracted.

Then, from that list, I extracted only the IPs with more than 20 attempts.


while read -r A B
do
        if [ "${A}" -gt 20 ]
        then
         echo "${B}" | awk -F'[' '{print $2}' | awk -F']' '{print $1}' >> /tmp/blacklist
        fi
done < /tmp/spamlist


Then /tmp/blacklist contains only the IPs from the list above that had more than 20 attempts.

Then I read the /tmp/blacklist file and, with the firewall command (CentOS 7), run just


 firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='IP' reject"


for each one and restart the firewall, and that's it.

So the final script is:

-------------------------------------------------------------------------------------------------------------------------
#!/bin/bash
# Count SASL LOGIN failures per client (count first, then "client:SASL"); sort -rn sorts numerically
grep "LOGIN" /var/log/maillog | awk '{print $7 $8}' | sort | grep SASL | uniq -c | sort -rn > /tmp/spamlist

# Truncate the blacklist so re-running the script does not append the same IPs again
: > /tmp/blacklist

# Keep only clients with more than 20 attempts and pull the IP out of the brackets
while read -r A B
do
        if [ "${A}" -gt 20 ]
        then
         echo "${B}" | awk -F'[' '{print $2}' | awk -F']' '{print $1}' >> /tmp/blacklist
        fi
done < /tmp/spamlist

# Add a permanent reject rule for each IP, then reload the firewall (CentOS 7)
while read -r C
do
       firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='${C}' reject"
done < /tmp/blacklist
firewall-cmd --reload
-------------------------------------------------------------------------------------------------------------------------

Done as above, it runs fine.



What I'd like to do is avoid creating files like spamlist and blacklist as far as possible, and cut down on the repeated while/do loops.


I'd appreciate any advice.
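One way to drop both temporary files and both while loops, as an added example that is not part of the original post or the poster's script: a single awk pass counts the SASL LOGIN failures per client address and emits only the clients over the limit, a second awk turns those into the firewall-cmd rich-rule commands for review, and the "apply" mode hands the addresses to xargs instead of a shell loop. The field positions ($7 is the client, $8 is "SASL") follow the poster's grep/awk command; the log lines in sample_log are constructed for the demo and use documentation addresses (203.0.113.x, 198.51.100.x), and xargs -r is the GNU extension found on CentOS 7.

```shell
#!/bin/bash
# Added example, not the poster's script: one awk pass over the maillog, no temp
# files and no shell while-loops. Field positions ($7 = client, $8 = "SASL") follow
# the poster's grep/awk command; the log lines in sample_log are constructed.

THRESHOLD=20   # block a client once its SASL LOGIN failures exceed this

# Reads a Postfix maillog on stdin, prints "count ip" for clients over the limit,
# highest count first (sort -rn sorts numerically; plain sort -r sorts as text).
sasl_offenders() {
    awk -v limit="${1:-$THRESHOLD}" '
        /LOGIN/ && $8 == "SASL" {
            # $7 is e.g. "unknown[203.0.113.5]:"; keep only the bracketed address
            if (match($7, /\[[0-9.]+\]/)) {
                ip = substr($7, RSTART + 1, RLENGTH - 2)
                count[ip]++
            }
        }
        END { for (ip in count) if (count[ip] > limit) printf "%d %s\n", count[ip], ip }
    ' | sort -rn
}

# Turns "count ip" lines into the firewalld rich-rule commands, one per line,
# so they can be reviewed before anything is applied.
reject_rules() {
    awk -v q="'" '{
        printf "firewall-cmd --permanent --add-rich-rule=\"rule family=%sipv4%s source address=%s%s%s reject\"\n",
               q, q, q, $2, q
    }'
}

# Whole pipeline. Default prints the commands; "apply" runs them via xargs and
# reloads firewalld (CentOS 7, as root). xargs -r (GNU): do nothing if no offenders.
block_sasl_bruteforce() {
    log="${1:-/var/log/maillog}"
    mode="${2:-print}"
    if [ "$mode" = apply ]; then
        sasl_offenders "$THRESHOLD" < "$log" | awk '{ print $2 }' \
          | xargs -r -I{} firewall-cmd --permanent \
                --add-rich-rule="rule family='ipv4' source address='{}' reject"
        firewall-cmd --reload
    else
        sasl_offenders "$THRESHOLD" < "$log" | reject_rules
    fi
}

# Constructed sample log: 203.0.113.5 fails 25 times, 203.0.113.9 exactly 20
# (not over the limit), 198.51.100.7 3 times, plus one unrelated connect line.
sample_log() {
    repeat() {
        awk -v n="$1" -v host="$2" 'BEGIN {
            for (i = 0; i < n; i++)
                printf "Oct 16 12:00:%02d mail postfix/smtpd[1234]: warning: %s: SASL LOGIN authentication failed: UGFzc3dvcmQ6\n", i % 60, host
        }'
    }
    repeat 25 'unknown[203.0.113.5]'
    repeat 20 'unknown[203.0.113.9]'
    repeat 3  'ip7.ip-198-51-100.net[198.51.100.7]'
    printf 'Oct 16 12:01:00 mail postfix/smtpd[1234]: connect from unknown[198.51.100.7]\n'
}

# Stand-alone demo against the sample: prints one firewall-cmd line, for 203.0.113.5.
if [ "${1:-}" = demo ]; then
    sample_log | sasl_offenders | reject_rules
fi
```

Against the real server, `block_sasl_bruteforce` (no arguments) prints the rules that would be added from /var/log/maillog, and `block_sasl_bruteforce /var/log/maillog apply` adds them and reloads; keeping the print mode as the default means the address list can be checked before a permanent reject rule lands on, say, a legitimate relay that had a bad password configured.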

