I am weary of dictionary attacks against my qmail and I'm willing to ban IP addresses of the zombies trying to send to neaten my logs.
I use the CHKUSER patch to block unknown recipients, so in "/var/log/qmail/smtp/current" I have log entries that look like this:
Code:
CHKUSER rejected rcpt: from <toonah@email.msn.com::> remote <84-120-133-100.onocable.ono.com:unknown:84.120.133.100> rcpt <nevagju@mydomain.tld> : not existing recipient
Clearly that's a very parsable string and I can ban the sending IP. Problem is that the message is part of a continuous log of these pricks and I can't just process a file. I need to grab these entries as they arrive and have them set aside for handling.
What I really want to do is stuff every one of these IPs into a MySQL database and when the number of hits from an IP to an unknown recipient on my end reaches a threshold, then I want to ban them by an entry into /etc/tcp.smtp
Anybody done anything similar? I looked at "logwatch" and it wasn't immediately obvious if it could handle this.
D.E.R. Management - IT Project Management Consulting
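A parse-count-ban sketch for the CHKUSER line format shown above, added here as an example that is not from the original post or from the CHKUSER project: it extracts the remote IP from the `<hostname:ident:ip>` field, counts rejections per IP, and renders tcprules deny entries for every IP that reaches the threshold. The sample log lines, the `192.0.2.10` address and the threshold of 3 are constructed for the demonstration; the MySQL persistence the poster wants is replaced by an in-memory counter, and the TAI64N `@...` prefix that multilog writes to `current` is tolerated by searching rather than anchoring the pattern.

```python
import re
from collections import Counter

# Pattern for the CHKUSER "rejected rcpt" line quoted in the post. The remote
# field is <reverse-dns:ident:ip>; the IP is taken from its last colon field.
CHKUSER_RE = re.compile(
    r"CHKUSER rejected rcpt: from <(?P<sender>[^>]*)> "
    r"remote <(?P<remote>[^>]*)> rcpt <(?P<rcpt>[^>]*)> : not existing recipient"
)

def remote_ip(line):
    """Return the remote IP from a CHKUSER rejection line, or None if the
    line is not such a rejection (e.g. a tcpserver connection line)."""
    m = CHKUSER_RE.search(line)  # search() tolerates the multilog timestamp prefix
    if not m:
        return None
    # remote is "hostname:ident:ip"; the IP is the last colon-separated field
    return m.group("remote").rsplit(":", 1)[-1]

def offenders(lines, threshold):
    """Count rejections per IP over an iterable of log lines and return the
    IPs that reached the threshold, most frequent first."""
    counts = Counter()
    for line in lines:
        ip = remote_ip(line)
        if ip:
            counts[ip] += 1
    return [ip for ip, n in counts.most_common() if n >= threshold]

def tcp_smtp_deny_lines(ips):
    """Render tcprules deny entries in the /etc/tcp.smtp format, one per IP."""
    return ["%s:deny" % ip for ip in ips]

# Constructed sample log: the post's line plus hypothetical variants. Three
# rejections come from 84.120.133.100, one from 192.0.2.10, one line is noise.
SAMPLE_LOG = [
    "CHKUSER rejected rcpt: from <toonah@email.msn.com::> remote <84-120-133-100.onocable.ono.com:unknown:84.120.133.100> rcpt <nevagju@mydomain.tld> : not existing recipient",
    "@400000004a1b2c3d0e0f1a2b CHKUSER rejected rcpt: from <> remote <unknown:unknown:84.120.133.100> rcpt <bob@mydomain.tld> : not existing recipient",
    "@400000004a1b2c3d0e0f1a2c CHKUSER rejected rcpt: from <x@example.org::> remote <unknown:unknown:84.120.133.100> rcpt <carol@mydomain.tld> : not existing recipient",
    "@400000004a1b2c3d0e0f1a2d CHKUSER rejected rcpt: from <y@example.org::> remote <host.example.net:unknown:192.0.2.10> rcpt <dave@mydomain.tld> : not existing recipient",
    "@400000004a1b2c3d0e0f1a2e tcpserver: ok 12345 mail.mydomain.tld:192.0.2.1:25 :192.0.2.10::40001",
]

if __name__ == "__main__":
    for rule in tcp_smtp_deny_lines(offenders(SAMPLE_LOG, 3)):
        print(rule)
```

After appending the deny lines to /etc/tcp.smtp, the cdb that tcpserver actually reads has to be rebuilt (`tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp`), and feeding the script from the live log is a matter of piping `tail -F /var/log/qmail/smtp/current` into it instead of the constructed list.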