spamassassin question [with blacklist question]

Brian Densmore DensmoreB at ctbsonline.com
Mon Oct 25 17:04:21 CDT 2004


I happen to like apache 1.3 and see no problems with the 2.4 kernel.
The SA version in stable is 2.2 so it's quite out of date. Then there
is exim using version 3.36. The thing I like about stable is that 
the security patches happen first in stable. Having been hacked once,
I tend to be a bit more conservative these days (*and by the way, I've
also been seeing a lot of those scripted hack attacks). At least where my
"production" software is concerned. At home I run testing/unstable.
Not sure how I accomplished that, but there it is.

* I've added some code to my firewall rules to read in my personal
blacklisted IP addresses from a file and make drop rules out of it.

Now I need to write a little script to put in cron to scan my logs
once a day and extract IP addresses that are attempting to login
and add them to the blacklist and restart the firewall.

something like:

# own address (never blacklisted), blacklist file, firewall init script
MYADDR=xxx.xxx.xxx.xxx
BLACKLIST=/etc/blacklist.txt
FWSCRIPT=/etc/init.d/firewall.sh

# pull the source address out of each "Failed password" line; sort before
# dropping duplicates, since uniq only collapses adjacent duplicates
grep -i 'failed password' /var/log/auth.log | cut -d\  -f11 | sort -u > nuiq.txt
# -s: only touch the blacklist and restart when something was actually found
if [ -s nuiq.txt ]
  then
    while read ipaddr
    do
      # string comparison ("ne" is not a test operator; -ne is numeric only)
      if [ "$ipaddr" != "$MYADDR" ] ; then
        echo "$ipaddr" >> "$BLACKLIST"
      fi
    done < nuiq.txt
    "$FWSCRIPT" restart
fi

My only problem here is sometimes I need to use 'cut -d\ -f11' and sometimes
'cut -d\ -f12'. Sometimes I have to do both in the same file. So I guess it's time
to pull out the sed pocket reference I have and learn something in there to help.
It's because of the way the date is being posted to the log file:
Oct  9 ...
Oct 10 ...
So I get one extra delimiter when the date has one digit. I'd also like to be able to
skip the saving of the list to a file step. Alas my script skills are insufficient for the
task. Also I might soon need to use a case or some other control method to ignore
perhaps a half a dozen IP addresses or even a range of IP addresses for other users of the system.


Brian

> -----Original Message-----
> From: Jeremy Turner
> 
> I said the heck with it and pinned my server on sarge.  It'll be the new
> stable soon enough.  I can't stand SA 2.4 or whatever is in stable, same
> with 2.4 kernel, Apache 1.3, etc.
> 
> Jeremy
> 
> -- 
> Jeremy Turner <jeremy at linuxwebguy.com>
> Linux Tips and News! ---> http://linuxwebguy.com
> 
> 
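Added example (not Brian's script, and not from this thread): a POSIX sh
version of the cron job that handles the three things he asks about. It
takes the address as the token between " from " and " port " instead of
counting fields, so the one- vs two-digit day no longer matters; it runs
as one pipeline with no temporary file; and it skips an allow-list that
may hold single addresses or CIDR ranges. The log lines, the allow-list
entries and the function names are all constructed for the example.

```sh
#!/bin/sh
# Added example, not Brian's script: extract the source addresses of failed
# logins from auth.log lines without depending on the field number, skip an
# allow-list of addresses and CIDR ranges, and do it in one pipeline with
# no temporary file.  Sample log lines and allow-list entries are constructed.

# Constructed auth.log lines; note the one- and two-digit days.
SAMPLE_LOG='Oct  9 03:12:01 host sshd[1234]: Failed password for root from 192.0.2.10 port 4022 ssh2
Oct 10 03:12:05 host sshd[1235]: Failed password for invalid user admin from 198.51.100.7 port 4100 ssh2
Oct 10 03:13:09 host sshd[1236]: Failed password for root from 192.0.2.10 port 4030 ssh2
Oct 10 04:00:00 host sshd[1237]: Accepted password for brian from 203.0.113.5 port 5000 ssh2
Oct 11 01:02:03 host sshd[1238]: Failed password for brian from 203.0.113.5 port 5001 ssh2'

# Constructed allow-list: one address or network per line, never blacklisted.
ALLOW='203.0.113.0/24
192.0.2.99'

# Dotted quad -> 32-bit integer, so ranges can be compared with a mask.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_cidr ADDR NET[/PREFIX]: true when ADDR lies inside NET (no prefix = /32).
in_cidr() {
    net=${2%/*}
    case $2 in */*) bits=${2#*/} ;; *) bits=32 ;; esac
    mask=$(( $bits == 0 ? 0 : (4294967295 << (32 - $bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# is_allowed ADDR: true when ADDR matches any allow-list entry.
is_allowed() {
    for net in $ALLOW; do
        in_cidr "$1" "$net" && return 0
    done
    return 1
}

# Read log lines on stdin, print each distinct failed-login source once.
# Taking the token between " from " and " port " sidesteps the shifting
# field number that cut -f11 / -f12 runs into.
failed_ips() {
    grep -i 'failed password' | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' | sort -u
}

# Read log lines on stdin, print the addresses that belong on the blacklist.
new_blacklist() {
    failed_ips | while read -r ip; do
        is_allowed "$ip" || echo "$ip"
    done
}

# Run against the constructed sample.  In cron this would be
#   new_blacklist < /var/log/auth.log >> "$BLACKLIST" && "$FWSCRIPT" restart
printf '%s\n' "$SAMPLE_LOG" | new_blacklist
```

On the sample above this prints 192.0.2.10 and 198.51.100.7; the
203.0.113.5 line is dropped because it falls inside the allowed /24. The
own-address check from the original script is just a one-line /32 entry in
ALLOW, and appending to the blacklist with sort -u keeps repeat offenders
from being added twice on later runs.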


