码迷,mamicode.com
首页 > 其他好文 > 详细

动态分析maillog日志,把恶意链接直接用防火墙禁止

时间:2014-08-20 14:13:35      阅读:360      评论:0      收藏:0      [点我收藏+]

标签:blog   os   io   文件   数据   ar   2014   代码   

            最近用 postfix + dovecot 搭建了一个邮件服务器, 被人当做垃圾邮件转发器,经过配置postfix 的黑白名单, postfix 提示成功的 REJECT 了垃圾邮件, 不过还是有无数的IP地址, 连接过来要进行发送邮件, 虽然垃圾邮件被拒绝了,但是未知连接太多,造成 maillog 日志越变越大, 拖慢 postfix 的运行速度,  总得想个办法解决。要是能把这些无用的IP地址直接用防火墙拒绝就好了。 思路有了,我们就着手处理吧。


这些垃圾IP地址全部是

  • 本站主数据:台湾省 中华电信股份有限公司
  • 参考数据一:台湾

tail    -f    /var/log/maillog   查看日志如下所示:

这日志还是很有规律的, 是不是 ?


Aug 20 12:11:40 www postfix/smtpd[18033]: NOQUEUE: reject: RCPT from 36-224-133-61.dynamic-ip.hinet.net[36.224.133.61]: 554 5.7.1 <ykrt@yahoo.com.tw>: Recipient address rejected: Access denied; from=<vpjcmwqinpnpg@anet.net.tw> to=<ykrt@yahoo.com.tw> proto=SMTP helo=<115.28.81.191>
Aug 20 12:11:41 www postfix/smtpd[18033]: NOQUEUE: reject: RCPT from 36-224-133-61.dynamic-ip.hinet.net[36.224.133.61]: 554 5.7.1 <yanghabi@yahoo.com.tw>: Recipient address rejected: Access denied; from=<vpjcmwqinpnpg@anet.net.tw> to=<yanghabi@yahoo.com.tw> proto=SMTP helo=<115.28.81.191>
Aug 20 12:11:41 www postfix/smtpd[18026]: NOQUEUE: reject: RCPT from 36-224-135-60.dynamic-ip.hinet.net[36.224.135.60]: 554 5.7.1 <dygui@yahoo.com.tw>: Recipient address rejected: Access denied; from=<vqjpdghrcnaf@163.com> to=<dygui@yahoo.com.tw> proto=SMTP helo=<115.28.81.191>
Aug 20 12:11:42 www postfix/smtpd[18023]: NOQUEUE: reject: RCPT from 114-45-29-112.dynamic.hinet.net[114.45.29.112]: 554 5.1.8 <ekiczlqpkuezc@yahoo.com.jp>: Sender address rejected: Domain not found; from=<ekiczlqpkuezc@yahoo.com.jp> to=<fet77111@yahoo.com.tw> proto=SMTP helo=<115.28.81.191>
Aug 20 12:11:43 www postfix/smtpd[18033]: NOQUEUE: reject: RCPT from 36-224-133-61.dynamic-ip.hinet.net[36.224.133.61]: 554 5.7.1 <zen19762001@yahoo.com.tw>: Recipient address rejected: Access denied; from=<vpjcmwqinpnpg@anet.net.tw> to=<zen19762001@yahoo.com.tw> proto=SMTP helo=<115.28.81.191>
Aug 20 12:11:43 www postfix/smtpd[18026]: NOQUEUE: reject: RCPT from 36-224-135-60.dynamic-ip.hinet.net[36.224.135.60]: 554 5.7.1 <to1477889900@yahoo.com.tw>: Recipient address rejected: Access denied; from=<vqjpdghrcnaf@163.com> to=<to1477889900@yahoo.com.tw> proto=SMTP helo=<115.28.81.191>
Aug 20 12:11:44 www postfix/smtpd[18033]: NOQUEUE: reject: RCPT from 36-224-133-61.dynamic-ip.hinet.net[36.224.133.61]: 554 5.7.1 <x19781024@yahoo.com.tw>: Recipient address rejected: Access denied; from=<vpjcmwqinpnpg@anet.net.tw> to=<x19781024@yahoo.com.tw> proto=SMTP helo=<115.28.81.191>
Aug 20 12:11:44 www postfix/smtpd[18023]: NOQUEUE: reject: RCPT from 114-45-29-112.dynamic.hinet.net[114.45.29.112]: 554 5.1.8 <ekiczlqpkuezc@yahoo.com.jp>: Sender address rejected: Domain not found; from=<ekiczlqpkuezc@yahoo.com.jp> to=<jay791028@yahoo.com.tw> proto=SMTP helo=<115.28.81.191>
Aug 20 12:11:45 www postfix/smtpd[18033]: NOQUEUE: reject: RCPT from 36-224-133-61.dynamic-ip.hinet.net[36.224.133.61]: 554 5.7.1 <juliessy@yahoo.com.tw>: Recipient address rejected: Access denied; from=<vpjcmwqinpnpg@anet.net.tw> to=<juliessy@yahoo.com.tw> proto=SMTP helo=<115.28.81.191>
Aug 20 12:11:45 www postfix/smtpd[18026]: too many errors after RCPT from 36-224-135-60.dynamic-ip.hinet.net[36.224.135.60]
Aug 20 12:11:45 www postfix/smtpd[18026]: disconnect from 36-224-135-60.dynamic-ip.hinet.net[36.224.135.60]
Aug 20 12:11:46 www postfix/smtpd[18023]: too many errors after RCPT from 114-45-29-112.dynamic.hinet.net[114.45.29.112]
Aug 20 12:11:46 www postfix/smtpd[18023]: disconnect from 114-45-29-112.dynamic.hinet.net[114.45.29.112]
Aug 20 12:11:47 www postfix/smtpd[18033]: NOQUEUE: reject: RCPT from 36-224-133-61.dynamic-ip.hinet.net[36.224.133.61]: 554 5.7.1 <xsip@yahoo.com.tw>: Recipient address rejected: Access denied; from=<vpjcmwqinpnpg@anet.net.tw> to=<xsip@yahoo.com.tw> proto=SMTP helo=<115.28.81.191>
Aug 20 12:11:49 www postfix/smtpd[18033]: too many errors after RCPT from 36-224-133-61.dynamic-ip.hinet.net[36.224.133.61]
Aug 20 12:11:49 www postfix/smtpd[18033]: disconnect from 36-224-133-61.dynamic-ip.hinet.net[36.224.133.61]
Aug 20 12:14:10 www postfix/smtpd[18097]: connect from 36-224-136-82.dynamic-ip.hinet.net[36.224.136.82]
Aug 20 12:14:11 www postfix/smtpd[18097]: NOQUEUE: reject: RCPT from 36-224-136-82.dynamic-ip.hinet.net[36.224.136.82]: 554 5.7.1 <rzxijhkiefau@yahoo.com.tw>: Sender address rejected: Access denied; from=<rzxijhkiefau@yahoo.com.tw> to=<ina12350@yahoo.com.tw> proto=SMTP helo=<115.28.81.191>
Aug 20 12:14:11 www postfix/smtpd[18097]: NOQUEUE: reject: RCPT from 36-224-136-82.dynamic-ip.hinet.net[36.224.136.82]: 554 5.7.1 <rzxijhkiefau@yahoo.com.tw>: Sender address rejected: Access denied; from=<rzxijhkiefau@yahoo.com.tw> to=<ilovemyself414@yahoo.com.tw> proto=SMTP helo=<115.28.81.191>

我们可以动态分析日志, 把  
too many errors after RCPT from
后面的IP地址获取, 动态加入到防火墙进行拒绝就行。

思路有了, 我就写个小程序来分析日志吧,我写的是C的,  不过用perl 或者 shell 脚本可能更简单。

反正用自己最熟悉的语言就行。 


dyn.c 源代码文件的内容如下 :

#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#define BUF_LEN   4096
#define DATA_LEN  4096*10

int  main (int argc, char** argv)
{
	//too many errors after RCPT from 36-224-128-99.dynamic-ip.hinet.net[36.224.128.99]
	//too many errors after RCPT from 118-169-22-28.dynamic.hinet.net[118.169.22.28]
    char buf[BUF_LEN] = {0};
	const char* sep = "too many errors after RCPT from";
	
	while (1)
	{
		memset (buf, 0, sizeof(buf));
		char* tp = fgets (buf, sizeof(buf)-1, stdin);
		if (tp != NULL)
		{
			char* p = strstr(buf, sep);
			if (p != NULL)
			{
				char* p1 = p + strlen(sep);
				while (*p1 != ‘\0‘ && *p1 != ‘.‘)
				{
					p1++;
				}
				*p1 = ‘\0‘;

				*(p-1) = ‘\0‘;
				int x1, x2, x3, x4;
				int ret = sscanf(p, "too many errors after RCPT from %d-%d-%d-%d", &x1, &x2, &x3, &x4);
				//printf ("Get IP = %d.%d.%d.%d\n", x1,x2,x3,x4);
				if (ret == 4)
				{
				    char ebuf[512] = {0};
					snprintf(ebuf, sizeof(ebuf)-1, "iptables -I INPUT -s %d.%d.%d.%d -j DROP", x1,x2,x3,x4);
					system (ebuf);
					printf ("%s\n", ebuf);
				}
			}
		}
	}
	
	return 0;
}



用  gcc   -g -o dyn  dyn.c    , 编译后生成了可执行文件   dyn

我的dyn可执行文件在  /root 目录, 所以用 命令:

nohup   tail  -f   /var/log/maillog  |  /root/dyn  &

让它自己跑吧。

过一段时间后, 我们再看maillog日志,  已经基本没有 不认识的IP地址再连接过来打算发邮件了。




动态分析maillog日志,把恶意链接直接用防火墙禁止,布布扣,bubuko.com

动态分析maillog日志,把恶意链接直接用防火墙禁止

标签:blog   os   io   文件   数据   ar   2014   代码   

原文地址:http://blog.csdn.net/langeldep/article/details/38704291

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!