Was a bit creative tonight. Created a Python script to grab IP addresses from /var/log/mail.log that should not have been able to connect to my mail server.

# Generate a list of ip addresses that need to be blocked
# They are not known ip addresses. Fuck em!
# Block via NFTables
# 2021 smurfd

import re

unknown_disconnect = []
ip_addresses = []

# Keep only the Postfix smtpd lines for clients whose reverse DNS lookup failed;
# Postfix logs those as "disconnect from unknown[a.b.c.d] ...".
with open("/var/log/mail.log") as file:
    for line in file:
        if "disconnect from unknown" in line:
            unknown_disconnect.append(line.strip())

# Pull the first dotted quad out of each line; that is the client address.
# The pattern only admits digits and dots, so nothing else from the log can
# end up in the generated shell commands.
for u_d in unknown_disconnect:
    ip = re.findall(r'[0-9]+(?:\.[0-9]+){3}', u_d)
    if ip:
        ip_addresses.append(ip[0])

# Deduplicate and sort (plain set/sorted does what np.unique did).
unique_ips = sorted(set(ip_addresses))

if not unique_ips:
    print("no ips to block!")
else:
    # One reject rule per address, then persist and reload the ruleset.
    for u in unique_ips:
        print("sudo nft add rule ip filter IN_public_deny ip saddr", u, "counter reject")
    print("sudo rc-service nftables save")
    print("sudo rc-service nftables restart")

And you run it like this (the script only prints commands, so read fw-block.sh before running it, and make sure the ip filter table and the IN_public_deny chain actually exist, for example with sudo nft list chain ip filter IN_public_deny, or every nft add rule line will fail):

$ python3 generate_list_of_ips_to_block_from_maillog.py > fw-block.sh
$ sh ./fw-block.sh
Then add it to a cronjob to run daily or hourly. Nice :)
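One thing to watch when this runs from cron: nft add rule always appends, and the old log entries are still in /var/log/mail.log on the next run, so every hourly run adds another copy of every rule. The variant below is an added example (not the original script above) that keeps the same idea but collects the addresses into an nftables set and emits nft add element instead; adding an element that is already in the set is a no-op, so re-running it is harmless, and nft list set / nft delete element make the block list easy to review and prune, which matters because "unknown" only means Postfix could not resolve a reverse DNS name for the client, so a misconfigured but legitimate sender ends up there too. It assumes the author's ip filter table with its IN_public_deny chain, an ip6 filter table with a chain of the same name for IPv6 clients, set names mail_block and mail_block6, and a never-block list of local networks; all of these are my assumptions, and the sample log lines are constructed in Postfix smtpd format, not taken from a real server.

```python
#!/usr/bin/env python3
"""Idempotent mail.log blocker (added example, not the original script).

Emits 'nft add element' lines for an nftables set instead of one 'nft add rule'
per address, so it can safely run from cron without piling up duplicate rules.
"""
import ipaddress
import re
import sys

# Client address Postfix prints after "unknown"; IPv6 clients are logged as
# unknown[IPv6:2001:db8::1], so allow an optional IPv6: prefix.
UNKNOWN_CLIENT = re.compile(r"disconnect from unknown\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")

# Assumed never-block list: your own LAN, loopback and link-local ranges.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "::1/128", "fe80::/10",
)]

# Constructed sample lines in Postfix smtpd log format (not from a real server).
SAMPLE_LOG = """\
Mar  3 10:15:01 mail postfix/smtpd[12345]: disconnect from unknown[203.0.113.45] ehlo=1 auth=0/1 rset=1 quit=1 commands=4/5
Mar  3 10:16:12 mail postfix/smtpd[12346]: disconnect from mail.example.net[198.51.100.7] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Mar  3 10:17:30 mail postfix/smtpd[12347]: disconnect from unknown[192.168.1.10] ehlo=1 quit=1 commands=2
Mar  3 10:18:02 mail postfix/smtpd[12348]: disconnect from unknown[203.0.113.45] ehlo=1 auth=0/1 quit=1 commands=2/3
Mar  3 10:19:44 mail postfix/smtpd[12349]: disconnect from unknown[IPv6:2001:db8::1] ehlo=1 quit=1 commands=2
Mar  3 10:20:00 mail postfix/smtpd[12350]: disconnect from unknown[999.1.2.3] ehlo=1 quit=1 commands=2
"""


def unknown_clients(lines):
    """Return (ipv4, ipv6) sorted lists of client addresses that disconnected
    without a reverse DNS name, skipping garbage and never-block networks."""
    v4, v6 = set(), set()
    for line in lines:
        m = UNKNOWN_CLIENT.search(line)
        if not m:
            continue
        try:
            # Parsing with ipaddress guarantees only a real address reaches the
            # generated shell script, so nothing from the log can inject commands.
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        if any(addr in net for net in NEVER_BLOCK):
            continue  # blocking your own LAN is how you lock yourself out
        (v4 if addr.version == 4 else v6).add(addr)
    return [str(a) for a in sorted(v4)], [str(a) for a in sorted(v6)]


def setup_commands():
    """One-time setup, run by hand (not from cron): create the sets and hook
    each into the deny chain with a single rule. Assumes 'ip filter' and
    'ip6 filter' tables that both have an IN_public_deny chain."""
    return [
        "sudo nft add set ip filter mail_block '{ type ipv4_addr; }'",
        "sudo nft add rule ip filter IN_public_deny ip saddr @mail_block counter reject",
        "sudo nft add set ip6 filter mail_block6 '{ type ipv6_addr; }'",
        "sudo nft add rule ip6 filter IN_public_deny ip6 saddr @mail_block6 counter reject",
    ]


def block_commands(v4, v6):
    """Per-run commands: 'add element' on an address already in the set
    succeeds silently, so cron can run this as often as it likes. The
    elements are live immediately; 'save' just persists them across reboots."""
    cmds = []
    if v4:
        cmds.append("sudo nft add element ip filter mail_block '{ %s }'" % ", ".join(v4))
    if v6:
        cmds.append("sudo nft add element ip6 filter mail_block6 '{ %s }'" % ", ".join(v6))
    if cmds:
        cmds.append("sudo rc-service nftables save")
    return cmds


if __name__ == "__main__":
    # Usage: script.py --demo        (runs over the constructed sample above)
    #        script.py [/var/log/mail.log] > fw-block.sh
    if sys.argv[1:] == ["--demo"]:
        lines = SAMPLE_LOG.splitlines()
    else:
        path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/mail.log"
        with open(path) as fh:
            lines = fh.read().splitlines()
    cmds = block_commands(*unknown_clients(lines))
    print("\n".join(cmds) if cmds else "echo 'no ips to block!'")
```

Run the four setup_commands() lines once by hand, then put the script itself in cron in place of the original; on the sample input it blocks only 203.0.113.45 and 2001:db8::1, dropping the duplicate, the LAN address and the malformed 999.1.2.3 line.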