
<html>

  <head>

    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">

  </head>

  <body text="#000000" bgcolor="#FFFFFF">

    <div class="moz-cite-prefix">Suricata does not know, who is legitim

      to access any service on your server<br>

      I recommend you to use ipset to block those attackers by filter

      most used ip's, which you can find for example with:<br>

      <br>

      #!/bin/bash<br>

      <br>

      # Daily fail2ban report<br>

      echo ""<br>

      echo "Fail2ban report for $(hostname)"<br>

      echo "================================================="<br>

      echo ""<br>

      echo "Today:"<br>

      grep "Ban " /var/log/fail2ban.log | grep $(date +%Y-%m-%d) | awk

      '{print $NF}' | sort | awk '{print $1,"("$1")"}' | logresolve |

      uniq -c | sort -n<br>

      echo ""<br>

      echo "Summery:"<br>

      awk '($(NF-1) = /Ban/){print $NF}' /var/log/fail2ban.log | sort |

      uniq -c | sort -n<br>

      echo ""<br>

      echo "Subnets:"<br>

      zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $NF}' | awk

      -F\. '{print $1"."$2"."}' | sort | uniq -c  | sort -n | tail<br>

      echo ""<br>

      <br>

      I also recommend you to use blocklist services with ipset to

      filter blacklisted ip's<br>

      <br>

      regards, Kare<br>

      <br>

      <br>

      Am 15.07.2017 um 09:04 schrieb Mesra.net CEO:<br>

    </div>

    <blockquote type="cite"

      cite="mid:7FE2E205F47747DB8871CE84141EC811@DellPC">

      <meta http-equiv="Context-Type" content="text/html; charset=UTF-8">

      <div dir="ltr">

        <div>

          <div>Dear All,</div>

          <div> </div>

          <div>I’m seriously tired monitoring the log especially to

            prevent the hackers from access all my exim mail server by

            sending trigger to specific email address to get the

            password, yes i have Fail2ban to block all the hackers IP,

            but is there anything i can do with Suricata to filter what

            kind of activity the hackers do so i can block them

            immediately before the hackers attack again and again to my

            server?</div>

          <div> </div>

          <div>Please advice. TQ  so much</div>

          <div> </div>

          <div> </div>

        </div>

      </div>

      <br>

      <fieldset class="mimeAttachmentHeader"></fieldset>

      <br>

      <pre wrap="">_______________________________________________

Suricata IDS Users mailing list: <a class="moz-txt-link-abbreviated" href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a>

Site: <a class="moz-txt-link-freetext" href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a class="moz-txt-link-freetext" href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a>

List: <a class="moz-txt-link-freetext" href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a>


Conference: <a class="moz-txt-link-freetext" href="https://suricon.net">https://suricon.net</a>

Trainings: <a class="moz-txt-link-freetext" href="https://suricata-ids.org/training/">https://suricata-ids.org/training/</a></pre>

    </blockquote>

    <p><br>

    </p>

  </body>

</html>