[Oisf-users] Tired With Spammer
Kare
privat at it-connect-linux.de
Sat Jul 15 07:35:54 UTC 2017
Suricata does not know who is legitimate to access any service on your server.
I recommend you use ipset to block those attackers by filtering the most
used IPs, which you can find, for example, with:
#!/bin/bash
# Daily fail2ban report
echo ""
echo "Fail2ban report for $(hostname)"
echo "================================================="
echo ""
echo "Today:"
# Bans logged today, resolved to hostnames (IP kept in parentheses), counted per host
grep "Ban " /var/log/fail2ban.log | grep "$(date +%Y-%m-%d)" | awk '{print $NF}' | sort | awk '{print $1,"("$1")"}' | logresolve | uniq -c | sort -n
echo ""
echo "Summary:"
# All-time ban count per IP ("==" compares; a single "=" would assign to the field)
awk '($(NF-1) == "Ban"){print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n
echo ""
echo "Subnets:"
# Ten most-banned /16 prefixes across the current and rotated logs
zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $NF}' | awk -F. '{print $1"."$2"."}' | sort | uniq -c | sort -n | tail
echo ""
I also recommend using blocklist services with ipset to filter
blacklisted IPs.
regards, Kare
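As an added example, not from Kare's message or the Suricata project, the script below turns fail2ban "Ban" lines into ipset commands for repeat offenders; the log lines are constructed sample data and the set name is a hypothetical placeholder. The awk test uses `==`, so "Unban" lines are not counted.

```shell
#!/bin/sh
# Added example: count repeat offenders in fail2ban log lines and emit
# ipset commands for them. SAMPLE_LOG is constructed sample data in
# fail2ban's default log format (assumption: same format as the post's log).
SAMPLE_LOG='2017-07-15 07:01:02,100 fail2ban.actions [811]: NOTICE [exim] Ban 203.0.113.7
2017-07-15 07:05:12,200 fail2ban.actions [811]: NOTICE [sshd] Ban 198.51.100.23
2017-07-15 07:09:44,300 fail2ban.actions [811]: NOTICE [exim] Unban 203.0.113.7
2017-07-15 08:12:05,400 fail2ban.actions [811]: NOTICE [exim] Ban 203.0.113.7
2017-07-15 09:30:00,500 fail2ban.actions [811]: NOTICE [exim] Ban 203.0.113.9
2017-07-15 10:00:00,600 fail2ban.actions [811]: NOTICE [exim] Ban 203.0.113.7'

# ban_counts: reads log lines on stdin, prints "<count> <ip>" per banned IP,
# least banned first. $(NF-1) == "Ban" skips "Unban" lines.
ban_counts() {
    awk '$(NF-1) == "Ban" { print $NF }' | sort | uniq -c | sort -n |
        awk '{ print $1, $2 }'
}

# repeat_offenders MIN: IPs banned at least MIN times.
repeat_offenders() {
    ban_counts | awk -v min="$1" '$1 >= min { print $2 }'
}

# ipset_rules SETNAME MIN: commands that block the repeat offenders with ipset
# (hypothetical set name; -exist makes create/add idempotent for cron use).
ipset_rules() {
    echo "ipset create $1 hash:ip -exist"
    repeat_offenders "$2" | awk -v set="$1" '{ print "ipset add " set " " $1 " -exist" }'
    echo "iptables -I INPUT -m set --match-set $1 src -j DROP"
}

# subnet_counts: bans per /16 prefix, like the "Subnets" section of the report.
subnet_counts() {
    awk '$(NF-1) == "Ban" { print $NF }' | awk -F. '{ print $1"."$2"." }' |
        sort | uniq -c | sort -n | awk '{ print $1, $2 }'
}

# Usage: printf '%s\n' "$SAMPLE_LOG" | ipset_rules fail2ban_repeat 3
```

Feed the real log with `cat /var/log/fail2ban.log | ipset_rules fail2ban_repeat 3 | sh` once the emitted commands have been reviewed.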
On 15.07.2017 at 09:04, Mesra.net CEO wrote:
> Dear All,
>
> I'm seriously tired of monitoring the log, especially to prevent the
> hackers from accessing my Exim mail server by sending a trigger to a
> specific email address to get the password. Yes, I have Fail2ban to
> block all the hackers' IPs, but is there anything I can do with Suricata
> to filter what kind of activity the hackers do, so I can block them
> immediately before the hackers attack my server again and again?
>
> Please advise. Thank you so much.
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/