1.背景
由于某些原因未成功申請到企業郵箱的smtp,pop3的SSL證書協定,導緻QQ、163郵箱無法通過SSL通信協定進行互相收發郵件
近日企業内部使用者經常回報收到垃圾郵件、郵件發不出去,尴尬了。
一查伺服器日志,發現大量的攻擊行為。。。。
2019/12/04-11:42:41 6856 Connect from 185.234.219.81
2019/12/04-11:42:41 6856 remote ehlo = XXXXX.com
2019/12/04-11:42:41 6856 max msg size = 0
2019/12/04-11:42:43 6856 smtp authenticate fail! Username = [email protected]
以上是典型的賬戶暴力破解(密碼猜測)操作:攻擊者在同一連接裡逐一嘗試使用者名和密碼。大量失敗的驗證會話佔用端口和伺服器資源,影響正常業務;更要緊的是,只要有一個弱口令賬戶被猜中,就可能被直接登入並用來外發垃圾郵件,所以這不只是資源浪費的問題。
2.企業郵箱
更新服務程式可以解決這個問題(缺少對登入失敗的自動封鎖),但需要支付費用,在沒有預算的條件下,只有自己動手了。
經過對比配置檔案確認,最終確定可以把攻擊 IP 寫入 service.cfg 的 &lt;accessip&gt; 欄位作為黑名單。
但是每天去查日志、手工添加,我表示太累了。人生苦短,我用 Python。半天時間就調試完成了,上代碼:
-----------------------------------------------------
import re
import time
import datetime
count = 0  # Meant as a persistent read offset into the log files, but readlog() rebinds a local of the same name, so this module-level value is never read.
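def readlog(logfiles, **kwargs):
    """Scan mail-server log files and return the client IPs to blacklist.

    Every file in ``logfiles`` is read from the beginning.  A log line looks
    like ``2019/12/04-11:42:41 6856 Connect from 185.234.219.81``: a
    timestamp, a session id, then free text.  ``Connect from`` lines bind a
    session id to a client IP; a later line with the same session id that
    carries one of the failure markers (the author's reading of the log:
    SMTP password guessing, mailbox-name guessing, the server's own
    rate-limit message, protocol probing, password error on a known account)
    counts as one failed attempt against that IP.  The most recent ``Connect
    from`` line for the session is used, because session ids may be reused
    over a day (assumption -- confirm against the server).  An IP whose
    attempts in a single file exceed the threshold is returned.

    The session id and the IP are taken by splitting the line on whitespace
    and the IP is validated as a dotted quad.  The older regex-based version
    spliced log text into a pattern: a client-controlled EHLO name or
    user name that appears in the log could raise ``re.error`` and kill the
    watchdog, or get written into service.cfg as an "IP".

    Args:
        logfiles: iterable of log-file paths.  A file that cannot be opened
            is reported on stdout and skipped instead of aborting the scan.
        **kwargs: ``threshold`` (int, default 10) -- an IP is returned when
            its failed attempts in one file are strictly greater than this.

    Returns:
        A list of unique IPv4 strings (order unspecified).
    """
    threshold = kwargs.get("threshold", 10)
    failure_markers = (
        "smtp authenticate fail",      # SMTP AUTH password guessing
        "mailbox not found",           # recipient/user-name enumeration
        "This IP frequency too high",  # server-side rate limit tripped
        "unrecognized command",        # protocol probing / garbage commands
        "password error",              # password guessing on an existing account
    )
    connect_prefix = "Connect from"
    ipv4_re = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
    final_black_list = set()

    for path in logfiles:
        try:
            # errors="replace": a stray non-decodable byte in a client-supplied
            # EHLO/user name must not crash the reader.
            fh = open(path, mode="r", errors="replace")
        except OSError as exc:
            print("cannot read log file %s: %s" % (path, exc))
            continue
        with fh:
            session_ip = {}   # session id -> IP of its latest "Connect from" line
            attempts = {}     # IP -> failed attempts seen in this file
            for line in fh:
                fields = line.split(None, 2)
                if len(fields) < 3:
                    continue
                session_id = fields[1]
                rest = fields[2].rstrip("\r\n")
                if rest.startswith(connect_prefix):
                    # Only the token right after "Connect from", and only if
                    # it is a dotted quad; anything else is not trusted.
                    tail = rest[len(connect_prefix):].split()
                    if tail and ipv4_re.fullmatch(tail[0]):
                        session_ip[session_id] = tail[0]
                    continue
                if any(marker in rest for marker in failure_markers):
                    ip = session_ip.get(session_id)
                    if ip is not None:
                        attempts[ip] = attempts.get(ip, 0) + 1
            final_black_list.update(
                ip for ip, hits in attempts.items() if hits > threshold
            )
    return list(final_black_list)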
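def write_cfg(bad_iplist, cfgfile):
    """Merge ``bad_iplist`` into the ``<accessip>`` block list of ``cfgfile``.

    The IPv4 addresses already inside ``<accessip>...</accessip>`` are kept,
    the new ones are added, and the element is rewritten as a ``;``-separated,
    sorted, de-duplicated list.  Only the text inside ``<accessip>`` is
    scanned for existing entries: the earlier version scanned the whole file,
    so any other address in service.cfg (bind address, relay, DNS server, ...)
    was silently copied into the block list.  Entries of ``bad_iplist`` that
    are not a plain dotted quad are ignored, so text lifted from a log line can
    never end up inside the config.

    Args:
        bad_iplist: iterable of IPv4 strings to block.
        cfgfile: path of the mail server's ``service.cfg``.

    Returns:
        The status string "完成一次重新整理政策!" (the caller prints it).

    Raises:
        OSError: if the config cannot be read or written.  The rewrite is not
        atomic -- the file is truncated and rewritten in place.
    """
    ipv4_re = re.compile(r"(?<![\.\d])(?:\d{1,3}\.){3}\d{1,3}(?![\.\d])")
    element_re = re.compile(r"<accessip>(.*?)</accessip>")

    with open(cfgfile, mode="r") as fh:
        text = fh.read()

    existing = element_re.findall(text)
    if not existing:
        # Nothing to rewrite; the older version also left the file as it was.
        print("no <accessip> element found in %s, nothing written" % cfgfile)
        return "完成一次重新整理政策!"

    merged = set()
    for inner in existing:
        merged.update(ipv4_re.findall(inner))
    merged.update(
        ip for ip in bad_iplist if isinstance(ip, str) and ipv4_re.fullmatch(ip)
    )
    new_element = "<accessip>" + ";".join(sorted(merged)) + "</accessip>"

    # A callable replacement keeps the text literal (no backslash processing).
    new_text = element_re.sub(lambda m: new_element, text)
    with open(cfgfile, mode="w") as fh:
        fh.write(new_text)
    return "完成一次重新整理政策!"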
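def weekly_clear_config(cfgfile):
    """Reset the block list in ``cfgfile`` and set the control flag.

    ``<accessip>...</accessip>`` becomes ``<accessip>255.255.255.255</accessip>``
    (a placeholder entry -- presumably the server rejects an empty element;
    confirm) and ``<control>...</control>`` becomes ``<control>1</control>``
    (presumably the enable flag for the block list; confirm).  Both
    substitutions are applied to the same text and the file is written once.
    The earlier version wrote the file twice from the *unmodified* text, so
    the second write discarded the ``<accessip>`` reset and the weekly clear
    never actually emptied the list.

    Args:
        cfgfile: path of the mail server's ``service.cfg``.

    Raises:
        OSError: if the config cannot be read or written (non-atomic rewrite).
    """
    with open(cfgfile, mode="r") as fh:
        text = fh.read()
    # Callable replacements keep the literal text (no backslash processing).
    text = re.sub(r"<accessip>(.*?)</accessip>",
                  lambda m: "<accessip>255.255.255.255</accessip>", text)
    text = re.sub(r"<control>(.*?)</control>",
                  lambda m: "<control>1</control>", text)
    with open(cfgfile, mode="w") as fh:
        fh.write(text)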
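if __name__ == '__main__':
    # Log paths are relative to the working directory the exe is started in.
    logfiles = ["smtp.log", "smtpssl.log", "pop3.log", "pop3ssl.log"]
    cfgfile = 'C:\\CProgram Files XXXXXXailserver\\service.cfg'
    # Monday 08:01-08:04 is the weekly "amnesty" window.  The loop wakes every
    # 10 s, so remember the day of the last reset and clear once per window
    # instead of about two dozen times.  Note that right after the window the
    # same log files are scanned again, so unless they were rotated the same
    # IPs are re-added on the next round.
    clear_window = {"08:01", "08:02", "08:03", "08:04"}
    last_clear_day = None
    while True:
        try:
            today = datetime.date.today()
            nowtime = time.strftime('%H:%M', time.localtime(time.time()))
            if today.isoweekday() == 1 and nowtime in clear_window:
                if last_clear_day != today:
                    weekly_clear_config(cfgfile)
                    last_clear_day = today
            else:
                final_black_list = readlog(logfiles)
                print("今日最新黑名單清單" + str(set(final_black_list)))
                write_cfg(final_black_list, cfgfile)
        except OSError as exc:
            # A locked or rotating file must not kill the watchdog; report and
            # retry on the next round.
            print("skipping this round: %s" % exc)
        time.sleep(10)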
-------------------------------------------------------
3.結語
僅 100 來行代碼實現了 4 個日志檔案的循環讀取,識別 5 種攻擊痕跡,並把嘗試次數超過 10 次的問題 IP 寫入 service.cfg 的對應位置。至此完成了企業郵箱自動識別攻擊行為並阻止問題 IP 的訪問。為了防止 IP 數量越來越大(互聯網上的攻擊者太多了),給一個視窗清空設定,還使用者一個改過自新的機會。呵呵~~~ 需要注意兩點:一是清空後程式仍會繼續掃描同一批日志,如果日志檔案沒有同步輪轉,之前的攻擊 IP 會在下一輪(10 秒後)被重新加回;二是失敗記錄只靠會話 ID 關聯到 Connect 行,若會話 ID 在一天內被重複使用,有把正常使用者的 IP 誤封的可能,上線前建議先觀察一段時間再正式啟用。
以上代碼實戰測試過,有相同問題的網友可以評論回複喲。
對了,郵件伺服器上沒有python,可以直接打包exe運作。
pyinstaller.exe -F C:\Users\Administrator\PycharmProjects\untitled3\AThack-mail\readlog_at_hack.py
........................................
13849 INFO: Building EXE because EXE-00.toc is non existent
13849 INFO: Building EXE from EXE-00.toc
13849 INFO: Appending archive to EXE C:\Users\Administrator\PycharmProjects\untitled3\dist\readlog_at_hack.exe
13875 INFO: Building EXE from EXE-00.toc completed successfully.
至此程式已經生成,我們把程式移動到伺服器運行。下面是執行效果:
