  • Ah, yes, I should have been more careful with my numbers. And language. Hundreds of thousands of IPs have been banned but not by that script and thus not in that output; they were banned by another script that (guess what) hit ARIN and blocked the entire netblock. I don't want to do this too hastily (in other words, I don't want to do this automatically) so the automatic script is doing /32's. Since there is some interest in passing from someone (even if that interest is just stimulating a clarification), here's code (whee!).

    This tallies how many people, and how much of the 'net, I've firewalled:
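        #!/usr/bin/perl

        use bigint;

        my $count = 0;

        # <STDIN> restored: the read handle was lost from the post as submitted
        while(my $ip = <STDIN>) {
            chomp $ip;
            my $mask;
            ($ip, $mask) = $ip =~ m{block in quick from ([0-9.]+)/([0-9]+) to any};
            next unless $ip and $mask;
            # The post is cut off after "my $numhosts = 1"; the rest of the loop and
            # the output lines are reconstructed from the figures quoted further down.
            my $numhosts = 1 << (32 - $mask);
            $count += $numhosts;
        }

        print "total: $count banished hosts\n";
        print "that happens to be about 1 in every ", 2**32 / $count, " hosts that are banished\n";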
    Wasn't that fun? Okay, the hits on RIPE are regexes against HTML so I'll not post that thank me very much to avoid corrupting the young. And here's the thing that runs from cron and looks at postfix's log:
        #!/usr/bin/perl

        use IO::Handle;
        use POSIX;

        # Three values were lost from the post as submitted; these are placeholders.
        my $logfile   = '/path/to/maillog';  # placeholder: postfix log path
        my $threshold = 1;                   # placeholder: minimum reject count before a ban
        my $loadrules = 'cat';               # placeholder: command the new rule is piped to

        # process all bans for the recently passed out (10 minutes ago)

        my $timestamp = strftime "%b %e %H:", localtime(time() - 600);   # eg, "Oct 7 02:"

        my $recv;
        my $count = 0;
        my %spammers;

        open my $spam, '<', $logfile or die "$logfile: $!";

        if((-s $spam) > 10000*80) {
            # if longer than about 10,000 "lines", seek relative the end
            print "Seeking relative the end - long file\n";
            seek $spam, - 10000*80, 2;
            <$spam>;   # throw away the partial line we landed in
        }

        # skip ahead to the first line from the hour we care about
        while(my $log = <$spam>) {
            last if $timestamp eq substr $log, 0, length $timestamp;
        }

        while(my $log = <$spam>) {
            # Aug 30 11:09:35 straylightpostfix/smtpd[17179]: NOQUEUE: reject: RCPT from mail.marvelconsultants.com[66.94.77.249]: 450 : Recipient address rejected: User unknown in local recipient table; from= to= proto=ESMTP helo=
            next unless $log =~ m/User unknown in local recipient table/;
            (my $rechost, my $recip) = $log =~ m/reject: RCPT from ([a-z0-9.-]+)\[([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]/i;
            next unless $recip;
            $spammers{$recip}->[0]++;            # reject count
            $spammers{$recip}->[1] ||= $rechost; # reverse DNS name as logged
            $spammers{$recip}->[2] ||= $recip;   # IP address
            $count++;
        }

        print("processed $count messages\n");

        # worst offenders first
        my @spammers = sort { $b->[0] <=> $a->[0] } values %spammers;

        foreach my $spammer (@spammers) {
            last if $spammer->[0] < $threshold;
            open my $pipe, '|-', $loadrules or die "$loadrules: $!";
            $pipe->print(sprintf "block in quick proto tcp from %s/32 to any port = 25 # %d: %s\n", $spammer->[2], $spammer->[0], $spammer->[1]);
            $pipe->flush;
            $pipe->close;
            printf("block in quick proto tcp from %s/32 to any port = 25 # %d: %s\n", $spammer->[2], $spammer->[0], $spammer->[1]);
        }

    That's pretty damn banal. The story itself is a lot more interesting. Here are my insipid full firewall rules [slowass.net] which don't include most of the things firewall rules usually do... so back to that! Running the first script on the firewall rules, I get these figures:
    total: 2662472 banished hosts that happens to be about 1 in every 1613 hosts that are banished

    I wouldn't mind knowing how to firewall off all of Russia if you have any thoughts on abusing ARIN ;)
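
A tally like the one in the comment above counts an address twice when a /32 written by the cron job falls inside a netblock that the other script has already banned. The following is an added example, not part of the original post or the poster's code: it merges overlapping and adjacent blocks before counting. The rule syntax it matches is the one shown in the post; the sample rules under `__DATA__` and the host name in them are constructed.

```perl
#!/usr/bin/perl
# Added example: count the distinct IPv4 addresses covered by "block in quick"
# rules, merging overlapping or adjacent CIDR blocks before counting.
use strict;
use warnings;

# "a.b.c.d/len" -> inclusive [first, last] as integers; empty if invalid.
sub cidr_range {
    my ($ip, $len) = @_;
    my @o = split /\./, $ip;
    return if @o != 4 or $len > 32 or grep { $_ > 255 } @o;
    my $addr  = ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3];
    my $size  = 2 ** (32 - $len);
    my $first = $addr - $addr % $size;    # clear the host bits
    return [$first, $first + $size - 1];
}

# Total addresses covered by a list of ranges, counting overlaps once.
sub count_hosts {
    my @ranges = sort { $a->[0] <=> $b->[0] } @_;
    my ($total, $cur) = (0);
    for my $r (@ranges) {
        if ($cur and $r->[0] <= $cur->[1] + 1) {    # overlaps or touches
            $cur->[1] = $r->[1] if $r->[1] > $cur->[1];
        } else {
            $total += $cur->[1] - $cur->[0] + 1 if $cur;
            $cur = [@$r];
        }
    }
    $total += $cur->[1] - $cur->[0] + 1 if $cur;
    return $total;
}

my @ranges;
while (my $line = <DATA>) {
    my ($ip, $len) = $line =~
        m{^block in quick (?:proto tcp )?from ((?:[0-9]{1,3}\.){3}[0-9]{1,3})/([0-9]{1,2}) to any}
        or next;
    my $r = cidr_range($ip, $len) or next;
    push @ranges, $r;
}
my $hosts = count_hosts(@ranges);
printf "total: %d banished hosts, about 1 in every %d\n", $hosts, 2**32 / $hosts if $hosts;

__DATA__
# constructed sample rules (documentation address ranges)
block in quick from 198.51.100.0/24 to any
block in quick proto tcp from 198.51.100.7/32 to any port = 25 # 12: mail.example.com
block in quick from 203.0.113.0/25 to any
block in quick from 203.0.113.128/25 to any
```

To run it over a real rules file, read from `<STDIN>` instead of `<DATA>` and pipe the file in.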
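    • Okay, the code tags didn't do what I wanted... let's try pre!

          #!/usr/bin/perl

          use bigint;

          my $count = 0;

          # <STDIN> restored: the read handle was lost from the post as submitted
          while(my $ip = <STDIN>) {
              chomp $ip;
              my $mask;
              ($ip, $mask) = $ip =~ m{block in (?:proto tcp )?quick from ([0-9.]+)/([0-9]+) to any} or print "can't parse: $ip\n";
              next unless $ip and $mask;
              # The post is cut off after "my $numhosts = 1"; the rest of the loop and
              # the output lines are reconstructed from the figures quoted in the parent comment.
              my $numhosts = 1 << (32 - $mask);
              $count += $numhosts;
          }

          print "total: $count banished hosts\n";
          print "that happens to be about 1 in every ", 2**32 / $count, " hosts that are banished\n";

      And then...

          #!/usr/bin/perl

          use IO::Handle;
          use POSIX;

          # process all bans for the recently passed out (10 minutes ago)

          my $timestamp = strftime "%b %e %H:", localtime(time() - 600); #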
      • Okay, the code tags didn't do what I wanted... let's try pre!

        Yuck! Don't people have a "preview" button any more? Or read the help text under the textarea, when entering their post?

        Try "<ecode>", it'll preserve your formatting.