Greg there seems to be a bug in the current script as posted on your site.
It freezes here:
###################################
# Check for other disconnects
grep "dovecot.*Disconnected.*auth failed.*rip=" | sed -e "s/.*rip=//" | cut -d "," -f 1 | grep -v -f $GLOGIP >> $TLOGIP
###################################
I think there is a $TLOGFILE missing.
Please advise as I foolishly wrote over my old version and have temporarily fixed by commenting that line out.
Jason
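For anyone else who hit the same hang: the line above runs grep with no file argument, so it blocks reading stdin. The following is an added example (not Greg's dfix.sh) that gives that pipeline its input file and runs it over a few constructed dovecot log lines; the file names, IP addresses and log lines are all made up for the example.

```shell
#!/bin/sh
# Added example, not Greg's dfix.sh: the "other disconnects" pipeline with the
# input file that the posted line lacks, run over constructed sample log lines.
# All file names, addresses and log lines below are constructed for this example.

extract_failed_auth_ips() {
    # $1 = dovecot log file, $2 = file of trusted IPs (one per line) to skip.
    # Without "$1" the first grep waits on stdin forever, which is the hang
    # reported above.
    grep "dovecot.*Disconnected.*auth failed.*rip=" "$1" \
        | sed -e "s/.*rip=//" \
        | cut -d "," -f 1 \
        | grep -v -x -F -f "$2"
}

count_by_ip() {
    # One line per offending address: "<ip> <failed-auth disconnects>",
    # busiest address first.
    extract_failed_auth_ips "$1" "$2" | sort | uniq -c | sort -rn \
        | awk '{ print $2, $1 }'
}

SAMPLE_LOG=$(mktemp)
GOOD_IPS=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$GOOD_IPS"' EXIT

# Constructed log lines in the current dovecot "Disconnected (auth failed ...)"
# format; 198.51.100.20 is a trusted host that also appears in a failed login.
cat > "$SAMPLE_LOG" <<'EOF'
Jan 19 06:52:01 host dovecot: pop3-login: Disconnected (auth failed, 3 attempts): user=<admin>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.1
Jan 19 06:52:03 host dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.1
Jan 19 06:52:05 host dovecot: imap-login: Disconnected: Logged out: user=<alice>, rip=198.51.100.20, lip=192.0.2.1
Jan 19 06:52:07 host dovecot: pop3-login: Disconnected (auth failed, 5 attempts): user=<root>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.1
Jan 19 06:52:09 host dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<test>, method=PLAIN, rip=192.0.2.99, lip=192.0.2.1
EOF

printf '%s\n' 198.51.100.20 > "$GOOD_IPS"

# Stand-alone run: prints "203.0.113.7 2" then "192.0.2.99 1".
count_by_ip "$SAMPLE_LOG" "$GOOD_IPS"
```

One deliberate change from the posted pipeline: the exclusion grep here uses `-x -F`, so an address in the good-IP list is skipped only on an exact match. The plain `grep -v -f` in the script treats each list entry as a substring pattern, so a trusted 10.0.0.1 would also silently exclude 10.0.0.10 through 10.0.0.19 from blacklisting.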
----- Original Message -----
From: "Greg Kuhnert" <greg.kuhnert (at mark) theanchoragesylvania.com>
To: "BQ List" <coba-e (at mark) bluequartz.org>; "BlueOnyx General Mailing List"
<blueonyx (at mark) blueonyx.it>
Sent: Monday, January 19, 2009 6:52 AM
Subject: [coba-e:14799] dfix.sh Update
> Hi Blue*
>
> After the recent dovecot update, I noticed a log format change to the
> dovecot log files. Theoretically, the reason for running dfix is now gone.
> The old system lockups when our servers are subjected to brute force
> attacks to dovecot appear to be fixed with the current dovecot rpm.
>
> However, preventing system lockups is not the only reason to run dfix.
> Brute force attacks are designed to find bad or weak passwords. dfix will
> detect these attacks and temporarily black-list the attacker's IP address.
>
> Another new feature in the current version is the ability to detect http
> rfi (Remote File Include) attackers. If you upgrade to this version of
> dfix, you may be surprised just how many people are attempting to attack
> your websites.
>
> An explanation of RFI exploits can be found at
> http://en.wikipedia.org/wiki/Remote_File_Inclusion
>
> Anyway, the code for dfix is as always available at
> http://www.gregkuhnert.com/public:bq:dfix
>
> I plan to release another update soon - to clean up the code... till then,
> enjoy this version.
>
> Regards,
> Greg.
>