mail-scripts/pf_bruteforce.sh

#!/bin/sh

limit=50
maillog=/var/log/maillog
rl_logd=/var/www/blackmail.sh/rainloop/data/_data_/_default_/logs/fail2ban/
rl_logf=$rl_logd/auth-$(date '+%Y-%m-%d').txt

_rainloop() {
    if test -f $rl_logf; then
        cat $rl_logf \
            | sed 's/.*ip=\([0-9\.]*\).*/\1/'
    fi
}
_dovecot() {
    grep 'auth failed' $maillog \
        | sed 's/.*rip=\([0-9\.]*\).*/\1/'
}
_smtpd() {
    for envid in $(grep '535 Auth' $maillog | awk '{ print $6 }'); do
        grep "$envid smtp connected" $maillog \
            | sed 's/.*address=\([0-9\.]*\).*/\1/'
    done
}

tmpf=$(mktemp)

( _rainloop; _dovecot; _smtpd ) \
    | sort | uniq -c \
    | awk '$1 > '$limit' { print $2 }' > $tmpf

for ip in $(cat $tmpf); do
    if ! pfctl -t bruteforce -T test $ip 2>/dev/null; then
        pfctl -t bruteforce -T add $ip
    fi
done
rm $tmpf