ASSBLOCKER(1) Linux User Manuals ASSBLOCKER(1)

assblocker - Blocks IPv4 addresses of assholes at the local firewall by manual use and automatically by monitoring mail log files and Postfix error mails. Does not support the shitshow that are IPv6 addresses, which you shouldn't be allowing on mail servers anyway, due to the shitshow of trying to get IPv6 e-mail into the shitshow known as Google Inc.

assblocker [-v|--version] [-h|--help] [-r|--run] [-D|--daemonize] [-R|--restart] [-L|--reload] [-S|--stop] [-w|--show] [-u|--unblock IP IP ...] [-b|--both] [-n|--name] [-U|--unblockall] [-s|--stats] [-e|--expire] [-t|--type] [-p|--permanent] [IP IP ...]

assblocker temporarily or permanently blocks or unblocks IP addresses given on the command line. In --run and --daemonize modes it monitors the mail server logfile and Postfix SMTP session error mails, blocking assholes trying to guess SASL passwords and assholes probing the mail server for vulnerabilities. It can also permanently block verifiers and abuse-as-a-service providers by domain names entered into the configuration file. IP addresses can be exempted (whitelisted) in the configuration file by IP address or DNS name.

-v, --version

Shows assblocker version and exits.

-h, --help

Shows brief help and exits.

-r, --run

Runs assblocker in the foreground. Use this mode for systemd, or for diagnostics with $debug turned on in the configuration file.

-d, --daemonize

Runs assblocker as a daemon, useful when started from cron.

-R, --restart

Restarts a running instance of assblocker.

-L, --reload

Reloads certain settings in a running instance of assblocker. Only the $ttl, $exempt, and $permanent settings will be reloaded from the configuration file. You must restart for any other settings to take effect.

-S, --stop

Stops a running instance of assblocker.

-w, --show

Shows the list of transiently-blocked IPs along with the timestamp corresponding to when the blocking period started.

-u, --unblock IP IP ...

Unblocks the given IP address(es). Transient blocks are removed unless --permanent is also given, in which case permanent blocks are removed.

-U, --unblockall

Unblocks all transiently-blocked IPs.

-s, --stats

Shows the current TTL and the number of transient blocked IPs.

-b, --both

Only valid with --unblock. Attempts to remove the IP from both the transient and the permanent block lists, even though an IP should only appear on one list or the other.

-n, --name

Sets the hostname recorded for the IP being blocked (permanent blocking only).

-t, --type

Sets the type of the IPs to block: 'a'=attacker, 'u'=unknown, 'v'=verifier (permanent blocking only).

-e, --expire

Manually unblocks transiently-blocked IP addresses whose TTL has expired.

-p, --permanent

Makes the block permanent when blocking, or removes a permanent block when used with --unblock.

IP IP ...

IP addresses to transiently block for the duration of the TTL setting. Makes permanent blocks if --permanent is specified.

assblocker is configured in the file /etc/assblocker.conf.php.

The file is PHP and must start with "<?php". Settings take the form
$setting=value; for numbers and booleans (TRUE or FALSE) and
$setting='string'; for strings.
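A complete example configuration file, added here as an illustration and not shipped with assblocker, using the settings described below. It assumes the $block and $unblock commands are run by a shell (the defaults' output redirections already require that) and that the host's INPUT chain accepts the mail ports before its end, which is why the block rule is inserted rather than appended; the addresses, domain names and mail recipients are placeholders.

```php
<?php
// /etc/assblocker.conf.php -- example configuration only, not the project's shipped defaults.

$debug   = FALSE;
$ttl     = 14;                       # days a transient block lives
$cycle   = 5;                        # seconds between log checks
$maillog = '/var/log/mail.log';

# The default '-A INPUT' appends the DROP to the end of the chain. On a host
# whose INPUT chain already ACCEPTs 25/465/587/993 earlier, that DROP never
# matches. '-I' inserts at the top instead, and the '-C' check first keeps a
# repeated block from stacking duplicate rules that a single '-D' would not
# clear. Assumes the command is run via a shell, as the default's
# redirections imply.
$block   = '/usr/sbin/iptables -C INPUT -s {IP} -j DROP >/dev/null 2>&1 || '
         . '/usr/sbin/iptables -I INPUT -s {IP} -j DROP >/dev/null 2>&1';
$unblock = '/usr/sbin/iptables -D INPUT -s {IP} -j DROP >/dev/null 2>&1';

# Never block the monitoring host or the office gateway (placeholder values).
$exempt[] = '192.0.2.10';
$exempt[] = 'monitor.example.net';

# Block on sight by base domain of the connecting host's name.
# 'a' = attacker, 'v' = verifier (placeholder domains).
$permanent[] = ['type' => 'a', 'domain' => 'scanner.example'];
$permanent[] = ['type' => 'v', 'domain' => 'verifier.example'];

# Lines from Postfix session error mails that mean "block this client".
# Each value must equal the whole transcript line, leading space included.
$mailblock['attempt to auth'] = ' Out: 503 5.5.1 Error: authentication not enabled';

$mailto     = 'postmaster@example.com';
$mailtoname = 'Mail Administrator';
```

Because $unblock must delete exactly the rule $block created, keep the two commands' chain, source and target in step if you change either one.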

•$debug Turns on debugging message output. (default: $debug=FALSE;)

•$ttl Default Time To Live in Days for blocking (default: $ttl=30;)

•$syslog Whether or not to log to syslog. (default: $syslog=TRUE;)

•$cycle How long to wait between monitoring cycles in seconds. (default: $cycle=5;)

•$blocklist File containing the IPs and timestamps for transient blocks. (default: $blocklist='/etc/block.ips';)

•$permanentblocks File containing the permanent blocks. (default: $permanentblocks='/etc/rc.blocker';)

•$block Firewall command to block. "{IP}" must appear in the command where the IP address goes. (default: $block='/usr/sbin/iptables -A INPUT -s {IP} -j DROP >/dev/null 2>&1';) Note that -A appends to the end of the INPUT chain, so the DROP only takes effect if no earlier rule already accepts the connection; if your INPUT chain accepts mail traffic before its end, use -I INPUT instead, or point the command at a dedicated chain that is evaluated first.

•$unblock Firewall command to unblock. "{IP}" must appear in the command where the IP address goes. The command must delete the rule that $block created. (default: $unblock='/usr/sbin/iptables -D INPUT -s {IP} -j DROP >/dev/null 2>&1';)

•$exempt[] An IP address or DNS name to be exempt from blocking. You can exempt multiple addresses and names by specifying this setting more than once. Examples:
$exempt[]='192.168.0.1';
$exempt[]='an.example.com';

•$permanent[] A type and base DNS name to be permanently blocked on-sight. You can permanently block multiple base names by specifying this setting more than once. Examples:
$permanent[]=['type' => 'a', 'domain' => 'asshole.com']; # blocks all names ending in .asshole.com
$permanent[]=['type' => 'v', 'domain' => 'asshole.net']; # blocks all names ending in .asshole.net

Valid types are 'a' for attackers and 'v' for verifiers.

•$mailblock['reason']='line'; Blocks IPs based on the error mails Postfix sends for failed SMTP sessions. 'reason' is a short string you make up to describe the error, and 'line' must match an entire line of the session transcript exactly, including the leading space. Example:
$mailblock['attempt to auth']=' Out: 503 5.5.1 Error: authentication not enabled';

•$regextrad PCRE regex to match $maillog failed-authentication lines using traditional syslog timestamps. The first match should be the month, the second the day of the month, the third the time, the fourth the e-mail address, the fifth the IP address, and the sixth the reason for the authentication failure.
(default: $regextrad='^([A-Za-z]+)\s+([0-9]+) ([0-9:]+) .* dovecot: auth-worker\(.* sql\(([a-zA-Z0-9@.-]+),([0-9.]+)[,\)].*: (unknown user|Password mismatch)$';)

•$regexiso PCRE regex to match $maillog failed-authentication lines using ISO 8601 timestamps. The first match should be the ISO 8601 timestamp, the second the e-mail address, the third the IP address, and the fourth the reason for the authentication failure.
(default: $regexiso='^([0-9T:.-]+) .* dovecot: auth-worker\(.* sql\(([a-zA-Z0-9@.-]+),([0-9.]+)[,\)].*: (unknown user|Password mismatch)$';)

•$regextradperm PCRE regex to match $maillog permanent-block lines using traditional syslog timestamps. The first match should be the month, the second the day of the month, the third the time, the fourth the hostname, and the fifth the IP address. "{NAME}" is replaced by the base domain name from $permanent[].
(default: $regextradperm='^([A-Za-z]+)\s+([0-9]+) ([0-9:]+) .+ .+/smtpd\[.*: connect from (.+){NAME}\[(.*)\]$';)

•$regexisoperm PCRE regex to match $maillog permanent block lines using ISO 8601 timestamps. The first match should be the ISO 8601 timestamp, the second match the hostname, the third match the IP address.
(default: $regexisoperm='^([0-9T:.-]+) .+ .+/smtpd\[.*: connect from (.+){NAME}\[(.*)\]$';)

•$mailfrom E-mail address mail from assblocker is sent from. (default: $mailfrom='assblocker@hostname';)

•$mailfromname Descriptive name mail is sent from. (default: $mailfromname='assblocker monitor service';)

•$mailto E-mail address to send mail from assblocker to. (default: $mailto='root@hostname';)

•$mailtoname Descriptive name mail is sent to. (default: $mailtoname='Mail Administrator';)

•$maillog Path to mail server logfile to monitor. (default: $maillog='/var/log/mail.log';)

•$silentmax How long, in seconds, to remain silent when the monitored file is missing. (default: $silentmax=30;)

•$pidpath The path to the PID file directory (default: $pidpath='/var/run';)

•$lockfile The path to the lockfile. (default: $lockfile="$pidpath/assblocker.lock";)

•$lockwait How long to wait for the lock, in seconds. (default: $lockwait=180;)
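To check a log format against the documented regexes before relying on them, here is a small PHP harness, added as an example and not part of assblocker. It uses this page's default $regextrad and $regexiso patterns (with the delimiters preg_match needs), the example $mailblock and $exempt entries, and constructed Dovecot and Postfix transcript lines; parseAuthFailure, blockableIp, mailblockReason and the sample lines are this example's own. It also validates the captured address as an IPv4 literal before treating it as blockable, since '[0-9.]+' alone also accepts strings like 203.0.113 and the captured value is what gets substituted into $block. Note that the default ISO timestamp class [0-9T:.-] does not include '+', so a timestamp like 2025-08-12T03:14:15+02:00 would not match; the sample uses a negative offset.

```php
<?php
// Added example harness, not assblocker code. Runs the manual's default
// regexes and $mailblock matching over constructed log lines.

// Defaults as documented in the manual; preg_match delimiters are added at use.
$regextrad = '^([A-Za-z]+)\s+([0-9]+) ([0-9:]+) .* dovecot: auth-worker\(.* sql\(([a-zA-Z0-9@.-]+),([0-9.]+)[,\)].*: (unknown user|Password mismatch)$';
$regexiso  = '^([0-9T:.-]+) .* dovecot: auth-worker\(.* sql\(([a-zA-Z0-9@.-]+),([0-9.]+)[,\)].*: (unknown user|Password mismatch)$';
$mailblock = ['attempt to auth' => ' Out: 503 5.5.1 Error: authentication not enabled'];
$exempt    = ['192.168.0.1', 'an.example.com'];   # the manual's example entries

// Returns ['ts','user','ip','reason'] for a failed-auth line, or null when
// neither the traditional nor the ISO 8601 pattern matches.
function parseAuthFailure(string $line, string $regextrad, string $regexiso): ?array
{
    if (preg_match('/' . $regextrad . '/', $line, $m)) {
        return ['ts' => $m[1] . ' ' . $m[2] . ' ' . $m[3],
                'user' => $m[4], 'ip' => $m[5], 'reason' => $m[6]];
    }
    if (preg_match('/' . $regexiso . '/', $line, $m)) {
        return ['ts' => $m[1], 'user' => $m[2], 'ip' => $m[3], 'reason' => $m[4]];
    }
    return null;
}

// The captured IP is what ends up in $block, so insist on a well-formed IPv4
// literal and honour IP-literal exemptions. DNS-name exemptions need a
// resolver and are left to assblocker itself.
function blockableIp(string $ip, array $exempt): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false;
    }
    return !in_array($ip, $exempt, true);
}

// $mailblock values must equal a whole transcript line, leading space included.
function mailblockReason(string $line, array $mailblock): ?string
{
    $reason = array_search($line, $mailblock, true);
    return $reason === false ? null : $reason;
}

// Constructed sample log lines (not taken from a real server).
$samples = [
    'Aug 12 03:14:15 mail dovecot: auth-worker(1234): sql(bob@example.com,203.0.113.45): unknown user',
    '2025-08-12T03:14:15.123456-05:00 mail dovecot: auth-worker(1234): sql(alice@example.org,198.51.100.7,<s1>): Password mismatch',
    'Aug 12 03:14:16 mail dovecot: auth-worker(1234): sql(admin@example.com,192.168.0.1): Password mismatch',
    'Aug 12 03:14:17 mail dovecot: auth-worker(1234): sql(eve@example.com,203.0.113): unknown user',
    'Aug 12 03:14:18 mail dovecot: imap-login: Login: user=<bob@example.com>, rip=203.0.113.45',
];

foreach ($samples as $line) {
    $hit = parseAuthFailure($line, $regextrad, $regexiso);
    if ($hit === null) {
        echo "no match: $line\n";          // the imap-login line is not a failure
        continue;
    }
    // Expected: BLOCK for 203.0.113.45 and 198.51.100.7; skip for the exempt
    // 192.168.0.1 and for the malformed 203.0.113.
    $verdict = blockableIp($hit['ip'], $exempt) ? 'BLOCK' : 'skip ';
    printf("%s %-16s %-20s %s (%s)\n", $verdict, $hit['ip'], $hit['user'], $hit['reason'], $hit['ts']);
}

// Constructed Postfix session transcript, as found in its error mails.
$transcript = [' Out: 220 mail.example.com ESMTP Postfix', ' In:  AUTH LOGIN',
               ' Out: 503 5.5.1 Error: authentication not enabled'];
foreach ($transcript as $line) {
    $reason = mailblockReason($line, $mailblock);
    if ($reason !== null) {
        echo "mailblock '$reason' matched:$line\n";   // only the 503 line matches
    }
}
```

Run it with the php CLI after pasting real lines from your own $maillog into $samples; a line that prints "no match" would be silently ignored by the monitor, and a BLOCK verdict for an address you did not expect means the IP capture group is picking up the wrong field.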

Ron Guerin <ron@vnetworx.net>
assblocker can be found at https://gothamcode.com/assblocker and bugs/patches can be submitted by email.

2025-08-12 March 2025