Run: ./install.sh
Or:
  Copy assblocker to /usr/local/sbin
  Copy assblocker.conf-sample.php to /etc as assblocker.conf.php
  Copy assblocker.1 to /usr/local/share/man/man1

You will probably have to adjust the regexes by adding overrides to assblocker.conf.php
if you are not using Postfix with Dovecot.

Assblocker is designed to keep operating through a switch from "traditional" syslog
line formats to the ISO 8601 format.  That's why there are regexes for each format.
If you're already using ISO 8601 format, you can just ignore the traditional regexes.

For best results, Postfix or whatever MTA you use should send SMTP failure emails to a
Maildir so they can be processed by assblocker.

In Postfix's main.cf:
---------------------
# Error notice recipients
bounce_notice_recipient  = postmaster+bounces@example.com
2bounce_notice_recipient = postmaster+2bounces@example.com
error_notice_recipient   = postmaster+errors@example.com


In /etc/assblocker.conf.php:
----------------------------
Settings are in the format:
$setting=value; for numbers and booleans (TRUE or FALSE) and
$setting='string'; for strings.

•$debug=TRUE; Turns on debugging message output (default: FALSE)

•$ttl Default Time To Live in Days for blocking (default: $ttl=30;)

•$syslog Whether or not to log to syslog. (default: $syslog=TRUE;)

•$cycle How long to wait between monitoring cycles in seconds. (default: $cycle=5;)

•$blocklist File containing the IPs and timestamps for transient blocks. (default: $blocklist='/etc/block.ips';)

•$permanentblocks File containing the permanent blocks. (default: $permanentblocks='/etc/rc.blocker';)

•$block Firewall command to block. "{IP}" should appear in the command where the IP address goes.
 (default: $block='/usr/sbin/iptables -A INPUT -s {IP} -j DROP >/dev/null 2>&1';)

•$unblock Firewall command to unblock. "{IP}" should appear in the command where the IP address goes.
 (default: $unblock='/usr/sbin/iptables -D INPUT -s {IP} -j DROP >/dev/null 2>&1';)

•$exempt[] An IP address or DNS name to be exempt from blocking. You can exempt multiple addresses and names by specifying this setting more than once. Examples:
 $exempt[]='192.168.0.1';
 $exempt[]='an.example.com';

•$permanent[] A type and base DNS name to be permanently blocked on-sight. You can permanently block multiple base names by specifying this setting more than once. Examples:
 $permanent[]=['type' => 'a', 'domain' => 'asshole.com']; # blocks all names ending in .asshole.com
 $permanent[]=['type' => 'v', 'domain' => 'asshole.net']; # blocks all names ending in .asshole.net

Valid types are 'a' for attackers, and 'v' for validators.

•$mailblock['reason']='Message'; Examples:
 $mailblock['attempt to auth']=' Out: 503 5.5.1 Error: authentication not enabled';

 This blocks IPs based on emails sent by Postfix for failed SMTP sessions. 'reason' is a short string
 you make up to describe the error.

 Note this must match the entire line from the session, including the leading space.

•$regextrad PCRE regex to match $maillog failed authentication lines using traditional timestamps.
 The first match should be the month, the second match should be the day of the month,
 the third match the time, the fourth match the e-mail address, the fifth match the IP address,
 and the sixth match the reason for the authentication failure.
 (default: $regextrad='^([A-Za-z]+)\s+([0-9]+) ([0-9:]+) .* dovecot: auth-worker\(.* sql\(([a-zA-Z0-9@.-]+),([0-9.]+)[,\)].*: (unknown user|Password mismatch)$';)

•$regexiso PCRE regex to match $maillog failed authentication lines using ISO 8601 timestamps.
 The first match should be the ISO 8601 timestamp, the second match the e-mail address,
 the third match the IP address, and the fourth match the reason for the authentication failure.
 (default: $regexiso='^([0-9T:.-]+) .* dovecot: auth-worker\(.* sql\(([a-zA-Z0-9@.-]+),([0-9.]+)[,\)].*: (unknown user|Password mismatch)$';)

•$regextradperm PCRE regex to match $maillog permanent block lines using traditional timestamps.
 The first match should be the month, the second match should be the day of the month, the third match the time,
 the fourth match the hostname, the fifth match the IP address.
 (default: $regextradperm='^([A-Za-z]+)\s+([0-9]+) ([0-9:]+) .+ .+/smtpd\[.*: connect from (.+){NAME}\[(.*)\]$';)

•$regexisoperm PCRE regex to match $maillog permanent block lines using ISO 8601 timestamps.
 The first match should be the ISO 8601 timestamp, the second match the hostname, the third match the IP address.
 (default: $regexisoperm='^([0-9T:.-]+) .+ .+/smtpd\[.*: connect from (.+){NAME}\[(.*)\]$';)

•$mailfrom E-mail address mail from assblocker is sent from. (default: $mailfrom='assblocker@hostname';)

•$mailfromname Descriptive name mail is sent from. (default: $mailfromname='assblocker monitor service';)

•$mailto E-mail address to send mail from assblocker to. (default: $mailto='root@hostname';)

•$mailtoname Descriptive name mail is sent to. (default: $mailtoname='Mail Administrator';)

•$maillog Path to mail server logfile to monitor. (default: $maillog='/var/log/mail.log';)

•$silentmax How long to remain silent if the monitored file is missing in seconds. (default: $silentmax=30;)

•$pidpath The path to the PID file directory (default: $pidpath='/var/run';)

•$lockfile The path to the lockfile. (default: $lockfile="$pidpath/assblocker.lock";)

•$lockwait How long to wait for the lock, in seconds. (default: $lockwait=180;) 
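
A way to check $regextrad / $regexiso overrides before putting them in assblocker.conf.php, as an added example that is not part of assblocker: it runs the documented defaults against constructed log lines and confirms the capture groups come out in the documented order. The "~" delimiter, the check_regex helper and $regexiso_override are assumptions; the third case shows that the default ISO timestamp class has no "+", so a line stamped with a positive UTC offset needs an override.

```php
<?php
// Added example, not part of assblocker: verify capture-group order of the
// auth-failure regexes against constructed log lines.
$tail = ' .* dovecot: auth-worker\(.* sql\(([a-zA-Z0-9@.-]+),([0-9.]+)[,\)].*'
      . ': (unknown user|Password mismatch)$';
$regextrad = '^([A-Za-z]+)\s+([0-9]+) ([0-9:]+)' . $tail;  // documented default
$regexiso  = '^([0-9T:.-]+)' . $tail;                      // documented default
$regexiso_override = '^([0-9T:.+-]+)' . $tail;             // hypothetical override

$tradfields = ['month', 'day', 'time', 'email', 'ip', 'reason'];
$isofields  = ['timestamp', 'email', 'ip', 'reason'];

function check_regex(string $pattern, array $fields, string $line): ?array
{
    // Assumption: "~" delimiter; the README does not say which one assblocker uses.
    $rc = @preg_match('~' . $pattern . '~', $line, $m);
    if ($rc === false) {
        throw new RuntimeException("regex does not compile: $pattern");
    }
    if ($rc === 0 || count($m) - 1 !== count($fields)) {
        return null;  // no match, or wrong number of groups
    }
    $out = array_combine($fields, array_slice($m, 1));
    // The IP group is the address that gets blocked, so insist on a real one.
    return filter_var($out['ip'], FILTER_VALIDATE_IP) === false ? null : $out;
}

// Constructed sample lines shaped to fit the default patterns.
$auth = 'mail dovecot: auth-worker(1234): sql(user@example.com,203.0.113.7';
$cases = [
    ['trad default', $regextrad, $tradfields, "Mar  4 10:15:02 $auth): unknown user"],
    ['iso default, -05:00', $regexiso, $isofields,
        "2024-03-04T10:15:02.123456-05:00 $auth,<sess>): Password mismatch"],
    ['iso default, +00:00', $regexiso, $isofields,
        "2024-03-04T10:15:02.123456+00:00 $auth): unknown user"],
    ['iso override, +00:00', $regexiso_override, $isofields,
        "2024-03-04T10:15:02.123456+00:00 $auth): unknown user"],
];
foreach ($cases as [$label, $pattern, $fields, $line]) {
    $r = check_regex($pattern, $fields, $line);
    printf("%-22s %s\n", $label, $r === null ? 'NO MATCH' : json_encode($r));
}
```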
