Sunday, May 26, 2013

How many email connections are coming from where?

Sometimes people want to find out why email's slow, or why they're not able to connect to their email server consistently.

Often the cause is someone, somewhere on the internet, trying to break into their server via SMTP and tying up connection slots. So... to find out how many connections are active right now to port 25 on your server, and where they come from, the following one-liner is really handy.

netstat -ntp | awk '$4 ~ /:25$/ {sub(":.*", "", $5); print $5}' | sort | uniq -c | sort -n

Bonus points if anyone can come up with a sub() that'll work right for ipv6 addresses. :-)
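As an added example, not from the original post, here is the same count run over a constructed netstat -ntp excerpt (the CONSTRUCTED_NETSTAT text stands in for live output, so it runs without a mail server). It anchors the port match with $ so that a listener on 2525 is not mistaken for port 25, and it strips the port by deleting from the last colon, which works for both IPv4 and IPv6 peers.

```shell
#!/bin/sh
# Added example, not part of the original post. CONSTRUCTED_NETSTAT below
# is a made-up excerpt in the layout of "netstat -ntp" (assumption: the
# local address is column 4 and the foreign address column 5, as in the
# post's one-liner).

CONSTRUCTED_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:25           203.0.113.5:51230       ESTABLISHED 1234/master
tcp        0      0 192.0.2.10:25           203.0.113.5:51231       ESTABLISHED 1234/master
tcp        0      0 192.0.2.10:25           198.51.100.7:40022      ESTABLISHED 1234/master
tcp        0      0 192.0.2.10:2525         198.51.100.9:40100      ESTABLISHED 5678/other
tcp6       0      0 2001:db8::1:25          2001:db8::10:44321      ESTABLISHED 1234/master
tcp6       0      0 2001:db8::1:25          2001:db8::10:44322      ESTABLISHED 1234/master
tcp6       0      0 2001:db8::1:25          2001:db8::10:44323      ESTABLISHED 1234/master'

# Emit "count address" for every remote peer connected to local port 25,
# most connections first. /:25$/ keeps 192.0.2.10:2525 out of the count,
# and deleting ":digits" at the end of column 5 removes only the port,
# so 2001:db8::10:44321 becomes 2001:db8::10 rather than 2001.
smtp_peers() {
    printf '%s\n' "$CONSTRUCTED_NETSTAT" \
    | awk '$4 ~ /:25$/ { sub(/:[0-9]+$/, "", $5); print $5 }' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# The peer holding the most concurrent SMTP connections.
busiest_peer() {
    smtp_peers | head -n 1 | awk '{ print $2 }'
}

smtp_peers
```

To use it against a live box, replace the printf with a real `netstat -ntp` (or `ss -ntp`, whose columns differ) and keep the rest of the pipeline.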

The following shows the three addresses that opened the most POP3 connections, which is usually where a pop3 brute-force attempt stands out.

First, find the "maillog" log for your server.  Change to the directory holding that log and run:

grep "pop3d: Connection" maillog | awk '{print $7}' | awk -F'[' '{print $2}' | sed -e 's/\]//g' | sort | uniq -c | sort -nr | head -3

Here's another routine that shows, for each email account, which IP addresses logged in and how many times (the field number in the first awk depends on your server's log format, so check it against a sample "Login:" line first):

grep "Login:" maillog | for i in $(awk '{print $7}' | sort -u); do echo "$i"; grep " $i" maillog | grep -Po '\b((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b' | sort | uniq -c | sort -n; done
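As an added example that is not part of the original post, the script below covers the two maillog views above (top connecting addresses, and logins per account and address) and adds a threshold on failed logins. It runs over a constructed maillog excerpt in Courier's pop3d log style; that format, and the "LOGIN FAILED" wording, are assumptions, so adjust the patterns for Dovecot or another server. It takes the address from the ip=[...] field rather than a fixed awk column, so IPv6 and ::ffff:-mapped IPv4 are handled alike.

```shell
#!/bin/sh
# Added example, not part of the original post. CONSTRUCTED_MAILLOG is a
# made-up excerpt in Courier-IMAP's pop3d syslog style (an assumption).

CONSTRUCTED_MAILLOG='May 26 09:58:10 mail pop3d: Connection, ip=[::ffff:203.0.113.5]
May 26 09:58:11 mail pop3d: LOGIN FAILED, user=alice, ip=[::ffff:203.0.113.5]
May 26 09:58:12 mail pop3d: Connection, ip=[::ffff:203.0.113.5]
May 26 09:58:13 mail pop3d: LOGIN FAILED, user=bob, ip=[::ffff:203.0.113.5]
May 26 09:58:14 mail pop3d: Connection, ip=[::ffff:203.0.113.5]
May 26 09:58:15 mail pop3d: LOGIN FAILED, user=admin, ip=[::ffff:203.0.113.5]
May 26 09:58:16 mail pop3d: Connection, ip=[::ffff:203.0.113.5]
May 26 09:58:17 mail pop3d: LOGIN FAILED, user=root, ip=[::ffff:203.0.113.5]
May 26 10:01:00 mail pop3d: Connection, ip=[::ffff:198.51.100.7]
May 26 10:01:01 mail pop3d: LOGIN, user=alice, ip=[::ffff:198.51.100.7]
May 26 10:05:00 mail pop3d: Connection, ip=[2001:db8::10]
May 26 10:05:01 mail pop3d: LOGIN, user=alice, ip=[2001:db8::10]
May 26 10:09:00 mail pop3d: Connection, ip=[::ffff:198.51.100.7]
May 26 10:09:01 mail pop3d: LOGIN FAILED, user=alice, ip=[::ffff:198.51.100.7]
May 26 10:09:02 mail pop3d: Connection, ip=[::ffff:198.51.100.7]
May 26 10:09:03 mail pop3d: LOGIN, user=bob, ip=[::ffff:198.51.100.7]'

# Print the bracketed address from every line matching $1, dropping the
# ::ffff: prefix so IPv4 peers come out in their usual dotted form.
addresses_for() {
    printf '%s\n' "$CONSTRUCTED_MAILLOG" \
    | grep "$1" \
    | sed -n 's/.*ip=\[\(.*\)\].*/\1/p' \
    | sed 's/^::ffff://'
}

# Top connecting addresses as "count address", most connections first
# (the post's second one-liner, minus the fixed-column assumption).
top_connections() {
    addresses_for 'pop3d: Connection' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Addresses with at least $1 failed logins, one per line: the ones worth
# rate-limiting or blocking.
brute_force_sources() {
    addresses_for 'pop3d: LOGIN FAILED' | sort | uniq -c \
    | awk -v t="$1" '$1 >= t { print $2 }'
}

# Successful logins as "user address count", sorted by user then address:
# the same view as the post's nested grep loop, in a single pass.
logins_by_user() {
    printf '%s\n' "$CONSTRUCTED_MAILLOG" \
    | sed -n 's/.*pop3d: LOGIN, user=\([^,]*\), ip=\[\(.*\)\].*/\1 \2/p' \
    | sed 's/ ::ffff:/ /' \
    | sort | uniq -c \
    | awk '{ print $2, $3, $1 }'
}

echo "== connections per address =="; top_connections
echo "== addresses with 3+ failed logins =="; brute_force_sources 3
echo "== logins per user and address =="; logins_by_user
```

A user who suddenly logs in from an address they never used before, or an address that fails against several different accounts in a row, is the pattern to look for in the last two listings.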
