Exim4, grep the log files

From Andreida
Latest revision as of 22:51, 6 June 2023

IPs with failed login

List all IPs with a failed login and count how often each of them tried (the count only covers what is still in the retained log files; rotated logs that have already been deleted are not included):

zgrep -o 'failed for (\[.*\])' /var/log/exim4/rejectlog.* | grep -o '\[.*\]' | sed 's/^.//' | sed 's/.$//' | sort | uniq -c | sort -n

often accepted

Sometimes you want to find out which addresses are most often used for spam (i.e. rejected), which domains are only ever rejected, and so on. A starting point for that kind of investigation could be something like this:

zgrep petra /var/log/exim4/mainlog* | grep -v reject | grep -o 'From .*' | awk '{ print $2 }' | sort | uniq -c | sort -n

The above pipeline will:

  • grep over all exim4 main logs, including the rotated, gzip-compressed ones (zgrep)
  • keep only lines in which "petra" is mentioned
  • drop lines which contain "reject"
  • keep only the part of each line from the word 'From ' onwards (grep -o)
  • print the second ($2) whitespace-separated field of that part, i.e. the address after 'From'
  • sort the output so that identical addresses are adjacent
  • collapse duplicates, prefixing each remaining line with the number of times it occurred (uniq -c)
  • sort numerically by that count, so the most frequent address ends up last

how often rejected as login name

Very often people try to brute-force their way into your server. As usernames they try the local part of e-mail addresses (the part before the @) or other common names, and they use a dictionary for the password.

This shows the usernames that Exim rejected (the set_id of the failed authentication attempt) together with a count for each:

zgrep -o -h 'set_id=[a-zA-Z0-9@.-]*' /var/log/exim4/rejectlog.* | cut -d= -f2 | sort | uniq -c | sort -n
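A worked version of the two rejectlog pipelines on this page (the failed-login IPs and the rejected usernames), written as an added example rather than the wiki's own commands. It assumes the `... authenticator failed for (helo) [ip]: 535 Incorrect authentication data (set_id=user)` line shape that Exim writes to rejectlog; the sample log lines, addresses (RFC 5737 documentation ranges) and usernames are constructed for the example. The IP is taken from the bracketed address directly before `: 535`, so a HELO that is itself a bracketed IP literal is not mistaken for the source address, and a helper reads `.gz` rotations as well as plain files.

```shell
#!/bin/sh
# Added example (not from the Andreida wiki page): summarise failed SMTP AUTH
# attempts in Exim's rejectlog.  The log lines below are CONSTRUCTED in the
# shape of Exim's "authenticator failed" entries; IPs and usernames are made up.

SAMPLE_LOG="${TMPDIR:-/tmp}/exim_rejectlog_sample.$$"
cat > "$SAMPLE_LOG" <<'EOF'
2023-06-06 22:51:01 login authenticator failed for (User) [203.0.113.5]: 535 Incorrect authentication data (set_id=petra)
2023-06-06 22:51:04 login authenticator failed for (User) [203.0.113.5]: 535 Incorrect authentication data (set_id=petra)
2023-06-06 22:51:09 login authenticator failed for ([192.0.2.77]) [203.0.113.5]: 535 Incorrect authentication data (set_id=admin)
2023-06-06 22:52:30 plain authenticator failed for (mail.example.net) [198.51.100.23]: 535 Incorrect authentication data (set_id=info)
2023-06-06 22:53:12 login authenticator failed for (User) [192.0.2.77]: 535 Incorrect authentication data (set_id=admin)
2023-06-06 22:54:00 H=(bad.example) [198.51.100.23] F=<spam@example.org> rejected RCPT <nobody@example.net>: relay not permitted
EOF

# Concatenate log files, decompressing rotated .gz ones (what zgrep does for us
# on the wiki page), so the same functions work on rejectlog and rejectlog.*.gz.
cat_logs() {
    for f in "$@"; do
        case "$f" in
            *.gz) gzip -dc "$f" ;;
            *)    cat "$f" ;;
        esac
    done
}

# Print "count ip" per source IP, most active first.  The address is the
# bracketed one immediately before ": 535", which skips a HELO that is itself
# an IP literal in brackets (third sample line).
count_failed_ips() {
    cat_logs "$@" \
      | grep 'authenticator failed for' \
      | sed -n 's/.*authenticator failed for .*\[\([0-9A-Fa-f.:]*\)\]: 535.*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# Print "count username" for the set_id values that were tried, most tried first.
count_rejected_users() {
    cat_logs "$@" \
      | grep 'authenticator failed for' \
      | sed -n 's/.*(set_id=\([^)]*\)).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# Only IPs with at least N failures: a short candidate list to review before
# adding firewall or fail2ban rules, rather than the full tail of one-offs.
failed_ips_over() {
    n="$1"; shift
    count_failed_ips "$@" | awk -v n="$n" '$1 >= n { print $2 }'
}

cleanup_sample() { rm -f "$SAMPLE_LOG"; }

# Usage on the constructed sample; on a real host pass /var/log/exim4/rejectlog*
count_failed_ips "$SAMPLE_LOG"
count_rejected_users "$SAMPLE_LOG"
failed_ips_over 2 "$SAMPLE_LOG"
```

The output is deliberately normalised to `count value` with a single space, so it can be fed into further `awk` filters or a script without having to cope with `uniq -c`'s padded column.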