Check Top SMTP Auth Users in a day
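#Written by Michael Frost - 13/02/2014
# Script to check the number of SMTP AUTH logins per SASL user for today.
# It counts 'sasl_username=' entries in the mail log, keeps the ten busiest
# users, and mails one alert per user whose count is above $HIGHEST.
#
# Review notes on this version:
#  - Work files live in a private mktemp directory instead of fixed names in
#    /tmp. The script needs read access to the mail log and is typically run
#    with elevated rights, so predictable /tmp paths could be pre-created or
#    symlinked by another local account. The files are removed on exit, so
#    nothing is left behind in /tmp any more.
#  - Values taken from the log are always quoted, so a logged user name can
#    never be word-split or glob-expanded by the shell.

# Today's timestamp prefix as it appears in the log. This assumes the log uses
# the traditional syslog "Mmm dd" timestamp, where single-digit days are
# space-padded ("Feb  3"); '%e' reproduces that padding, and LC_ALL=C keeps the
# month abbreviation independent of the caller's locale.
date=$(LC_ALL=C date '+%b %e')
HIGHEST=900
MAILLOG=/var/log/mail.log
# Placeholder kept from the original: set this to the alert recipient.
ALERT_RCPT='[YOURMAILADDRESS]'

# Private scratch space, readable only by the invoking user.
umask 077
workdir=$(mktemp -d) || { echo "cannot create temporary directory" >&2; exit 1; }
trap 'rm -rf -- "$workdir"' EXIT
authusers=$workdir/authusers.txt
troublemakers=$workdir/troublemakers.txt
mailtech=$workdir/mailtech.txt

# Parse all smtp auth data from log file: third comma-separated field is
# " sasl_username=<user>", then count occurrences per user, busiest first.
grep -- "^$date" "$MAILLOG" \
  | grep 'sasl_username=' \
  | awk -F ',' '{ print $3 }' \
  | awk -F '=' '{ print $2 }' \
  | sort | uniq -c | sort -g -r > "$authusers"

# Now check and let tech know (only the first ten lines are examined).
head "$authusers" > "$troublemakers"
while read -r count user _
do
  # Skip blank or malformed lines so the numeric test below cannot fail.
  case $count in
    '' | *[!0-9]*) continue ;;
  esac
  if [ "$count" -gt "$HIGHEST" ]; then
    {
      echo "SMTP Auth Problem!! More than $HIGHEST Auths! Block ASAP - Scan run on: $date"
      printf '%s %s\n' "$count" "$user"
    } > "$mailtech"
    mail -s "Zimbra Auth Alert" "$ALERT_RCPT" < "$mailtech"
  fi
done < "$troublemakers"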
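# Script to check the number of SMTP AUTH logins per SASL user for today.
# It counts 'sasl_username=' entries in the mail log, keeps the ten busiest
# users, and mails one alert per user whose count is above $HIGHEST.
#
# Review notes on this version:
#  - Work files live in a private mktemp directory instead of fixed names in
#    /tmp. The script needs read access to the mail log and is typically run
#    with elevated rights, so predictable /tmp paths could be pre-created or
#    symlinked by another local account. The files are removed on exit, so
#    nothing is left behind in /tmp any more.
#  - Values taken from the log are always quoted, so a logged user name can
#    never be word-split or glob-expanded by the shell.

# Today's timestamp prefix as it appears in the log. This assumes the log uses
# the traditional syslog "Mmm dd" timestamp, where single-digit days are
# space-padded ("Feb  3"); '%e' reproduces that padding, and LC_ALL=C keeps the
# month abbreviation independent of the caller's locale.
date=$(LC_ALL=C date '+%b %e')
HIGHEST=900
MAILLOG=/var/log/mail.log
# Placeholder kept from the original: set this to the alert recipient.
ALERT_RCPT='[YOURMAILADDRESS]'

# Private scratch space, readable only by the invoking user.
umask 077
workdir=$(mktemp -d) || { echo "cannot create temporary directory" >&2; exit 1; }
trap 'rm -rf -- "$workdir"' EXIT
authusers=$workdir/authusers.txt
troublemakers=$workdir/troublemakers.txt
mailtech=$workdir/mailtech.txt

# Parse all smtp auth data from log file: third comma-separated field is
# " sasl_username=<user>", then count occurrences per user, busiest first.
grep -- "^$date" "$MAILLOG" \
  | grep 'sasl_username=' \
  | awk -F ',' '{ print $3 }' \
  | awk -F '=' '{ print $2 }' \
  | sort | uniq -c | sort -g -r > "$authusers"

# Now check and let tech know (only the first ten lines are examined).
head "$authusers" > "$troublemakers"
while read -r count user _
do
  # Skip blank or malformed lines so the numeric test below cannot fail.
  case $count in
    '' | *[!0-9]*) continue ;;
  esac
  if [ "$count" -gt "$HIGHEST" ]; then
    {
      echo "SMTP Auth Problem!! More than $HIGHEST Auths! Block ASAP - Scan run on: $date"
      printf '%s %s\n' "$count" "$user"
    } > "$mailtech"
    mail -s "Zimbra Auth Alert" "$ALERT_RCPT" < "$mailtech"
  fi
done < "$troublemakers"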