search log files for most common hits

If you are having problems with a possible attack on your server, check the log files for the most common hits. Often you will find one page being accessed far beyond what would be normal.

va1-fv00150# cat /usr/local/apache/logs/*/*access_log | awk '{print $7}' | sort | uniq -c | sort -rn | head
35806 /administrator/index.php
89 /
37 /robots.txt
30 /favicon.ico
20 /administrator/index.php?option=com_login
16 /imgs/flash.swf
15 /imgs/home.html
14 /wp-login.php
14 /js/AC_RunActiveContent.js
14 /imgs/styles.css

Use this information to find which log file (and therefore which site) is getting the hits:

va1-fv00150# grep -R "/administrator/index.php" /usr/local/apache/logs/*/*access_log | cut -d: -f1 | sort | uniq -c | sort -rn | head
38313 /usr/local/apache/logs/ibreporttv/
5 /usr/local/apache/logs/goinsidebusiness/

Use mutt to bounce emails to a different account

Log in to the server and (as root or the account owner) run 'mutt -f /path/to/his/mailbox'. From there type a capital 'T' (for "Tag messages matching the pattern I'm about to enter"); you will then be prompted for a pattern to match. Type '.' (to match all strings) and press enter. All messages should now have an asterisk ("*") next to them.

Now type a semicolon (";", which tells mutt that the action you're about to take applies to all tagged messages) and a lowercase 'b' (for "bounce"). Together ';b' means "bounce all the messages I've just tagged".

You'll be prompted for an address to bounce the messages to. Type it in and wait a little while for all the messages to bounce (mutt may ask you to confirm that you want to bounce them). When mutt reports that it's done, type the semicolon again followed by a lowercase 'd' (for "delete"). Type 'q' to quit mutt.

count pop3 logins

show users that are sending email:
mail /var/log# grep authid= /var/log/maillog | awk -F "]" '{print $3}' | awk -F , '{print $2}' | tr -d " " | sort | uniq -c | sort -rn

show what IP addresses are sending email:
mail /var/log# grep authid= /var/log/maillog | awk -F "]" '{print $2}' | awk -F "[" '{print $2}' | tr -d " " | sort | uniq -c | sort -rn
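The two maillog pipelines above, wrapped in shell functions so they can be run against a sample file. This is an added example, not part of the original notes: the maillog lines are constructed so that they have the same "]" / "," / "[" field positions the pipelines assume (the client IP in square brackets between the first and second "]", and authid= as the second comma-separated item after the second "]"). Real maillog formats differ between MTAs and auth daemons, so check a few real lines before trusting the field numbers. The usernames and IPs are made up.

```shell
#!/bin/sh
# Added example (not from the original notes). Constructed maillog lines laid
# out to match the field positions the notes' awk pipelines expect.
SAMPLE_MAILLOG=$(mktemp)
cat > "$SAMPLE_MAILLOG" <<'EOF'
Jan 10 10:00:01 mail smtpd[2211]: connection from [203.0.113.10] auth ok, authid=alice, mech=PLAIN
Jan 10 10:00:05 mail smtpd[2212]: connection from [203.0.113.10] auth ok, authid=alice, mech=PLAIN
Jan 10 10:00:09 mail smtpd[2213]: connection from [198.51.100.7] auth ok, authid=bob, mech=LOGIN
Jan 10 10:00:12 mail smtpd[2214]: connection from [203.0.113.10] auth ok, authid=alice, mech=PLAIN
Jan 10 10:00:20 mail smtpd[2215]: connection from [198.51.100.7] auth failed, no authid, mech=LOGIN
EOF

# Authenticated sender accounts, busiest first. Only lines carrying "authid="
# are counted, so the failed login on the last sample line is ignored.
sending_users() {
    grep 'authid=' "$1" | awk -F ']' '{print $3}' | awk -F , '{print $2}' \
        | tr -d ' ' | sort | uniq -c | sort -rn
}

# Client IPs that authenticated, busiest first. The IP is the text inside the
# square brackets that sit between the first and second "]" on the line.
sending_ips() {
    grep 'authid=' "$1" | awk -F ']' '{print $2}' | awk -F '[' '{print $2}' \
        | tr -d ' ' | sort | uniq -c | sort -rn
}

# Convenience accessors: the single most active account / IP, and how many
# distinct accounts sent mail at all.
top_sending_user() { sending_users "$1" | head -n 1 | awk '{print $2}'; }
top_sending_ip()   { sending_ips "$1" | head -n 1 | awk '{print $2}'; }
sender_count()     { sending_users "$1" | wc -l | tr -d ' '; }

# Stand-alone run: show both tables for the sample file.
sending_users "$SAMPLE_MAILLOG"
sending_ips "$SAMPLE_MAILLOG"
```

One account or one IP sitting far above the rest in these tables is the usual sign of a compromised mailbox password being used to relay spam; the account name from the first table is what you need to lock and reset.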

Change max connections for IMAP

On a busy server, the default number of simultaneous connections allowed for IMAP users might be too low. If IMAP customers complain about refused connections, you may need to raise that limit.

Edit the following file:

Restart imapd:
/etc/init.d/courier-imapd restart

Check log file for website “POST” entries

If you have a server that is not responding, one of the domains it hosts may be under attack. A few checks on the log files will show whether a normally low-volume website is suddenly getting lots of traffic.

Count the number of posts to each unique file:
# grep POST /usr/local/apache2/logs/USER/DOMAIN-accesslog | awk '{print $7}' | sort | uniq -c | sort -n

Count the number of times each IP posted to the domain:
# grep POST /usr/local/apache2/logs/USER/DOMAIN-accesslog | awk '{print $1}' | sort | uniq -c | sort -n

Count the number of unique IP addresses that posted to the domain:
# grep POST /usr/local/apache2/logs/USER/DOMAIN-access_log | awk '{print $1}' | sort | uniq | wc -l
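The access-log pipelines from the first section ("most common hits", and which log file carries them) and from this section (POST counts per path, per IP, and distinct posting IPs), collected into shell functions and run over constructed sample data. This is an added example and not code from the original notes; the log lines, IPs and the second log file are made up. One deliberate difference from the notes: the functions match `' "POST '` rather than bare `POST`, so a path or user-agent string that happens to contain the word POST is not counted as a POST request.

```shell
#!/bin/sh
# Added example (not from the original notes). Constructed Apache access_log
# lines in common log format: field 1 is the client IP, field 7 the request path.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [10/Jan/2012:10:00:01 +0000] "POST /administrator/index.php HTTP/1.1" 200 512
203.0.113.10 - - [10/Jan/2012:10:00:02 +0000] "POST /administrator/index.php HTTP/1.1" 200 512
203.0.113.10 - - [10/Jan/2012:10:00:03 +0000] "POST /administrator/index.php HTTP/1.1" 200 512
198.51.100.7 - - [10/Jan/2012:10:00:04 +0000] "POST /administrator/index.php HTTP/1.1" 200 512
192.0.2.44 - - [10/Jan/2012:10:00:05 +0000] "GET / HTTP/1.1" 200 2048
192.0.2.44 - - [10/Jan/2012:10:00:06 +0000] "GET /robots.txt HTTP/1.1" 200 64
198.51.100.7 - - [10/Jan/2012:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 128
EOF

# A second, quieter log (constructed) so that hits_per_log has something to compare.
SAMPLE_LOG2=$(mktemp)
printf '%s\n' '192.0.2.44 - - [10/Jan/2012:10:01:00 +0000] "GET /administrator/index.php HTTP/1.1" 200 512' > "$SAMPLE_LOG2"

# Most requested paths across a log, highest count first.
top_paths() { awk '{print $7}' "$1" | sort | uniq -c | sort -rn; }
busiest_path()      { top_paths "$1" | head -n 1 | awk '{print $2}'; }
busiest_path_hits() { top_paths "$1" | head -n 1 | awk '{print $1}'; }

# Which log file carries the hits for a given path: grep prefixes each match
# with its file name, cut keeps the name, and uniq -c counts per file.
hits_per_log() { pattern=$1; shift; grep -H -- "$pattern" "$@" | cut -d: -f1 | sort | uniq -c | sort -rn; }
noisiest_log() { hits_per_log "$@" | head -n 1 | awk '{print $2}'; }

# POST traffic: per path, per client IP, and the number of distinct posting IPs.
post_requests()   { grep ' "POST ' "$1"; }
post_paths()      { post_requests "$1" | awk '{print $7}' | sort | uniq -c | sort -rn; }
post_ips()        { post_requests "$1" | awk '{print $1}' | sort | uniq -c | sort -rn; }
unique_post_ips() { post_requests "$1" | awk '{print $1}' | sort -u | wc -l | tr -d ' '; }
top_post_ip()     { post_ips "$1" | head -n 1 | awk '{print $2}'; }

# Stand-alone run: the same four views the notes describe.
top_paths "$SAMPLE_LOG"
hits_per_log /administrator/index.php "$SAMPLE_LOG" "$SAMPLE_LOG2"
post_paths "$SAMPLE_LOG"
post_ips "$SAMPLE_LOG"
echo "distinct posting IPs: $(unique_post_ips "$SAMPLE_LOG")"
```

A login page taking thousands of POSTs from a handful of addresses, as in the sample, points at password guessing against the admin login; a high POST count spread over very many distinct IPs points at a distributed flood instead, and the distinct-IP count is what separates the two cases.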