Find Bad Mail Login Attempts

Find Bad Mail Login Attempts

Find the number of failed logins per IP address in the maillog

# Count failed logins per source IP over the newest 100 000 mail-log lines
# and show the 15 busiest addresses, highest count first.
# NOTE(review): cut -c 60- assumes a fixed-width syslog prefix in front of
# the daemon message; a different hostname or PID width shifts every awk
# field number ($4 is presumably the attempt count and $16 the rip=
# address), so check against a sample line before trusting the totals.
sudo tail -n 100000 /var/log/maillog \
  | grep "auth failed" \
  | cut -c 60- \
  | awk -F'[ =,]' '
      { hits[$16] += $4 }
      END { for (ip in hits) print hits[ip] " - " ip }' \
  | sort -nr \
  | head -n 15

Find bad login attempts and catalog the most-targeted email addresses for each of the top 15 IP addresses.

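# Per-IP failed-login totals for the newest 100 000 mail-log lines, each
# followed by the accounts that address targeted most (top 15 of each).
# Requires gawk: arrays of arrays and asort() with a user comparator.
#
# Fixes over the original one-liner:
#   * the comparator compared its 5th and 6th parameters (uninitialised
#     locals), so it always returned 0 and the "top 15" came out in an
#     arbitrary order; it now compares the two values asort() passes in.
#   * results are walked by numeric index 1..n, because "for (i in arr)"
#     gives no ordering guarantee even after asort().
#
# NOTE(review): cut -c 60- assumes a fixed-width syslog prefix; a different
# hostname or PID width shifts every awk field number ($4 is presumably
# the attempt count, $10 the user=<...> value, $16 the rip= address),
# so confirm against a sample line before relying on the totals.
sudo tail -n 100000 /var/log/maillog \
  | grep "auth failed" \
  | cut -c 60- \
  | awk -F'[ =,]' '
      # asort() calls this with (index1, value1, index2, value2); each value
      # is a sub-array whose [0] element is the count. Negative when v1
      # should sort first, i.e. descending by count.
      function by_count_desc(i1, v1, i2, v2) { return v2[0] - v1[0] }
      {
        byIp[$16][0] += $4            # attempts from this address
        byIp[$16][1]  = $16           # keep the address for printing
        byIp[$16][2][$10][0] += 1     # lines per targeted account
        byIp[$16][2][$10][1]  = $10   # keep the account for printing
      }
      END {
        n = asort(byIp, ranked, "by_count_desc")
        if (n > 15) n = 15
        for (r = 1; r <= n; r++) {
          print ranked[r][0] " - " ranked[r][1]
          m = asort(ranked[r][2], targets, "by_count_desc")
          if (m > 15) m = 15
          for (u = 1; u <= m; u++)
            print " " targets[u][0] " - " targets[u][1]
        }
      }'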

An older script that does the same thing without awk.

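# Older variant without awk: top 15 source IPs of failed logins in the
# newest 50 000 mail-log lines, each followed by the accounts it targeted.
# The matching lines are held in a shell variable so the window is read
# once; memory grows with the window size.
#
# Fixes over the original one-liner:
#   * "rip=$daIp" was used as an unescaped regex, so 1.2.3.4 also matched
#     1.2.3.40-49, 1.2.3.4x and any address whose digits merely start
#     that way, inflating the per-account counts for that IP.  Dots are
#     now literal and the address must end at a non-digit.
#   * read -r, so a backslash in the input is not interpreted.
# Only IPv4 rip= values are counted; IPv6 addresses are dropped by the
# pattern.  tail --lines is GNU coreutils syntax.
ipv4='((1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])'
failAuth=$(sudo tail --lines=50000 /var/log/maillog | grep -i "auth failed")
printf '%s\n' "$failAuth" \
  | grep -oE "rip=$ipv4" \
  | cut -c 5- \
  | sort | uniq -c | sort -nr | head -15 \
  | while read -r in; do
      # $in is "<count> <ip>" from uniq -c; pull the address back out.
      daIp=$(printf '%s\n' "$in" | grep -oE "$ipv4") || continue
      printf '%s\n' "$in"
      # Literal dots, then a non-digit or end of line, so 1.2.3.4 does not
      # match 1.2.3.41.
      ipPat="rip=${daIp//./[.]}([^0-9]|\$)"
      # user=<name>, meth... -> name: drop the 6-char "user=<" prefix and
      # the 7-char ">, meth" tail (assumes the field is followed by
      # ", method=" -- confirm on a sample line).
      printf '%s\n' "$failAuth" \
        | grep -E "$ipPat" \
        | grep -oE 'user=<.*meth' \
        | cut -c 7- \
        | sed 's/.\{7\}$//' \
        | sort | uniq -c | sort -nr
    done
unset failAuth ipv4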