Over the years of fending off denial of service attacks, and a bunch of other people out there trying to take my server down, I have developed some one-liners that I would like to share with you. These one-liners, written on Ubuntu Linux, show the incoming connections to your server, count them per IP address, and order them from lowest to highest.
$ netstat -an | grep SERVER_IP:25 | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -n
Example output:
1 192.168.0.1
2 172.31.31.2
3 10.0.0.1
4 10.10.1.5
Here is a one-liner that shows the number of client connections (client= lines, i.e. sessions that actually handed email to the server) your Postfix server has received since your last log rotation. Like the previous one-liner, this one sorts the IPs from the lowest number of connections to the highest.
$ sudo grep client= /var/log/mail.log | grep -v 127.0.0.1 | grep -v sasl | awk -F'[' '{print $3}' | sed 's/]//g' | sort | uniq -c | sort -n
Example output:
1 192.168.0.1
2 172.31.31.2
3 10.0.0.1
4 10.10.1.5
Here is another one-liner that sorts the number of connections to your Postfix server. It is different from the one above: these are connections that may or may not have gone on to send an email. I like to check this to see whether an IP address is abusing my server without sending email. Like the last two one-liners, the output is ordered from lowest to highest.
$ sudo grep "connect from" /var/log/mail.log | grep -v 127.0.0.1 | grep -v disconnect | awk -F'[' '{print $3}' | sed 's/]//' | sort | uniq -c | sort -n
Example output:
1 192.168.0.1
2 172.31.31.2
3 10.0.0.1
4 10.10.1.5
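To show the "connect from" and "client=" counts side by side, here is an added example (not from the original post) that wraps the same pipeline in a reusable function and then lists the IPs that connected repeatedly without ever handing over a message, which is what the check above is looking for. The log excerpt is constructed in the Postfix smtpd format; the function names and the threshold are my own.

```shell
# Constructed Postfix smtpd log excerpt (not from a real server) in the
# format the one-liners above parse: the IP sits in square brackets after the hostname.
SAMPLE_LOG='Mar  1 10:00:01 mx postfix/smtpd[2101]: connect from mail.example.net[192.168.0.1]
Mar  1 10:00:02 mx postfix/smtpd[2101]: 1A2B3C4D5E: client=mail.example.net[192.168.0.1]
Mar  1 10:00:03 mx postfix/smtpd[2101]: disconnect from mail.example.net[192.168.0.1]
Mar  1 10:00:04 mx postfix/smtpd[2102]: connect from unknown[10.10.1.5]
Mar  1 10:00:05 mx postfix/smtpd[2102]: disconnect from unknown[10.10.1.5]
Mar  1 10:00:06 mx postfix/smtpd[2103]: connect from unknown[10.10.1.5]
Mar  1 10:00:07 mx postfix/smtpd[2103]: lost connection after EHLO from unknown[10.10.1.5]
Mar  1 10:00:08 mx postfix/smtpd[2103]: disconnect from unknown[10.10.1.5]
Mar  1 10:00:09 mx postfix/smtpd[2104]: connect from unknown[10.10.1.5]
Mar  1 10:00:10 mx postfix/smtpd[2104]: disconnect from unknown[10.10.1.5]
Mar  1 10:00:11 mx postfix/smtpd[2105]: connect from localhost[127.0.0.1]
Mar  1 10:00:12 mx postfix/smtpd[2105]: 9F8E7D6C5B: client=localhost[127.0.0.1]
Mar  1 10:00:13 mx postfix/smtpd[2106]: connect from relay.example.org[172.31.31.2]
Mar  1 10:00:14 mx postfix/smtpd[2106]: 0011223344: client=relay.example.org[172.31.31.2]
Mar  1 10:00:15 mx postfix/smtpd[2106]: disconnect from relay.example.org[172.31.31.2]'

# ip_counts PATTERN  (log on stdin)
# Per-IP count of lines matching PATTERN, with loopback and "disconnect" lines
# dropped, lowest count first. Same pipeline as the one-liners above, with "["
# quoted so the shell never tries to glob it; works for "client=" and "connect from".
ip_counts() {
    grep "$1" | grep -v disconnect | grep -v '127\.0\.0\.1' \
        | awk -F'[' '{print $3}' | sed 's/]//' | sort | uniq -c | sort -n
}

# idle_connectors MIN  (log on stdin)
# IPs that connected at least MIN times but never produced a "client=" line,
# i.e. sessions that opened a connection without handing over a message.
idle_connectors() {
    log=$(cat)
    {
        printf '%s\n' "$log" | ip_counts 'client='      | awk '{print "SENT", $2}'
        printf '%s\n' "$log" | ip_counts 'connect from' | awk '{print "CONN", $1, $2}'
    } | awk -v min="$1" '$1 == "SENT" { sent[$2] = 1; next }
                         $2 >= min && !($3 in sent) { print $3 }'
}

printf '%s\n' "$SAMPLE_LOG" | ip_counts 'connect from'
printf '%s\n' "$SAMPLE_LOG" | idle_connectors 2
```

On a live box, replace the printf with `sudo cat /var/log/mail.log`.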
