@plutocrat
Last active September 14, 2021 06:22
Grabbing a few key stats from dovecot logs to replace the regular logwatch report
#!/bin/bash
# Future version might store stats in a flatfile DB and then show comparative values, eg +5%, -250%
set -u
# Month abbreviations from date(1) must match the ones in the log; syslog writes English names
export LC_ALL=C
# Use a private, unpredictable temp file rather than a fixed name in /tmp
# (a fixed world-writable path can be pre-created or symlinked by another local user)
TEMPFILE=$(mktemp /tmp/dc_temp.XXXXXX) || exit 1
trap 'rm -f "$TEMPFILE"' EXIT
# Need to cat the last two logs to guarantee 24 hours of data: adjust according to your setup
# zcat -f will deal with uncompressed and gzipped alike
zcat -f /var/log/dovecot.log.1 /var/log/dovecot.log > "$TEMPFILE"
# Find start hour 24 hours ago. If no match, try 25 hours, 26 hours, etc up to 48 hours
# example format "May 27 06" (assumes zero-padded days in the log, as in the sample run below)
FOUND=0
for HOUR in $(seq 24 48) ; do
  # Generate the date string for that hour
  TRYHOUR=$( date +"%b %d %H" --date="$HOUR hours ago" )
  # See if it starts a line in the temp file. If not, loop around with a different date
  if grep -q "^$TRYHOUR" "$TEMPFILE" ; then
    # We matched. Exit the loop.
    FOUND=1
    break
  fi
done
# Delete lines before the start hour to get the working file (the first matching line is kept).
# Without the match check, an unmatched 0,/re/ range would delete every line in the file.
if [ "$FOUND" -eq 1 ]; then
  sed -i "0,/^$TRYHOUR/{/^$TRYHOUR/!d}" "$TEMPFILE"
else
  echo "Warning: no log line found for any hour 24-48 hours ago; using all available data" >&2
fi
## Extracting Data from the tempfile.
STARTDATE=$(head -n 1 "$TEMPFILE" | awk '{print $1 " " $2 " " $3 }')
ENDDATE=$(tail -n 1 "$TEMPFILE" | awk '{print $1 " " $2 " " $3 }')
echo "Collecting data from $STARTDATE to $ENDDATE"
echo ""
# Successful logins are identified by excluding the known failure strings. Note this is a
# negative filter: a connection-only line such as "Aborted login" would also pass it.
NOFAIL='Disconnected|failed|Error'
TOTPOPLOGIN=$(grep pop3-login "$TEMPFILE" | grep -vE "$NOFAIL" | wc -l)
# Webmail on the same host connects over loopback, so IMAP is split on rip=127.0.
TOTIMAPLOGIN=$(grep imap-login "$TEMPFILE" | grep -vE "$NOFAIL" | grep -v " rip=127.0." | wc -l)
TOTWEBLOGIN=$(grep imap-login "$TEMPFILE" | grep -vE "$NOFAIL" | grep " rip=127.0." | wc -l)
echo "Total Logins:"
echo " POP3 $TOTPOPLOGIN"
echo " IMAP $TOTIMAPLOGIN"
echo " Webmail $TOTWEBLOGIN"
echo ""
echo "Successful logins from these IPs"
grep -E 'imap-login|pop3-login' "$TEMPFILE" | grep -vE "$NOFAIL" | sed 's/.*rip=//' | cut -d ',' -f 1 | sort | uniq -c | sort -nr | head -n 5
echo ""
# lport= is only present when the login log format includes the local port
if grep -q lport "$TEMPFILE" ; then
  echo "Successful logins on these ports"
  grep -E 'imap-login|pop3-login' "$TEMPFILE" | grep -vE "$NOFAIL" | sed 's/.*lport=//' | cut -d ',' -f 1 | sort | uniq -c | sort -nr
  echo ""
fi
# Failed authentication: password-guessing / brute-force indicators
echo "Top 5 Password Mismatch Accounts"
# auth lines have the form "auth: <passdb>(user,ip): Password mismatch"
grep "Password mismatch" "$TEMPFILE" | cut -d '(' -f 2 | cut -d ',' -f 1 | sort | uniq -c | sort -nr | head -n 5
echo ""
echo "Top 5 Password Mismatch IP addresses"
grep "Password mismatch" "$TEMPFILE" | grep -oE '((1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])' | sort | uniq -c | sort -nr | head -n 5
echo ""
./dovecot_log_summary.sh
Collecting data from Jun 01 16:00:44 to Jun 02 12:24:47
Total Logins:
POP3 719
IMAP 1692
Webmail 0
Successful logins from these IPs
937 45.164.181.113
159 112.21.196.17
123 136.18.34.171
105 183.11.18.126
92 120.129.168.236
Successful logins on these ports
1646 993
540 110
179 995
46 143
Top 5 Password Mismatch Accounts
27 dxa@thisdomain.com
17 bxg@thisdomain.com
13 management@thisdomain.com
8 abuse@thisdomain.com
3 jxy@thisdomain.com
Top 5 Password Mismatch IP addresses
17 199.7.156.137
12 175.176.3.158
11 45.64.81.113
10 110.54.138.57
8 52.96.117.253
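The login counts in the script above come from a negative filter (every imap-login/pop3-login line that does not contain Disconnected, failed or Error). The following is an added example, not part of the gist, that runs the same extraction over a handful of constructed dovecot-style log lines (placeholder users and addresses) and compares the negative filter with a positive match on the literal "Login:" string that dovecot writes only for a completed login. The function names and the sample lines are my own; the "Aborted login" line shows the case the negative filter counts as a success.

```shell
# Added example: constructed dovecot log lines (not from a real server).
# The "Aborted login" line is a TCP connection that never attempted auth.
SAMPLE_LOG=$(cat <<'EOF'
Jun 02 10:00:01 mail dovecot: imap-login: Login: user=<alice@example.test>, method=PLAIN, rip=198.51.100.10, lip=203.0.113.5, mpid=1001, TLS, session=<a1>
Jun 02 10:00:05 mail dovecot: pop3-login: Login: user=<bob@example.test>, method=PLAIN, rip=198.51.100.11, lip=203.0.113.5, mpid=1002, TLS, session=<a2>
Jun 02 10:01:00 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 10 secs): user=<carol@example.test>, method=PLAIN, rip=192.0.2.77, lip=203.0.113.5, TLS, session=<a3>
Jun 02 10:01:30 mail dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=192.0.2.78, lip=203.0.113.5, TLS, session=<a4>
Jun 02 10:02:00 mail dovecot: imap-login: Login: user=<alice@example.test>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=1003, secured, session=<a5>
Jun 02 10:02:10 mail dovecot: auth: passwd-file(carol@example.test,192.0.2.77): Password mismatch
Jun 02 10:02:12 mail dovecot: auth: passwd-file(carol@example.test,192.0.2.77): Password mismatch
Jun 02 10:02:15 mail dovecot: auth: passwd-file(dave@example.test,192.0.2.80): Password mismatch
EOF
)

# Gist-style count: any login-process line that does not carry a known failure string.
# The aborted connection passes this filter and is counted as a login.
negative_filter_count() {
  printf '%s\n' "$SAMPLE_LOG" | grep -E 'imap-login|pop3-login' \
    | grep -vE 'Disconnected|failed|Error' | wc -l | tr -d ' '
}

# Positive match: only lines dovecot writes once authentication has succeeded.
positive_filter_count() {
  printf '%s\n' "$SAMPLE_LOG" | grep -E '(imap|pop3)-login: Login: ' | wc -l | tr -d ' '
}

# Remote addresses of successful logins, loopback (webmail) excluded, one per line.
remote_login_ips() {
  printf '%s\n' "$SAMPLE_LOG" | grep -E '(imap|pop3)-login: Login: ' \
    | sed -E 's/.*rip=([^,]+),.*/\1/' | grep -v '^127\.' \
    | sort | uniq -c | sort -nr | awk '{print $2}'
}

# Source addresses of password mismatches, taken from the "(user,ip)" part of the
# auth line rather than with a generic IPv4 regex, printed as "ip count", busiest first.
top_mismatch_ips() {
  printf '%s\n' "$SAMPLE_LOG" | grep 'Password mismatch' \
    | sed -E 's/.*\(([^,]*),([^)]*)\).*/\2/' \
    | sort | uniq -c | sort -nr | awk '{print $2" "$1}'
}

echo "Logins (negative filter): $(negative_filter_count)"
echo "Logins (positive match):  $(positive_filter_count)"
echo "Remote login IPs:"; remote_login_ips
echo "Password mismatch sources:"; top_mismatch_ips
```

On the sample the negative filter reports one more login than the positive match, the difference being the aborted connection. Reading the address out of the "(user,ip)" field also keeps an IP that happens to appear elsewhere on the line (a lip= or session id) from being counted.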