DEV Community

Yaroslav Polyakov

topip: who is abusing your server?

One day you check your logs and see that mail.log or access.log is 10 times bigger than usual. You need to find the reason, and the sooner the better!

For a web server, maybe someone is aggressively downloading, crawling or scraping your website, running a vulnerability scanner or brute-forcing passwords. For a mail server, maybe someone is sending spam or brute-forcing passwords. Or something else.

topip quickly finds the top-N IPv4 addresses in your logs.

topip /var/log/mail.log
...
    8405 92.155.149.266
    8496 35.142.45.298
   66340 127.0.0.1

or

grep "SASL LOGIN authentication failed:" /var/log/mail.log | topip

With the -g flag, topip prints only the lines that contain an IPv4 address (lines without one are omitted). With -i, only the IPv4 addresses themselves are printed.

topip -g /var/log/mail.log

Oct  9 05:48:25 mx postfix/smtpd[2166]: connect from unknown[191.211.100.228]
Oct  9 05:48:26 mx postfix/smtpd[2162]: connect from unknown[103.129.202.216]
Oct  9 05:48:30 mx postfix/smtpd[2166]: warning: unknown[191.211.100.228]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

topip is written in Go and is very fast.

You can achieve a similar effect with sed/awk/sort/uniq, but isn't it easier to type topip filename.log?
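As an added illustration (not topip's own code; the real tool may behave differently), here is the counting core of a topip-like summary in Go: it streams the input line by line, extracts dotted-quad candidates, drops tokens that are not valid IPv4 addresses, and returns the top-N by count. It is a library-style snippet, so call TopIPs from a main of your own that passes it os.Stdin or an opened log file; counting every address on a line is an assumption, not documented topip behaviour.

```go
package main

import (
	"bufio"
	"io"
	"net"
	"regexp"
	"sort"
)

// Candidate dotted quads; \d{1,3} also matches tokens such as 92.155.149.266,
// so each match is range-checked with net.ParseIP before it is counted.
var ipv4Pattern = regexp.MustCompile(`\b\d{1,3}(?:\.\d{1,3}){3}\b`)

// IPCount pairs an address with the number of times it appeared in the input.
type IPCount struct {
	IP    string
	Count int
}

// TopIPs counts every valid IPv4 address in r and returns the n most frequent,
// highest count first; ties are ordered by address so output is deterministic.
func TopIPs(r io.Reader, n int) ([]IPCount, error) {
	counts := map[string]int{}
	sc := bufio.NewScanner(r) // streams the log; no need to load it all
	for sc.Scan() {
		for _, m := range ipv4Pattern.FindAllString(sc.Text(), -1) {
			if net.ParseIP(m) != nil { // nil for octets above 255
				counts[m]++
			}
		}
	}
	if err := sc.Err(); err != nil { // read errors or an over-long line
		return nil, err
	}
	var out []IPCount
	for ip, c := range counts {
		out = append(out, IPCount{ip, c})
	}
	sort.Slice(out, func(i, j int) bool {
		return out[i].Count > out[j].Count || (out[i].Count == out[j].Count && out[i].IP < out[j].IP)
	})
	if n < len(out) {
		out = out[:n]
	}
	return out, nil
}
```

Because every address on a line is counted, local connections from 127.0.0.1 will usually dominate a raw mail.log summary, as in the output above; pipe a grep for the event you care about (such as the SASL failures) into the counter to focus on it.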

https://github.com/yaroslaff/topip
