Koozali.org: home of the SME Server

Hack Attempts log parser

Offline apmuthu

  • *
  • 244
  • +0/-0
Hack Attempts log parser
« on: August 04, 2020, 08:37:02 AM »
Here is a script to extract the files involved in SME server hack attempts whenever a "File does not exist" error occurs:
Code: [Select]
EXTIP=`curl -s ifconfig.me/ip`
grep "File does not exist" /var/log/httpd/error_log | sed -e 's#\: /#\n#' | grep "home" | sort -u | sed -e "s#$EXTIP#\<IP\>#g" > dict_err.txt
# grep "File does not exist" /var/log/httpd/admin_error_log | sed -e 's#\: /#\n#' | grep "home" | sort -u | sed -e "s#$EXTIP#\<IP\>#g" > dict_admin_err.txt

Maybe someone can make a contrib package to filter common errors like the above.

Offline ReetP

  • *
  • 3,869
  • +5/-0
Re: Hack Attempts log parser
« Reply #1 on: August 04, 2020, 09:05:49 PM »
Add them to the wiki please - I think there is a 'useful commands' bit (and note that ipconfig is being deprecated and you should use `ip`)
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline apmuthu

  • *
  • 244
  • +0/-0
Re: Hack Attempts log parser
« Reply #2 on: August 05, 2020, 03:48:55 AM »
Please point me to where "ipconfig" is used and the actual url that is current now. I had used "ifconfig.me/ip".

Added it to the wiki at:
https://wiki.contribs.org/Useful_Commands#Log
« Last Edit: August 05, 2020, 03:55:59 AM by apmuthu »

Offline ReetP

  • *
  • 3,869
  • +5/-0
Re: Hack Attempts log parser
« Reply #3 on: August 05, 2020, 09:40:36 AM »
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline apmuthu

  • *
  • 244
  • +0/-0
Re: Hack Attempts log parser
« Reply #4 on: August 06, 2020, 03:20:48 AM »
I only used the "ifconfig.me" web service and not the "ifconfig" command.

Anyway, thanks for the info on "ifconfig" deprecated state as also are arp, route and
netstat.

There is a nice discussion on this deprecated state at:
https://serverfault.com/questions/458628/should-i-quit-using-ifconfig

Redhat Article:
https://www.redhat.com/sysadmin/ifconfig-vs-ip

The common commands in the new dispensation are:
Code: [Select]
ip addr show
ip addr show eth0
ip link show

"ip" provides much, much more features. Of course it is more complex. Anyway, many commands can be shortened. e.g. "ip addr show" can be shortened to "ip a", "ip link show" to "ip l", "ip link set eth0 up" to "ip l set eth0 up" and so on. This brings "ip" on par with "ifconfig".
« Last Edit: August 06, 2020, 03:42:27 AM by apmuthu »