The script below lists the ESTABLISHED incoming connections on a given TCP port, geo-locates each remote IP address, and searches the Zimbra log files for the e-mail account last seen logging in from that remote IP. Attribution is by IP address only, so several users behind one NAT or proxy address will show up as a single account — treat the result as a lead, not as proof.
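#!/usr/bin/env bash
#
# List the ESTABLISHED TCP connections whose local endpoint is port $1 and,
# for each distinct remote IPv4 address, print:
#   - the account last seen logging in from that address, found by grepping
#     the Zimbra logs (zimbra.log, audit.log, mailbox.log and their rotated /
#     gzipped copies) -- "NotFound" when no log line mentions the address;
#   - the geoiplookup country string;
#   - the reverse-DNS answer from host(1).
#
# Usage: ./script.sh {port}          e.g. ./script.sh 443
#
# Requirements: netstat (net-tools), geoiplookup, host, zcat, and read access
# to the Zimbra logs (normally run as the zimbra user on a Linux host).
#
# Caveats a responder should keep in mind:
#   - Attribution is by IP only.  Several users behind one NAT/proxy address
#     collapse onto whichever login was logged last; it is a lead, not proof.
#   - Only IPv4 peers are listed.  IPv6 peers are skipped because netstat's
#     "Foreign Address" column is split on ':' which is ambiguous for IPv6.
#   - 0.0.0.0, 127.* and 192.168.* peers are hidden (the previous version of
#     this script hid 0.0.0.0, 127.0.* and anything containing "192.168.").
#     The other RFC 1918 ranges (10/8, 172.16/12) are NOT filtered.
#
# Changes from the previous version: no predictable /tmp/info<port>.tmp
# scratch file (geoiplookup output is captured directly), the port argument
# is validated, the IP is regex-escaped before being embedded in grep -E
# patterns, and only connections whose LOCAL endpoint is :$port are counted.

set -u
set -o pipefail
# Deliberately no `set -e`: grep pipelines that find nothing exit 1 and that
# is an expected, handled outcome here.

readonly FORMAT='%30s %15s %20s %60s\n\n'   # one result row (+ blank line)
readonly HEADER='%30s %15s %20s %60s\n'     # column titles
readonly RULE='==========================================================='
readonly ZIMBRALOG=/var/log/zimbra.log
readonly AUDITLOG=/opt/zimbra/log/audit.log
readonly MAILBOXLOG=/opt/zimbra/log/mailbox.log
# An account name as it appears in the Zimbra logs (user@domain.tld).
readonly ACCOUNT_RE='[a-zA-Z0-9.-]+@[a-zA-Z0-9.-]+\.[a-zA-Z0-9.-]+'

die() { printf '%s\n' "$*" >&2; exit 1; }
usage() { printf 'usage: %s {port}\n' "${0##*/}" >&2; exit 2; }

# Escape an IPv4 address for use inside an ERE.  Without this '.' matches
# any character and 10.1.2.3 would also match 10x1y2z3-style data; netstat
# only ever hands us digits and dots, so the dot is the only metacharacter.
escape_ip() {
  printf '%s' "${1//./\\.}"
}

# Print the last fragment of file $2 that matches ERE $1.  Gzipped copies
# are read through zcat.  Prints nothing and returns non-zero on no match.
grep_log() {
  local pattern=$1 file=$2
  if [[ "$file" == *.gz ]]; then
    zcat -- "$file" | grep -E -o -e "$pattern" | tail -n 1
  else
    grep -E -o -e "$pattern" -- "$file" | tail -n 1
  fi
}

# List every on-disk copy of log $1 ("$1", "$1.1", "$1.2.gz", ...), one per
# line: uncompressed copies first (the current file sorts first of all),
# gzipped copies after -- the order in which lookup_email searches them.
log_copies() {
  local base=$1 f
  for f in "$base"*; do
    [[ -f "$f" && "$f" != *.gz ]] && printf '%s\n' "$f"
  done
  for f in "$base"*.gz; do
    [[ -f "$f" ]] && printf '%s\n' "$f"
  done
  return 0
}

# Print the account last seen from IPv4 address $1 in the Zimbra logs, or
# "NotFound".  Sources are tried in order and the search stops at the first
# file with a hit (current file before rotated copies, so a stale rotated
# login does not shadow a fresh one):
#   zimbra.log  : postfix/SASL lines of the form "[1.2.3.4] <user@dom>"
#   audit.log   : "[ip=1.2.3.4;] ... account=user@dom"
#   mailbox.log : "name=user@dom;mid=23;ip=1.2.3.4;"
# NOTE(review): "mid=23" is kept verbatim from the previous version -- TODO
# confirm whether a fixed mailbox id is intended or whether it should be
# "mid=[0-9]+".
lookup_email() {
  local ip=$1 re i base pattern file hit
  re=$(escape_ip "$ip")
  local -a bases=("$ZIMBRALOG" "$AUDITLOG" "$MAILBOXLOG")
  local -a patterns=(
    "\[$re\] <+$ACCOUNT_RE>"
    "\[ip=$re;\] [a-zA-Z0-9.-]* [a-zA-Z0-9.-]* [a-zA-Z0-9.-=;]* account=$ACCOUNT_RE"
    "name=$ACCOUNT_RE;mid=23;ip=$re;"
  )
  for i in "${!bases[@]}"; do
    base=${bases[$i]}
    pattern=${patterns[$i]}
    while IFS= read -r file; do
      hit=$(grep_log "$pattern" "$file")
      if [[ -n "$hit" ]]; then
        # Every pattern above contains exactly one account; pull it out
        # instead of relying on awk field positions that differ per log.
        grep -E -o -e "$ACCOUNT_RE" <<<"$hit" | head -n 1
        return 0
      fi
    done < <(log_copies "$base")
  done
  printf 'NotFound\n'
}

# Print, one per line and without duplicates (first-seen order kept), the
# remote addresses of the ESTABLISHED TCP connections whose LOCAL endpoint
# is port $1 -- i.e. inbound connections to this server.  Outbound
# connections to a remote :$1 are intentionally not counted.
# Relies on the Linux net-tools `netstat -an` layout:
#   Proto Recv-Q Send-Q Local-Address Foreign-Address State
established_remotes() {
  local port=$1
  netstat -an \
    | awk -v port="$port" '
        $6 == "ESTABLISHED" && $4 ~ (":" port "$") {
          peer = $5
          sub(/:[0-9]+$/, "", peer)   # drop the remote port
          print peer
        }' \
    | awk '!seen[$0]++'
}

main() {
  local port=${1-}
  # A port must be a plain decimal in 1..65535.  An empty or non-numeric
  # argument is rejected up front (with the old `grep ":$PORT "` an empty
  # argument silently matched every connection).
  if ! [[ "$port" =~ ^[1-9][0-9]{0,4}$ ]] || (( port > 65535 )); then
    usage
  fi
  local tool
  for tool in netstat geoiplookup host; do
    command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
  done

  echo "$RULE"
  echo "Check connection on port $port"
  echo "$RULE"
  echo ""
  # shellcheck disable=SC2059  # HEADER/FORMAT are constants, never data
  printf "$HEADER" "EMAIL" "IP" "COUNTRY" "HOSTNAME"
  echo ""

  local peer email country rdns count=0
  while IFS= read -r peer; do
    # Skip IPv6 peers and anything that is not a dotted quad (see header).
    [[ "$peer" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || continue
    case "$peer" in
      0.0.0.0|127.*|192.168.*) continue ;;   # loopback / local LAN
    esac
    email=$(lookup_email "$peer")
    country=$(geoiplookup "$peer" 2>&1)    # lookup errors show in the column
    rdns=$(host "$peer")
    # shellcheck disable=SC2059
    printf "$FORMAT" "$email" "$peer" "$country" "$rdns"
    count=$((count + 1))
  done < <(established_remotes "$port")

  echo "$RULE"
  echo "There are $count current connection(s) on port $port"
  echo "$RULE"
}

main "$@"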
usage: ./script.sh {port}
example:
zimbra@mail:~/scripts$ ./script.sh 443 =========================================================== Check connection on port 443 =========================================================== EMAIL IP COUNTRY HOSTNAME user@domain.com 80.234.199.12 GeoIP Country Edition: FR, France 11.133.233.222.in-addr.arpa domain name pointer xxx.cable.dynamic.telecom.net. ...