<html> <body> <h2>Discover honeypot addresses</h2> To discover actual addresses for detection, examine your <i>syslog</i> output for addresses that were rejected as unknown. One way to do this might look like the following, where the actual command is one huge line: <code><ul> % cd /var/log<br> % grep "User unknown" syslog* | sed -e 's/.*&lt;//' -e 's/&gt;.*//' -e 's/\.\.\..*//' | sort | uniq -c | sort -n<br> </ul></code> Here, your mail log file might be called <code>maillog</code> or something else (see your <i>/etc/syslog.conf</i> file if in doubt). Partial output of this command might look like this: <code><ul> 11 janaina.broca@your.domain<br> 12 gj@your.domain<br> 12 gkjhjkhjk@your.domain<br> 13 helen@your.domain<br> 14 asd@your.domain<br> 15 BC1@your.domain<br> 19 CGBNCDHB@your.domain<br> 30 a@your.domain<br> 34 da@your.domain<br> 47 y8jhbg@your.domain<br> 51 cgbncdhb@your.domain<br> </ul></code> Since these hit your site, you should put the ones you find in your <b>slow.honey</b> and <i>/etc/mail/aliases</i> files. </body> </html>
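The same pipeline as an added example (not part of the original distribution), with two additions: case is folded, so that variants such as CGBNCDHB and cgbncdhb in the output above are counted together, and anything that is not a plain address is dropped, because the rejected recipient is text chosen by the remote sender. The function names, the threshold argument and the sendmail-style sample lines are constructed for illustration, and folding case assumes your site matches local parts case-insensitively.

```shell
#!/bin/sh
# Added example; rejected_counts and sample_log are hypothetical names.

# rejected_counts MIN
# Read mail log lines on stdin and print "count address" for every
# address rejected as "User unknown" at least MIN times (default 1).
rejected_counts() {
    min=${1:-1}
    grep 'User unknown' |
        # Same extraction as the one-liner: keep what sits between < and >,
        # or what precedes "..." when there are no angle brackets.
        sed -e 's/.*<//' -e 's/>.*//' -e 's/\.\.\..*//' |
        # Count case variants of one address together.
        tr 'A-Z' 'a-z' |
        # The recipient is sender-supplied: keep only plain local@domain
        # strings before anything is copied into a configuration file.
        grep -E '^[a-z0-9._+-]+@[a-z0-9.-]+$' |
        sort | uniq -c | sort -n |
        awk -v min="$min" '$1 >= min { print $1, $2 }'
}

# Constructed sample log lines (assumed sendmail-style format).
sample_log() {
    cat <<'EOF'
Mar  3 04:10:01 mx sendmail[2101]: j23AB1: <CGBNCDHB@your.domain>... User unknown
Mar  3 04:10:07 mx sendmail[2102]: j23AB2: <cgbncdhb@your.domain>... User unknown
Mar  3 04:11:15 mx sendmail[2107]: j23AB3: <cgbncdhb@your.domain>... User unknown
Mar  3 04:12:40 mx sendmail[2111]: j23AB4: <a@your.domain>... User unknown
Mar  3 04:13:02 mx sendmail[2115]: j23AB5: from=<x@example.net>, size=912, nrcpts=1
Mar  3 04:14:19 mx sendmail[2120]: j23AB6: <bad addr`x`@your.domain>... User unknown
EOF
}

# Addresses rejected at least twice in the sample.
sample_log | rejected_counts 2
```

Against real logs, feed the files on stdin instead, for example `cat syslog* | rejected_counts 10`.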
# | Change | User | Description | Committed | |
---|---|---|---|---|---|
#1 | 3998 | bryan_costales |
Brought the whole distribution up to V0.9. Added a huge amount of documentation. Added slowedit find. Created startup scripts to launch for testing. Fixed numerous bugs. Fixed a few portability issues. Installed hooks for whitelisting and IP aliases. |