I noticed some interesting DNS error messages in my syslog and wanted to find out who the biggest offenders were.
sudo grep named /var/log/syslog | awk -F": " '{print $3}' | grep '^[0-9]' | sort > dns_harass_ip.txt
for ip in $(uniq dns_harass_ip.txt); do echo -n $(grep -cxF "$ip" dns_harass_ip.txt) && echo " — $ip"; done | sort -nr
Let’s break these down and explain.
- sudo grep named /var/log/syslog: Show any syslog messages from named
- awk -F": " '{print $3}': Using the characters colon-space as a delimiter, print the third field (IP)
- grep '^[0-9]': Only show fields that start with a number (IP)
- sort > dns_harass_ip.txt: Sort and dump the IP addresses
- for ip in $(uniq dns_harass_ip.txt); do: For each unique IP address
- echo -n $(grep -cxF "$ip" dns_harass_ip.txt): Print, without a newline, the number of lines that equal the IP exactly (-x -F: whole-line, fixed-string match, so 10.0.0.1 is not also counted inside 10.0.0.10)
- echo " — $ip": Then print, with a newline, the actual IP address
- sort -nr: Sort by numeric value in reverse, or descending, order
That’s all. From there you can firewall any outstanding offenders or select a different course of action.
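The same tally as a self-contained script, added here as an example and not part of the original post. It assumes the message format the post's pipeline relies on: the third colon-space-separated field of a named line begins with the remote address, here followed by BIND's "#port" suffix, which the script strips. The log lines are constructed samples using documentation-range addresses, and the function names (write_sample_log, top_dns_offenders, offenders_over) are my own. It goes slightly beyond the one-liner by counting with sort | uniq -c, so every address is counted as a whole field and 192.0.2.1 is never counted inside 192.0.2.10, and by adding a threshold filter for the review step before any firewall decision.

```shell
#!/bin/sh
# Added example, not the post's own commands: per-IP tally of named error
# messages over a constructed syslog sample, counting whole fields.

# Write constructed sample lines (documentation-range addresses, not real
# hosts) to the path given as $1. The third ": "-separated field starts
# with the remote address, as in the post, plus BIND's "#port" suffix.
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  1 10:00:01 ns1 named[1234]: error (unexpected RCODE REFUSED) resolving 'www.example.com/A/IN': 192.0.2.10#53
Mar  1 10:00:02 ns1 named[1234]: error (unexpected RCODE SERVFAIL) resolving 'mail.example.net/MX/IN': 198.51.100.7#53
Mar  1 10:00:03 ns1 named[1234]: error (unexpected RCODE REFUSED) resolving 'www.example.com/AAAA/IN': 192.0.2.10#53
Mar  1 10:00:04 ns1 named[1234]: zone example.org/IN: loaded serial 2024030101
Mar  1 10:00:05 ns1 sshd[99]: Accepted publickey for alice from 203.0.113.9 port 2222
Mar  1 10:00:06 ns1 named[1234]: error (connection refused) resolving 'ns.example.org/A/IN': 192.0.2.1#53
Mar  1 10:00:07 ns1 named[1234]: error (unexpected RCODE REFUSED) resolving 'ftp.example.com/A/IN': 192.0.2.10#53
Mar  1 10:00:08 ns1 named[1234]: error (network unreachable) resolving 'example.test/NS/IN': 203.0.113.5#53
Mar  1 10:00:09 ns1 named[1234]: error (unexpected RCODE SERVFAIL) resolving 'example.net/A/IN': 198.51.100.7#53
EOF
}

# Print "count ip" lines for every named message whose third field starts
# with a digit, most frequent first. $1 is the syslog file to read.
# The sed step drops "#port" (and anything after a space) so only the
# address is counted; uniq -c counts each distinct address exactly once.
top_dns_offenders() {
    grep 'named' "$1" \
      | awk -F': ' '{print $3}' \
      | grep '^[0-9]' \
      | sed 's/[# ].*$//' \
      | sort | uniq -c | sort -nr \
      | awk '{print $1, $2}'
}

# Print only the addresses seen at least $2 times in $1, one per line:
# the short list you would review before deciding on a firewall rule.
offenders_over() {
    top_dns_offenders "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

# Stand-alone run against the constructed sample.
log=$(mktemp)
write_sample_log "$log"
top_dns_offenders "$log"
echo "--- at least 2 errors:"
offenders_over "$log" 2
rm -f "$log"
```

Point top_dns_offenders at /var/log/syslog (with sudo, as in the post) to run it against a real log; the sample writer exists only so the script demonstrates its output offline.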
