qmail-qread – list outgoing messages and recipients

[root@server ~]# /var/qmail/bin/qmail-qread | grep remote | awk -F\@ ‘{print $2}’ |sort | uniq | sort -n
aol.com
bigpond.net.au
comcast.net
gmail.com
hotmail.com
msn.com
nc.rr.com
yahoo.com
yahoo.co.uk

qmHandle – qmail Handler

[root@server ~]# qmHandle -s
Total messages: 225
Messages with local recipients: 0
Messages with remote recipients: 225
Messages with bounces: 0
Messages in preprocess: 0

qmHandle -l                       list all emails in queue
qmHandle -mN                 show email no N from queue
qmHandle -dN                  delete email no N from queue
qmHandle -R                     show remote emails from queue
qmHandle -D                     delete all messages from queue
qmHandle -a                 try to send messages from queue

[root@server ~]# /var/qmail/bin/qmail-qstat
messages in queue: 224
messages in queue but not yet preprocessed: 0

This issue is related to semaphores. To view how many semaphores you have use:

root@hal [~]# sysctl -a | egrep kernel.sem\|kernel.msgmni
kernel.sem = 250 32000 32 128
kernel.msgmni = 16

You can change this values by adding them in /etc/sysctl.conf and then using sysctl -p to activate them.
There is no need to reboot.

To remove sempahores use either one of these commands:

for i in `ipcs -s | grep nobody | awk ‘{print $2}’`; do ipcrm -s $i; done
/scripts/restartsrv_httpd

or in Perl

ipcs -s | grep nobody | perl -e ‘while () { @a=split(/\s+/); print `ipcrm sem $a[1]`}’

or with xargs

ipcs -s | grep nobody | awk ‘ { print $2 } ‘ | xargs ipcrm

or bash style

for ipsemId in $(ipcs -s | grep nobody | cut -f 2 -d ‘ ‘); do ipcrm $ipsemId;done

Other errors :

Cannot create SSLMutex

add in httpd.conf

SSLMutex sem

Probably all of you know already about the ”last” command and what it outputs.

For example here is what my says:

[aibo@lap ~]$ last | more
giani    pts/2        :0.0             Tue Oct 14 21:45   still logged in
giani    pts/6        :0.0             Tue Oct 14 21:06   still logged in
abo     pts/5        :pts/3:S.1       Tue Oct 14 21:06   still logged in
abo     pts/4        :pts/3:S.0       Tue Oct 14 21:05   still logged in
abo     pts/3        lap.x83.net      Tue Oct 14 21:05   still logged in

It very important to choose strong passwords for all accounts, especially root, since it is the #1 attacked account.

Also an other nice tools is ”’lastb”’ which shows the last failed logins.

Top 5 most recently attacked accounts
[root@lap ~]# lastb | awk '{print $1}' | sort | uniq -c | sort -rn | head -5
      7 root
      2 rancid
      2 giany
      1 btmp
      1

Top 5 most attacked accounts
[root@lap ~]# awk 'gsub(".*sshd.*Failed password for (invalid user )?", "") {print $1}' /var/log/secure* | sort | uniq -c | sort -rn | head -5
    144 root
     30 test
     18 admin
      9 user
      6 webmaster

Top 5 attacker IP addresses
[root@lap ~]# awk 'gsub(".*sshd.*Failed password for (invalid user )?", "") {print $3}' /var/log/secure* | sort | uniq -c | sort -rn | head -5
    397 124.109.44.155
    128 206.169.122.212
    107 89.179.174.40
     24 83.17.92.138
     15 85.25.151.96