| 1 | 63535d04 | Hirata Yoshiyuki | #!/usr/bin/php |
| 2 | <?php |
||
| 3 | # Plugin to monitor the number of invalid access to sshd per country |
||
| 4 | # |
||
| 5 | # Requires read permission on the sshd log file |
||
| 6 | # ref) ls -l /var/log/secure |
||
| 7 | # Require PEAR library Net_GeoIP |
||
| 8 | # ref) http://pear.php.net/package/Net_GeoIP/redirected |
||
| 9 | # Require GeoIP-database to find out the geolocation from ip or host |
||
| 10 | # ref) http://www.maxmind.com/app/geoip_country |
||
| 11 | # |
||
| 12 | # Parameters: |
||
| 13 | # config (required) |
||
| 14 | # autoconf (optional - used by munin-config) |
||
| 15 | # |
||
| 16 | # $Log$ |
||
| 17 | # Revision 1.0 2010/12/23 23:55:01 hirata yoshiyuki |
||
| 18 | # released. |
||
| 19 | # |
||
| 20 | # Magic markers (optional): |
||
| 21 | #%# family=auto |
||
| 22 | #%# capabilities=autoconf |
||
| 23 | # |
||
| 24 | # config example for /etc/munin/plugin-conf.d/munin-node |
||
| 25 | #[sshd_invalid_countries] |
||
| 26 | #user root |
||
| 27 | #group root |
||
| 28 | #env.syslog /var/log/secure |
||
| 29 | #env.geoip /home/you/GeoIP.dat |
||
| 30 | #env.peardir /usr/share/pear/ |
||
| 31 | |||
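/**
 * Read one plugin setting from the environment.
 *
 * munin-node exports every "env.NAME value" line of the plugin's
 * plugin-conf.d entry as the environment variable NAME before running the
 * plugin. getenv() is used rather than $_SERVER[...] because the latter only
 * mirrors the environment when php.ini's variables_order allows it.
 *
 * @param string[] $names   environment variable names to try, in order
 * @param string   $default value used when none of them is set to a
 *                          non-empty string
 * @return string
 */
function sshd_ic_setting(array $names, $default)
{
    foreach ($names as $name) {
        $value = getenv($name);
        if ($value !== false && $value !== '') {
            return $value;
        }
    }
    return $default;
}

// Directory holding the PEAR Net_GeoIP package. The original concatenated the
// value verbatim, so "env.peardir /usr/share/pear" (no trailing slash) produced
// the bogus path "/usr/share/pearNet/GeoIP.php"; normalise to exactly one slash.
$peardir = sshd_ic_setting(array('peardir'), '');
require ($peardir === '' ? '' : rtrim($peardir, '/') . '/') . 'Net/GeoIP.php';

// Log file scanned for sshd messages. The config example in the file header
// documents "env.logfile" while the code only ever read "env.syslog"; both
// names are honoured (documented name first) so either spelling works.
define('SYSLOG', sshd_ic_setting(array('logfile', 'syslog'), '/var/log/secure'));

// MaxMind GeoIP country database in the legacy .dat format that Net_GeoIP
// reads. The default is relative to munin-node's working directory, so in
// practice env.geoip should be an absolute path.
define('GEOIP_DB', sshd_ic_setting(array('geoip'), 'GeoIP.dat'));

// Shell pipeline that prints the peer address of each counted sshd message
// (one per line) from SYSLOG. The awk program is a single-quoted PHP string,
// so the $N field references are literal awk text, not PHP interpolation.
// SYSLOG is an operator-configurable path spliced into a shell command; the
// original inserted it bare, which broke (or could be abused) on a path
// containing whitespace or shell metacharacters, so it is now passed through
// escapeshellarg(). The stray trailing "a" of the original program (a pattern
// rule on an unset variable, i.e. a never-firing no-op) has been dropped.
define('AWK_CMD',
    'awk \'/sshd\[.*Did not receive identification string/{print $12} ' .
    '/sshd\[.*Failed password for (root|ROOT)/{print $11} ' .
    '/sshd\[.*Invalid user/{print $10}\' < ' . escapeshellarg(SYSLOG));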
||
| 39 | |||
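/**
 * Turn a GeoIP country name into a valid munin field name.
 *
 * munin field names may only contain [A-Za-z0-9_] and may not start with a
 * digit. Country names such as "United States", "Korea, Republic of" or
 * "Côte d'Ivoire" violate that, so the original plugin emitted field names
 * munin rejects. The country name itself is still shown via ".label".
 * Two distinct countries collapsing to the same field name is theoretically
 * possible but not expected with the GeoIP country list.
 *
 * @param string $country country name as returned by the GeoIP lookup
 * @return string
 */
function sshd_ic_field_name($country)
{
    $field = preg_replace('/[^A-Za-z0-9_]/', '_', (string) $country);
    $field = preg_replace('/^[^A-Za-z_]/', '_', $field);
    return $field === '' ? '_' : $field;
}

// munin-node runs the plugin with "autoconf", "config", or no argument
// (fetch values). Strict comparison: $argv entries are always strings.
$mode = isset($argv[1]) ? $argv[1] : '';

if ($mode === 'autoconf') {
    // Answer "yes" only if the plugin can actually run: both the log file and
    // the GeoIP database must be readable. The original only checked the log,
    // so autoconf could say "yes" for a plugin that then failed on every run.
    // "no (reason)" is munin's convention for telling the operator why.
    if (!is_readable(SYSLOG)) {
        echo 'no (cannot read ' . SYSLOG . ")\n";
        exit(1);
    }
    if (!is_readable(GEOIP_DB)) {
        echo 'no (cannot read GeoIP database ' . GEOIP_DB . ")\n";
        exit(1);
    }
    echo "yes\n";
    exit(0);
}

if ($mode === 'config') {
    echo 'graph_title SSHD invalid countries from ' . SYSLOG . "\n";
    echo "graph_args --base 1000 -l 0\n";
    echo "graph_vlabel number of invalid access per country\n";
    echo "graph_category security\n";
    echo "graph_info This graph shows the countries of invalid access to sshd.\n";
    // The field set is data-driven: a country becomes a field once it shows
    // up in the log, so config has to scan the log exactly like fetch does.
    foreach (get_sshd_invalid_countries() as $country => $cnt) {
        echo sshd_ic_field_name($country) . '.label ' . $country . "\n";
    }
    exit(0);
}

// Fetch mode: one value line per country, same field names as in config.
foreach (get_sshd_invalid_countries() as $country => $cnt) {
    echo sshd_ic_field_name($country) . '.value ' . $cnt . "\n";
}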
||
| 66 | |||
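/**
 * Count sshd authentication failures recorded in SYSLOG, grouped by country.
 *
 * Three sshd messages are counted — the same ones the original awk pipeline
 * matched:
 *   - "Did not receive identification string from <peer>"
 *   - "Failed password for root from <peer>" (root/ROOT only; failures for
 *     other existing users are deliberately not counted)
 *   - "Invalid user <name> from <peer>"
 *
 * The peer is taken from the "from <peer>" token that sshd itself appends,
 * not from a fixed whitespace-separated field as the original awk program did
 * ($10/$11/$12). Field positions are wrong whenever the attacker-chosen
 * username contains whitespace or is empty ("Invalid user  from 1.2.3.4 port
 * 22" yields the word "port"), and whenever the syslog prefix has a different
 * number of fields (e.g. RFC 3339 timestamps). Parsing in-process also removes
 * the exec()'d shell and the dependency on awk.
 *
 * Net_GeoIP::getInstance() failures (e.g. an unreadable GEOIP_DB) are not
 * caught here, as in the original.
 *
 * @return array<string,int> country name => number of failures, sorted by
 *                           country name; peers whose country cannot be
 *                           resolved are summed under "Unknown". Empty when
 *                           SYSLOG cannot be opened or holds no matches.
 */
function get_sshd_invalid_countries() {
    $countries = array();

    // '@': in CLI mode a PHP warning is printed to stdout and would corrupt
    // the munin protocol; an unreadable log simply yields no data, as before.
    $fh = @fopen(SYSLOG, 'r');
    if ($fh === false) {
        return $countries;
    }

    // Anchored on the "sshd[pid]: " prefix so the syslog header format does
    // not matter. The greedy ".*" in the "Invalid user" branch makes the
    // capture the LAST "from <peer>" on the line — the one sshd appends — even
    // if the (attacker-controlled) username itself contains " from ".
    $pattern = '/sshd\[\d+\]: (?:'
        . 'Did not receive identification string from'
        . '|Failed password for (?:root|ROOT) from'
        . '|Invalid user .* from'
        . ') (\S+)/';

    $hits = array(); // peer address => number of matching lines
    while (($line = fgets($fh)) !== false) {
        if (preg_match($pattern, $line, $m)) {
            $peer = $m[1];
            $hits[$peer] = isset($hits[$peer]) ? $hits[$peer] + 1 : 1;
        }
    }
    fclose($fh);

    if (!$hits) {
        return $countries;
    }

    // One GeoIP lookup per distinct peer, then fold the per-peer counts into
    // per-country totals.
    $geoip = Net_GeoIP::getInstance(GEOIP_DB);
    foreach ($hits as $peer => $cnt) {
        try {
            $country = $geoip->lookupCountryName($peer);
        } catch (Exception $e) {
            $country = null;
        }
        // Net_GeoIP may signal "not found" by an exception or by an empty /
        // non-string result — TODO confirm against the library; both are
        // folded into "Unknown" so no empty key (hence no empty munin field
        // name) is ever produced.
        if (!is_string($country) || $country === '') {
            $country = 'Unknown';
        }
        $countries[$country] = isset($countries[$country]) ? $countries[$country] + $cnt : $cnt;
    }
    ksort($countries);

    return $countries;
}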
