#!/usr/bin/php
<?php
# Plugin to monitor the number of invalid access attempts to sshd per country
#
# Requires read permission for SYSLOG
# ref) ls -l /var/log/secure
# Requires the PEAR library Net_GeoIP
# ref) http://pear.php.net/package/Net_GeoIP/redirected
# Requires a GeoIP database to find out the geolocation of an IP or host
# ref) http://www.maxmind.com/app/geoip_country
#
# Parameters:
# config (required)
# autoconf (optional - used by munin-config)
#
# $Log$
# Revision 1.0 2010/12/23 23:55:01 hirata yoshiyuki
# released.
#
# Magic markers (optional):
#%# family=auto
#%# capabilities=autoconf
#
# config example for /etc/munin/plugin-conf.d/munin-node
#[sshd_invalid_countries]
#user root
#group root
#env.logfile /var/log/secure
# (note: the code below looks this setting up as env.syslog)
#env.geoip /home/you/GeoIP.dat
#env.peardir /usr/share/pear/
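// Load PEAR Net_GeoIP. `env.peardir` (set by the munin-node plugin config,
// i.e. by the administrator) names the PEAR root; when it is empty or unset
// the include_path is used. A trailing slash is normalised so that
// "/usr/share/pear" and "/usr/share/pear/" both work.
$sshd_peardir = isset($_SERVER['peardir']) && $_SERVER['peardir'] !== ''
    ? rtrim($_SERVER['peardir'], '/') . '/'
    : '';
require $sshd_peardir . 'Net/GeoIP.php';
unset($sshd_peardir);
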
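// Log file to scan. munin-node hands plugin settings over as environment
// variables; `env.syslog` is what this plugin has always read, and
// `env.logfile` (the name used in the header's config example) is accepted
// as a fallback so the documented example works too.
$sshd_logfile = '/var/log/secure';
if (isset($_SERVER['syslog']) && $_SERVER['syslog'] !== '') {
    $sshd_logfile = $_SERVER['syslog'];
} elseif (isset($_SERVER['logfile']) && $_SERVER['logfile'] !== '') {
    $sshd_logfile = $_SERVER['logfile'];
}
define('SYSLOG', $sshd_logfile);
unset($sshd_logfile);

// Path of the MaxMind country database handed to Net_GeoIP::getInstance().
define('GEOIP_DB', isset($_SERVER['geoip']) && $_SERVER['geoip'] !== '' ? $_SERVER['geoip'] : 'GeoIP.dat');

// Shell command that prints the source-address field of the three sshd log
// lines of interest. The log path is passed through escapeshellarg() so a
// path containing spaces or shell metacharacters cannot change the command
// that exec() runs. The field numbers appear to assume the classic
// "Mon DD HH:MM:SS host sshd[pid]: ..." syslog layout — verify against the
// local log format. (A stray "a" after the last awk action was dropped: as a
// bare pattern on an unset variable it never matched and printed nothing.)
define('AWK_CMD', 'awk \'/sshd\[.*Did not receive identification string/{print $12} ' .
    '/sshd\[.*Failed password for (root|ROOT)/{print $11} ' .
    '/sshd\[.*Invalid user/{print $10}\' < ' . escapeshellarg(SYSLOG));
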
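/**
 * Convert a country name into a munin field name.
 *
 * munin field names are restricted to [A-Za-z0-9_] and must not start with a
 * digit, while GeoIP returns names such as "United States" or
 * "Korea, Republic of"; printing those verbatim in front of ".label" /
 * ".value" yields lines munin cannot parse. The human-readable country name
 * is still used as the label text.
 *
 * @param string $country country name as returned by Net_GeoIP (or 'Unknown')
 * @return string         field name safe to put before ".label" / ".value"
 */
function sshd_invalid_fieldname($country) {
    $field = (string) preg_replace('/[^A-Za-z0-9_]/', '_', $country);
    if ($field === '' || preg_match('/^[0-9]/', $field)) {
        $field = '_' . $field;
    }
    return $field;
}

// Mode requested by munin-node: 'autoconf', 'config', or nothing for a fetch.
$sshd_mode = isset($argv[1]) ? $argv[1] : '';

if ($sshd_mode === 'autoconf') {
    // munin expects "yes" or "no (reason)"; the reason tells the admin what
    // to fix (permissions or the GeoIP path) without reading the source.
    if (!is_readable(SYSLOG)) {
        echo 'no (' . SYSLOG . " is not readable)\n";
        exit(1);
    }
    if (!is_readable(GEOIP_DB)) {
        echo 'no (GeoIP database ' . GEOIP_DB . " is not readable)\n";
        exit(1);
    }
    echo "yes\n";
    exit(0);
}

if ($sshd_mode === 'config') {
    echo 'graph_title SSHD invalid countries from ' . SYSLOG . "\n";
    echo 'graph_args --base 1000 -l 0' . "\n";
    echo 'graph_vlabel number of invalid access per country' . "\n";
    echo 'graph_category security' . "\n";
    echo 'graph_info This graph shows the countries of invalid access to sshd.' . "\n";
    // One field per country; the sanitised name is the field, the raw name the label.
    foreach (array_keys(get_sshd_invalid_countries()) as $country) {
        echo sshd_invalid_fieldname($country) . '.label ' . $country . "\n";
    }
    exit(0);
}

// Fetch: one value line per country, using the same field names as 'config'.
foreach (get_sshd_invalid_countries() as $country => $cnt) {
    echo sshd_invalid_fieldname($country) . '.value ' . $cnt . "\n";
}
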
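/**
 * Count invalid sshd access attempts per country.
 *
 * Runs AWK_CMD over SYSLOG, resolves every distinct source token with
 * Net_GeoIP and sums the per-token hit counts under the country name.
 * Tokens whose lookup throws, or for which Net_GeoIP returns no usable
 * name, are counted under 'Unknown'.
 *
 * @return array<string, int> country name => number of attempts, sorted by
 *                            country name; empty when the awk command fails
 */
function get_sshd_invalid_countries() {
    $countries = array();

    // Initialise both out-parameters: if exec() itself cannot run (e.g. the
    // function is disabled) they would otherwise stay undefined.
    $wholeips = array();
    $ret = 1;
    exec(AWK_CMD, $wholeips, $ret);

    // A failing awk/shell (missing or unreadable log) yields no data rather
    // than a partially filled graph.
    if ($ret !== 0) return $countries;

    // Resolve each distinct token once, then weight it by its occurrence count.
    // NOTE(review): the awk fields may hold a hostname rather than an IP on
    // some syslog setups — whether Net_GeoIP resolves those is up to the library.
    $uniqueips = array_count_values($wholeips);
    $GeoIP = Net_GeoIP::getInstance(GEOIP_DB);
    foreach ($uniqueips as $ip => $cnt) {
        try {
            $country = $GeoIP->lookupCountryName($ip);
        } catch (Exception $e) {
            $country = null;
        }
        // NOTE(review): addresses outside the database appear to come back as
        // an empty/false name; fold those into 'Unknown' so no empty field
        // name ever reaches munin — confirm against the Net_GeoIP version in use.
        if (!is_string($country) || $country === '') {
            $country = 'Unknown';
        }
        $countries[$country] = isset($countries[$country]) ? $countries[$country] + $cnt : $cnt;
    }
    ksort($countries);

    return $countries;
}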
