root / plugins / ssh / sshd_invalid_countries_ruby @ 17f78427
Historique | Voir | Annoter | Télécharger (2,17 ko)
| 1 |
#!/usr/bin/env ruby |
|---|---|
| 2 |
# Plugin to monitor the number of invalid access to sshd per country |
| 3 |
# |
| 4 |
# Require read permitions for SYSLOG |
| 5 |
# ref) ls -l /var/log/secure |
| 6 |
# Require geoip rubygem |
| 7 |
# ref) http://geoip.rubyforge.org/ |
| 8 |
# Require GeoIP-database for searching ip or host for the country |
| 9 |
# ref) http://www.maxmind.com/app/geoip_country |
| 10 |
# |
| 11 |
# Parameters: |
| 12 |
# config (required) |
| 13 |
# autoconf (optional - used by munin-config) |
| 14 |
# |
| 15 |
# $Log$ |
| 16 |
# Revision 1.0 2010/12/25 11:56:12 hirata yoshiyuki |
| 17 |
# released. |
| 18 |
# |
| 19 |
# Magick markers (optional): |
| 20 |
#%# family=auto |
| 21 |
#%# capabilities=autoconf |
| 22 |
# |
| 23 |
# config example for /etc/munin/plugin-conf.d/munin-node |
| 24 |
#[sshd_invalid_countries_ruby] |
| 25 |
#user root |
| 26 |
#group root |
| 27 |
#env.logfile /var/log/secure |
| 28 |
#env.geoip /home/you/GeoIP.dat |
| 29 |
#env.loadpath /usr/local/lib/ruby/gems/1.9.1/gems/geoip-0.8.8/lib/ |
| 30 |
|
| 31 |
require (ENV['loadpath'] || '') + 'geoip' |
| 32 |
|
| 33 |
SYSLOG = ENV['syslog'] || '/var/log/secure' |
| 34 |
GEOIP_DB = ENV['geoip'] || '/var/www/conf/bbs/GeoIP.dat' |
| 35 |
AWK_CMD = 'awk \'/sshd\[.*Did not receive identification string/{print $12} ' +
|
| 36 |
'/sshd\[.*Failed password for (root|ROOT)/{print $11} ' +
|
| 37 |
'/sshd\[.*Invalid user/{print $10}a\' < ' + SYSLOG
|
| 38 |
|
| 39 |
def getInvalids |
| 40 |
c={}
|
| 41 |
wholeips = `#{AWK_CMD}`.split("\n")
|
| 42 |
uniqueips = wholeips.inject({}) do |hash, key|
|
| 43 |
hash.include?(key) ? hash[key] += 1 : hash[key] = 1; |
| 44 |
hash |
| 45 |
end |
| 46 |
geoip = GeoIP.new(GEOIP_DB) |
| 47 |
uniqueips.each do |ip,cnt| |
| 48 |
begin |
| 49 |
country = geoip.country(ip)[5] |
| 50 |
c[country] = c[country] ? c[country] + cnt : cnt |
| 51 |
rescue |
| 52 |
c['Unknown'] = c['Unknown'] ? c['Unknown'] + cnt : cnt |
| 53 |
end |
| 54 |
end |
| 55 |
c = c.to_a.sort {|a,b| a[0] <=> b[0]}
|
| 56 |
c |
| 57 |
end |
| 58 |
|
| 59 |
case ARGV[0] |
| 60 |
when 'autoconf' |
| 61 |
begin |
| 62 |
fh = open(SYSLOG, 'r') |
| 63 |
rescue |
| 64 |
puts 'no' |
| 65 |
exit 1 |
| 66 |
else |
| 67 |
puts 'yes' |
| 68 |
exit 0 |
| 69 |
end |
| 70 |
when 'config' |
| 71 |
puts 'graph_title SSHD invalid countries from ' + SYSLOG |
| 72 |
puts 'graph_args --base 1000 -l 0' |
| 73 |
puts 'graph_vlabel number of invalid access per country' |
| 74 |
puts 'graph_category security' |
| 75 |
puts 'graph_info This graph shows the countries of invalid access to sshd.' |
| 76 |
getInvalids.each {|k,v| puts k + '.label ' + k}
|
| 77 |
exit 0 |
| 78 |
else |
| 79 |
getInvalids.each {|k,v| puts k + '.value ' + v.to_s}
|
| 80 |
end |