Révision 63535d04
Initial version
| plugins/other/sshd_invalid_countries | ||
|---|---|---|
| 1 |
#!/usr/bin/php |
|
| 2 |
<?php |
|
| 3 |
# Plugin to monitor the number of invalid access to sshd per country |
|
| 4 |
# |
|
| 5 |
# Require read permitions for SYSLOG |
|
| 6 |
# ref) ls -l /var/log/secure |
|
| 7 |
# Require PEAR library Net_GeoIP |
|
| 8 |
# ref) http://pear.php.net/package/Net_GeoIP/redirected |
|
| 9 |
# Require GeoIP-database to find out the geolocation from ip or host |
|
| 10 |
# ref) http://www.maxmind.com/app/geoip_country |
|
| 11 |
# |
|
| 12 |
# Parameters: |
|
| 13 |
# config (required) |
|
| 14 |
# autoconf (optional - used by munin-config) |
|
| 15 |
# |
|
| 16 |
# $Log$ |
|
| 17 |
# Revision 1.0 2010/12/23 23:55:01 hirata yoshiyuki |
|
| 18 |
# released. |
|
| 19 |
# |
|
| 20 |
# Magick markers (optional): |
|
| 21 |
#%# family=auto |
|
| 22 |
#%# capabilities=autoconf |
|
| 23 |
# |
|
| 24 |
# config example for /etc/munin/plugin-conf.d/munin-node |
|
| 25 |
#[sshd_invalid_countries] |
|
| 26 |
#user root |
|
| 27 |
#group root |
|
| 28 |
#env.logfile /var/log/secure |
|
| 29 |
#env.geoip /home/you/GeoIP.dat |
|
| 30 |
#env.peardir /usr/share/pear/ |
|
| 31 |
|
|
| 32 |
require (isset($_SERVER['peardir']) && $_SERVER['peardir'] != '' ? $_SERVER['peardir'] : '') . 'Net/GeoIP.php'; |
|
| 33 |
|
|
| 34 |
define('SYSLOG', isset($_SERVER['syslog']) && $_SERVER['syslog'] != '' ? $_SERVER['syslog'] : '/var/log/secure');
|
|
| 35 |
define('GEOIP_DB', isset($_SERVER['geoip']) && $_SERVER['geoip'] != '' ? $_SERVER['geoip'] : 'GeoIP.dat');
|
|
| 36 |
define('AWK_CMD', 'awk \'/sshd\[.*Did not receive identification string/{print $12} ' .
|
|
| 37 |
'/sshd\[.*Failed password for (root|ROOT)/{print $11} ' .
|
|
| 38 |
'/sshd\[.*Invalid user/{print $10}a\' < ' . SYSLOG);
|
|
| 39 |
|
|
| 40 |
if (isset($argv[1]) && $argv[1] == 'autoconf') {
|
|
| 41 |
$fh = @fopen(SYSLOG, 'r'); |
|
| 42 |
if ($fh) {
|
|
| 43 |
echo "yes\n"; |
|
| 44 |
fclose($fh); |
|
| 45 |
exit(0); |
|
| 46 |
} else {
|
|
| 47 |
echo "no\n"; |
|
| 48 |
exit(1); |
|
| 49 |
} |
|
| 50 |
} |
|
| 51 |
if (isset($argv[1]) && $argv[1] == 'config') {
|
|
| 52 |
echo 'graph_title SSHD invalid countries from ' . SYSLOG . "\n"; |
|
| 53 |
echo 'graph_args --base 1000 -l 0' . "\n"; |
|
| 54 |
echo 'graph_vlabel number of invalid access per country' . "\n"; |
|
| 55 |
echo 'graph_category system' . "\n"; |
|
| 56 |
echo 'graph_info This graph shows the countries of invalid access to sshd.' . "\n"; |
|
| 57 |
foreach (get_sshd_invalid_countries() as $country => $cnt) {
|
|
| 58 |
echo $country . '.label ' . $country . "\n"; |
|
| 59 |
} |
|
| 60 |
exit(0); |
|
| 61 |
} |
|
| 62 |
|
|
| 63 |
foreach (get_sshd_invalid_countries() as $country => $cnt) {
|
|
| 64 |
echo $country . '.value ' . $cnt . "\n"; |
|
| 65 |
} |
|
| 66 |
|
|
| 67 |
function get_sshd_invalid_countries() {
|
|
| 68 |
$countries = array(); |
|
| 69 |
exec(AWK_CMD, $wholeips, $ret); |
|
| 70 |
|
|
| 71 |
if ($ret != 0) return $countries; |
|
| 72 |
|
|
| 73 |
$uniqueips = array_count_values($wholeips); |
|
| 74 |
$GeoIP = Net_GeoIP::getInstance(GEOIP_DB); |
|
| 75 |
foreach ($uniqueips as $ip => $cnt) {
|
|
| 76 |
try {
|
|
| 77 |
$country = $GeoIP->lookupCountryName($ip); |
|
| 78 |
$countries[$country] = isset($countries[$country]) ? $countries[$country] + $cnt : $cnt; |
|
| 79 |
} catch (Exception $e) {
|
|
| 80 |
$countries['Unknown'] = isset($countries['Unknown']) ? $countries['Unknown'] + $cnt : $cnt; |
|
| 81 |
} |
|
| 82 |
} |
|
| 83 |
ksort($countries); |
|
| 84 |
|
|
| 85 |
return $countries; |
|
| 86 |
} |
|
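Review bot: The configuration documented in the header (`#env.logfile /var/log/secure`) is never read: the SYSLOG constant is taken from `$_SERVER['syslog']`, so a node configured as documented silently falls back to the default path; either read `$_SERVER['logfile']` in the define on line 34 or change the header comment to `#env.syslog`. SYSLOG is then concatenated unquoted into the shell command string that exec() runs, so a configured path containing whitespace or shell metacharacters breaks or alters the command; ending AWK_CMD with `'/sshd\[.*Invalid user/{print $10}\' < ' . escapeshellarg(SYSLOG)` also drops the stray `a` before the closing quote of the awk program. The values returned by lookupCountryName presumably contain spaces and punctuation (multi-word country names), which are not valid munin field names, so the `.label` and `.value` lines should key on a sanitised form such as `preg_replace('/[^A-Za-z0-9_]/', '_', $country)` or on the country code instead. A short comment above AWK_CMD stating that the awk field numbers assume the default syslog line format of the documented log file would help the next maintainer.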