| 1 | 7a37bfb1 | Lars Kruse | #!/usr/bin/env ruby |
| 2 | b0b39b01 | Lars Kruse | |
| 3 | =begin |
||
| 4 | |||
| 5 | aa3ee6dc | Lars Kruse | =head1 NAME |
| 6 | |||
| 7 | sshd_invalid_countries_ruby - Plugin to monitor the number of invalid access to sshd per country |
||
| 8 | |||
| 9 | |||
| 10 | =head1 APPLICABLE SYSTEMS |
||
| 11 | |||
| 12 | =over 4 |
||
| 13 | |||
| 14 | =item Require read permissions for SYSLOG |
||
| 15 | |||
| 16 | ref) ls -l /var/log/secure |
||
| 17 | |||
| 18 | =item Require geoip rubygem |
||
| 19 | |||
| 20 | ref) http://geoip.rubyforge.org/ |
||
| 21 | |||
| 22 | =item Require GeoIP-database for searching ip or host for the country |
||
| 23 | |||
| 24 | ref) http://www.maxmind.com/app/geoip_country |
||
| 25 | |||
| 26 | =back |
||
| 27 | |||
| 28 | |||
| 29 | =head1 AUTHORS |
||
| 30 | |||
| 31 | Copyright (C) 2010 Hirata Yoshiyuki |
||
| 32 | |||
| 33 | |||
| 34 | =head1 CONFIGURATION |
||
| 35 | |||
| 36 | [sshd_invalid_countries_ruby] |
||
| 37 | user root |
||
| 38 | group root |
||
| 39 | env.logfile /var/log/secure |
||
| 40 | env.geoip /home/you/GeoIP.dat |
||
| 41 | env.loadpath /usr/local/lib/ruby/gems/1.9.1/gems/geoip-0.8.8/lib/ |
||
| 42 | |||
| 43 | |||
| 44 | =head1 MAGIC MARKERS |
||
| 45 | |||
| 46 | #%# family=auto |
||
| 47 | #%# capabilities=autoconf |
||
| 48 | b0b39b01 | Lars Kruse | |
| 49 | =end |
||
| 50 | |||
| 51 | aa3ee6dc | Lars Kruse | |
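# The geoip gem may live outside the default load path; env.loadpath lets the
# munin configuration point at its lib/ directory (trailing slash included).
require (ENV['loadpath'] || '') + 'geoip'

# Log file to scan.  The plugin header documents this setting as env.logfile
# while the code has always read env.syslog; accept both, env.syslog first so
# existing configurations keep working.
SYSLOG = ENV['syslog'] || ENV['logfile'] || '/var/log/secure'
# Path to the MaxMind GeoIP country database (env.geoip).
GEOIP_DB = ENV['geoip'] || '/var/www/conf/bbs/GeoIP.dat'
# Shell pipeline printing one source address per matching sshd log line.  The
# awk field numbers assume the classic syslog prefix ("Mon DD HH:MM:SS host
# sshd[pid]: ...") -- TODO confirm against the local log format.
# NOTE: SYSLOG is interpolated unquoted into a shell command line, so it is
# re-parsed by /bin/sh; the log path must come from a trusted munin config.
AWK_CMD = 'awk \'/sshd\[.*Did not receive identification string/{print $12} ' +
          '/sshd\[.*Failed password for (root|ROOT)/{print $11} ' +
          '/sshd\[.*Invalid user/{print $10}a\' < ' + SYSLOG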
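# Collect the source addresses of rejected sshd logins from SYSLOG.
#
# awk is started with an argv array, i.e. without a shell, so the log path is
# handed to awk verbatim instead of being re-parsed by /bin/sh the way the
# AWK_CMD string is.  (A missing awk binary therefore raises Errno::ENOENT
# here rather than yielding an empty result.)  The field numbers assume the
# classic syslog prefix ("Mon DD HH:MM:SS host sshd[pid]: ...") -- TODO
# confirm against the local log format; they shift if the prefix differs.
#
# @return [Array<String>] one address per matching log line
def invalid_access_ips
  program = '/sshd\[.*Did not receive identification string/{print $12} ' \
            '/sshd\[.*Failed password for (root|ROOT)/{print $11} ' \
            '/sshd\[.*Invalid user/{print $10}'
  IO.popen(['awk', program, SYSLOG], 'r') { |io| io.read.split("\n") }
end

# Count rejected sshd logins per country of origin.
#
# Addresses are tallied individually first so each one is resolved only once,
# then the per-address counts are summed per country.  An address whose
# lookup raises, or which resolves to no country (nil), is counted under
# 'Unknown' -- previously a nil country became a nil hash key, which crashed
# the callers that concatenate the key into the munin field name.
#
# @return [Array<Array(String, Integer)>] [country, count] pairs sorted by
#   country.  The key is used directly as the munin field name by the callers;
#   presumably element 5 of GeoIP#country is the country name, so names with
#   spaces or punctuation would not form a valid field name -- verify against
#   the geoip gem version in use.
def getInvalids
  per_ip = invalid_access_ips.each_with_object(Hash.new(0)) { |ip, h| h[ip] += 1 }
  geoip = GeoIP.new(GEOIP_DB)
  per_country = Hash.new(0)
  per_ip.each do |ip, cnt|
    country = begin
      geoip.country(ip)[5]
    rescue StandardError
      nil # unresolvable address or lookup error: counted as Unknown below
    end
    per_country[country || 'Unknown'] += cnt
  end
  per_country.sort_by { |country, _cnt| country }
end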
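# Munin entry point: dispatch on the requested action (autoconf, config, or
# the default fetch of values).
case ARGV[0]
when 'autoconf'
  # Report 'yes' only if the log file can actually be opened for reading.
  # File.open is used rather than Kernel#open: the latter treats a path
  # beginning with '|' as a command to spawn, which a log path never needs.
  # The block form also closes the handle instead of leaking it.
  begin
    File.open(SYSLOG, 'r') {}
  rescue StandardError
    puts 'no'
    exit 0
  else
    puts 'yes'
    exit 0
  end
when 'config'
  puts 'graph_title SSHD invalid countries from ' + SYSLOG
  puts 'graph_args --base 1000 -l 0'
  puts 'graph_vlabel number of invalid access per country'
  puts 'graph_category security'
  puts 'graph_info This graph shows the countries of invalid access to sshd.'
  # One field per country; the country key is both field name and label.
  getInvalids.each { |k, _v| puts k + '.label ' + k }
  exit 0
else
  # Default action: emit the current per-country counts.
  getInvalids.each { |k, v| puts k + '.value ' + v.to_s }
end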
