#!/usr/bin/env ruby
=begin

=head1 NAME

sshd_invalid_countries_ruby - Plugin to monitor the number of invalid access attempts to sshd, grouped by the country of the source address
| 8 |
|
| 9 |
|
| 10 |
=head1 APPLICABLE SYSTEMS

=over 4
=item Requires read permission on the sshd log file (SYSLOG); this is the only reason the plugin is usually run as root

ref) ls -l /var/log/secure
=item Requires the geoip rubygem (gem install geoip)

ref) http://geoip.rubyforge.org/
=item Requires a MaxMind GeoIP country database (legacy GeoIP.dat format) for resolving source addresses to countries

ref) http://www.maxmind.com/app/geoip_country
=back
=head1 AUTHORS

Copyright (C) 2010 Hirata Yoshiyuki
=head1 CONFIGURATION

[sshd_invalid_countries_ruby]
user root
group root
env.logfile /var/log/secure
env.geoip /home/you/GeoIP.dat
env.loadpath /usr/local/lib/ruby/gems/1.9.1/gems/geoip-0.8.8/lib/

Notes: root is only needed to read the log file; prefer a less privileged
user/group that already has read access to it (see the group shown by
ls -l). Older versions of this plugin read the log path from env.syslog
instead of env.logfile; setting both names is harmless. env.loadpath is
concatenated with "geoip" verbatim, so it must end with a slash. The log
path is passed to a shell command, so these settings must only come from
the administrator's plugin configuration.
=head1 MAGIC MARKERS

#%# family=auto
#%# capabilities=autoconf
=end
require 'ipaddr'
require 'shellwords'
require (ENV['loadpath'] || '') + 'geoip'
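# Path of the log file that receives sshd's auth messages. The documented
# plugin setting is env.logfile; env.syslog is still honoured because the
# code previously read only that name (and the documented one was ignored).
SYSLOG = ENV['logfile'] || ENV['syslog'] || '/var/log/secure'

# Path of the MaxMind country database (legacy GeoIP.dat format).
GEOIP_DB = ENV['geoip'] || '/var/www/conf/bbs/GeoIP.dat'

# awk program printing one source-address token per failed/invalid sshd event.
# The field numbers assume the classic syslog layout
# "Mon DD HH:MM:SS host sshd[pid]: message ...":
#   sshd[1]: Did not receive identification string from A.B.C.D   -> $12
#   sshd[1]: Failed password for root from A.B.C.D port N ssh2     -> $11
#   sshd[1]: Invalid user NAME from A.B.C.D                        -> $10
# Other layouts (high-precision timestamps, journald exports) shift the fields
# and produce tokens that are not addresses; the consumer must tolerate that.
# Only root's failed passwords are counted -- presumably to ignore ordinary
# users' typos and to avoid double counting "Failed password for invalid
# user" lines, which are already covered by the "Invalid user" rule
# (TODO confirm). Must not contain a single quote: it is embedded in '...'.
AWK_PROGRAM = '/sshd\[.*Did not receive identification string/{print $12} ' \
              '/sshd\[.*Failed password for (root|ROOT)/{print $11} ' \
              '/sshd\[.*Invalid user/{print $10}'

# Complete shell command. SYSLOG comes from the plugin environment and is
# shell-escaped so that spaces or metacharacters in the path cannot break or
# alter the command line.
AWK_CMD = "awk '#{AWK_PROGRAM}' < #{Shellwords.escape(SYSLOG)}"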
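# Tallies failed/invalid sshd access attempts per country of the source
# address.
#
# Runs AWK_CMD over SYSLOG, counts how often each token (source address)
# appears, resolves every distinct token once through the GeoIP database at
# GEOIP_DB and sums the per-address counts per country.
#
# Returns an Array of [country, count] pairs sorted by country name. Tokens
# that cannot be resolved -- not an IP address, a lookup that raises, or a
# lookup that yields no country name -- are summed under 'Unknown' (a nil
# name would otherwise reach the caller, which builds munin fields from it).
#
# Security note: the tokens are cut out of log lines that a remote client
# influences (e.g. the username in "Invalid user NAME from ..."), so a
# crafted line can shift the awk fields and yield an arbitrary string. Only
# tokens that parse as an IPv4/IPv6 address are handed to the geoip library;
# its country() also accepts host names, presumably resolving them via DNS
# (TODO confirm), which we do not want to trigger on attacker-chosen input.
#
# Raises whatever GeoIP.new raises when the database cannot be opened.
def getInvalids
  output = `#{AWK_CMD}`
  # A failing awk (unreadable log, missing binary) silently yields an empty
  # graph; report it on stderr so the operator can tell it from "no attacks".
  warn "#{$PROGRAM_NAME}: #{AWK_CMD} failed: #{$?}" unless $?.success?

  hits_per_token = Hash.new(0)
  output.split("\n").each { |token| hits_per_token[token] += 1 }

  geoip = GeoIP.new(GEOIP_DB)
  per_country = Hash.new(0)
  hits_per_token.each do |token, hits|
    per_country[country_of(geoip, token)] += hits
  end
  per_country.sort_by { |country, _hits| country }
end

# Resolves one log token to a country name via +geoip+; 'Unknown' when the
# token is not an address, the lookup fails, or no name comes back.
def country_of(geoip, token)
  IPAddr.new(token) # raises unless token is a literal IPv4/IPv6 address
  name = geoip.country(token)[5] # index 5: country name in the gem's result array
  (name.nil? || name.empty?) ? 'Unknown' : name
rescue StandardError
  'Unknown'
end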
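# Turns a country name into a legal munin field name. Munin field names may
# only contain [A-Za-z0-9_], whereas the names getInvalids returns can contain
# spaces or punctuation; the human-readable label keeps the original text.
def munin_field_name(country)
  country.gsub(/[^A-Za-z0-9_]/, '_')
end

# Munin plugin entry point: autoconf / config / fetch (any other argument).
case ARGV[0]
when 'autoconf'
  # Give the reason ("no (reason)" is the munin convention) instead of a bare
  # "no". File.open is used rather than Kernel#open, which would run a
  # command if the configured path started with "|".
  begin
    File.open(SYSLOG, 'r') { |f| f.read(1) } # readability probe; auto-closed
  rescue StandardError => e
    puts "no (cannot read #{SYSLOG}: #{e.message})"
    exit 0
  end
  # The GeoIP database is a hard requirement too (see APPLICABLE SYSTEMS).
  unless File.readable?(GEOIP_DB)
    puts "no (GeoIP database #{GEOIP_DB} is not readable)"
    exit 0
  end
  puts 'yes'
  exit 0
when 'config'
  puts "graph_title SSHD invalid countries from #{SYSLOG}"
  puts 'graph_args --base 1000 -l 0'
  puts 'graph_vlabel number of invalid access per country'
  puts 'graph_category security'
  puts 'graph_info This graph shows the countries of invalid access to sshd.'
  # The field set is dynamic: one field per country currently present in the log.
  getInvalids.each { |country, _count| puts "#{munin_field_name(country)}.label #{country}" }
  exit 0
else
  getInvalids.each { |country, count| puts "#{munin_field_name(country)}.value #{count}" }
end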
