root / plugins / ssh / sshd_invalid_countries_ruby @ b0b39b01
Historique | Voir | Annoter | Télécharger (2,14 ko)
| 1 | 7a37bfb1 | Lars Kruse | #!/usr/bin/env ruby |
|---|---|---|---|
| 2 | b0b39b01 | Lars Kruse | |
| 3 | =begin |
||
| 4 | |||
| 5 | Plugin to monitor the number of invalid access to sshd per country |
||
| 6 | |||
| 7 | Require read permissions for SYSLOG |
||
| 8 | ref) ls -l /var/log/secure |
||
| 9 | Require geoip rubygem |
||
| 10 | ref) http://geoip.rubyforge.org/ |
||
| 11 | Require GeoIP-database for searching ip or host for the country |
||
| 12 | ref) http://www.maxmind.com/app/geoip_country |
||
| 13 | |||
| 14 | Parameters: |
||
| 15 | config (required) |
||
| 16 | autoconf (optional - used by munin-config) |
||
| 17 | |||
| 18 | $Log$ |
||
| 19 | Revision 1.0 2010/12/25 11:56:12 hirata yoshiyuki |
||
| 20 | released. |
||
| 21 | |||
| 22 | Magick markers (optional): |
||
| 23 | df3e12eb | Hirata Yoshiyuki | #%# family=auto |
| 24 | #%# capabilities=autoconf |
||
| 25 | b0b39b01 | Lars Kruse | |
| 26 | config example for /etc/munin/plugin-conf.d/munin-node |
||
| 27 | [sshd_invalid_countries_ruby] |
||
| 28 | user root |
||
| 29 | group root |
||
| 30 | env.logfile /var/log/secure |
||
| 31 | env.geoip /home/you/GeoIP.dat |
||
| 32 | env.loadpath /usr/local/lib/ruby/gems/1.9.1/gems/geoip-0.8.8/lib/ |
||
| 33 | |||
| 34 | =end |
||
| 35 | |||
| 36 | df3e12eb | Hirata Yoshiyuki | |
| 37 | require (ENV['loadpath'] || '') + 'geoip' |
||
| 38 | |||
| 39 | SYSLOG = ENV['syslog'] || '/var/log/secure' |
||
| 40 | GEOIP_DB = ENV['geoip'] || '/var/www/conf/bbs/GeoIP.dat' |
||
| 41 | AWK_CMD = 'awk \'/sshd\[.*Did not receive identification string/{print $12} ' +
|
||
| 42 | b0b39b01 | Lars Kruse | '/sshd\[.*Failed password for (root|ROOT)/{print $11} ' +
|
| 43 | '/sshd\[.*Invalid user/{print $10}a\' < ' + SYSLOG
|
||
| 44 | df3e12eb | Hirata Yoshiyuki | |
| 45 | def getInvalids |
||
| 46 | b0b39b01 | Lars Kruse | c = {}
|
| 47 | df3e12eb | Hirata Yoshiyuki | wholeips = `#{AWK_CMD}`.split("\n")
|
| 48 | uniqueips = wholeips.inject({}) do |hash, key|
|
||
| 49 | hash.include?(key) ? hash[key] += 1 : hash[key] = 1; |
||
| 50 | hash |
||
| 51 | end |
||
| 52 | geoip = GeoIP.new(GEOIP_DB) |
||
| 53 | b0b39b01 | Lars Kruse | uniqueips.each do |ip, cnt| |
| 54 | df3e12eb | Hirata Yoshiyuki | begin |
| 55 | country = geoip.country(ip)[5] |
||
| 56 | c[country] = c[country] ? c[country] + cnt : cnt |
||
| 57 | rescue |
||
| 58 | c['Unknown'] = c['Unknown'] ? c['Unknown'] + cnt : cnt |
||
| 59 | end |
||
| 60 | end |
||
| 61 | b0b39b01 | Lars Kruse | c = c.to_a.sort { |a, b| a[0] <=> b[0] }
|
| 62 | df3e12eb | Hirata Yoshiyuki | c |
| 63 | end |
||
| 64 | |||
| 65 | case ARGV[0] |
||
| 66 | when 'autoconf' |
||
| 67 | begin |
||
| 68 | fh = open(SYSLOG, 'r') |
||
| 69 | rescue |
||
| 70 | puts 'no' |
||
| 71 | e4cd049b | Lars Kruse | exit 0 |
| 72 | df3e12eb | Hirata Yoshiyuki | else |
| 73 | puts 'yes' |
||
| 74 | exit 0 |
||
| 75 | end |
||
| 76 | when 'config' |
||
| 77 | puts 'graph_title SSHD invalid countries from ' + SYSLOG |
||
| 78 | puts 'graph_args --base 1000 -l 0' |
||
| 79 | puts 'graph_vlabel number of invalid access per country' |
||
| 80 | 3a6fdce8 | dipohl | puts 'graph_category security' |
| 81 | df3e12eb | Hirata Yoshiyuki | puts 'graph_info This graph shows the countries of invalid access to sshd.' |
| 82 | b0b39b01 | Lars Kruse | getInvalids.each { |k, v| puts k + '.label ' + k }
|
| 83 | df3e12eb | Hirata Yoshiyuki | exit 0 |
| 84 | else |
||
| 85 | b0b39b01 | Lars Kruse | getInvalids.each { |k, v| puts k + '.value ' + v.to_s }
|
| 86 | df3e12eb | Hirata Yoshiyuki | end |