#!/usr/bin/env ruby |
=begin |
Plugin to monitor the number of invalid accesses to sshd, per country
Requires read permission on SYSLOG
ref) ls -l /var/log/secure |
Requires the geoip rubygem
ref) http://geoip.rubyforge.org/ |
Requires a GeoIP database to look up the country of an IP or host
ref) http://www.maxmind.com/app/geoip_country |
Parameters: |
config (required) |
autoconf (optional - used by munin-config) |
$Log$ |
Revision 1.0 2010/12/25 11:56:12 hirata yoshiyuki |
released. |
Magic markers (optional):
#%# family=auto |
#%# capabilities=autoconf |
Config example for /etc/munin/plugin-conf.d/munin-node:
[sshd_invalid_countries_ruby] |
user root |
group root |
env.logfile /var/log/secure |
env.geoip /home/you/GeoIP.dat |
env.loadpath /usr/local/lib/ruby/gems/1.9.1/gems/geoip-0.8.8/lib/ |
=end |
require 'shellwords'
require (ENV['loadpath'] || '') + 'geoip'
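# Path of the syslog file that holds the sshd messages. The config example in
# the header sets env.logfile, but this code previously read only env.syslog,
# so a config written from the header was silently ignored; both names are
# honoured now and existing munin-node configs keep working.
SYSLOG = ENV['logfile'] || ENV['syslog'] || '/var/log/secure'

# Path of the MaxMind GeoIP country database (env.geoip).
GEOIP_DB = ENV['geoip'] || '/var/www/conf/bbs/GeoIP.dat'

# Shell command that prints the source address of every sshd line recording a
# rejected connection attempt. The field numbers ($12 / $11 / $10) assume the
# usual "Mon dd HH:MM:SS host sshd[pid]: message" syslog layout — TODO confirm
# against the target log format: any extra whitespace earlier in the line
# (e.g. inside a logged user name) shifts the field that gets printed.
# The log path is shell-escaped so a path containing spaces or shell
# metacharacters reaches the redirection intact. The previous program text
# ended in a stray bare pattern `a` (an unset awk variable, never true); it
# printed nothing and is dropped here.
AWK_CMD = "awk '" \
          '/sshd\[.*Did not receive identification string/{print $12} ' \
          '/sshd\[.*Failed password for (root|ROOT)/{print $11} ' \
          '/sshd\[.*Invalid user/{print $10}' \
          "' < #{Shellwords.escape(SYSLOG)}"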
# Counts rejected sshd connection attempts per country.
#
# Runs AWK_CMD (which prints the source address of each matching syslog line),
# tallies how many lines each address produced, resolves every address with
# the GeoIP database and sums the per-address counts under the resolved
# country. Whatever the lookup cannot handle (unresolvable or blank address,
# nil result, ...) is counted under 'Unknown'.
#
# @return [Array<Array(String, Integer)>] [country, count] pairs sorted by
#   country
def getInvalids
  hits_per_address = `#{AWK_CMD}`.split("\n").each_with_object(Hash.new(0)) do |address, tally|
    tally[address] += 1
  end

  resolver = GeoIP.new(GEOIP_DB)
  hits_per_country = Hash.new(0)
  hits_per_address.each do |address, hits|
    label = begin
      # element 5 of the lookup result is used as the country label — assumed
      # to be the country name; confirm against the geoip gem in use
      resolver.country(address)[5]
    rescue
      'Unknown'
    end
    hits_per_country[label] += hits
  end

  hits_per_country.sort_by { |country, _hits| country }
end
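# Munin plugin entry point: dispatch on the first command-line argument.
#   autoconf -> 'yes' when SYSLOG can be read, 'no' otherwise (exit 0 either way)
#   config   -> graph definition plus one .label line per country
#   (none)   -> one .value line per country
case ARGV[0]
when 'autoconf'
  # The plugin only needs read access to SYSLOG. File.readable? answers that
  # without leaving an open file handle behind (the earlier open() was never
  # closed) and, unlike Kernel#open, never treats a leading '|' in the
  # configured path as a command to run.
  puts File.readable?(SYSLOG) ? 'yes' : 'no'
  exit 0
when 'config'
  puts "graph_title SSHD invalid countries from #{SYSLOG}"
  puts 'graph_args --base 1000 -l 0'
  puts 'graph_vlabel number of invalid access per country'
  puts 'graph_category security'
  puts 'graph_info This graph shows the countries of invalid access to sshd.'
  # NOTE(review): the country string doubles as the munin field name, and munin
  # restricts field names to [A-Za-z_][A-Za-z0-9_]*; a value containing spaces
  # or punctuation would need sanitizing — confirm what getInvalids returns as
  # the key.
  getInvalids.each { |country, _count| puts "#{country}.label #{country}" }
  exit 0
else
  getInvalids.each { |country, count| puts "#{country}.value #{count}" }
end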
