[Debian] monitor sshd auth.log
HotBurek ::
Pozdravljeni.
Za namen monitoringa sshd na strežniku sem spisal skripto. Sprva pogleda in izpiše obstoječe loge, potem pa v loop-u bere za novimi vnosi. Prebere vse vrstice znotraj istega dne.
V primeru napačnega gesla se lahko izvede ukaz za "ip ban" (blokado IP-ja). Hkrati se IP-ji shranjujejo v datoteko iplist.txt.
V seznam safesource se vnesejo "varni IP-ji", ki se nikoli ne blokirajo.
print screen
koda
Za namen monitoringa sshd na strežniku sem spisal skripto. Sprva pogleda in izpiše obstoječe loge, potem pa v loop-u bere za novimi vnosi. Prebere vse vrstice znotraj istega dne.
V primeru napačnega gesla se lahko izvede ukaz za "ip ban" (blokado IP-ja). Hkrati se IP-ji shranjujejo v datoteko iplist.txt.
V seznam safesource se vnesejo "varni IP-ji", ki se nikoli ne blokirajo.
print screen
koda
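#!/usr/bin/python3.4
"""Follow sshd entries in auth.log, print them colour-coded and, optionally,
drop the source address of password failures with iptables.

Order of work, as in the original script:
  1. print a header with the log path and the safe-source list,
  2. read the whole log and print every entry not yet seen (tracked by the
     syslog timestamp of the last printed entry),
  3. sleep one second and re-read; repeat until `loopcountlimit` passes,
     the log disappears, or an unexpected exception occurs.

Bans are only executed when `debug` is False; with `debug` True (the
default, as in the original) the iptables command is printed instead.
Addresses listed in `safesource` are never banned.
"""
import time
import os
import datetime
import traceback
import sys
import subprocess
import ipaddress
import codecs
import re
import shlex

# database path ("~" is expanded with os.path.expanduser before use;
# open() and os.path.exists() do not expand it themselves)
pathdat = "~/authmonitormini"
# declarations
logpath = "/var/log/auth.log"
loopcountlimit = 1000000
safesource = ["1.1.1.1", "2.2.2.2", "3.3.3.3"]
iptablescmd = "/sbin/iptables -I INPUT -j DROP -p tcp --dport 22 -s "
pathiplist = "/iplist.txt"
# True: print the ban command instead of running it (the original per-line
# _debug flag, which was always True).  Set to False to insert rules.
debug = True
# pause after every printed entry (seconds), as in the original
linedelay = 0.400

# ANSI colours used by the output
RESET = "\033[0m"
RED = "\033[91m"
GREEN = "\033[92m"
YELLOW = "\033[93m"
BLUE = "\033[94m"
MAGENTA = "\033[95m"
CYAN = "\033[96m"
WHITE = "\033[97m"

MONTHS = {
    "Jan": 1, "Feb": 2, "Mar": 3, "Apr": 4, "May": 5, "Jun": 6,
    "Jul": 7, "Aug": 8, "Sep": 9, "Oct": 10, "Nov": 11, "Dec": 12,
}

# syslog prefix: "Mon  d HH:MM:SS host prog[pid]: message"
STAMP_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<hms>\d{2}:\d{2}:\d{2})\s+")

# Characters of an IPv4/IPv6 literal; the match is validated with ipaddress
# afterwards, so this only has to be permissive.
_ADDR = r"(?P<ip>[0-9A-Fa-f.:]+)"
# "<user> from <ip> port <n> ...": the user name is the one sent by the client
# and is matched greedily, so the address that sshd appends *after* it is
# the one taken even when the name itself contains "from X port N".
FROM_RE = re.compile(r"^(?P<user>.*) from " + _ADDR + r" port \d+")
# "<ip>", "<ip> port <n>", "... <ip> port <n> [preauth]": the address is
# the last token before the optional port / ssh2 / [preauth] markers.
TAIL_RE = re.compile(
    r"(?:^|\s)" + _ADDR + r"(?: port \d+)?(?: ssh\d)?(?: \[preauth\])?\s*$")
# "<ip>: 11: Bye Bye" or "<ip> port <n>:11: Bye Bye" (IPv6 literals contain
# ":" themselves, so the terminator is matched rather than searched for).
DISCONNECT_RE = re.compile(r"^" + _ADDR + r"(?: port \d+)?:")

# (search text, kind, regex applied to the text after the search text);
# order matters, "Failed password for invalid user" must precede
# "Failed password for".
MESSAGES = (
    ("Failed password for invalid user", "invalid", FROM_RE),
    ("Failed password for", "failed", FROM_RE),
    ("Did not receive identification string from", "noid", TAIL_RE),
    ("Connection closed by", "closed", TAIL_RE),
    ("Received disconnect from", "disconnect", DISCONNECT_RE),
    ("Disconnecting: Too many authentication failures for invalid user",
     "toomany", FROM_RE),
    ("Accepted password for", "accepted", FROM_RE),
)

# kind -> (colour, label printed before the user / address)
LABELS = {
    "invalid": (YELLOW, "warning invalid user"),
    "failed": (RED, "failed password user"),
    "noid": (YELLOW, "warning no id"),
    "closed": (WHITE, "info connection closed"),
    "disconnect": (WHITE, "info received disconnect"),
    "toomany": (RED, "too many auth fail"),
    "accepted": (MAGENTA, "accepted user"),
}

# kinds whose address is recorded and (outside debug) banned
BAN_KINDS = ("failed", "toomany")


def parse_stamp(line):
    """Split the syslog prefix off *line*.

    Returns ``(stamp, label, message)`` where ``stamp`` is the comparable
    tuple ``(month 1-12, day, time_of_day)`` (``time_of_day`` is a datetime
    in year 1900, as ``strptime("%H:%M:%S")`` yields), ``label`` is the
    "Mon d HH:MM:SS" text printed for the entry and ``message`` is the rest
    of the line.  Returns None when the line does not start with a
    "Mon dd HH:MM:SS" stamp.
    """
    m = STAMP_RE.match(line)
    if m is None or m.group("mon") not in MONTHS:
        return None
    tod = datetime.datetime.strptime(m.group("hms"), "%H:%M:%S")
    day = int(m.group("day"))
    stamp = (MONTHS[m.group("mon")], day, tod)
    label = m.group("mon") + " " + str(day) + " " + tod.strftime("%H:%M:%S")
    return stamp, label, line[m.end():]


def classify(message):
    """Recognise a watched sshd *message*.

    Returns ``(kind, user, ip, rest)`` or None when none of the search texts
    in MESSAGES occurs.  ``user`` is "" for kinds without a user name;
    ``ip`` is "" when no address could be extracted; ``rest`` is the text
    after the search string (what is printed in the invalid-address case).
    """
    for search, kind, regex in MESSAGES:
        pos = message.find(search)
        if pos < 0:
            continue
        rest = message[pos + len(search):].strip()
        m = regex.search(rest)
        if m is not None:
            user = m.groupdict().get("user") or ""
            return kind, user, m.group("ip"), rest
        # no address found: keep the first token as the user, as before
        user = rest.split(" ", 1)[0] if "user" in regex.groupindex else ""
        return kind, user, "", rest
    return None


def valid_address(text):
    """ipaddress object for *text*, or None when it is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def ban_command(addr):
    """argv that drops *addr* (an ipaddress object) on port 22.

    Built from `iptablescmd`; for IPv6 the binary is switched to ip6tables,
    which is what the same rule needs there.  A list is used so the address
    is passed as a single argument without going through a shell.
    """
    argv = shlex.split(iptablescmd)
    if addr.version == 6 and argv and argv[0].endswith("iptables"):
        argv[0] = argv[0][:-len("iptables")] + "ip6tables"
    return argv + [str(addr)]


def record_new_ip(path, ip):
    """Append *ip* to the ban list at *path* unless it is already listed.

    Creates the parent directory on first use.  Returns True when the
    address was newly added (i.e. the ban has not been applied yet).
    """
    if os.path.exists(path):
        with open(path, "r") as fh:
            if any(entry.strip() == ip for entry in fh):
                return False
    else:
        parent = os.path.dirname(path)
        if parent:
            os.makedirs(parent, exist_ok=True)
    with open(path, "a") as fh:
        fh.write(ip + "\n")
    return True


def render(message, linecount, label, iplistpath):
    """Format one sshd *message* as the coloured line the monitor prints.

    Returns "" for messages that are not watched.  For password failures and
    "too many failures" (BAN_KINDS) the address is recorded in *iplistpath*
    and, unless `debug` is set or the address is in `safesource`, the
    iptables rule is inserted; the command is shown on the line either way.
    """
    found = classify(message)
    if found is None:
        return ""
    kind, user, ip, rest = found
    head = WHITE + " | " + str(linecount) + " | " + label + RESET
    colour, text = LABELS[kind]
    if user:
        text = text + " " + user
    addr = valid_address(ip)
    if addr is None:
        # as before, the unparsed remainder is shown instead of an address
        return (head + colour + " | " + text + RED
                + " | exception invalid ip " + rest + RESET)
    body = colour + " | " + text + " | " + ip + RESET
    if ip in safesource:
        return head + body + CYAN + " | safesource" + RESET
    if kind not in BAN_KINDS:
        return head + body
    argv = ban_command(addr)
    shown = " ".join(argv)
    if debug:
        return head + body + GREEN + " | debug" + RESET + BLUE + " | " + shown + RESET
    if not record_new_ip(iplistpath, ip):
        # already banned in an earlier pass: print, do not re-run the rule
        return head + body
    # RUN IPTABLES COMMAND
    subprocess.call(argv)
    return head + body + GREEN + " | exec" + RESET + BLUE + " | " + shown + RESET


def main():
    """Run the monitor loop until `loopcountlimit` passes or an error."""
    os.system("clear")
    # header
    print("# Monitor " + str(logpath))
    print("# " + str(time.strftime("%Y-%m-%d")))
    print("# " + str(time.strftime("%H:%M:%S")))
    print("# safesource=" + str(safesource))
    print("")
    iplistpath = os.path.expanduser(pathdat) + pathiplist
    loopcount = 0
    linecount = 1
    # stamp of the last printed entry; entries older than it are skipped
    last = (0, 0, datetime.datetime.min)
    # start loop
    while loopcount < loopcountlimit:
        movesecond = False
        try:
            # check if log file
            if not os.path.exists(logpath):
                print("warning=No log file at " + str(logpath))
                print("")
                loopcount = loopcountlimit
                time.sleep(10)
            else:
                # read all log file
                with open(str(logpath), "r") as logfile:
                    for raw in logfile:
                        line = raw.strip()
                        if ":" not in line:
                            print("warning=No \":\" in line.")
                            print("skip=" + line)
                            time.sleep(2)
                            continue
                        parsed = parse_stamp(line)
                        if parsed is None:
                            # keep running on an unexpected line format
                            print("warning=Unrecognised timestamp in line.")
                            print("skip=" + line)
                            time.sleep(2)
                            continue
                        stamp, label, message = parsed
                        if stamp < last:
                            continue
                        movesecond = True
                        last = stamp
                        out = render(message, linecount, label, iplistpath)
                        # print
                        if out:
                            print(out)
                            linecount += 1
                            time.sleep(linedelay)
        except Exception:
            print("exc=" + traceback.format_exc())
            print("")
            loopcount = loopcountlimit
            time.sleep(10)
        time.sleep(1)
        loopcount += 1
        # move last one second ahead so the entries just printed are not
        # printed again on the next pass
        if movesecond:
            last = (last[0], last[1], last[2] + datetime.timedelta(0, 1))
    print("")
    print("# " + str(time.strftime("%Y-%m-%d")))
    print("# " + str(time.strftime("%H:%M:%S")))
    print("# End")


if __name__ == "__main__":
    main()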
root@debian:/# iptraf-ng
fatal: This program requires a screen size of at least 80 columns by 24 lines
Please resize your window
fatal: This program requires a screen size of at least 80 columns by 24 lines
Please resize your window