- Repository: Munin (contrib)
- Last change: 2020-10-04
- Graph Categories: security
- Family: auto
- Capabilities: autoconf
- Language: Ruby
- Authors: Hirata Yoshiyuki
sshd_invalid_countries_ruby
Name
sshd_invalid_countries_ruby - Plugin to monitor the number of invalid access attempts to sshd per country
Applicable Systems
Requires read permission on the sshd auth log; check the owner, group and mode with
ref) ls -l /var/log/secure
Requires the geoip rubygem
ref) http://geoip.rubyforge.org/
Requires a GeoIP country database to map the source IP or host to a country
ref) http://www.maxmind.com/app/geoip_country
The plugin counts every matching line in the whole log file on each run, so the values are cumulative until the log is rotated.
Authors
Copyright (C) 2010 Hirata Yoshiyuki
Configuration
[sshd_invalid_countries_ruby]
user root
group root
env.logfile /var/log/secure
env.geoip /home/you/GeoIP.dat
env.loadpath /usr/local/lib/ruby/gems/1.9.1/gems/geoip-0.8.8/lib/
"user root" is needed only to read the log file; any user or group with read access to it (see the ls -l check above) is sufficient.
Magic Markers
#%# family=auto
#%# capabilities=autoconf
#!/usr/bin/env ruby
=begin
=head1 NAME
sshd_invalid_countries_ruby - Plugin to monitor the number of invalid access attempts to sshd per country
=head1 APPLICABLE SYSTEMS
=over 4
=item Requires read permission on the sshd auth log; check the owner, group and mode with
ref) ls -l /var/log/secure
=item Requires the geoip rubygem
ref) http://geoip.rubyforge.org/
=item Requires a GeoIP country database to map the source IP or host to a country
ref) http://www.maxmind.com/app/geoip_country
=back
The plugin counts every matching line in the whole log file on each run, so
the values are cumulative until the log is rotated.
=head1 AUTHORS
Copyright (C) 2010 Hirata Yoshiyuki
=head1 CONFIGURATION
[sshd_invalid_countries_ruby]
user root
group root
env.logfile /var/log/secure
env.geoip /home/you/GeoIP.dat
env.loadpath /usr/local/lib/ruby/gems/1.9.1/gems/geoip-0.8.8/lib/
"user root" is needed only to read the log file; any user or group with read
access to it is sufficient.
=head1 MAGIC MARKERS
#%# family=auto
#%# capabilities=autoconf
=end

# Make the geoip gem visible when it is installed outside the default load path.
$LOAD_PATH.unshift(ENV['loadpath']) if ENV['loadpath'] && !ENV['loadpath'].empty?
require 'geoip'

# env.logfile is the documented setting; env.syslog is accepted for older configs.
SYSLOG = ENV['logfile'] || ENV['syslog'] || '/var/log/secure'
GEOIP_DB = ENV['geoip'] || '/var/www/conf/bbs/GeoIP.dat'

# The three sshd messages that indicate a rejected or aborted login. The source
# address is taken from the "from <addr>" part of the message rather than from a
# fixed whitespace-separated field, so a different timestamp format or an empty
# username does not shift it.
INVALID_PATTERNS = [
  /sshd\[\d+\]: Did not receive identification string from (\S+)/,
  /sshd\[\d+\]: Failed password for (?:root|ROOT) from (\S+)/,
  /sshd\[\d+\]: Invalid user .* from (\S+)/
]

# Munin field names may contain only [A-Za-z0-9_] and must not start with a
# digit; country names such as "United States" are used as labels only.
def field_name(country)
  name = country.gsub(/[^A-Za-z0-9_]/, '_')
  name =~ /\A\d/ ? '_' + name : name
end

# Count the source addresses of invalid access attempts and map them to
# countries. Returns [[country, count], ...] sorted by country name.
def getInvalids
  ips = Hash.new(0)
  File.foreach(SYSLOG) do |line|
    INVALID_PATTERNS.each do |re|
      if (m = re.match(line))
        ips[m[1]] += 1
        break
      end
    end
  end
  geoip = GeoIP.new(GEOIP_DB)
  c = Hash.new(0)
  ips.each do |ip, cnt|
    begin
      country = geoip.country(ip)[5] # index 5 is country_name
      country = 'Unknown' if country.nil? || country.empty?
    rescue StandardError
      country = 'Unknown'
    end
    c[country] += cnt
  end
  c.to_a.sort_by { |country, _cnt| country }
end

case ARGV[0]
when 'autoconf'
  if File.readable?(SYSLOG)
    puts 'yes'
  else
    puts "no (cannot read #{SYSLOG})"
  end
  exit 0
when 'config'
  puts 'graph_title SSHD invalid countries from ' + SYSLOG
  puts 'graph_args --base 1000 -l 0'
  puts 'graph_vlabel number of invalid access per country'
  puts 'graph_category security'
  puts 'graph_info This graph shows the countries of invalid access to sshd.'
  getInvalids.each { |k, _v| puts field_name(k) + '.label ' + k }
  exit 0
else
  getInvalids.each { |k, v| puts field_name(k) + '.value ' + v.to_s }
end