Intruder reporting tool (for ssh remote login)
#!/bin/bash
#Filename: intruder_detect.sh
#Description: Intruder reporting tool with auth.log or secure input
# (the ssh login log is /var/log/auth.log; if that file does not exist, the system login log is /var/log/secure)
AUTHLOG=/var/log/auth.log
if [[ -n $1 ]];
then
AUTHLOG=$1
echo Using Log file : $AUTHLOG
fi
LOG=/tmp/valid.$$.log
# Drop "invalid user" lines so only attempts against existing accounts remain
grep -v "invalid" $AUTHLOG > $LOG
# In a "Failed password for USER from IP port N ssh2" line, field NF-5 is the user name
users=$(grep "Failed password" $LOG | awk '{ print $(NF-5) }' | sort | uniq)
printf "%-5s|%-10s|%-10s|%-13s|%-33s|%s\n" "Sr#" "User" "Attempts" "IP address" "Host_Mapping" "Time range"
ucount=0;
ip_list="$(egrep -o "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" $LOG | sort | uniq)"
for ip in $ip_list;
do
grep $ip $LOG > /tmp/temp.$$.log
for user in $users;
do
grep $user /tmp/temp.$$.log > /tmp/$$.log
# The first 16 characters of a syslog line are the timestamp, e.g. "Dec 12 10:03:15"
cut -c-16 /tmp/$$.log > $$.time
tstart=$(head -1 $$.time);
start=$(date -d "$tstart" "+%s");
tend=$(tail -1 $$.time);
end=$(date -d "$tend" "+%s")
limit=$(( $end - $start ))
# Report only user/IP pairs whose failed attempts span more than 120 seconds
if [ $limit -gt 120 ];
then
let ucount++;
IP=$(egrep -o "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" /tmp/$$.log | head -1 );
TIME_RANGE="$tstart-->$tend"
ATTEMPTS=$(cat /tmp/$$.log | wc -l);
# Reverse lookup of the source address; requires the "host" DNS utility
HOST=$(host $IP | awk '{ print $NF }' )
printf "%-5s|%-10s|%-10s|%-13s|%-33s|%-s\n" "$ucount" "$user" "$ATTEMPTS" "$IP" "$HOST" "$TIME_RANGE";
fi
done
done
rm /tmp/valid.$$.log /tmp/$$.log $$.time /tmp/temp.$$.log 2> /dev/null
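The script above keys each report row on a user name and a source IP and reports the pairs whose failed password attempts spread over more than 120 seconds. The following is an added example, not part of the original script, that does the same grouping in a single awk pass over a constructed auth.log fragment so it can be run offline: the sample log lines, the bastion host name and the 120-second default are assumptions; the time span is taken from the HH:MM:SS field, so it assumes all lines come from one day; and the DNS reverse lookup is left out.

```shell
#!/bin/bash
# Added example, not part of the original script: summarise failed SSH password
# attempts per (user, IP) pair from an auth.log-style file using only awk, so it
# runs without GNU date or the "host" DNS utility. The time window is computed
# from the HH:MM:SS field, which assumes all attempts fall on the same day.

# Write constructed sample log lines (not real data) to the file named in $1.
make_sample_log() {
  cat > "$1" <<'EOF'
Dec 12 10:00:01 bastion sshd[1001]: Failed password for root from 203.0.113.10 port 40001 ssh2
Dec 12 10:00:30 bastion sshd[1002]: Failed password for root from 203.0.113.10 port 40002 ssh2
Dec 12 10:03:15 bastion sshd[1003]: Failed password for root from 203.0.113.10 port 40003 ssh2
Dec 12 10:05:00 bastion sshd[1004]: Failed password for invalid user admin from 203.0.113.10 port 40004 ssh2
Dec 12 10:10:00 bastion sshd[1005]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Dec 12 10:10:20 bastion sshd[1006]: Accepted password for alice from 198.51.100.7 port 50002 ssh2
EOF
}

# report_attempts LOGFILE [WINDOW_SECONDS]
# Prints one "user|ip|attempts|first|last" line for every (user, IP) pair whose
# failed-password attempts span more than WINDOW_SECONDS (default 120), skipping
# "invalid user" lines as the original script does. Output is sorted so it is stable.
report_attempts() {
  local log=$1 window=${2:-120}
  awk -v window="$window" '
    /Failed password/ && !/invalid/ {
      # "Failed password for USER from IP port N ssh2": USER is NF-5, IP is NF-3
      user = $(NF-5); ip = $(NF-3)
      split($3, t, ":")                      # $3 is HH:MM:SS
      sec = t[1] * 3600 + t[2] * 60 + t[3]
      key = user "|" ip
      n[key]++
      if (!(key in first)) { first[key] = sec; ftime[key] = $3 }
      last[key] = sec; ltime[key] = $3
    }
    END {
      for (k in n)
        if (last[k] - first[k] > window)
          print k "|" n[k] "|" ftime[k] "|" ltime[k]
    }' "$log" | sort
}

# Stand-alone demo: build the sample log, then print a header and the report.
demo_log=$(mktemp)
make_sample_log "$demo_log"
printf "%-10s|%-15s|%-8s|%-8s|%-8s\n" "User" "IP address" "Attempts" "First" "Last"
report_attempts "$demo_log" | while IFS='|' read -r u i c f l; do
  printf "%-10s|%-15s|%-8s|%-8s|%-8s\n" "$u" "$i" "$c" "$f" "$l"
done
rm -f "$demo_log"
```

On the constructed input only the root/203.0.113.10 pair is reported (three attempts from 10:00:01 to 10:03:15, a 194-second span); the single attempt against alice has no span, and the "invalid user admin" line is dropped before counting, exactly as the original's `grep -v "invalid"` does. Raising the window to 300 seconds empties the report, which is the knob to tune against your own false-positive rate.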