secure2scoundrels.pl

#!/usr/bin/perl
# -- config
my @FILES=qw(/var/log/auth.log.1.gz /var/log/auth.log);
my $regex=qr!^(\S+\s+\S+).+?sshd\[[0-9]+\]:.+?ailed password.+?from (\S+)!;
my $regex2=qr!message repeated (\d+) times: \[ Failed password for \S+ from (\S+)!;

# -- init
use strict;
use IO::Uncompress::Gunzip;
use NetAddr::IP;
use Net::Whois::Raw;
$Net::Whois::Raw::OMIT_MSG = 1;
$Net::Whois::Raw::CHECK_FAIL = 1;


use vars qw($whoisServer %whois_cache $whoisServer);
$whoisServer = 'whois.arin.net';
sub whois_cached($) {
  my $ip = $_[0];
  if (! $whois_cache{$ip}) {
    my ($w,$x);
    eval {$w = whois($ip,$whoisServer);};
    if ($w =~ m/inetnum:\s+(\d+.*$)/m) {
      $whois_cache{$ip} = $1;
      $x = NetAddr::IP->new($1);
      if ($x) {
        $whois_cache{$ip} = $x;
      }
    }
  }
  return $whois_cache{$ip};
}

# -- main
use vars qw(%iptally %sntally %sn2ips);
foreach my $file (@FILES) {
  my $fh;
  if($file=~m/\.gz$/){
    $fh=new IO::Uncompress::Gunzip $file;
    #open($fh,"/bin/zcat \"$file\" |");
  }
  else {
    open($fh,$file);
  }
  unless($fh){ warn "$file: $!\n"; next; }
  while(<$fh>) {
    if (m!$regex!) {
      $iptally{sprintf("%16s", $2)} += 1;
    }
    elsif (m!$regex2!) {
      $iptally{sprintf("%16s", $2)} += $1;
    }
  }
  close($fh);
}
foreach my $ip (keys %iptally) {
  my $sn = (&whois_cached($ip) or "$ip/32");
  $sntally{$sn} += $iptally{$ip};
  if (not exists($sn2ips{$sn})) { $sn2ips{$sn} = []; }
  push(@{$sn2ips{$sn}}, $ip);
}
foreach my $sn (sort keys %sntally) {
  my $v = $sntally{$sn};
  if ($v > 10) {
    #$n = gethostbyaddr(pack('C4',split('\.',$ip)),2);
    #printf("%s : %s password attempts : %s : %s\n",$ip,$v,$w,$n);
    my $iplist = join(', ', sort(@{$sn2ips{$sn}}));
    $iplist =~ s/  +/ /g;
    if (length($sn) < 21) {
      printf("%5d password attempts : %20s : %s\n", $v, $sn, $iplist);
    }
    else {
      printf("%5d password attempts : %35s : %s\n", $v, $sn, $iplist);
    }
  }
}