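#!/usr/bin/perl
# -- config
# Log files to scan; names ending in .gz are decompressed by the main loop.
my @FILES = qw(/var/log/auth.log.1.gz /var/log/auth.log);

# Single failed-password entry. Capture 1 is the leading date fields, capture 2
# the peer address.
# The user-name field of this message is supplied by the connecting client, so
# the address is taken from the LAST " from <addr> port <n>" on the line, tied
# to the end of the message, rather than from the first " from " that appears
# after "Failed password".
my $regex = qr{^(\S+\s+\S+).+?sshd\[[0-9]+\]:.+?ailed password.* from (\S+) port \d+(?: ssh\d*)?\s*\z};

# Syslog "message repeated N times: [ ... ]" wrapper around the same entry.
# Capture 1 is the repeat count, capture 2 the peer address. The user field is
# matched with ".*" so that "invalid user <name>" entries are counted too, and
# the address is again tied to the closing bracket at the end of the line.
my $regex2 = qr{message repeated (\d+) times: \[ Failed password for .* from (\S+) port \d+(?: ssh\d*)?\s*\]\s*\z};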
- # -- init
- use strict;
- use IO::Uncompress::Gunzip;
- use NetAddr::IP;
- use Net::Whois::Raw;
# Net::Whois::Raw switches. NOTE(review): CHECK_FAIL is understood to make
# whois() return undef for "not found"-style answers and OMIT_MSG to strip
# registry boilerplate from the text; confirm against the installed version.
$Net::Whois::Raw::CHECK_FAIL = 1;
$Net::Whois::Raw::OMIT_MSG   = 1;

# Package globals shared with whois_cached(): the server to query and the
# per-address result cache.
our ($whoisServer, %whois_cache);
$whoisServer = 'whois.arin.net';
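# Look up the network range that whois reports for an address, with a
# per-address cache in %whois_cache.
#
# Argument: the address as text. The main loop in this file passes hash keys
#           that were left-padded with spaces, so surrounding whitespace is
#           removed before the query; the cache is still keyed on the
#           argument exactly as given.
# Returns:  a NetAddr::IP object when the "inetnum:" value parses, otherwise
#           the inetnum text itself, otherwise a false value (lookup failed or
#           no "inetnum:" line in the answer).
#
# The whois answer is plain text fetched from the network without any
# integrity protection, so it is treated as untrusted: only printable ASCII
# from the matched line is kept before it is cached and later printed.
#
# NOTE(review): only an "inetnum:" line is recognised. Answers in ARIN's own
# format label the range "NetRange:"/"CIDR:", so such addresses presumably end
# up with the caller's fallback. Confirm whether that is intended.
sub whois_cached($) {
    my $ip = $_[0];
    if (!$whois_cache{$ip}) {
        (my $query = $ip) =~ s/\A\s+|\s+\z//g;

        # Lookups are best-effort: report a failure and carry on so that one
        # unreachable server does not abort the whole report.
        my $response;
        eval { $response = whois($query, $whoisServer); 1 }
            or warn "whois lookup for $query failed: $@";

        if (defined $response && $response =~ m/inetnum:\s+(\d+.*$)/m) {
            my $range = $1;
            $range =~ tr/\x20-\x7e//cd;    # drop control and non-ASCII bytes
            $range =~ s/\s+\z//;

            # Keep the text as a fallback; prefer the parsed object when
            # NetAddr::IP accepts it.
            $whois_cache{$ip} = $range;
            my $net = NetAddr::IP->new($range);
            $whois_cache{$ip} = $net if $net;
        }
    }
    return $whois_cache{$ip};
}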
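# -- main
# %iptally: failed attempts per (space-padded) source address
# %sntally: failed attempts per network label
# %sn2ips:  network label -> list of source addresses seen in it
our (%iptally, %sntally, %sn2ips);

# Pass 1: count failed-password log entries per source address.
foreach my $file (@FILES) {
    my ($fh, $err);
    if ($file =~ m/\.gz$/) {
        # Decompress in-process instead of piping through an external zcat
        # command line built from the file name.
        $fh = IO::Uncompress::Gunzip->new($file);
        $err = $IO::Uncompress::Gunzip::GunzipError unless $fh;
    }
    else {
        # Three-argument open: the name is used only as a path and is never
        # parsed for a mode or pipe character. Success is judged by open's
        # return value, not by whether the handle variable got populated.
        open($fh, '<', $file) or do { $err = "$!"; undef $fh; };
    }
    unless ($fh) { warn "$file: $err\n"; next; }

    while (my $line = <$fh>) {
        # Test the "message repeated N times" form first: with patterns that
        # only look for "sshd[pid]: ... Failed password ... from", such a line
        # satisfies the single-entry pattern as well and would be counted once
        # instead of N times.
        if ($line =~ $regex2) {
            $iptally{sprintf("%16s", $2)} += $1;
        }
        elsif ($line =~ $regex) {
            $iptally{sprintf("%16s", $2)} += 1;
        }
    }
    close($fh);
}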
# Pass 2: roll the per-address counts up into per-network counts.
for my $ip (keys %iptally) {
    # Use the network returned by whois_cached(); when it returns a false
    # value, label the address as its own /32.
    my $sn = (whois_cached($ip) or "$ip/32");
    $sntally{$sn} += $iptally{$ip};
    # push autovivifies the list the first time a network label is seen.
    push @{ $sn2ips{$sn} }, $ip;
}
# Pass 3: print one line per network with more than 10 failed attempts,
# ordered by the network label's string form.
# NOTE(review): $sn can be text taken from a whois answer (whois_cached()
# stores the matched inetnum text when NetAddr::IP does not parse it), so this
# prints remote-supplied text to the terminal.
for my $sn (sort keys %sntally) {
    my $attempts = $sntally{$sn};
    next unless $attempts > 10;

    # Addresses were padded for tallying; collapse the padding for display.
    my $iplist = join(', ', sort @{ $sn2ips{$sn} });
    $iplist =~ s/ +/ /g;

    # Long labels get a wider column.
    my $format = length($sn) < 21
        ? "%5d password attempts : %20s : %s\n"
        : "%5d password attempts : %35s : %s\n";
    printf($format, $attempts, $sn, $iplist);
}