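<?php
// sshcheck.php: counts TCP connections to the local SSH port per remote IPv4
// address, using the output of `netstat -n`. For every address above the
// threshold that is not already mentioned in the iptables FORWARD chain it can
// e-mail a report and insert a DROP rule. It has to run with enough privilege
// to list and modify iptables rules.
//
// NOTE(review): the script only ever adds rules; nothing here expires or
// removes them, so removal is manual (the report prints the command).
// NOTE(review): FORWARD filters routed traffic only. If the SSH connections
// being counted terminate on this host itself, the INPUT chain is the one that
// applies - confirm against the deployment.

// the threshold for connections from a remote IP to be considered an attack
$incomingThreshold = 10;
// send an email report?
$sendEmail = TRUE;
// where to send the email report to
$emailAddress = 'email@ipxcore.com';
// email subject
$emailSubject = 'sshcheck.php report from ' . php_uname('n');
// email's From address
$emailFrom = 'email@ipxcore.com';
// do you want the system to add iptables rules automatically?
$addIPTablesRules = TRUE;
// prefix for iptables. should not need to change
$iptablesPrefix = "/sbin/";
// local port whose connections are counted
$sshPort = 22;
// addresses that must never be blocked (management hosts, monitoring, your own
// IP). Empty by default, so nothing is exempt unless listed here.
$neverBlock = array();
//==================================================

$netstatArray = array();
exec("netstat -n", $netstatArray);

$remoteIP = array();           // remote IPv4 address => number of connections seen
$remoteIPtoLocalIP = array();  // remote IPv4 address => list of local address:port targets
$portSuffix = ":" . (int) $sshPort;

foreach ($netstatArray as $netstatData) {
    // expected columns: proto, recv-q, send-q, local address, foreign address, state
    $dataRow = preg_split('/\s+/', trim($netstatData));
    if (count($dataRow) < 5 || strpos($dataRow[0], 'tcp') !== 0) {
        continue;
    }
    $localAddress = $dataRow[3];
    $foreignAddress = $dataRow[4];

    // Count only connections TO the local SSH port. Matching ":22 " anywhere in
    // the line would also count this host's own outbound SSH sessions, and the
    // remote server of those sessions could end up blocked.
    if (substr($localAddress, -strlen($portSuffix)) !== $portSuffix) {
        continue;
    }
    // exactly one colon means "IPv4:port"; IPv6 peers are not handled
    if (substr_count($foreignAddress, ":") != 1) {
        continue;
    }
    $onlyRemoteIP = substr($foreignAddress, 0, strpos($foreignAddress, ":"));
    // the value is later placed on an iptables command line, so accept nothing
    // but a well-formed IPv4 address
    if (filter_var($onlyRemoteIP, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        continue;
    }

    if (!isset($remoteIP[$onlyRemoteIP])) {
        $remoteIP[$onlyRemoteIP] = 0;
        $remoteIPtoLocalIP[$onlyRemoteIP] = array();
    }
    $remoteIP[$onlyRemoteIP]++;
    $remoteIPtoLocalIP[$onlyRemoteIP][] = $localAddress;
}

if (empty($remoteIP)) {
    die("No data was collected from netstat!");
}

// Read the FORWARD chain once and index every whitespace-separated token, so
// the "already listed?" test below is an exact comparison. A grep for the
// address treats dots as wildcards and matches substrings (1.2.3.4 inside
// 11.2.3.45), which can make an unblocked address look as if it were blocked.
$ruleLines = array();
exec($iptablesPrefix . "iptables -n --list FORWARD", $ruleLines);
$addressesInRules = array();
foreach ($ruleLines as $ruleLine) {
    foreach (preg_split('/\s+/', trim($ruleLine)) as $ruleToken) {
        $addressesInRules[$ruleToken] = true;
    }
}

foreach ($remoteIP as $addressToCheck => $addressToCheckCounter) {
    $addressToCheck = (string) $addressToCheck;

    if ($addressToCheckCounter <= $incomingThreshold) {
        continue;
    }
    if (in_array($addressToCheck, $neverBlock, true)) {
        continue;
    }
    // already mentioned in a FORWARD rule: neither report nor add again
    if (isset($addressesInRules[$addressToCheck])) {
        continue;
    }

    if ($sendEmail) {
        $reportData = "Hello, this is sshcheck.php running on " . php_uname('n') . "\n";
        $reportData .= "\n";
        $reportData .= "Current time: " . date(DATE_RFC822) . "\n";
        $reportData .= "\n";
        if ($addIPTablesRules) {
            $reportData .= "Adding iptables DROP rule. Remove it with:\n";
            $reportData .= "iptables -D FORWARD -s $addressToCheck -j DROP\n";
            $reportData .= "\n";
        }
        $reportData .= "IP " . $addressToCheck . " is involved in a brute force attack against the following IPs:\n";
        $reportData .= "\n";
        $reportData .= "Count: " . count($remoteIPtoLocalIP[$addressToCheck]) . "\n";
        foreach ($remoteIPtoLocalIP[$addressToCheck] as $targetedIP) {
            $reportData .= $targetedIP . "\n";
        }
        $reportData = wordwrap($reportData, 70);
        if (!mail($emailAddress, $emailSubject, $reportData, 'From: ' . $emailFrom)) {
            error_log("sshcheck.php: could not send report for " . $addressToCheck);
        }
    }

    if ($addIPTablesRules) {
        // the address was validated above; escapeshellarg() is a second layer
        $blockCommand = $iptablesPrefix . "iptables -I FORWARD -s "
            . escapeshellarg($addressToCheck) . " -j DROP";
        $blockStatus = 0;
        system($blockCommand, $blockStatus);
        if ($blockStatus !== 0) {
            // a failed insert leaves the address unblocked; make that visible
            error_log("sshcheck.php: iptables failed to add DROP rule for "
                . $addressToCheck . " (exit status " . $blockStatus . ")");
        }
    }
}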