
sshcheck.php

a guest
Aug 9th, 2012
  1. <?php
  2.  
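  // sshcheck: counts connections to local port 22 per remote IPv4 address
  // (from `netstat -n`), and for every address above the threshold that is not
  // yet mentioned in the iptables FORWARD chain, optionally mails a report and
  // inserts a DROP rule.

  // the threshold for connections from a remote IP to be considered an attack
  // NOTE(review): every TCP state netstat prints is counted, including
  // half-open connections whose source address has not completed a handshake,
  // and there is no allowlist. Make sure a management address stays permitted
  // by other means before enabling automatic DROP rules.
  $incomingThreshold = 10;

  // send an email report?
  $sendEmail = TRUE;

  // where to send the email report to
  $emailAddress = 'email@ipxcore.com';

  // email subject
  $emailSubject = 'sshcheck.php report from ' . php_uname('n');

  // email's From address
  $emailFrom = 'email@ipxcore.com';

  // do you want the system to add iptables rules automatically?
  // NOTE(review): rules go into FORWARD, which filters traffic routed through
  // this host rather than traffic addressed to it - confirm that matches where
  // the protected sshd instances run.
  $addIPTablesRules = TRUE;

  // prefix for iptables. should not need to change
  $iptablesPrefix = "/sbin/";

  //==================================================

  // Collect every netstat line that mentions port 22 on either endpoint.
  $netstatArray = array();
  exec("netstat -n | grep \":22 \"", $netstatArray);

  if (empty($netstatArray)) {
      die("No data was collected from netstat!");
  }

  // Both maps are initialised up front so that a run in which no line
  // qualifies does not iterate over an undefined variable further down.
  $remoteIP = array();          // remote IPv4 => number of connections seen
  $remoteIPtoLocalIP = array(); // remote IPv4 => list of local "ip:port" endpoints

  foreach ($netstatArray as $netstatData) {
      $dataRow = preg_split('/\s+/', trim($netstatData));

      // Expected columns: Proto Recv-Q Send-Q Local Foreign [State].
      if (count($dataRow) < 5) {
          continue;
      }

      $localAddress = $dataRow[3];
      $foreignAddress = $dataRow[4];

      // The grep above also matches rows whose *foreign* port is 22, i.e.
      // outbound SSH sessions started from this machine. Only rows whose local
      // endpoint is port 22 are incoming connections.
      if (substr($localAddress, -3) !== ':22') {
          continue;
      }

      // Exactly one colon means "a.b.c.d:port"; IPv6 endpoints are skipped.
      if (substr_count($foreignAddress, ":") !== 1) {
          continue;
      }

      $onlyRemoteIP = substr($foreignAddress, 0, strpos($foreignAddress, ":"));

      // The value is later placed on an iptables command line, so accept
      // nothing but a well-formed IPv4 address.
      if (filter_var($onlyRemoteIP, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
          continue;
      }

      if (!isset($remoteIP[$onlyRemoteIP])) {
          $remoteIP[$onlyRemoteIP] = 0;
          $remoteIPtoLocalIP[$onlyRemoteIP] = array();
      }
      $remoteIP[$onlyRemoteIP]++;
      $remoteIPtoLocalIP[$onlyRemoteIP][] = $localAddress;
  }

  // FORWARD chain listing, fetched lazily the first time an offender is found.
  $chainListing = null;

  foreach ($remoteIP as $addressToCheck => $addressToCheckCounter) {

      if ($addressToCheckCounter <= $incomingThreshold) {
          continue;
      }

      if ($chainListing === null) {
          $chainListing = array();
          $listStatus = 0;
          exec($iptablesPrefix . "iptables -n --list FORWARD", $chainListing, $listStatus);

          // Without a readable listing there is no way to tell which addresses
          // are already blocked; stop instead of stacking duplicate rules.
          if ($listStatus !== 0) {
              error_log("sshcheck.php: could not list the FORWARD chain (exit status $listStatus)");
              break;
          }
      }

      // Whole-field comparison: piping the listing through `grep $ip` treats
      // the dots as wildcards and matches substrings, so 1.2.3.4 would count
      // as already listed whenever 1.2.3.40 or 11.2.3.4 is.
      $alreadyListed = false;
      foreach ($chainListing as $ruleLine) {
          if (in_array($addressToCheck, preg_split('/\s+/', trim($ruleLine)), true)) {
              $alreadyListed = true;
              break;
          }
      }

      if ($alreadyListed) {
          continue;
      }

      if ($sendEmail == TRUE) {
          $reportData = "Hello, this is sshcheck.php running on " . php_uname('n') . "\n";
          $reportData .= "\n";
          $reportData .= "Current time: " . date(DATE_RFC822) . "\n";
          $reportData .= "\n";
          if ($addIPTablesRules == TRUE) {
              $reportData .= "Adding iptables DROP rule. Remove it with:\n";
              $reportData .= "iptables -D FORWARD -s $addressToCheck -j DROP\n";
              $reportData .= "\n";
          }
          $reportData .= "IP " . $addressToCheck . " is involved in a brute force attack against the following IPs:\n";
          $reportData .= "\n";
          $reportData .= "Count: " . count($remoteIPtoLocalIP[$addressToCheck]) . "\n";

          foreach ($remoteIPtoLocalIP[$addressToCheck] as $targetedIP) {
              $reportData .= $targetedIP . "\n";
          }
          $reportData = wordwrap($reportData, 70);

          mail($emailAddress, $emailSubject, $reportData, 'From: ' . $emailFrom);
      }

      if ($addIPTablesRules == TRUE) {
          // The address has passed IPv4 validation; it is quoted as well so
          // the command stays safe if the parsing above is ever relaxed.
          $insertStatus = 0;
          system(
              $iptablesPrefix . "iptables -I FORWARD -s " . escapeshellarg($addressToCheck) . " -j DROP",
              $insertStatus
          );

          // The report is sent before the rule is inserted, so a failed insert
          // is logged here to keep it from going unnoticed.
          if ($insertStatus !== 0) {
              error_log("sshcheck.php: iptables insert for $addressToCheck failed (exit status $insertStatus)");
          }
      }
  }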
  91.  
  92. ?>