-
Notifications
You must be signed in to change notification settings - Fork 0
/
message-log-alerts.sh
118 lines (91 loc) · 2.14 KB
/
message-log-alerts.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
#!/bin/bash
MSGLOG=/var/log/messages
TMPLOG=/tmp/tmp-message-log-last
EMAILMSG=/tmp/tmp-email-msg-messages.txt
TMPFILE=/tmp/tmp-last-alerts.txt
BLACKLISTFILE=/tmp/iptables/blacklist.zone
EXCEPTIONS="autoc_item.php"
SUBJECT="FFXIAH.com - Messages Log"
EMAILADDYS="scragg@gmail.com mike.scragg@gmail.com"
hinit() {
rm -f /tmp/hashmap.$1
touch /tmp/hashmap.$1
}
hput() {
echo "$2 $3" >> /tmp/hashmap.$1
}
hget() {
grep "^$2 " /tmp/hashmap.$1 | awk '{ print $2 };'
}
hinit ips
# Make sure files exist
touch $TMPLOG $EMAILMSG
# Clean email message file
echo -n '' > $EMAILMSG
# Check and validate tmptime
TMPTIME=$(head -n 1 $TMPLOG)
if [[ ! "$TMPTIME" =~ [0-9]+ ]] ; then
TMPTIME=0
fi
NEWEST=0
SEND=0
# Load blacklist file in hash to avoid dupes
while read line
do
hput ips $line 1
done < $BLACKLISTFILE
tail -n 100 $MSGLOG | egrep 'suhosin' > $TMPFILE
CYEAR=$(date --date now +%Y)
CMONTH="$(date --date now +%m | sed 's/^0//')"
while read line
do
if [[ -n $(echo $line | egrep "($EXCEPTIONS)") ]] ; then
continue;
fi
date=$(echo $line | cut -f1,2,3 -d' ')
year=$CYEAR
if [ $CMONTH -eq 1 ]; then
if [ "$(echo $date | egrep 'Dec')" != "" ]; then
year=$CYEAR-1
fi
fi
date=$(echo $date | sed "s/^\(.* .*\) \(.*\)/\1 $year \2/")
timestamp=$(date --date "$date" +%s)
echo $date
echo $timestamp
echo $TMPTIME
if [ $timestamp -gt $TMPTIME ] ; then
if [ $timestamp -gt $NEWEST ] ; then
NEWEST=$timestamp
fi
if [ "$(echo $line | egrep 'attacker')" != "" ] ; then
IP=$(echo $line | sed "s/.*attacker '\([0-9\.]*\)'.*/\1/")
# This means no IP found
if [ $line == $IP ] ; then
continue
fi
#echo $(hget ips $IP);
if [ "$(hget ips $IP)" != "1" ] ; then
echo $IP >> $BLACKLISTFILE
hput ips $IP 1
/sbin/iptables -A BLACKLIST -s $IP -j DROP
fi
fi
SEND=1
echo $line >> $EMAILMSG
fi
done < $TMPFILE
rm -f $TMPFILE
# Update the tmp timestamp
if [ $NEWEST -gt $TMPTIME ] ; then
echo $NEWEST > $TMPLOG
fi
# Send any new files
if [ "$SEND" -eq 1 ] ; then
for email in $EMAILADDYS
do
echo "Sending mail."
/bin/mail -s "$SUBJECT" "$email" < $EMAILMSG
done
fi
echo -n '' > $EMAILMSG