2012-09-15 16:32:20 +02:00
|
|
|
#!/bin/sh
|
|
|
|
#
|
2016-11-13 19:25:31 +01:00
|
|
|
# Plugin to monitor auth.log or journald for sshd server events.
|
2012-09-15 16:32:20 +02:00
|
|
|
#
|
2016-11-13 19:25:31 +01:00
|
|
|
# Require read permitions for $LOG or journald
|
2012-09-15 16:32:20 +02:00
|
|
|
# (set in /etc/munin/plugin-conf.d/munin-node on debian)
|
|
|
|
#
|
|
|
|
# $Log$
|
2016-11-13 19:25:31 +01:00
|
|
|
# Revision 2.0 2016/11/11 15:42:00 Thomas Riccardi
|
2012-09-15 16:32:20 +02:00
|
|
|
# Revision 1.2 2010/03/19 15:03:00 pmoranga
|
|
|
|
# Revision 1.1 2009/04/26 23:28:00 ckujau
|
|
|
|
# Revision 1.0 2009/04/22 22:00:00 zlati
|
|
|
|
# Initial revision
|
|
|
|
#
|
|
|
|
# Parameters:
|
|
|
|
#
|
|
|
|
# config (required)
|
|
|
|
# autoconf (optional - used by munin-config)
|
|
|
|
#
|
|
|
|
# Magick markers (optional):
|
|
|
|
#%# family=auto
|
|
|
|
#%# capabilities=autoconf
|
|
|
|
|
|
|
|
# config example for /etc/munin/plugin-conf.d/munin-node
|
|
|
|
#[sshd_log]
|
|
|
|
#user root
|
|
|
|
#group root
|
|
|
|
#env.logfile /var/log/messages
|
|
|
|
#env.category users
|
|
|
|
#
|
2016-11-13 19:25:31 +01:00
|
|
|
# config example with journald
|
|
|
|
#[sshd_log]
|
|
|
|
#group systemd-journal
|
|
|
|
#env.logfile journald
|
|
|
|
#
|
|
|
|
# config example with journald on the sshd.service unit only
|
|
|
|
#[sshd_log]
|
|
|
|
#group systemd-journal
|
|
|
|
#env.logfile journald
|
|
|
|
#env.journalctlarg --unit=sshd.service
|
|
|
|
#
|
2012-09-15 16:32:20 +02:00
|
|
|
|
|
|
|
LOG=${logfile:-/var/log/secure}
|
2016-11-13 19:25:31 +01:00
|
|
|
JOURNALCTL_ARG=${journalctlarg:-_COMM=sshd}
|
2012-09-15 16:32:20 +02:00
|
|
|
|
|
|
|
|
|
|
|
if [ "$1" = "autoconf" ]; then
|
2016-11-13 19:25:31 +01:00
|
|
|
if [ "$LOG" = "journald" ]; then
|
|
|
|
if journalctl --no-pager --quiet --lines=1 "$JOURNALCTL_ARG" | read -r DUMMY; then
|
|
|
|
echo yes
|
|
|
|
exit 0
|
|
|
|
else
|
|
|
|
echo no
|
|
|
|
exit 1
|
|
|
|
fi
|
2012-09-15 16:32:20 +02:00
|
|
|
else
|
2016-11-13 19:25:31 +01:00
|
|
|
if [ -r "$LOG" ]; then
|
|
|
|
echo yes
|
|
|
|
exit 0
|
|
|
|
else
|
|
|
|
echo no
|
|
|
|
exit 1
|
|
|
|
fi
|
2012-09-15 16:32:20 +02:00
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [ "$1" = "config" ]; then
|
|
|
|
|
2016-11-13 19:25:31 +01:00
|
|
|
if [ "$LOG" = "journald" ]; then
|
|
|
|
TYPE=ABSOLUTE
|
|
|
|
else
|
|
|
|
TYPE=DERIVE
|
|
|
|
fi
|
|
|
|
|
2012-09-15 16:32:20 +02:00
|
|
|
echo 'graph_title SSHD login stats from' $LOG
|
|
|
|
echo 'graph_args --base 1000 -l 0'
|
|
|
|
echo 'graph_vlabel logins'
|
2017-02-24 01:35:47 +01:00
|
|
|
echo 'graph_category' security
|
2012-09-15 16:32:20 +02:00
|
|
|
|
|
|
|
echo 'LogPass.label Successful password logins'
|
2016-11-13 19:25:31 +01:00
|
|
|
echo 'LogPass.min 0'
|
|
|
|
echo 'LogPass.type' "$TYPE"
|
|
|
|
|
2012-09-15 16:32:20 +02:00
|
|
|
echo 'LogPassPAM.label Successful login via PAM'
|
2016-11-13 19:25:31 +01:00
|
|
|
echo 'LogPassPAM.min 0'
|
|
|
|
echo 'LogPassPAM.type' "$TYPE"
|
|
|
|
|
2012-09-15 16:32:20 +02:00
|
|
|
echo 'LogKey.label Successful PublicKey logins'
|
2016-11-13 19:25:31 +01:00
|
|
|
echo 'LogKey.min 0'
|
|
|
|
echo 'LogKey.type' "$TYPE"
|
|
|
|
|
2012-09-15 16:32:20 +02:00
|
|
|
echo 'NoID.label No identification from user'
|
2016-11-13 19:25:31 +01:00
|
|
|
echo 'NoID.min 0'
|
|
|
|
echo 'NoID.type' "$TYPE"
|
|
|
|
|
2012-09-15 16:32:20 +02:00
|
|
|
echo 'rootAttempt.label Root login attempts'
|
2016-11-13 19:25:31 +01:00
|
|
|
echo 'rootAttempt.min 0'
|
|
|
|
echo 'rootAttempt.type' "$TYPE"
|
|
|
|
|
2012-09-15 16:32:20 +02:00
|
|
|
echo 'InvUsr.label Invalid user login attepmts'
|
2016-11-13 19:25:31 +01:00
|
|
|
echo 'InvUsr.min 0'
|
|
|
|
echo 'InvUsr.type' "$TYPE"
|
|
|
|
|
2012-09-15 16:32:20 +02:00
|
|
|
echo 'NoRDNS.label No reverse DNS for peer'
|
2016-11-13 19:25:31 +01:00
|
|
|
echo 'NoRDNS.min 0'
|
|
|
|
echo 'NoRDNS.type' "$TYPE"
|
|
|
|
|
2012-09-15 16:32:20 +02:00
|
|
|
echo 'Breakin.label Potential Breakin Attempts'
|
2016-11-13 19:25:31 +01:00
|
|
|
echo 'Breakin.min 0'
|
|
|
|
echo 'Breakin.type' "$TYPE"
|
|
|
|
|
2012-09-15 16:32:20 +02:00
|
|
|
exit 0
|
|
|
|
fi
|
|
|
|
|
2016-11-13 19:25:31 +01:00
|
|
|
if [ "$LOG" = "journald" ]; then
|
|
|
|
CURSOR_FILE="$MUNIN_STATEFILE"
|
|
|
|
# read cursor
|
|
|
|
# format: "journald-cursor <cursor>"
|
|
|
|
CURSOR=
|
|
|
|
if [ -f "$CURSOR_FILE" ]; then
|
|
|
|
CURSOR=$(awk '/^journald-cursor / {print $2}' "$CURSOR_FILE")
|
|
|
|
fi
|
|
|
|
else
|
|
|
|
CURSOR_FILE=
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [ "$LOG" = "journald" ]; then
|
|
|
|
journalctl --no-pager --quiet --show-cursor ${CURSOR:+"--after-cursor=$CURSOR"} "$JOURNALCTL_ARG"
|
|
|
|
else
|
|
|
|
cat $LOG
|
|
|
|
fi | \
|
|
|
|
awk -v cursor_file="$CURSOR_FILE" 'BEGIN{c["LogPass"]=0;c["LogKey"]=0;c["NoID"]=0;c["rootAttempt"]=0;c["InvUsr"]=0;c["LogPassPAM"]=0;c["Breakin"]=0;c["NoRDNS"]=0; }
|
2012-09-15 16:32:20 +02:00
|
|
|
/sshd\[.*Accepted password for/{c["LogPass"]++}
|
|
|
|
/sshd\[.*Accepted publickey for/{c["LogKey"]++}
|
|
|
|
/sshd\[.*Did not receive identification string/{c["NoID"]++}
|
|
|
|
/sshd\[.*Failed password for root/{c["rootAttempt"]++}
|
|
|
|
/sshd\[.*Invalid user/{c["InvUsr"]++}
|
|
|
|
/sshd\[.*POSSIBLE BREAK-IN ATTEMPT!/{c["Breakin"]++}
|
|
|
|
/sshd\[.*keyboard-interactive\/pam/{c["LogPassPAM"]++}
|
|
|
|
/sshd\[.*reverse mapping checking getaddrinfo/{c["NoRDNS"]++}a
|
2016-11-13 19:25:31 +01:00
|
|
|
END{if (cursor_file != "") { print "journald-cursor " $3 > cursor_file };for(i in c){print i".value " c[i]} }'
|