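#!/bin/bash
# SSH login notification hook for pam_exec.
#
# Install: add the following line to /etc/pam.d/sshd (replace /path with the
# directory holding this script):
#   session optional pam_exec.so seteuid /path/authentication_alert.bash
# "optional" means a failure of this script never blocks or fails the session;
# keep it that way: this is a notification, not an access control.
#
# The absolute /bin/bash shebang is intentional: pam_exec runs the hook with a
# minimal environment, so a PATH lookup via /usr/bin/env is not reliable here.
#
# Required packages: mailutils
#
# Deliberately no `set -e`: the hook must always reach the logging step and exit 0,
# even when the auth log or the geolocation service is unavailable.

# Variables
hostname=$(hostname)
# Built from the value computed above (not bash's $HOSTNAME) so that the mail
# recipient and the hostname shown in the alert always agree.
email="root@${hostname}"
sujet="[Supervision] Authentification sur ${hostname}"
readonly LOG_FILE="/var/log/authentication_alert.log"
SCRIPT_NAME=$(basename -- "$0")
readonly LOG_AUTH_FILE="/var/log/auth.log"
# TRUE|FALSE — TRUE: do not send a mail when the last logged entry already has the
# same IP and user (a log line is still written).
NOSPAM="TRUE"

# Example of the sshd line searched in LOG_AUTH_FILE:
# May 11 18:23:27 rpi-lle sshd[23395]: Accepted publickey for randomuser from 1.2.3.4 port 63238 ssh2

#####################################
# Program
#####################################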
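if [[ "${PAM_TYPE:-}" != "close_session" ]]; then
  time=$(date)

  # PAM_USER / PAM_RHOST are exported by pam_exec for the session being opened and
  # identify THIS session.  PAM_RHOST is the remote IP address, or — with UseDNS yes
  # and a passing FCrDNS check — the remote host's PTR name.
  # They are used directly instead of re-reading the user from auth.log: the last
  # "Accepted ..." line of the log is not necessarily this session (two logins in
  # the same second), and a missing log left user/ip empty in the alert.
  user=${PAM_USER:-}
  fqdn=${PAM_RHOST:-}

  # True when $1 is an IPv4 or IPv6 literal (hostnames never contain ':').
  is_ip_literal() {
    [[ "$1" =~ ^[0-9]+(\.[0-9]+){3}$ ]] ||
      [[ "$1" =~ ^[0-9A-Fa-f:.]+$ && "$1" == *:* ]]
  }

  # Strip the characters that would corrupt the key="value" log format (and the
  # NOSPAM lookup that greps it).  Prints the cleaned value on stdout.
  sanitize() {
    local v=$1
    v=${v//\"/}
    v=${v//$'\n'/}
    v=${v//$'\r'/}
    printf '%s' "$v"
  }

  # Resolve the remote IP: PAM_RHOST when it already is an address, otherwise the
  # last "Accepted ... for <user> from <ip>" sshd line for this user in
  # LOG_AUTH_FILE.  Best effort only: the file may be absent on journald-only
  # hosts, and concurrent logins of the same user can still be mixed up.
  if is_ip_literal "$fqdn"; then
    ip=$fqdn
  else
    auth_message=$(grep -F 'Accepted ' -- "$LOG_AUTH_FILE" 2>/dev/null \
      | grep -F -- " for ${user} from " | tail -n 1)
    ip=$(sed -nre 's/.*from (\S+).*/\1/p' <<<"$auth_message" | head -n 1)
    # No usable log line: keep what PAM gave rather than an empty field.
    [[ -n "$ip" ]] || ip=$fqdn
  fi

  # Geolocate $ip via ip-api.com into the globals $pays / $ville ("unknown" when
  # there is no answer or no such field in the reply).
  # NOTE: this discloses every connecting client IP to a third party over plain
  # HTTP; remove the call if that is not acceptable for this host.
  geoloc() {
    local json
    pays="unknown"
    ville="unknown"
    # Only an address literal may be placed in the URL (no path/query injection
    # from a PAM_RHOST or log value that is not an IP).
    is_ip_literal "$ip" || return 0
    # pam_exec runs this hook synchronously: without a timeout an unreachable
    # service would hold every SSH login until curl gave up on its own.
    json=$(curl -s --fail --max-time 5 -- "http://ip-api.com/json/${ip}") || return 0
    # Each capture excludes '"', so the values cannot break the quoted log fields.
    # sed on the raw reply is inherited from the original; `head -n 1` keeps a
    # single value should the reply span several lines.
    pays=$(sed -nre 's/.*"country":"([^"]+)".*/\1/p' <<<"$json" | head -n 1)
    ville=$(sed -nre 's/.*"city":"([^"]+)".*/\1/p' <<<"$json" | head -n 1)
    pays=${pays:-unknown}
    ville=${ville:-unknown}
  }

  # Mail the alert to $email.  The FQDN line is only shown when PAM supplied a
  # name that differs from the resolved IP.
  send_mail() {
    {
      printf "Bonjour,\n\nLe login %s s'est connecté sur %s.\nDate : %s\nIP : %s\n" \
        "$user" "$hostname" "$time" "$ip"
      if [[ "$fqdn" != "$ip" ]]; then
        printf 'FQDN : %s\n' "$fqdn"
      fi
      printf 'Pays : %s\nVille : %s\n' "$pays" "$ville"
    } | mailx -s "$sujet" "$email"
  }

  # Append one key="value" line for this session to $LOG_FILE.
  logging() {
    printf '%s %s hostname="%s" user="%s" ip="%s" time="%s" fqdn="%s" pays="%s" ville="%s"\n' \
      "$(date +"%Y/%m/%d %H:%M:%S")" "$SCRIPT_NAME" "$(sanitize "$hostname")" \
      "$(sanitize "$user")" "$(sanitize "$ip")" "$(sanitize "$time")" \
      "$(sanitize "$fqdn")" "$(sanitize "$pays")" "$(sanitize "$ville")" >> "$LOG_FILE"
  }

  # True when the last logged line is for the same user AND the same IP.  Matched
  # as fixed strings including the quotes: a plain `grep "$ip" | grep "$user"`
  # matched "bobby" for user "bob" and let the dots of the IP match any character,
  # silently suppressing alerts for a different user or address.
  already_notified() {
    local last
    last=$(tail -n 1 -- "$LOG_FILE" 2>/dev/null) || return 1
    [[ -n "$last" ]] &&
      grep -qF -- " ip=\"$(sanitize "$ip")\"" <<<"$last" &&
      grep -qF -- " user=\"$(sanitize "$user")\"" <<<"$last"
  }

  if [[ "$NOSPAM" == "FALSE" ]] || ! already_notified; then
    geoloc
    send_mail
  else
    # Same user and IP as the previous entry: log only, no lookup, no mail.
    pays="no_geoloc"
    ville="no_geoloc"
  fi

  logging
fi

exit 0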