Authentication_alert/authentication_alert.bash


#!/bin/bash
# Ajouter la ligne suivante dans /etc/pam.d/sshd, avec path le chemin du script : session optional pam_exec.so seteuid /path/authentication_alert.bash
# Packages requis : mailutils
# Variables
# Settings shared by the functions below: local host, alert recipient/subject,
# the script's own log and the sshd log it reads.
hostname=$(hostname)
email="root@${HOSTNAME}"
sujet="[Supervision] Authentification sur ${hostname}"
# One line per handled session is appended here (see logging); the NOSPAM
# check reads its last line back.
LOG_FILE="/var/log/authentication_alert.log"
SCRIPT_NAME=${0##*/}
# sshd log searched for the most recent "Accepted ..." line.
LOG_AUTH_FILE="/var/log/auth.log"
# TRUE|FALSE: TRUE suppresses the mail when IP and user are the same as in
# the previous entry of LOG_FILE.
NOSPAM="TRUE"
# Exemple de message recherché
# May 11 18:23:27 rpi-lle sshd[23395]: Accepted publickey for randomuser from 1.2.3.4 port 63238 ssh2
#####################################
# Programme
#####################################
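#######################################
# Look up country and city of the connecting IP.
# Globals:   ip (read); pays, ville (written, empty when unknown)
# Notes:     the connecting IP is disclosed to ip-api.com over plain HTTP.
#            The lookup is skipped unless $ip is an IPv4/IPv6 literal, because
#            the value was parsed out of auth.log and is not trusted to be
#            URL-safe. A short timeout keeps an unreachable service from
#            delaying the SSH session this PAM hook runs in.
#######################################
geoloc() {
  local geoloc_message=""
  local re_country='"country":"([^"]+)"'
  local re_city='"city":"([^"]+)"'
  pays=""
  ville=""
  if [[ "$ip" =~ ^[0-9A-Fa-f.:]+$ ]]; then
    geoloc_message=$(curl -s --max-time 5 "http://ip-api.com/json/${ip}")
  fi
  # Unlike a sed fallback, a missing field leaves the variable empty instead
  # of putting the whole JSON answer into the mail.
  if [[ "$geoloc_message" =~ $re_country ]]; then
    pays=${BASH_REMATCH[1]}
  fi
  if [[ "$geoloc_message" =~ $re_city ]]; then
    ville=${BASH_REMATCH[1]}
  fi
}

#######################################
# Send the alert mail.
# Globals:   user, hostname, time, ip, fqdn, pays, ville, sujet, email (read)
# Notes:     the body is built with printf '%s' so that backslashes in field
#            values reach the mail unchanged (echo -e would interpret them).
#            The FQDN line is only present when PAM_RHOST differs from the IP.
#######################################
send_mail() {
  {
    printf "Bonjour,\n\nLe login %s s'est connecté sur %s.\nDate : %s\nIP : %s\n" \
      "$user" "$hostname" "$time" "$ip"
    if [[ "$fqdn" != "$ip" ]]; then
      printf 'FQDN : %s\n' "$fqdn"
    fi
    printf 'Pays : %s\nVille : %s\n' "$pays" "$ville"
  } | mailx -s "$sujet" "$email"
}

#######################################
# Append one line describing this session to LOG_FILE.
# Globals:   SCRIPT_NAME, hostname, user, ip, time, fqdn, pays, ville,
#            LOG_FILE (read)
# Notes:     the field format is fixed: the NOSPAM check below matches the
#            user="..." and ip="..." fields of the last line verbatim.
#######################################
logging() {
  printf '%s %s hostname="%s" user="%s" ip="%s" time="%s" fqdn="%s" pays="%s" ville="%s"\n' \
    "$(date +"%Y/%m/%d %H:%M:%S")" "$SCRIPT_NAME" "$hostname" "$user" "$ip" \
    "$time" "$fqdn" "$pays" "$ville" >> "$LOG_FILE"
}

# pam_exec runs this script for open_session and close_session; only the
# opening of a session is reported.
if [[ "$PAM_TYPE" != "close_session" ]]; then
  time=$(date)
  user=$PAM_USER
  fqdn=$PAM_RHOST
  ip=""
  pays=""
  ville=""
  # PAM_USER is the authenticated user, PAM_RHOST the remote host. PAM_RHOST
  # is the remote IP when UseDNS is "no" in sshd_config; otherwise it is the
  # PTR name when the remote IP passes the FCrDNS check, and the IP again
  # when it does not. The sshd log line is therefore the only source for the
  # IP itself.
  re_user=' for ([^ ]+) from '
  re_from=' from ([^ ]+)'
  if [[ -n "$user" ]]; then
    # PAM_USER is authoritative, so restrict the search to that user: with
    # concurrent logins the last "Accepted" line can belong to someone else.
    auth_message=$(grep -F -e "Accepted publickey for ${user} from" \
      -e "Accepted password for ${user} from" -- "$LOG_AUTH_FILE" | tail -n 1)
  else
    # No PAM environment (e.g. run by hand): fall back to the last login seen.
    auth_message=$(grep -F -e 'Accepted publickey for' -e 'Accepted password for' \
      -- "$LOG_AUTH_FILE" | tail -n 1)
    if [[ "$auth_message" =~ $re_user ]]; then
      user=${BASH_REMATCH[1]}
    fi
  fi
  if [[ "$auth_message" =~ $re_from ]]; then
    ip=${BASH_REMATCH[1]}
  fi

  if [[ "$NOSPAM" == "FALSE" ]]; then
    geoloc
    send_mail
  else
    last_log=""
    # First run: nothing to compare against yet.
    if [[ -f "$LOG_FILE" ]]; then
      last_log=$(tail -n 1 "$LOG_FILE")
    fi
    # Compare whole fields as written by logging, so that 1.2.3.4 is not
    # taken for a previous 1.2.3.45 and "bob" is not taken for "bobby".
    if [[ "$last_log" == *"user=\"${user}\""* && "$last_log" == *"ip=\"${ip}\""* ]]; then
      pays="no_geoloc"
      ville="no_geoloc"
    else
      geoloc
      send_mail
    fi
  fi
  logging
fi
exit 0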