More housekeeping.

plugins/network/ssh/openssh-denyhosts

@@ -0,0 +1,72 @@
+#!/bin/bash
+#
+# Plugin to monitor SSH
+#
+# Parameters understood:
+#
+# 	config   (required)
+# 	autoconf (optional)
+#
+# Made by Sven Breunig ( sven AT breunig DOT be )
+#
+
+mktempfile () {
+mktemp -t 
+}       
+
+AUTH_LOG=${logfile:-/var/log/auth.log}
+STATEFILE=/var/lib/munin/plugin-state/sshd.offset
+LOGTAIL=${logtail:-`which logtail`}
+
+if [ "$1" = "autoconf" ]; then
+        if [ -f "${AUTH_LOG}"  -a -n "${LOGTAIL}" -a -x "${LOGTAIL}" ] ; then
+		echo yes
+		exit 0
+	else
+		echo no
+		exit 1
+	fi
+fi
+
+if [ "$1" = "config" ]; then
+	echo 'graph_title SSH Statistics'
+	echo 'graph_order refused invalid accepted'
+	echo 'graph_category ssh'
+	echo 'graph_vlabel Count'
+	echo 'graph_scale no'
+
+##	echo 'graph_args --base 1000 -l 0'
+	echo 'refused.label refused'
+#	echo 'delayed.type DERIVE'
+	echo 'invalid.label invalid'
+#	echo 'passed.type DERIVE'
+	echo 'accepted.label accepted'
+#	echo 'whitelisted.type DERIVE'
+	echo 'failedpass.label Failed password'
+        exit 0
+fi
+
+
+refused=0
+invalid=0
+accepted=0
+failed=0
+
+TEMP_FILE=`mktempfile munin-sshd.XXXXXX`
+
+if [ -n "$TEMP_FILE" -a -f "$TEMP_FILE" ]
+then
+	$LOGTAIL ${AUTH_LOG} $STATEFILE | grep 'sshd' > ${TEMP_FILE}
+
+	refused=`grep -ic 'refused' ${TEMP_FILE}`
+	accepted=`grep -ic 'accepted' ${TEMP_FILE}` 
+	invalid=`grep -ic 'invalid user' ${TEMP_FILE}`
+	failed=`grep -ic 'failed password' ${TEMP_FILE}`
+
+	/bin/rm -f $TEMP_FILE
+fi
+
+echo "refused.value ${refused}"
+echo "accepted.value ${accepted}"
+echo "invalid.value ${invalid}"
+echo "failedpass.value ${failed}"

plugins/network/ssh/sshd_invalid_countries

@@ -0,0 +1,86 @@
+#!/usr/bin/php
+<?php
+# Plugin to monitor the number of invalid access to sshd per country
+#
+# Require read permitions for SYSLOG
+#    ref) ls -l /var/log/secure
+# Require PEAR library Net_GeoIP
+#    ref) http://pear.php.net/package/Net_GeoIP/redirected
+# Require GeoIP-database to find out the geolocation from ip or host
+#    ref) http://www.maxmind.com/app/geoip_country
+#
+# Parameters:
+#       config   (required)
+#       autoconf (optional - used by munin-config)
+#
+# $Log$
+# Revision 1.0  2010/12/23 23:55:01 hirata yoshiyuki
+#     released.
+#
+# Magick markers (optional):
+#%# family=auto
+#%# capabilities=autoconf
+#
+# config example for /etc/munin/plugin-conf.d/munin-node
+#[sshd_invalid_countries]
+#user root
+#group root
+#env.logfile /var/log/secure
+#env.geoip /home/you/GeoIP.dat
+#env.peardir /usr/share/pear/
+
+require (isset($_SERVER['peardir']) && $_SERVER['peardir'] != '' ? $_SERVER['peardir'] : '') . 'Net/GeoIP.php';
+
+define('SYSLOG',   isset($_SERVER['syslog']) && $_SERVER['syslog'] != '' ? $_SERVER['syslog'] : '/var/log/secure');
+define('GEOIP_DB', isset($_SERVER['geoip'])  && $_SERVER['geoip']  != '' ? $_SERVER['geoip']  : 'GeoIP.dat');
+define('AWK_CMD', 'awk \'/sshd\[.*Did not receive identification string/{print $12} ' .
+                        '/sshd\[.*Failed password for (root|ROOT)/{print $11} ' .
+                        '/sshd\[.*Invalid user/{print $10}a\' < ' . SYSLOG);
+
+if (isset($argv[1]) && $argv[1] == 'autoconf') {
+    $fh = @fopen(SYSLOG, 'r');
+    if ($fh) {
+        echo "yes\n";
+        fclose($fh);
+        exit(0);
+    } else {
+        echo "no\n";
+        exit(1);
+    }
+}
+if (isset($argv[1]) && $argv[1] == 'config') {
+    echo 'graph_title SSHD invalid countries from ' . SYSLOG . "\n";
+    echo 'graph_args --base 1000 -l 0' . "\n";
+    echo 'graph_vlabel number of invalid access per country' . "\n";
+    echo 'graph_category system' . "\n";
+    echo 'graph_info This graph shows the countries of invalid access to sshd.' . "\n";
+    foreach (get_sshd_invalid_countries() as $country => $cnt) {
+        echo $country . '.label ' . $country . "\n";
+    }
+    exit(0);
+}
+
+foreach (get_sshd_invalid_countries() as $country => $cnt) {
+    echo $country . '.value ' . $cnt . "\n";
+}
+
+function get_sshd_invalid_countries() {
+    $countries = array();
+    exec(AWK_CMD, $wholeips, $ret);
+
+    if ($ret != 0) return $countries;
+
+    $uniqueips = array_count_values($wholeips);
+    $GeoIP = Net_GeoIP::getInstance(GEOIP_DB);
+    foreach ($uniqueips as $ip => $cnt) {
+        try {
+            $country = $GeoIP->lookupCountryName($ip);
+            $countries[$country] = isset($countries[$country]) ? $countries[$country] + $cnt : $cnt;
+        } catch (Exception $e) {
+            $countries['Unknown'] = isset($countries['Unknown']) ? $countries['Unknown'] + $cnt : $cnt;
+        }
+    }
+    ksort($countries);
+
+    return $countries;
+}

plugins/network/ssh/sshd_invalid_countries_ruby

@@ -0,0 +1,80 @@
+#!/usr/local/bin/ruby
+# Plugin to monitor the number of invalid access to sshd per country
+#
+# Require read permitions for SYSLOG
+#    ref) ls -l /var/log/secure
+# Require geoip rubygem
+#    ref) http://geoip.rubyforge.org/
+# Require GeoIP-database for searching ip or host for the country
+#    ref) http://www.maxmind.com/app/geoip_country
+#
+# Parameters:
+#       config   (required)
+#       autoconf (optional - used by munin-config)
+#
+# $Log$
+# Revision 1.0  2010/12/25 11:56:12 hirata yoshiyuki
+#     released.
+#
+# Magick markers (optional):
+#%# family=auto
+#%# capabilities=autoconf
+#
+# config example for /etc/munin/plugin-conf.d/munin-node
+#[sshd_invalid_countries_ruby]
+#user root
+#group root
+#env.logfile /var/log/secure
+#env.geoip /home/you/GeoIP.dat
+#env.loadpath /usr/local/lib/ruby/gems/1.9.1/gems/geoip-0.8.8/lib/
+
+require (ENV['loadpath'] || '') + 'geoip'
+
+SYSLOG   = ENV['syslog'] || '/var/log/secure'
+GEOIP_DB = ENV['geoip']  || '/var/www/conf/bbs/GeoIP.dat'
+AWK_CMD  = 'awk \'/sshd\[.*Did not receive identification string/{print $12} ' +
+                 '/sshd\[.*Failed password for (root|ROOT)/{print $11} ' +
+                 '/sshd\[.*Invalid user/{print $10}a\' < ' + SYSLOG
+
+def getInvalids
+  c={}
+  wholeips = `#{AWK_CMD}`.split("\n")
+  uniqueips = wholeips.inject({}) do |hash, key|
+    hash.include?(key) ? hash[key] += 1 : hash[key] = 1;
+    hash
+  end
+  geoip = GeoIP.new(GEOIP_DB)
+  uniqueips.each do |ip,cnt|
+    begin
+      country = geoip.country(ip)[5]
+      c[country] = c[country] ? c[country] + cnt : cnt
+    rescue
+      c['Unknown'] = c['Unknown'] ? c['Unknown'] + cnt : cnt
+    end
+  end
+  c = c.to_a.sort {|a,b| a[0] <=> b[0]}
+  c
+end
+
+case ARGV[0]
+when 'autoconf'
+  begin
+    fh = open(SYSLOG, 'r')
+  rescue
+    puts 'no'
+    exit 1
+  else
+    puts 'yes'
+    exit 0
+  end
+when 'config'
+  puts 'graph_title SSHD invalid countries from ' + SYSLOG
+  puts 'graph_args --base 1000 -l 0'
+  puts 'graph_vlabel number of invalid access per country'
+  puts 'graph_category system'
+  puts 'graph_info This graph shows the countries of invalid access to sshd.'
+  getInvalids.each {|k,v| puts k + '.label ' + k}
+  exit 0
+else
+  getInvalids.each {|k,v| puts k + '.value ' + v.to_s}
+end