SSH登入日誌分析指令碼(Python)


SSH登入日誌分析指令碼(Python)

好久沒有更新部落格了,寫了很早的一個指令碼存下檔,一個用於分析使用者登入日誌 /var/log/auth.log(sshd 經由 syslog 寫入的認證日誌)的指令碼,可以分析

成功、失敗次數,以及來自的IP地址和登入失敗的使用者名稱,可以用於監控是否有暴力密碼破解攻擊,多了就可以用於收集字典,用來避免密碼過於簡單的問題。注意:失敗登入中的使用者名稱是遠端客戶端任意指定的,屬於不可信輸入,解析與輸出報表時都必須當作惡意字串處理;此指令碼只統計密碼認證(password),publickey 登入不會被計入。

 

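#!/usr/bin/env python3
"""Analyse an sshd authentication log and summarise login activity.

Reads an auth log (Debian/Ubuntu: /var/log/auth.log) and reports
  1) how many failed password logins there were, per user name,
  2) how many password logins succeeded, per user name,
  3) the source addresses those attempts came from, for both,
  4) the user names that were tried but do not exist on the host,
  5) local "session opened for user X by Y" events (su/sudo), kept apart
     from network logins because they carry no source address.

usage:  analyze.py <auth.log>
        "-" reads the log from standard input.

Results are printed to stdout and written to auth.log-analysis.html in the
current directory.

Caveats:
  * Only "password" authentication is matched.  "Accepted publickey" and
    keyboard-interactive lines are not counted at all.
  * Lines that carry a resolved host name instead of an address
    (sshd "UseDNS yes") match no pattern and are skipped.
  * The user name in a failed attempt is chosen by the remote client and is
    therefore hostile text.  It is captured greedily so that a name such as
    "bob from 9.9.9.9" cannot displace the real source address, and it is
    HTML-escaped before it is written into the report.
  * Counts are per log line; one connection usually produces several lines.
"""
import html
import re
import sys
from collections import Counter

DEBUG_FLAG = 0
INFO_FLAG = 0

reportFilename = 'auth.log-analysis.html'

# Source address as sshd prints it after "from ": an IPv4 or IPv6 literal.
_ADDR = r'(?P<ip>[0-9A-Fa-f.:]+)'

# The user name is matched greedily (.+) on purpose: sshd appends
# " from <addr> port <n>" *after* the client-supplied name, so the real
# address is always the LAST " from <addr>" on the line.  A \w+ or lazy
# capture would let a name containing " from 9.9.9.9" be reported as
# coming from 9.9.9.9 (log injection into the report).
# ptnInvalid must be tried before ptnFailed, which would otherwise match an
# invalid-user line with "invalid user bob" as the user name.
ptnInvalid = re.compile(r'Failed password for invalid user (?P<user>.+) from ' + _ADDR)
ptnFailed = re.compile(r'Failed password for (?P<user>.+) from ' + _ADDR)
ptnSuccess = re.compile(r'Accepted password for (?P<user>.+) from ' + _ADDR)
# pam_unix session line for su/sudo, e.g.
# "session opened for user root by alice(uid=0)".  sshd's own session lines
# ("... by (uid=0)") do not match because \w+ cannot match "(".
ptnSudo = re.compile(r'session opened for user (?P<user>\S+) by (?P<by>\w+)')

# Report sections: (heading, key into the parse_log() result, column titles).
_SECTIONS = (
    ('Tested user list *Failed*', 'failed_users', 'username', '# of trial'),
    ('Source IP *Failed*', 'failed_ips', 'source IP', '# of trial'),
    ('Invalid user names tried', 'invalid_users', 'username', '# of trial'),
    ('Login Success', 'success_users', 'username', '# of login'),
    ('Source IP *Success*', 'success_ips', 'source IP', '# of login'),
    ('Local sessions (su/sudo)', 'sudo', 'target by invoker', '# of session'),
)


def debug(msg):
    """Print *msg* with a [DEBUG] tag when DEBUG_FLAG is set."""
    if DEBUG_FLAG:
        print("[DEBUG] ", msg)


def info(msg):
    """Print *msg* with an [INFO] tag when INFO_FLAG is set."""
    if INFO_FLAG:
        print("[INFO] ", msg)


def openLog(source):
    """Return a readable text stream for *source*; "-" means standard input.

    A file is decoded with errors="replace": a client may send arbitrary
    bytes as a user name, and a single undecodable line must not abort the
    whole run.  Raises OSError if the file cannot be opened.
    """
    if source == "-":
        return sys.stdin
    debug("opening file:" + source)
    return open(source, 'r', encoding='utf-8', errors='replace')


def _count(users, ips, m, tag):
    """Add one event from match *m* to the *users* and *ips* counters."""
    user = m.group('user')
    if user not in users:
        info("[" + tag + "] Found a new user <" + user + ">")
    users[user] += 1
    ip = m.group('ip')
    if ip not in ips:
        info("[" + tag + "] Found a new ip <" + ip + ">")
    ips[ip] += 1


def parse_log(lines):
    """Count login events in an iterable of auth.log lines.

    Returns a dict of collections.Counter objects:
      failed_users   user name -> failed password attempts (valid and invalid names)
      failed_ips     source address -> failed password attempts
      invalid_users  user name -> attempts for names that do not exist on the host
      success_users  user name -> accepted password logins
      success_ips    source address -> accepted password logins
      sudo           "target by invoker" -> local sessions opened via su/sudo
    Lines that match no pattern are ignored (visible with DEBUG_FLAG).
    Accepted logins are echoed to stdout as they are found.
    """
    stats = {name: Counter() for name in (
        'failed_users', 'failed_ips', 'invalid_users',
        'success_users', 'success_ips', 'sudo')}

    for line in lines:
        m = ptnInvalid.search(line)
        if m:
            stats['invalid_users'][m.group('user')] += 1
        else:
            m = ptnFailed.search(line)
        if m:
            _count(stats['failed_users'], stats['failed_ips'], m, 'FAILED')
            continue

        m = ptnSuccess.search(line)
        if m:
            print(line, end='')  # echo every accepted login to the console
            _count(stats['success_users'], stats['success_ips'], m, 'SUCCESS')
            continue

        m = ptnSudo.search(line)
        if m:
            # No source address here: the session is local, so it must not
            # be mixed into the "source IP" tables.
            stats['sudo'][m.group('user') + ' by ' + m.group('by')] += 1
            continue

        debug("*** Unknown:" + line)
    return stats


class KeyValue:
    """One (key, value) pair; a list of these keeps the order sortDict chose."""

    def __init__(self, key, value):
        self.key = key
        self.value = value

    def __repr__(self):
        return repr((self.key, self.value))


def sortDict(adict):
    """Return the items of *adict* as KeyValue objects, highest value first.

    Python's sort is stable, so keys with equal counts keep the order in
    which they were first seen in the log.
    """
    keys = sorted(adict.keys(), key=adict.__getitem__, reverse=True)
    return [KeyValue(k, adict[k]) for k in keys]


def KeyValueList2Html(kvlist, headerMap=None):
    """Render a KeyValue list as an HTML <table> and return it as a string.

    headerMap may supply the column titles as {'key': ..., 'value': ...};
    they default to "Key" / "Value".  Every cell goes through html.escape
    because the keys come straight from the log and, for failed attempts,
    were chosen by the remote client.
    """
    hkey = 'Key'
    hvalue = 'Value'
    if headerMap:
        hkey = headerMap['key']
        hvalue = headerMap['value']
        debug(hkey)
        debug(hvalue)
    rows = [
        "<table>",
        "<tr><th>" + html.escape(str(hkey)) + "</th><th>"
        + html.escape(str(hvalue)) + "</th></tr>",
    ]
    for kv in kvlist:
        rows.append(
            "<tr><td>" + html.escape(str(kv.key)) + "</td><td>"
            + html.escape(str(kv.value)) + "</td></tr>")
    rows.append("</table>")
    return "\n".join(rows) + "\n"


def writeReport(stats, path):
    """Write *stats* (as returned by parse_log) to *path* as an HTML page.

    Raises OSError if the file cannot be created.
    """
    title = 'Auth Log Analysis'
    with open(path, 'w', encoding='utf-8') as report:
        report.write('<!DOCTYPE html>\n<html>\n<head><meta charset="utf-8">'
                     '<title>' + title + '</title></head>\n<body>\n')
        report.write('<h1>' + title + '</h1>\n')
        for heading, key, hkey, hvalue in _SECTIONS:
            report.write('<h2>' + html.escape(heading) + '</h2>\n')
            report.write(KeyValueList2Html(sortDict(stats[key]),
                                           {'key': hkey, 'value': hvalue}))
        report.write('</body>\n</html>\n')


def main(argv=None):
    """Command-line entry point; returns the process exit status.

    2 = usage error, 1 = log or report file could not be opened, 0 = OK.
    """
    argv = sys.argv if argv is None else argv
    if len(argv) < 2:
        print("Usage:")
        print("\t" + argv[0] + " <auth.log>")
        print("Note: <auth.log> can be - for standard input stream")
        return 2

    try:
        log = openLog(argv[1])
    except OSError as exc:
        print("Failed to open file:", argv[1], "-", exc)
        return 1
    try:
        stats = parse_log(log)
    finally:
        if log is not sys.stdin:
            log.close()

    for heading, key, _hkey, _hvalue in _SECTIONS:
        print("------------ " + heading + " -------------", sortDict(stats[key]))

    print("Writing result to " + reportFilename + " ...")
    try:
        writeReport(stats, reportFilename)
    except OSError as exc:
        print("Failed to open file:", reportFilename, "-", exc)
        return 1
    print('OK')
    return 0


if __name__ == "__main__":
    sys.exit(main())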


 
