Skip to content

Instantly share code, notes, and snippets.

@diegoparrilla
Created May 31, 2022
Embed
What would you like to do?
Show connection information and Threat Jammer risk score after a successful SSH connection to a server
IP="$(echo $SSH_CONNECTION | cut -d " " -f 1)"
if [ ! -z "$IP" ]; then
TJ_API_KEY="THREAT_JAMMER_API_KEY"
TJ_URL_PREFIX="https://dublin.api.threatjammer.com"
SLACK_WEBHOOK_URL="SLACK_APP_INCOMING_WEBHOOK"
SLACK_CHANNEL="SLACK_CHANNEL_OF_THE_APP_WITH_PUBLISHING_PERMISSIONS"
SLACK_RISK_COLOR="#02ff00" # Green bar
HOSTNAME=$(hostname -f)
NOW=$(date +"%r (UTC %Z), %e %b %Y")
ASSESS="$(curl -s -X GET ''$TJ_URL_PREFIX'/v1/assess/ip/'$IP'' -H 'accept: application/json' -H 'Authorization: Bearer '$TJ_API_KEY'')"
RESULT=$(echo $ASSESS)
SCORE="$(echo $RESULT | jq -r .score)"
RISK="$(echo $RESULT | jq -r .risk)"
REASON="$(echo $RESULT | jq -r .reason)"
RISK_INFO="$SCORE ($RISK) - $REASON"
ASN="$(echo $RESULT | jq -r .asn)"
if [ $SCORE -gt 34 ]; then
SLACK_RISK_COLOR="#ffe200" # Yellow bar
fi
if [ $SCORE -gt 67 ]; then
SLACK_RISK_COLOR="#ff0002" # Red bar
fi
AS="$(curl -s -X GET ''$TJ_URL_PREFIX$ASN'' -H 'accept: application/json' -H 'Authorization: Bearer '$TJ_API_KEY'')"
RESULT=$(echo $AS)
AS_INFO="AS${ASN:8} $(echo $RESULT | jq -r .name) - $(echo $RESULT | jq -r .description)"
GEO="$(curl -s -X GET ''$TJ_URL_PREFIX'/v1/geo/'$IP'' -H 'accept: application/json' -H 'Authorization: Bearer '$TJ_API_KEY'')"
RESULT=$(echo $GEO)
COUNTRY_CODE="$(echo $RESULT | jq -r .country_iso_code)"
REGION_NAME="$(echo $RESULT | jq -r .region_name)"
CITY_NAME="$(echo $RESULT | jq -r .city_name)"
GEO_INFO="$CITY_NAME - $REGION_NAME ($COUNTRY_CODE)"
curl -H 'Content-type: application/json' --data '{"attachments":[{"title":"New SSH login of >'"$(whoami)"'< to >'"$HOSTNAME"'< at '"$NOW"'", "color":"'"$SLACK_RISK_COLOR"'", "mrkdwn_in": ["text"], "text": "*Connected from IP:* '"$IP"'\n*Connected from ISP:* '"$AS_INFO"'\n*IP Location:* '"$GEO_INFO"'\n*Threat Jammer Risk:* '"$RISK_INFO"'"}]}' $SLACK_WEBHOOK_URL
fi
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment