Show connection information and Threat Jammer risk score after a successful SSH connection to a server
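# Post a Slack notification for each successful SSH login, enriched with the
# client IP's Threat Jammer risk assessment, AS owner and geolocation.
#
# Reads:   SSH_CONNECTION (set by sshd: "client_ip client_port server_ip server_port")
# Needs:   bash, curl, jq, hostname, whoami, date
# Outputs: nothing on stdout; diagnostics on stderr
# Returns: 0 when there is nothing to do or the notification was posted,
#          1 when the webhook post (or the payload build) fails
#
# Meant to run from an SSH login hook; it is a no-op when SSH_CONNECTION is
# unset. `set -e` is deliberately not used: every remote call is checked
# explicitly, and a failed enrichment lookup must not suppress the
# notification itself.
#
# NOTE(review): the two values below are placeholders to replace at install
# time. Keep the installed copy readable only by the account running the hook;
# the script refuses to run while the placeholders are still in place.
TJ_API_KEY="THREAT_JAMMER_API_KEY"
TJ_URL_PREFIX="https://dublin.api.threatjammer.com"
SLACK_WEBHOOK_URL="SLACK_APP_INCOMING_WEBHOOK"
SLACK_CHANNEL="SLACK_CHANNEL_OF_THE_APP_WITH_PUBLISHING_PERMISSIONS"  # not referenced below; kept for the installer's reference
HTTP_TIMEOUT=10  # seconds per request; a login hook must never hang on a slow API

#######################################
# Print the client address from an SSH_CONNECTION value.
# Arguments: $1 - SSH_CONNECTION value (may be empty or unset)
# Outputs:   the first space-separated field, or nothing
#######################################
client_ip() {
  local conn=${1:-}
  printf '%s' "${conn%% *}"
}

#######################################
# Map a Threat Jammer score to the Slack attachment bar colour:
# green for 0-34, yellow for 35-67, red above 67.
# Anything that is not a non-negative integer (e.g. an empty string or "null"
# after a failed lookup) yields the green default, as the original did.
# Assumes the API returns the score as an integer — TODO confirm.
# Arguments: $1 - score
# Outputs:   colour as "#rrggbb"
#######################################
risk_color() {
  local score=${1:-}
  local color="#02ff00"  # Green bar
  if [[ "$score" =~ ^[0-9]+$ ]]; then
    # 10# forces base 10 so a leading zero is not read as octal.
    if (( 10#$score > 67 )); then
      color="#ff0002"  # Red bar
    elif (( 10#$score > 34 )); then
      color="#ffe200"  # Yellow bar
    fi
  fi
  printf '%s' "$color"
}

#######################################
# GET one Threat Jammer API path and print the response body.
# The bearer token is handed to curl through a config read on stdin, so it
# does not show up in the process list the way a -H argument would.
# Globals:   TJ_URL_PREFIX, TJ_API_KEY, HTTP_TIMEOUT (read)
# Arguments: $1 - URL path beginning with "/"
# Outputs:   response body on stdout (empty on failure)
# Returns:   curl's status (non-zero on transport error or HTTP >= 400)
#######################################
tj_get() {
  local path=$1
  curl -fsS --max-time "$HTTP_TIMEOUT" \
    -H 'accept: application/json' \
    -K - "${TJ_URL_PREFIX}${path}" <<EOF
header = "Authorization: Bearer ${TJ_API_KEY}"
EOF
}

#######################################
# Print one top-level field of a JSON document, or nothing when the field is
# absent or null (the original printed the literal string "null" there).
# Arguments: $1 - field name
#            $2 - JSON text (may be empty)
# Outputs:   the field's raw value
#######################################
json_field() {
  local key=$1 doc=$2
  jq -r --arg k "$key" '.[$k] // empty' <<<"$doc"
}

#######################################
# Build and post the Slack notification for the current SSH session.
# Globals:   SSH_CONNECTION, SLACK_WEBHOOK_URL, TJ_API_KEY, HTTP_TIMEOUT (read)
# Outputs:   diagnostics on stderr only
# Returns:   0 if nothing to do or posted; 1 on failure
#######################################
main() {
  local ip
  ip=$(client_ip "${SSH_CONNECTION:-}")
  [[ -n "$ip" ]] || return 0  # not an SSH session

  if [[ "$TJ_API_KEY" == "THREAT_JAMMER_API_KEY" || "$SLACK_WEBHOOK_URL" == "SLACK_APP_INCOMING_WEBHOOK" ]]; then
    printf 'tj: API key / webhook placeholders not configured\n' >&2
    return 1
  fi

  local host_fqdn now
  host_fqdn=$(hostname -f 2>/dev/null || hostname)
  now=$(date +"%r (UTC %Z), %e %b %Y")

  # Risk assessment. A failed lookup leaves the fields empty instead of
  # aborting: the login notification is still worth sending.
  local assess='' score risk reason asn
  assess=$(tj_get "/v1/assess/ip/${ip}") || printf 'tj: assess lookup failed for %s\n' "$ip" >&2
  score=$(json_field score "$assess")
  risk=$(json_field risk "$assess")
  reason=$(json_field reason "$assess")
  asn=$(json_field asn "$assess")
  local risk_info="${score} (${risk}) - ${reason}"
  local color
  color=$(risk_color "$score")

  # AS owner. The assessment's .asn is a path on the same API (the original
  # stripped a fixed 8-character prefix, i.e. "/v1/asn/"); the AS number is
  # everything after the last "/". Only follow it when it is a path, so a
  # missing field is never appended to the base URL.
  local as_info=''
  if [[ "$asn" == /* ]]; then
    local as_doc=''
    as_doc=$(tj_get "$asn") || printf 'tj: asn lookup failed for %s\n' "$asn" >&2
    as_info="AS${asn##*/} $(json_field name "$as_doc") - $(json_field description "$as_doc")"
  fi

  # Geolocation.
  local geo='' geo_info
  geo=$(tj_get "/v1/geo/${ip}") || printf 'tj: geo lookup failed for %s\n' "$ip" >&2
  geo_info="$(json_field city_name "$geo") - $(json_field region_name "$geo") ($(json_field country_iso_code "$geo"))"

  # Let jq encode the payload: reason, AS name/description and location come
  # back from a remote API and must not be spliced into JSON by hand.
  local title text payload
  title="New SSH login of >$(whoami)< to >${host_fqdn}< at ${now}"
  printf -v text '*Connected from IP:* %s\n*Connected from ISP:* %s\n*IP Location:* %s\n*Threat Jammer Risk:* %s' \
    "$ip" "$as_info" "$geo_info" "$risk_info"
  payload=$(jq -n --arg title "$title" --arg color "$color" --arg text "$text" \
    '{attachments: [{title: $title, color: $color, mrkdwn_in: ["text"], text: $text}]}') \
    || { printf 'tj: could not build slack payload\n' >&2; return 1; }

  # The reply body is discarded so the login session sees no notifier output.
  curl -fsS --max-time "$HTTP_TIMEOUT" -o /dev/null \
    -H 'Content-type: application/json' --data @- "$SLACK_WEBHOOK_URL" <<<"$payload" \
    || { printf 'tj: slack notification failed\n' >&2; return 1; }
}

main "$@"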