Mine failed login attempts from auth.log and display them on a map (static google map or KML file)
import argparse
import json
import re
import socket
import urllib2
from itertools import imap

import simplekml
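# NOTE(review): plaintext HTTP -- every address you look up (i.e. your whole
# attacker list) is visible to anyone on the network path. Point this at an
# HTTPS geolocation endpoint.
BASE = "http://freegeoip.net/json/%(ip4)s"

# sshd auth.log lines that carry the peer address of a failed/invalid login.
# The optional "(?:::f{4,6}:)" prefix strips the IPv4-mapped-IPv6 form (it
# accepts 4-6 'f's; presumably "::ffff:" was meant). ".*" is greedy, so the
# *last* " from " on the line wins: a username that itself contains " from "
# cannot shift the capture onto attacker-chosen text.
r1 = r'Authentication failure for .* from (?:::f{4,6}:)?(?P<host>\S+)'
r2 = r'[iI](?:llegal|nvalid) user .* from (?:::f{4,6}:)?(?P<host>\S+)'
r3 = r'Failed [-/\w]+ for .* from (?:::f{4,6}:)?(?P<host>\S+)'
r4 = r'reverse mapping checking getaddrinfo .* \[(?:::f{4,6}:)?(?P<host>\S+)\]'
patterns = [re.compile(r) for r in (r1, r2, r3, r4)]


def _is_ip_address(host):
    """Return True if *host* is a literal IPv4 or IPv6 address.

    Used as an allow-list before a log- or file-derived value is spliced into
    a request URL: hostnames, trailing newlines or injected text are rejected
    instead of being sent to the geolocation service. Whitespace is not
    tolerated; callers strip first.
    """
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            socket.inet_pton(family, host)
            return True
        except (socket.error, ValueError):
            continue
    return False


def geolocate(ip=""):
    """Look up *ip* with the BASE service and return its JSON record as a dict.

    *ip* comes straight from log lines or an --ip-list file, so it is stripped
    and validated as an IP literal before it is placed into the URL; anything
    else (including the empty default) returns {} without touching the
    network. Connection/timeout failures and malformed JSON also return {}
    so one bad lookup does not abort the whole run.

    Example response (live service, not a doctest):
        geolocate("208.86.225.120") ->
        {'city': 'Raleigh', 'region_code': 'NC', 'region_name': 'North Carolina',
         'latitude': '35.8116', 'longitude': '-78.646', 'country_code': 'US',
         'ip': '208.86.225.120', 'country_name': 'United States', ...}
    """
    ip = ip.strip()
    if not _is_ip_address(ip):
        return {}
    try:
        # timeout: a stalled service must not hang the whole scan.
        resp = urllib2.urlopen(BASE % {"ip4": ip}, timeout=10)
        try:
            return json.loads(resp.read())
        finally:
            resp.close()
    except (IOError, OSError, ValueError):
        # URLError / socket errors / bad JSON: best effort, skip this address.
        # (httplib protocol errors are deliberately left to propagate.)
        return {}


def parse_authlog(authlog=""):
    """Yield each distinct failed-login source address found in *authlog*.

    *authlog* is an iterable of log lines (an open file works). Every line is
    tried against each pattern in ``patterns``; an address is yielded the
    first time it is seen and repeats are skipped. Only IP literals are
    yielded, so free text from the log never reaches geolocate(). An empty or
    None *authlog* yields nothing.
    """
    if not authlog:
        return
    seen = set()
    for line in authlog:
        for pattern in patterns:
            match = pattern.search(line)
            if match is None:
                continue
            host = match.group("host")
            if host in seen or not _is_ip_address(host):
                continue
            seen.add(host)
            yield host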
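def staticmap(ips, lookup=None):
    """Return a Google Static Maps URL with one marker per geolocated address.

    *ips* is an iterable of address strings; each is resolved through
    *lookup* (default: geolocate) and contributes a "lat,lon" marker when the
    response carries both coordinates. Responses missing either coordinate,
    or whose coordinates do not parse as numbers, are skipped -- the only
    service-supplied text that reaches the URL is numeric, so a response
    cannot smuggle extra query parameters into it.

    Example (live service, not a doctest):
        staticmap(['208.86.225.120']) ->
        'http://maps.google.com/maps/api/staticmap?center=0,0&zoom=0&size=800x800&markers=35.8116,-78.646&sensor=false'
    """
    if lookup is None:
        lookup = geolocate

    def markers():
        # Yield "lat,lon" for every response that has both coordinates.
        # The previous fallback of emitting a bare country name is gone: the
        # documented response has no "country" key and an unencoded string
        # in the query would be an injection point.
        for loc in (lookup(ip) for ip in ips):
            lat, lon = loc.get("latitude"), loc.get("longitude")
            if lat is None or lon is None:
                continue
            try:
                float(lat), float(lon)  # validate only; keep the service's text
            except (TypeError, ValueError):
                continue
            yield "%s,%s" % (lat, lon)

    gmaps = "http://maps.google.com/maps/api/staticmap?center=0,0&zoom=0&size=800x800&markers="
    return "%s%s%s" % (gmaps, "|".join(markers()), "&sensor=false")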
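def kmlmap(ips, output="default.kml", lookup=None):
    """Write a KML file with one placemark per geolocated address.

    *ips* is an iterable of address strings, resolved through *lookup*
    (default: geolocate). A placemark is created only when the response has
    both coordinates and they parse as floats; responses that are empty or
    lack coordinates are skipped instead of raising KeyError. The placemark
    name is the non-empty subset of city, region_name, country_name and
    country_code, comma-joined. The result is saved to *output* (overwritten
    if it exists).
    """
    if lookup is None:
        lookup = geolocate
    kml = simplekml.Kml()
    for loc in (lookup(ip) for ip in ips):
        if not loc:
            continue
        try:
            lon = float(loc["longitude"])
            lat = float(loc["latitude"])
        except (KeyError, TypeError, ValueError):
            continue  # no usable coordinates for this address
        fields = [loc.get(k) for k in ("city", "region_name", "country_name", "country_code")]
        # py2: hand simplekml UTF-8 byte strings, as the original did.
        # NOTE(review): this is remote-service text going into XML; simplekml
        # is assumed to escape it -- confirm before trusting the output.
        name = ", ".join(f.encode('utf-8') for f in fields if f)
        kml.newpoint(name=name, coords=[(lon, lat)])
    kml.save(output)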
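if __name__ == '__main__':
    def args():
        """Parse the command line; exactly one input source is required."""
        parser = argparse.ArgumentParser(
            description="Map the source addresses of failed logins from auth.log.")
        parser.add_argument("--authlog", dest="authlog", default=None,
                            help="auth.log to mine for failed-login source addresses")
        parser.add_argument("--ip-list", dest="ip_list", default=None,
                            help="file with one IP address per line (used when --authlog is absent)")
        parser.add_argument("--kmlmap", dest="kml", default=None,
                            help="write a KML file to this path instead of printing a static-map URL")
        opts = parser.parse_args()
        # The original fell through to a NameError when neither was given.
        if not (opts.authlog or opts.ip_list):
            parser.error("one of --authlog or --ip-list is required")
        return opts

    opt = args()
    path = opt.authlog or opt.ip_list  # --authlog takes precedence, as before
    # 'with' closes the input file even if a lookup raises; the original
    # only closed the generator and leaked the underlying file handle.
    with open(path, 'r') as logdata:
        if opt.authlog:
            addresses = parse_authlog(logdata)
        else:
            # --ip-list lines arrive with their newline; strip it (and skip
            # blanks) so geolocate() sees a bare address, not "1.2.3.4\n".
            addresses = (line.strip() for line in logdata if line.strip())
        if opt.kml:
            kmlmap(addresses, output=opt.kml)
        else:
            print(staticmap(addresses))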