gurupras/check_auth.py

## check_auth.py
import os,sys,argparse,re
import json
import gzip
import tempfile
import glob
import requests

import pycommons
from pycommons import ListAction

def setup_parser():
    parser = argparse.ArgumentParser()
    parser.add_argument('-i', '--input', type=str, default=None,
            help='Previously processed input file')
    parser.add_argument('-o', '--output', type=str, default=None,
            help='Store results in output')
    parser.add_argument('--safe-ips', type=str, action=ListAction,
            default=['.*'], help='Safe IPs to filter')
    parser.add_argument('--geo', action='store_true', default=False,
            help='Safe IPs to filter')
    return parser

def open_file(filename, mode):
    name, ext = os.path.splitext(filename)
    fn = open
    if ext == '.gz':
        fn = gzip.open
    return fn(filename, mode)

def process(file, safe_ips, geo):
    ip_dict = {}
    pattern = re.compile('^(?P<date>[A-Za-z]+\s+\d+\s+\d+:\d+:\d+)\s+.* Accepted publickey for (?P<user>[a-zA-Z0-9_]+) from (?P<ip>.*) port.*')
    with open_file(file, 'rb') as f:
        for idx, line in enumerate(f):
            m = pattern.match(line)
            if m:
                date = m.group('date')
                user = m.group('user')
                ip = m.group('ip')
                safe = False
                for ip_pat_str in safe_ips:
                    ip_pattern = re.compile(ip_pat_str)
                    if ip_pattern.match(ip):
                        safe = True
                        break
                if not safe:
                    if not ip_dict.get(ip, None):
                        ip_dict[ip] = []
                    ip_dict[ip].append((date, user))
    for ip, values in ip_dict.iteritems():
        user_dict = {}
        for (date, user) in values:
            if not user_dict.get(user, None):
                user_dict[user] = 0
            user_dict[user] += 1
            #print '%s  -> %s: %s' % (date, user, ip)
        geo_str = ''
        if geo:
            import requests
            # Get geolocation from freegeoip.net
            r = requests.get('http://freegeoip.net/json/%s' % (ip))
            geo_str = '        -> ' + r.text.strip()
        print '%s  -> %s %s' % (ip, str(user_dict), geo_str)


def main(argv):
    parser = setup_parser()
    args = parser.parse_args(argv[1:])

    if args.input:
        file = args.input
    else:
        file = None

    if not file:
        fd, fpath = tempfile.mkstemp()
        file = os.fdopen(fd, 'wb')
        files = glob.glob('/var/log/auth.*')
        for f in files:
            with open_file(f, 'rb') as f:
                bytes = f.read()
                file.write(bytes)
            file.flush()
        file.close()

        # If we have to save the file into output, do it now
        if args.output:
            file = open(fpath, 'rb')
            with open(args.output, 'wb') as f:
                f.write(file.read())
            file.seek(0, 0)
            file = fpath


    # Now do any processing that we need to
    process(file, args.safe_ips, args.geo)

if __name__ == '__main__':
    main(sys.argv)
	import os,sys,argparse,re
	import json
	import gzip
	import tempfile
	import glob
	import requests

	import pycommons
	from pycommons import ListAction

	def setup_parser():
	parser = argparse.ArgumentParser()
	parser.add_argument('-i', '--input', type=str, default=None,
	help='Previously processed input file')
	parser.add_argument('-o', '--output', type=str, default=None,
	help='Store results in output')
	parser.add_argument('--safe-ips', type=str, action=ListAction,
	default=['.*'], help='Safe IPs to filter')
	parser.add_argument('--geo', action='store_true', default=False,
	help='Safe IPs to filter')
	return parser

	def open_file(filename, mode):
	name, ext = os.path.splitext(filename)
	fn = open
	if ext == '.gz':
	fn = gzip.open
	return fn(filename, mode)

	def process(file, safe_ips, geo):
	ip_dict = {}
	pattern = re.compile('^(?P<date>[A-Za-z]+\s+\d+\s+\d+:\d+:\d+)\s+.* Accepted publickey for (?P<user>[a-zA-Z0-9_]+) from (?P<ip>.) port.')
	with open_file(file, 'rb') as f:
	for idx, line in enumerate(f):
	m = pattern.match(line)
	if m:
	date = m.group('date')
	user = m.group('user')
	ip = m.group('ip')
	safe = False
	for ip_pat_str in safe_ips:
	ip_pattern = re.compile(ip_pat_str)
	if ip_pattern.match(ip):
	safe = True
	break
	if not safe:
	if not ip_dict.get(ip, None):
	ip_dict[ip] = []
	ip_dict[ip].append((date, user))
	for ip, values in ip_dict.iteritems():
	user_dict = {}
	for (date, user) in values:
	if not user_dict.get(user, None):
	user_dict[user] = 0
	user_dict[user] += 1
	#print '%s -> %s: %s' % (date, user, ip)
	geo_str = ''
	if geo:
	import requests
	# Get geolocation from freegeoip.net
	r = requests.get('http://freegeoip.net/json/%s' % (ip))
	geo_str = ' -> ' + r.text.strip()
	print '%s -> %s %s' % (ip, str(user_dict), geo_str)


	def main(argv):
	parser = setup_parser()
	args = parser.parse_args(argv[1:])

	if args.input:
	file = args.input
	else:
	file = None

	if not file:
	fd, fpath = tempfile.mkstemp()
	file = os.fdopen(fd, 'wb')
	files = glob.glob('/var/log/auth.*')
	for f in files:
	with open_file(f, 'rb') as f:
	bytes = f.read()
	file.write(bytes)
	file.flush()
	file.close()

	# If we have to save the file into output, do it now
	if args.output:
	file = open(fpath, 'rb')
	with open(args.output, 'wb') as f:
	f.write(file.read())
	file.seek(0, 0)
	file = fpath


	# Now do any processing that we need to
	process(file, args.safe_ips, args.geo)

	if __name__ == '__main__':
	main(sys.argv)