Virmach sshcheck - from Syed's sources - Fix for warnings again
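<?php
// sshcheck.php
//
// Counts connections to the local SSH port per remote IPv4 address (from
// `netstat -nt`). For every remote address that exceeds $incomingThreshold,
// is not whitelisted and does not already appear in the iptables FORWARD
// chain, the script optionally emails a report and inserts a DROP rule.
//
// Needs permission to run netstat and iptables (normally root). Exits
// silently when netstat returns no rows for the SSH port.
//
// Every value that reaches a shell command ($sshPort, the remote address)
// is validated and passed through escapeshellarg() first.
ini_set('error_reporting', E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED);
// the threshold for connections from a remote IP to be considered an attack
// default was 10
$incomingThreshold = 11;
// send an email report?
$sendEmail = TRUE;
//SSH Port
$sshPort = "22";
// our whitelisted hosts
$whiteListed = array("23.94.139.81");
// where to send the email report to
$emailAddress = 'support@virmach.com';
// email subject
$emailSubject = 'sshcheck.php report from ' . php_uname('n');
// email's From address
$emailFrom = 'no-reply@virmach.com';
// do you want the system to add iptables rules automatically?
$addIPTablesRules = TRUE;
// prefix for iptables. should not need to change
$iptablesPrefix = "/sbin/";
//==================================================
// The port is spliced into a shell pipeline below; accept digits only.
if (!preg_match('/^\d+$/', (string) $sshPort)) {
    die();
}
$portSuffix = ":" . $sshPort;

$netstatArray = array();
exec("netstat -nt | grep " . escapeshellarg($portSuffix . " "), $netstatArray);
if (empty($netstatArray)) {
    die(); // Shut the fuck up. #die("No data was collected from netstat!");
}

// netstat -nt columns: Proto Recv-Q Send-Q Local-Address Foreign-Address State
$remoteIP = array();          // remote IPv4 => number of matching connections
$remoteIPtoLocalIP = array(); // remote IPv4 => list of local addresses it hit
foreach ($netstatArray as $netstatData) {
    $dataRow = preg_split('/\s+/', trim($netstatData));
    if (!isset($dataRow[3], $dataRow[4])) {
        continue;
    }
    // The grep also matches rows whose *foreign* side is the SSH port
    // (outbound SSH from this host). Only count rows where the local
    // address is our SSH port.
    if (substr($dataRow[3], -strlen($portSuffix)) !== $portSuffix) {
        continue;
    }
    // IPv4 "a.b.c.d:port" has exactly one colon; IPv6 rows are skipped.
    if (substr_count($dataRow[4], ":") != 1) {
        continue;
    }
    $onlyRemoteIP = substr($dataRow[4], 0, strpos($dataRow[4], ":"));
    // Validate the address before it can reach a shell command.
    if (filter_var($onlyRemoteIP, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        continue;
    }
    // Initialise the counter explicitly so no notice is raised on first sight.
    $remoteIP[$onlyRemoteIP] = isset($remoteIP[$onlyRemoteIP]) ? $remoteIP[$onlyRemoteIP] + 1 : 1;
    $remoteIPtoLocalIP[$onlyRemoteIP][] = $dataRow[3];
}

foreach ($remoteIP as $addressToCheck => $addressToCheckCounter) {
    if ($addressToCheckCounter <= $incomingThreshold) {
        continue;
    }
    if (in_array($addressToCheck, $whiteListed, true)) {
        continue;
    }
    $safeAddress = escapeshellarg($addressToCheck);

    // Skip addresses that already have a FORWARD rule. `-F -w` matches the
    // whole address as a fixed string, so 1.2.3.4 no longer matches 1.2.3.40.
    $inIPTables = array();
    exec($iptablesPrefix . "iptables -n --list FORWARD | grep -F -w " . $safeAddress, $inIPTables);
    if (!empty($inIPTables)) {
        continue;
    }

    if ($sendEmail === TRUE) {
        $reportData = "Hello, this is sshcheck.php running on " . php_uname('n') . "\n";
        $reportData .= "\n";
        $reportData .= "Current time: " . date(DATE_RFC822) . "\n";
        $reportData .= "\n";
        if ($addIPTablesRules === TRUE) {
            $reportData .= "Adding iptables DROP rule. Remove it with:\n";
            $reportData .= "iptables -D FORWARD -s $addressToCheck -j DROP\n";
            $reportData .= "\n";
        }
        $reportData .= "IP " . $addressToCheck . " is involved in a brute force attack against the following IPs:\n";
        $reportData .= "\n";
        $reportData .= "Count: " . count($remoteIPtoLocalIP[$addressToCheck]) . "\n";
        foreach ($remoteIPtoLocalIP[$addressToCheck] as $targetedIP) {
            $reportData .= $targetedIP . "\n";
        }
        $reportData = wordwrap($reportData, 70);
        mail($emailAddress, $emailSubject, $reportData, 'From: ' . $emailFrom);
    }
    if ($addIPTablesRules === TRUE) {
        system($iptablesPrefix . "iptables -I FORWARD -s " . $safeAddress . " -j DROP");
    }
}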