Well, I am calling this Solved.
Here's what the script spits out...
Code:
Results of /var/log/secure scan:
(Failed due to bad password: 301)
Failed due to bad user: 149
+______________
Number of Failed Login Attempts: 450
Number of Successful Root Logins: 510
Connection Details are:
301 FAILED root passwords from IP: 199.168.141.102
1 Invalid user r00t from IP: 199.168.141.102
1 Invalid user test001 from IP: 31.171.241.38
1 Invalid user test01 from IP: 31.171.241.38
1 Invalid user test02 from IP: 31.171.241.38
1 Invalid user test1 from IP: 31.171.241.38
1 Invalid user test2 from IP: 31.171.241.38
143 Invalid user test from IP: 31.171.241.38
4 Successful Logins for root from IP: 209.156.244.98
38 Successful Logins for root from IP: 24.101.150.38
468 Successful Logins for root from IP: 74.86.203.42
Host Details are:
hostname
som.ipa.dre.ss
Report Date:
Oct-26-2012
and here's the script:
Code:
#!/usr/bin/perl -W
# Written: JJ of c9
# Purpose: audit /var/log/secure on CentOS release 4.x
# Source : http://www.codeproject.com/Articles/304421/Use-Perl-to-Summarize-the-Secure-Log-File-on-Linux
# Credits: Steven Jackson - http://ubuntuforums.org/attachment.php?attachmentid=226005&d=1351026760
# :
# Edited : Fri Oct 26, 2012 - 9:05:09 AM EDT
# Current: rootonly.pl now processes the /root/.c9audit.log 'internally'
# : using system("/bin/sort audit.log | /usr/bin/uniq -c");
use strict;
use warnings;

my $dataFile  = "/var/log/secure";
my $auditFile = "/root/.c9audit.log";
my $failedCount      = 0; # number of bad logins from any user
my $successCount     = 0; # number of successful logins from any user (not only root)
my $badUserCount     = 0; # number of bad users
my $badPasswordCount = 0; # number of bad passwords, excludes bad users
my %ips;        # source IP => number of events seen from it
my %users;      # user name => number of events involving it
my %successful; # user name => successful logins
my %failed;     # user name => failed logins

open(my $log, '<', $dataFile)  or die "Cannot read $dataFile: $!";
open(my $out, '>', $auditFile) or die "Cannot write $auditFile: $!";

while (my $line = <$log>) {
    next if ($line =~ /^\s*#/); # ignore comment lines

    # password failures for root (failures for other valid users are not counted)
    if ($line =~ /Failed password for root from .*?(\d+\.\d+\.\d+\.\d+)/) {
        my $ip = $1;
        print $out "FAILED root passwords from IP: $ip\n";
        $ips{$ip}++;
        $users{root}++;
        $failed{root}++;
        $failedCount++;
        $badPasswordCount++;
    }
    # attempts against accounts that do not exist
    elsif ($line =~ /Failed password for invalid user (\S+) from .*?(\d+\.\d+\.\d+\.\d+)/) {
        my ($user, $ip) = ($1, $2);
        print $out "Invalid user $user from IP: $ip\n";
        $ips{$ip}++;
        $users{$user}++;
        $failed{$user}++;
        $failedCount++;
        $badUserCount++;
    }
    # accepted logins, by password or by public key
    elsif ($line =~ /Accepted (?:password|publickey) for (\S+) from .*?(\d+\.\d+\.\d+\.\d+)/) {
        my ($user, $ip) = ($1, $2);
        print $out "Successful Logins for $user from IP: $ip\n";
        $ips{$ip}++;
        $users{$user}++;
        $successful{$user}++;
        $successCount++;
    }
}
close $log;
close $out; # flush the audit file before sort/uniq read it

print <<"END_OF_MESSAGE";
Results of /var/log/secure scan:
(Failed due to bad password: $badPasswordCount)
Failed due to bad user: $badUserCount
+______________
Number of Failed Login Attempts: $failedCount
Number of Successful Root Logins: $successCount

Connection Details are:

END_OF_MESSAGE
system("/bin/sort $auditFile | /usr/bin/uniq -c");
print "\n";
print "Host Details are:\n";
system("hostname");
# pull the IPv4 address of eth1 out of the ifconfig output
my $ifconfig = `ifconfig eth1`;
my ($ip_eth1) = $ifconfig =~ /inet addr:\s*(\d+\.\d+\.\d+\.\d+)/;
my $shown = defined $ip_eth1 ? $ip_eth1 : 'unknown';
print "$shown\n";
print "\n";
print "Report Date:\n";
system("date +%b-%e-%Y");
It's my first "baby"!
Thanks to spjackson, whom I gave credit to here...
Thank you for your time,
Enjoy.
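A Python rendition of the same aggregation, added here as an example and not part of the original post or the script above. It runs over a constructed sample of sshd lines in the /var/log/secure format, builds the per-IP counts the report shows, and additionally flags sources that cross a failure threshold or that succeed with a password after failing, which is the first thing a defender reading this report would look for. The sample lines, the threshold value and the function names are assumptions, not anything from the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/secure lines in sshd's format (not data from
# the post); the addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Oct 26 08:01:02 host sshd[1001]: Failed password for root from 203.0.113.10 port 51022 ssh2
Oct 26 08:01:05 host sshd[1002]: Failed password for root from 203.0.113.10 port 51023 ssh2
Oct 26 08:01:09 host sshd[1003]: Failed password for root from 203.0.113.10 port 51024 ssh2
Oct 26 08:02:00 host sshd[1004]: Failed password for invalid user test from 198.51.100.7 port 40001 ssh2
Oct 26 08:02:03 host sshd[1005]: Failed password for invalid user test01 from 198.51.100.7 port 40002 ssh2
Oct 26 08:03:10 host sshd[1006]: Accepted publickey for admin from 192.0.2.5 port 53000 ssh2
Oct 26 08:04:44 host sshd[1007]: Accepted password for root from 203.0.113.10 port 51030 ssh2
Oct 26 08:05:00 host sshd[1008]: pam_unix(sshd:session): session opened for user admin by (uid=0)
"""

# the same three event shapes the Perl script matches
FAILED_ROOT = re.compile(r"Failed password for root from (\d+\.\d+\.\d+\.\d+)")
INVALID_USER = re.compile(r"Failed password for invalid user (\S+) from (\d+\.\d+\.\d+\.\d+)")
ACCEPTED = re.compile(r"Accepted (password|publickey) for (\S+) from (\d+\.\d+\.\d+\.\d+)")


def summarize(lines):
    """Aggregate sshd events per source IP, as the post's script does."""
    s = {
        "bad_password": 0,          # failed root passwords
        "bad_user": 0,              # failures against non-existent users
        "success": 0,               # accepted logins for any user, any method
        "failed_by_ip": Counter(),  # ip -> failed attempts (root + invalid user)
        "invalid_users": defaultdict(Counter),  # ip -> Counter(user -> attempts)
        "accepted": defaultdict(Counter),       # ip -> Counter((user, method) -> logins)
    }
    for line in lines:
        if line.lstrip().startswith("#"):
            continue  # ignore comment lines, like the script
        m = FAILED_ROOT.search(line)
        if m:
            s["bad_password"] += 1
            s["failed_by_ip"][m.group(1)] += 1
            continue
        m = INVALID_USER.search(line)
        if m:
            user, ip = m.groups()
            s["bad_user"] += 1
            s["failed_by_ip"][ip] += 1
            s["invalid_users"][ip][user] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            s["success"] += 1
            s["accepted"][ip][(user, method)] += 1
    s["failed"] = s["bad_password"] + s["bad_user"]
    return s


def flag_sources(summary, threshold=3):
    """Return (ip, reason) pairs a reviewer should look at: guessing sources,
    and password logins from an address that had already failed (a guess that
    eventually worked). The threshold is an assumed value."""
    flags = []
    for ip, n in summary["failed_by_ip"].items():
        if n >= threshold:
            flags.append((ip, "%d failed attempts (password guessing)" % n))
        for (user, method), _ in summary["accepted"].get(ip, {}).items():
            if method == "password":
                flags.append((ip, "password login as %s after %d failures" % (user, n)))
    return flags


def render(summary):
    """Produce the same report shape as the post, with counts sorted per line."""
    out = [
        "Results of /var/log/secure scan:",
        "(Failed due to bad password: %d)" % summary["bad_password"],
        "Failed due to bad user: %d" % summary["bad_user"],
        "Number of Failed Login Attempts: %d" % summary["failed"],
        "Number of Successful Logins: %d" % summary["success"],
        "Connection Details are:",
    ]
    for ip, users in sorted(summary["invalid_users"].items()):
        out += ["%d Invalid user %s from IP: %s" % (n, u, ip) for u, n in sorted(users.items())]
    for ip, logins in sorted(summary["accepted"].items()):
        out += ["%d Successful Logins for %s (%s) from IP: %s" % (n, u, m, ip)
                for (u, m), n in sorted(logins.items())]
    return out


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    print("\n".join(render(summary)))
    for ip, reason in flag_sources(summary):
        print("REVIEW %s: %s" % (ip, reason))
```

To run it against a real file, pass `open("/var/log/secure").readlines()` to `summarize` instead of the sample. The "Successful Logins" line counts every accepted login regardless of user, which is also what the Perl script's `$successCount` counts despite the "Root" in its label.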