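#!/usr/bin/env bash
#
# LOGMAIL
# quick parser for apache logs to check user logins
#
# Basically it checks the users who have logged in and matches up
# their IP addresses to "Class B" networks -- really the /16 prefix,
# i.e. the first two octets of the client address. If a user has logged
# in from more than a set amount of such networks in one day, they are
# flagged as an abusive user.
#
# This is very useful for sites that require user authentication, but
# also suffer from password-sharing, user account compromise and other
# security concerns. Use this to keep tabs on those rascals!
#
# Works with standard apache access.log log files in Common/Combined Log
# Format, where (whitespace-separated) field 1 is the client address,
# field 3 the authenticated user, field 4 the "[dd/Mon/yyyy:HH:MM:SS"
# timestamp and field 9 the HTTP status. A custom LogFormat shifts those
# fields and breaks the parsing. A client address that is not a dotted
# quad (HostnameLookups on, or an IPv6 client) is grouped on whatever
# precedes its second dot, so such entries are counted but the grouping
# is not a real /16.
#
# Script works well with this crontab entry:
# 50 23 * * * /path/to/LOGMAIL >/dev/null 2>&1
#
# allows it to run at 11:50pm every night, to check the logins for the
# current day (note: requests logged after 23:50 are never examined),
# and send an email if anything is found.
#
# Zoidial Inc.
# Eric Thern eric NOSPAM(at) zoidial.com
# March, 2002
#
# Author absolutely 100% not responsible for anything this script does.
# Standard disclaimers apply.
#

# An unset variable here is a configuration bug; fail loudly on it.
set -u

###
### variables
###

# full path to log, including log name
LOG=/path/to/access.log

# number of "class B" (/16) networks to allow a user to log in with in a given day
CLASSB=3

# email of user to receive these alerts
EMAIL=your@email.addy

# abuse name and address for the bottom of the email
ABUSEINFO="Eric Thern, abuse (AT).. zoidial.com"

# todays date, in the form apache writes it. LC_ALL=C pins the English
# month abbreviation so a non-English cron locale cannot silently make
# every day look empty.
DATE=$(LC_ALL=C date "+%d/%b/%Y")
# you can manually tweak it here, if you so wish, to get back-logged emails (would be stupid, though...)
# DATE="18/Mar/2002"

###
### sanity checks
### An unreadable log used to look exactly like "no abusive users today"
### (cat failed, the pipeline produced nothing, the script exited 0).
### A monitor that fails silently is worse than no monitor, so refuse to run.
###

if [[ ! -r "$LOG" ]]; then
  printf 'LOGMAIL: cannot read log file %s\n' "$LOG" >&2
  exit 1
fi

# The threshold is compared numerically inside awk; anything non-numeric
# would compare as 0 and flag every single user.
case $CLASSB in
  ''|*[!0-9]*)
    printf 'LOGMAIL: CLASSB must be a non-negative integer, got "%s"\n' "$CLASSB" >&2
    exit 1
    ;;
esac

###
### get the abusive users from the log
###
### One awk pass over the log:
###   - keep only lines whose timestamp field starts with today's date
###     (anchored on the "[" so a date string embedded in a request URL
###     or user-agent cannot drag a line from another day in),
###   - drop unauthenticated requests (user "-") and failed logins (401),
###   - reduce the client address to its first two octets,
###   - count distinct prefixes per user and print those over the limit.
### Shell values enter awk through -v, never by splicing them into the
### program text, and the awk program itself is a fixed single-quoted string.
### Output is sorted so the list is stable from run to run.
###

ABUSIVEUSERS=$(awk -v day="[$DATE:" -v limit="$CLASSB" '
  # skip other days, unauthenticated requests and failed logins
  index($4, day) != 1 || $3 == "-" || $9 == "401" { next }
  {
    split($1, octet, ".")
    net = octet[1] "." octet[2]
    # count each (user, /16) pair once, however many requests it made
    if (!(($3, net) in seen)) {
      seen[$3, net] = 1
      nets[$3]++
    }
  }
  END {
    for (user in nets)
      if (nets[user] > limit + 0) print user
  }
' "$LOG" | sort)

###
### check to see if we have output at all. If so, then send out a mail about it!!
### (the old "take the first character into a second variable" dance is not
### needed; -z on the quoted value handles the multi-line case directly)
###

if [[ -z "$ABUSIVEUSERS" ]]; then
  exit 0
fi

# email stuff -- a here-document keeps the body readable and lets the
# variables expand in place without any echo quoting trickery.
mail -s "LOGCHECK for $DATE -- Abusive user alert!" "$EMAIL" <<EOF

The following email is automatically generated by a script that parses the webserver logs every day.

LOG USED: $LOG
DATE: $DATE
Number of class B's permitted per day: $CLASSB

What is a class B? -- a typical IP address looks like 10.21.124.214, a class B is 10.21.0.0, the last two digits of the dotted quad notation. Most ISP's have class C's (10.21.124.0) which is the last digit of dotted quad. This means that if a user logs in with many different class B's, most likely they are on different ISP's, and therefor they are probably not the proper user, and should not have access.

This script parses the logfile mentioned above and checks to see how many times a given user logs in from a certain number of Class B networks (the permitted number is shown above). The script only parses once per day, and only checks todays logs. This assures you that the following users have logged into the website with more than $CLASSB Class B addresses within one day, and have gained access to the website. This is typically a sign of a comprimised user account, please take care of this at your earliest convenience.

LIST OF ABUSIVE USERS:
======================
$ABUSIVEUSERS
======================

Questions about this abuse, or this email/script should be forwarded to:
$ABUSEINFO

EOF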