Scripts
Exemple de cron : /etc/cron.d/local-security-check
# security checks
# Any stdout/stderr of the job is mailed to MAILTO; the job prints nothing when
# no user reaches its threshold, so an empty mailbox is the expected quiet case.
# NOTE(review): the page below lists this script as
# /usr/local/sbin/security-check-security-check-auth-IP-addresses; one of the two
# names is presumably a copy/paste slip -- confirm the installed path.
MAILTO=root+security@ca.auf.org
0 5 * * * root /usr/local/sbin/security-check-auth-IP-addresses
/usr/local/sbin/security-list-SASL-connections :
# List the distinct (user, IP address) pairs seen in SASL authentications.
# Usage: security-list-SASL-connections [LOGFILE...]   (reads stdin when no file is given)
# Output: one "USER ADDR" line per distinct pair, sorted.
# Field layout assumed (syslog prefix + Postfix smtpd line, presumably):
#   ... client=host[ADDR], sasl_method=..., sasl_username=USER   -> $7 and $9
exec awk '
/sasl_username/ {
    client = $7
    # The address is the bracketed part of client=host[ADDR].
    # Without brackets match() leaves RSTART=0/RLENGTH=-1 and addr becomes "".
    match(client, /\[.*\]/)
    addr = substr(client, RSTART + 1, RLENGTH - 2)
    # "sasl_username=" is 14 characters; the user name follows it.
    name = substr($9, 15)
    print name " " addr
}
' "$@" | sort | uniq
/usr/local/sbin/security-check-SASL-IP-addresses :
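# Report SASL users that authenticated from many distinct IP addresses.
# Usage: security-check-SASL-IP-addresses [LOGFILE...]   (reads stdin when no file is given)
# Output: "<distinct IP count>\t<user>", highest count first, for users with at
# least $MINIMUM distinct addresses. MINIMUM defaults to 1 (every user), which is
# what the previous, never-initialised min_count amounted to.
# Field layout assumed (syslog prefix + Postfix smtpd line, presumably):
#   ... client=host[ADDR], sasl_method=..., sasl_username=USER   -> $7 and $9
exec awk -v min_count="${MINIMUM:-1}" '
/sasl_username/ {
    # Address is the bracketed part of client=host[ADDR]; no brackets -> "".
    match($7, /\[.*\]/)
    ip = substr($7, RSTART+1, RLENGTH-2)
    # "sasl_username=" is 14 characters; the user name follows it.
    user = substr($9, 15)
    user_ip[user "," ip]++
}
END {
    # Count distinct addresses per user: the user is everything before the
    # first comma. substr() positions start at 1 -- starting at 0 silently
    # dropped the last character of every user name (and merged names that
    # differ only in that character).
    for (ui in user_ip) {
        i = index(ui, ",")
        u = substr(ui, 1, i-1)
        user_ips_count[u]++
    }
    for (u in user_ips_count) {
        if (user_ips_count[u] >= min_count) {
            print user_ips_count[u] "\t" u
        }
    }
}
' "$@" | sort -nr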
/usr/local/sbin/security-list-IMAP-connections :
# List the distinct (user, IP address) pairs seen in IMAP logins.
# Usage: security-list-IMAP-connections [LOGFILE...]   (reads stdin when no file is given)
# Output: one "USER ADDR" line per distinct pair, sorted.
# Field layout assumed (syslog prefix + IMAP login line, presumably):
#   ... Login: user=<USER>, method=..., rip=ADDR, ...   -> $8 and $10
exec awk '
/Login: user=/ {
    # $8 is "user=<USER>,"  -> drop 6 leading and 2 trailing characters
    # $10 is "rip=ADDR,"    -> drop 4 leading and 1 trailing character
    name = substr($8, 7, length($8) - 8)
    addr = substr($10, 5, length($10) - 5)
    print name " " addr
}
' "$@" | sort | uniq
/usr/local/sbin/security-check-security-check-IMAP-IP-addresses :
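# Report IMAP users that logged in from many distinct IP addresses.
# Usage: security-check-IMAP-IP-addresses [LOGFILE...]   (reads stdin when no file is given)
# Output: "<distinct IP count>\t<user>", highest count first, for users with at
# least $MINIMUM distinct addresses. MINIMUM defaults to 1 (every user), which is
# what the previous, never-initialised min_count amounted to.
# Field layout assumed (syslog prefix + IMAP login line, presumably):
#   ... Login: user=<USER>, method=..., rip=ADDR, ...   -> $8 and $10
exec awk -v min_count="${MINIMUM:-1}" '
/Login: user=/ {
    # $10 is "rip=ADDR," ; $8 is "user=<USER>,"
    ip = substr($10, 5, length($10)-5)
    user = substr($8, 7, length($8)-8)
    user_ip[user "," ip]++
}
END {
    # Count distinct addresses per user: the user is everything before the
    # first comma. substr() positions start at 1 -- starting at 0 silently
    # dropped the last character of every user name (and merged names that
    # differ only in that character).
    for (ui in user_ip) {
        i = index(ui, ",")
        u = substr(ui, 1, i-1)
        user_ips_count[u]++
    }
    for (u in user_ips_count) {
        if (user_ips_count[u] >= min_count) {
            print user_ips_count[u] "\t" u
        }
    }
}
' "$@" | sort -nr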
/usr/local/sbin/security-check-security-check-auth-IP-addresses :
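# Daily check: report users who authenticated (SASL or IMAP login) from at least
# $MINIMUM distinct IP addresses in the rotated log /var/log/syslog.1.
# Output: "<distinct IP count>\t<user>", highest count first; when run from
# /etc/cron.d the output is mailed to MAILTO, so no output means nobody reached
# the threshold. The cron entry on this page installs it as
# /usr/local/sbin/security-check-auth-IP-addresses.
MINIMUM="${MINIMUM:-10}"
LOG=/var/log/syslog.1

# Fail loudly if the log is missing or unreadable: the old `cat | gawk` pipeline
# then produced no output and exit 0, indistinguishable from a clean day.
if [ ! -r "$LOG" ]; then
    echo "$0: cannot read $LOG" >&2
    exit 1
fi

gawk -v min_count="$MINIMUM" '
# SASL lines (Postfix smtpd layout assumed): ... client=host[ADDR], ..., sasl_username=USER
/sasl_username/ {
    match($7, /\[.*\]/)
    ip = substr($7, RSTART+1, RLENGTH-2)
    user = substr($9, 15)
    user_ip[user "," ip]++
}
# IMAP lines (layout assumed): ... Login: user=<USER>, method=..., rip=ADDR, ...
/Login: user=/ {
    ip = substr($10, 5, length($10)-5)
    user = substr($8, 7, length($8)-8)
    user_ip[user "," ip]++
}
END {
    # Count distinct addresses per user: the user is everything before the
    # first comma. substr() positions start at 1 -- starting at 0 dropped the
    # last character of every user name in the report (and merged names that
    # differ only in that character).
    for (ui in user_ip) {
        i = index(ui, ",")
        u = substr(ui, 1, i-1)
        user_ips_count[u]++
    }
    for (u in user_ips_count) {
        if (user_ips_count[u] >= min_count) {
            print user_ips_count[u] "\t" u
        }
    }
}
' "$LOG" | sort -nr
# Exit status kept at 0 as before; the report on stdout is the signal.
exit 0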