dicko mentioned in a post that the access_log has the information on who accessed what and when. Looking around, I was able to write this script that will serve the purpose of monitoring users' access by IP. In my situation, I have a limited set of IPs that I access FreePBX from; hence, this script should do it for me.
#!/bin/bash
# Alert on unknown or failed access to FreePBX by comparing IPs found in the logs with a trusted list.
email="[email protected]"
myips=("IP1" "IP2" "IP3" "IP4")   # trusted source addresses

# Twenty client IPs from the Apache access log (the client IP is the first field).
readarray -t accessip < <(sudo awk '{print $1}' /var/log/httpd/access_log | sort -n | uniq | sort -nr | head -20)
# Clients Apache denied; error_log records them as "[client 1.2.3.4:56789]".
readarray -t deniedip < <(sudo grep denied /var/log/httpd/error_log | grep -Eo 'client [0-9]+(\.[0-9]+){3}' | awk '{print $2}' | sort -u)
# Sources of failed SSH passwords ("... from 1.2.3.4 port ..."); matching the "from" token
# works for both "for root" and "for invalid user x" lines, unlike a fixed field number.
readarray -t failedpasswordip < <(sudo grep "Failed password" /var/log/secure | grep -Eo 'from [0-9]+(\.[0-9]+){3}' | awk '{print $2}' | sort -u)
# Sources of PAM authentication failures ("rhost=1.2.3.4").
readarray -t failedauthip < <(sudo grep "authentication failures" /var/log/secure | grep -Eo 'rhost=[0-9]+(\.[0-9]+){3}' | cut -d= -f2 | sort -u)

# Print the given IPs that are not in myips (comm needs sorted input on both sides;
# an empty argument list yields no output instead of one empty line).
not_trusted() {
    comm -23 <(printf '%s\n' "$@" | grep . | sort) <(printf '%s\n' "${myips[@]}" | sort)
}
readarray -t uniqueaccessip < <(not_trusted "${accessip[@]}")
readarray -t uniquedeniedip < <(not_trusted "${deniedip[@]}")

# Send one mail; the blank line after the Subject header separates headers from body.
alert() {
    printf 'Subject: %s\n\n%s\n' "$1" "$2" | /usr/sbin/sendmail "$email"
}
if [ ${#uniqueaccessip[@]} -gt 0 ]; then
    alert "UNKNOWN IP ACCESS" "Unknown access from ${uniqueaccessip[*]}"
fi
if [ ${#uniquedeniedip[@]} -gt 0 ]; then
    alert "DENIED IP ACCESS" "Denied access from ${uniquedeniedip[*]}"
fi
if [ ${#failedpasswordip[@]} -gt 0 ]; then
    alert "FAILED PASSWORD" "Failed password attempt from ${failedpasswordip[*]}"
fi
if [ ${#failedauthip[@]} -gt 0 ]; then
    alert "FAILED AUTHENTICATION" "Failed authentication attempt from ${failedauthip[*]}"
fi
Slightly modified version of the above script.
#!/bin/bash
# Variant that writes findings to files and mails only what is new since the previous run.
email="[email protected]"
myips=("IP1" "IP2" "IP3" "IP4")   # trusted source addresses
mkdir -p /tmp/acceessmonitor
# Start each run with empty category files so results from an earlier run do not linger.
: > /tmp/acceessmonitor/uniqueaccessip.txt
: > /tmp/acceessmonitor/uniquedeniedip.txt
: > /tmp/acceessmonitor/failedpasswordip.txt
: > /tmp/acceessmonitor/failedauthip.txt

# Twenty client IPs from the Apache access log (the client IP is the first field).
readarray -t accessip < <(sudo awk '{print $1}' /var/log/httpd/access_log | sort -n | uniq | sort -nr | head -20)
# Clients Apache denied; error_log records them as "[client 1.2.3.4:56789]".
readarray -t deniedip < <(sudo grep denied /var/log/httpd/error_log | grep -Eo 'client [0-9]+(\.[0-9]+){3}' | awk '{print $2}' | sort -u)
# Sources of failed SSH passwords; the "from" token is matched so "invalid user" lines work too.
readarray -t failedpasswordip < <(sudo grep "Failed password" /var/log/secure | grep -Eo 'from [0-9]+(\.[0-9]+){3}' | awk '{print $2}' | sort -u)
# Sources of PAM authentication failures ("rhost=1.2.3.4").
readarray -t failedauthip < <(sudo grep "authentication failures" /var/log/secure | grep -Eo 'rhost=[0-9]+(\.[0-9]+){3}' | cut -d= -f2 | sort -u)

# Print the given IPs that are not in myips (comm needs sorted input; empty input yields nothing).
not_trusted() {
    comm -23 <(printf '%s\n' "$@" | grep . | sort) <(printf '%s\n' "${myips[@]}" | sort)
}
readarray -t uniqueaccessip < <(not_trusted "${accessip[@]}")
readarray -t uniquedeniedip < <(not_trusted "${deniedip[@]}")

if [ ${#uniqueaccessip[@]} -gt 0 ]; then
    echo "Unknown access from: ${uniqueaccessip[*]}" > /tmp/acceessmonitor/uniqueaccessip.txt
fi
if [ ${#uniquedeniedip[@]} -gt 0 ]; then
    echo "Denied access from: ${uniquedeniedip[*]}" > /tmp/acceessmonitor/uniquedeniedip.txt
fi
if [ ${#failedpasswordip[@]} -gt 0 ]; then
    echo "Failed password attempt from: ${failedpasswordip[*]}" > /tmp/acceessmonitor/failedpasswordip.txt
fi
if [ ${#failedauthip[@]} -gt 0 ]; then
    echo "Failed authentication attempt from: ${failedauthip[*]}" > /tmp/acceessmonitor/failedauthip.txt
fi
cat /tmp/acceessmonitor/uniqueaccessip.txt /tmp/acceessmonitor/uniquedeniedip.txt /tmp/acceessmonitor/failedpasswordip.txt /tmp/acceessmonitor/failedauthip.txt > /tmp/acceessmonitor/ac$
# Mail only the lines that were not in the previous run's file (comm needs sorted input).
touch /tmp/acceessmonitor/accessmonitor2.txt   # previous run's copy; absent on the first run
B=$(comm -23 <(sort /tmp/acceessmonitor/accessmonitor1.txt) <(sort /tmp/acceessmonitor/accessmonitor2.txt))
cp /tmp/acceessmonitor/accessmonitor1.txt /tmp/acceessmonitor/accessmonitor2.txt
if [ -n "$B" ]; then
    # The blank line after the Subject header separates headers from body.
    printf 'Subject: [FREEPBX]: ACCESS ALERT\n\n%s\n' "$B" | /usr/sbin/sendmail "$email"
fi
The modified version will do the following:
- Set trusted IPs
- Look at /var/log/httpd/access_log for all IPs that accessed your FreePBX and compare them to the trusted IPs; if there is an unknown IP, it will send an email alert.
- Fail2ban will send an email alert if an IP is banned. To otherwise get the IPs of suspicious activity, it will monitor /var/log/httpd/access_log and /var/log/httpd/error_log for any denied access, failed password or failed authentication.
- To avoid alert fatigue, the script will send an alert once for each IP.
- Save the file somewhere like /usr/ipmonitor.sh
- chmod +x /usr/ipmonitor.sh
- Put it in crontab
My question is: will the “/var/log/secure” access information be passed to “/var/log/httpd/access_log”? i.e. do I need to work on “/var/log/secure”?
Thanks in advance.
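As an added example that is not code from the original post or from the FreePBX project, the script below pulls together the three things the scripts above do by hand: extracting client IPs from access_log and /var/log/secure lines, dropping trusted addresses, and alerting on each unknown IP only once. It goes a little beyond the post in two ways: the sshd IP is taken from the "from"/"rhost=" token rather than a fixed field number, so "invalid user" lines (which shift the fields by two) are handled, and the "alert once per IP" rule is enforced with a state file of already-reported IPs instead of a diff of the previous run's output. All log lines and addresses are constructed samples, TRUSTED_IPS stands in for the post's myips list, and STATE_FILE is a hypothetical path; nothing is actually mailed, the alert text is just printed.

```bash
#!/bin/bash
# Added example, not code from the original post or from FreePBX: pull client IPs
# out of access_log and /var/log/secure lines, drop trusted addresses, and alert on
# each unknown IP only once by remembering it in a state file. All log lines and
# addresses below are constructed samples; STATE_FILE is a hypothetical path.
LC_ALL=C   # byte-order sorting, so comm sees the same collation on both sides
export LC_ALL

# Trusted sources, one per line (the post's myips array).
TRUSTED_IPS='203.0.113.10
203.0.113.11'

# Constructed sample lines in Apache combined log format (client IP is field 1).
SAMPLE_ACCESS_LOG='203.0.113.10 - - [11/Oct/2023:14:32:52 +0000] "GET /admin/ HTTP/1.1" 200 512
198.51.100.7 - - [11/Oct/2023:14:33:01 +0000] "GET /admin/config.php HTTP/1.1" 403 199
203.0.113.11 - - [11/Oct/2023:14:33:05 +0000] "POST /admin/ HTTP/1.1" 302 0
198.51.100.7 - - [11/Oct/2023:14:33:10 +0000] "GET /recordings/ HTTP/1.1" 403 199
192.0.2.44 - - [11/Oct/2023:14:35:00 +0000] "GET / HTTP/1.1" 200 1024'

# Constructed sample sshd lines as they appear in /var/log/secure.
SAMPLE_SECURE_LOG='Oct 11 14:40:01 pbx sshd[2210]: Failed password for root from 192.0.2.44 port 51022 ssh2
Oct 11 14:40:09 pbx sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
Oct 11 14:41:00 pbx sshd[2215]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root'

# Unique client IPs from access_log text; the IP is always the first field.
access_log_ips() {
    printf '%s\n' "$1" | awk 'NF { print $1 }' | sort -u
}

# Unique source IPs of failed logins from /var/log/secure text. Matching the
# "from <ip>" / "rhost=<ip>" token avoids counting fields, which shift by two
# when the line says "for invalid user x" instead of "for root".
secure_log_ips() {
    printf '%s\n' "$1" \
        | grep -E 'Failed password|authentication failures' \
        | grep -Eo '(from |rhost=)[0-9]+(\.[0-9]+){3}' \
        | grep -Eo '[0-9]+(\.[0-9]+){3}' \
        | sort -u
}

# Keep only the IPs in $1 (newline-separated) that are not trusted.
untrusted_ips() {
    trusted_file=$(mktemp)
    printf '%s\n' "$TRUSTED_IPS" | sort -u > "$trusted_file"
    printf '%s\n' "$1" | awk 'NF' | sort -u | comm -23 - "$trusted_file"
    rm -f "$trusted_file"
}

# Print the IPs in $1 that are not yet recorded in state file $2, then record
# them: a later run with the same input prints nothing, so each IP alerts once.
new_ips() {
    state_file=$2
    touch "$state_file"
    sort -u -o "$state_file" "$state_file"   # comm requires sorted input
    new=$(printf '%s\n' "$1" | awk 'NF' | sort -u | comm -23 - "$state_file")
    if [ -n "$new" ]; then
        printf '%s\n' "$new" >> "$state_file"
        printf '%s\n' "$new"
    fi
}

# Mail text: Subject header, a blank separator line, then the body. Without the
# blank line sendmail would try to parse the first body line as another header.
format_alert() {
    printf 'Subject: %s\n\n%s\n' "$1" "$2"
}

# One monitoring pass over the sample logs; prints the mail text that a cron
# job would pipe into /usr/sbin/sendmail, or nothing if there is no new IP.
run_once() {
    state=$1
    web=$(untrusted_ips "$(access_log_ips "$SAMPLE_ACCESS_LOG")")
    ssh=$(untrusted_ips "$(secure_log_ips "$SAMPLE_SECURE_LOG")")
    fresh=$(new_ips "$(printf '%s\n%s\n' "$web" "$ssh")" "$state")
    if [ -n "$fresh" ]; then
        format_alert "[FREEPBX]: ACCESS ALERT" \
            "New unknown IPs: $(printf '%s\n' "$fresh" | paste -sd ' ' -)"
    fi
}

state=${STATE_FILE:-$(mktemp)}
run_once "$state"   # first pass: reports 192.0.2.44 and 198.51.100.7
run_once "$state"   # second pass: both already recorded, prints nothing
[ -n "${STATE_FILE:-}" ] || rm -f "$state"
```

To use it for real, replace the SAMPLE_* variables with the output of `sudo cat` on the actual logs, point STATE_FILE at a persistent location (a file under /tmp disappears on reboot, which would re-alert every IP), and pipe `run_once`'s output into `/usr/sbin/sendmail "$email"` as the post's scripts do. The functions only use POSIX tools (awk, grep, sort, comm, paste), so they behave the same under sh and bash.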