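#!/usr/bin/perl
# @(#)incoming.pl 2007-08-06 A.J.Travis
#
# Identify incoming login attempts to detect Brute Force attacks
#
# Usage: incoming.pl [N]
#   no argument -> /var/log/auth.log
#   0           -> /var/log/auth.log.0
#   N (digits)  -> /var/log/auth.log.N.gz, read through zcat
#
# Output is one line per distinct (status, method, user, host) record,
# in byte order of the record text:
#   [count] Accept|Reject method: user@hostname (ip)
# Attempts from 192.168.0.0/16 are not reported.
#
# The counting is done in memory rather than through "sort | uniq -c" and
# a fixed-name file in /tmp (a predictable temp path is a symlink/clobber
# risk when this runs with enough privilege to read auth.log), and the
# compressed log is opened with the list form of open so the argument is
# never interpreted by a shell.

use strict;
use warnings;
use Socket qw(inet_aton AF_INET);

# Source addresses matching this are treated as local and are not reported.
my $LOCAL_NET = qr/^192\.168\./;

my $log;
if ( !defined $ARGV[0] ) {
    open $log, '<', '/var/log/auth.log'
      or die "incoming: can't open /var/log/auth.log: $!\n";
}
else {
    # The argument becomes part of a filename handed to zcat: accept only
    # digits so it cannot carry path components or shell syntax.
    my ($index) = ( $ARGV[0] =~ /\A(\d+)\z/ )
      or die "incoming: log index must be numeric, got '$ARGV[0]'\n";
    if ( $index == 0 ) {
        open $log, '<', '/var/log/auth.log.0'
          or die "incoming: can't open /var/log/auth.log.0: $!\n";
    }
    else {
        # List-form pipe open: zcat is exec'd directly, no shell involved.
        my $gz = "/var/log/auth.log.$index.gz";
        open $log, '-|', 'zcat', $gz
          or die "incoming: can't run zcat on $gz: $!\n";
    }
}

# Number of times each "status method user host" record was seen.
my %count_of;
while ( my $line = <$log> ) {
    if ( $line =~ /Accepted/ ) {
        my ( $what, $user, $host ) =
          ( $line =~ /Accepted (\S+) for (\w+) from ([\d.]+)/ );
        # A line that mentions "Accepted" but not in the expected form is
        # skipped instead of being recorded with an empty host.
        next unless defined $host;
        $count_of{"Accept $what $user $host"}++ unless $host =~ $LOCAL_NET;
    }
    if ( $line =~ /Failed/ ) {
        # "for invalid user NAME" is skipped so NAME, not the word
        # "invalid", is recorded as the user; ".*" still tolerates any
        # other text between the user and "from".
        my ( $what, $user, $host ) =
          ( $line =~ /Failed (\S+) for (?:invalid user )?(\w+).* from ([\d.]+)/ );
        die "incoming: can't parse: $line" unless defined $what;
        $count_of{"Reject $what $user $host"}++ unless $host =~ $LOCAL_NET;
    }
}
# On a pipe, close fails when zcat exits non-zero (e.g. a missing .gz),
# which the original silently turned into empty output.
close $log or die "incoming: error reading log (status $?): $!\n";

# Output with DNS reverse lookup of host IP.
for my $record ( sort keys %count_of ) {
    my ( $status, $what, $user, $host ) = split ' ', $record;
    my $count = '[' . $count_of{$record} . ']';
    my $hostname = reverse_lookup($host);
    printf "%9s %6s %-10s %s@%s (%s)\n",
      $count, $status, "$what:", $user, $hostname, $host;
}

# Return the reverse-DNS name for a dotted-quad IPv4 address, or "unknown"
# when the address does not parse or has no PTR record.  Uses the
# resolver library directly instead of spawning "host" per address.
sub reverse_lookup {
    my ($ip) = @_;
    my $packed = inet_aton($ip);
    return 'unknown' unless defined $packed;
    my $name = gethostbyaddr( $packed, AF_INET );
    return ( defined $name && length $name ) ? $name : 'unknown';
}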