Tuesday, March 14, 2017

snmptrap notification on wrong ssh login attempt

*** information ***
snmptrap server: 192.168.58.23
trap agent: 192.168.58.22


*** on server ***
1- install snmptrap

$ sudo apt-get install snmptrapd


2- use 'public' as the community string, so change the content of /etc/snmp/snmptrapd.conf to the following.

authCommunity log,execute,net public
traphandle default /usr/bin/traptoemail -s localhost info@test.mail


3- to run it use the following command
$ sudo snmptrapd -c /etc/snmp/snmptrapd.conf

or to debug

$ sudo snmptrapd -D -f -c /etc/snmp/snmptrapd.conf -L o:

*** on client ***
1- install snmp
$ sudo apt-get install snmp

2- use the following script to check for wrong login attempts and send the SNMP trap to the server

import re
import time
import os

filen = "/var/log/auth.log"
f = open(filen, 'r')
while True:
    # read one complete line, waiting for more data while the file has not grown
    line = ''
    while len(line) == 0 or line[-1] != '\n':
        tail = f.readline()
        if tail == '':
            time.sleep(0.1)          # avoid busy waiting
            # f.seek(0, io.SEEK_CUR) # appears to be unnecessary
            continue
        line += tail
    # process(line)
    if re.search(r"Failed.password.*ssh2$", line):
        print("wrong attempt")
        # send an SNMPv2c trap to the trap server
        os.system("snmptrap -v 2c -c public 192.168.58.23 '' .1.3.6.1.6.3.1.1.5.3 .1.3.6.1.6.3.1.1.5.3 s 'attacked alert'")
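
An extension of the script above, added here as an example and not part of the original post: it pulls the user name and source address out of each failed-password line, builds the snmptrap argument list for subprocess.call() without a shell (the user name in auth.log is chosen by the remote party), and allows at most one trap per source address per minute. The function names, message text, 60-second interval and sample log lines are assumptions made up for this example.

```python
import re
import time

# sshd failed-password line, with or without "invalid user"; anchored like the page's regex
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+ ssh2$")
TRAP_SERVER = "192.168.58.23"        # trap server from the page
TRAP_OID = ".1.3.6.1.6.3.1.1.5.3"    # OID used in the page's snmptrap command

def parse_failed_login(line):
    """Return (user, ip) for a failed SSH password line, else None."""
    m = FAILED.search(line.rstrip("\n"))
    return (m.group("user"), m.group("ip")) if m else None

def build_trap_argv(user, ip):
    """argv list for subprocess.call(); no shell is involved, so the
    remotely chosen user name is never interpreted as shell syntax."""
    msg = "failed ssh login user=%r from=%s" % (user, ip)
    return ["snmptrap", "-v", "2c", "-c", "public", TRAP_SERVER, "",
            TRAP_OID, TRAP_OID, "s", msg]

class Throttle(object):
    """Allow at most one trap per source IP every `interval` seconds."""
    def __init__(self, interval=60):
        self.interval = interval
        self.last = {}

    def allow(self, ip, now=None):
        now = time.time() if now is None else now
        if now - self.last.get(ip, float("-inf")) < self.interval:
            return False
        self.last[ip] = now
        return True

def traps_for(lines, throttle, now=None):
    """argv lists to send for the given log lines, after throttling."""
    hits = (parse_failed_login(l) for l in lines)
    return [build_trap_argv(u, ip) for u, ip in filter(None, hits)
            if throttle.allow(ip, now)]

# Constructed sample lines (not taken from a real log)
SAMPLE = [
    "Mar 14 10:01:02 host sshd[1234]: Failed password for root from 192.168.58.50 port 40022 ssh2\n",
    "Mar 14 10:01:03 host sshd[1234]: Failed password for invalid user x; reboot from 192.168.58.50 port 40023 ssh2\n",
    "Mar 14 10:01:09 host sshd[1240]: Accepted password for alice from 192.168.58.51 port 40100 ssh2\n",
]
```

In the tailing loop, each list returned by traps_for([line], throttle) would be passed to subprocess.call() in place of the os.system() string.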

*** to test ***
1- try to log in to the host 192.168.58.22 with wrong credentials,
then info@test.mail will receive a notification email.

below is the email alert

