Tuesday, March 14, 2017

snmptrap notification on wrong ssh login attempt

*** information ***
snmptrap server:
trap agent:

*** on server ***
1- install snmptrap

$ sudo apt-get install snmptrapd

2- use 'public' as the community string, so change the content of /etc/snmp/snmptrapd.conf to the following.

authCommunity log,execute,net public
traphandle default /usr/bin/traptoemail -s localhost info@test.mail

3- to run it use the following command
$ sudo snmptrapd -c /etc/snmp/snmptrapd.conf

or to debug

$ sudo snmptrapd -D -f -c /etc/snmp/snmptrapd.conf -L o:

*** on client ***
1- install snmp
$ sudo apt-get install snmp

2- use the following script to watch /var/log/auth.log for failed login attempts and send an snmp trap to the server
import re
import time
import os

filen = "/var/log/auth.log"
f = open(filen, 'r')
while True:
    line = ''
    # read one complete line, waiting for sshd to append to the log
    while len(line) == 0 or line[-1] != '\n':
        tail = f.readline()
        if tail == '':
            time.sleep(0.1)          # avoid busy waiting
            # f.seek(0, io.SEEK_CUR) # appears to be unnecessary
        line += tail
    if re.search(r"Failed.password.*ssh2$", line):
        print("wrong attempt")
        # the trap receiver host and the two OIDs are left blank in the post; fill them in
        os.system("snmptrap -v 2c -c public '' .  .  s 'attacked alert'")
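
A fuller version of the matching and trap step, added here as an example (not code from the original post): it pulls the user and source address out of the auth.log line and hands snmptrap an argument list instead of a shell string, so log-derived text cannot alter the command. The receiver host, the two OIDs and the log lines are constructed placeholders, since the post leaves them blank.

```python
import re
import subprocess

# Tighter form of the post's "Failed.password.*ssh2$" match: anchored to sshd
# and capturing the fields a responder actually wants in the trap.
FAILED_SSH = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2$"
)

# Placeholder OIDs (assumption): swap in the notification and string
# varbind OIDs your trap receiver expects.
TRAP_OID = "1.3.6.1.4.1.99999.1.0.1"
MSG_OID = "1.3.6.1.4.1.99999.1.1.1"


def parse_failed_login(line):
    """Return {user, ip, port} for a failed-password line, else None."""
    m = FAILED_SSH.search(line.rstrip("\n"))
    if not m:
        return None
    return {"user": m.group("user"), "ip": m.group("ip"),
            "port": int(m.group("port"))}


def build_trap_cmd(event, receiver, community="public"):
    """snmptrap argv for an SNMPv2c trap; no shell, so no quoting games."""
    msg = f"failed ssh login for {event['user']} from {event['ip']}"
    return ["snmptrap", "-v", "2c", "-c", community, receiver, "",
            TRAP_OID, MSG_OID, "s", msg]


def send_trap(event, receiver):
    """Fire the trap; returns snmptrap's exit status."""
    return subprocess.call(build_trap_cmd(event, receiver))


def alerts_from_log(lines, receiver):
    """Trap commands for every failed login among the given log lines."""
    events = (parse_failed_login(l) for l in lines)
    return [build_trap_cmd(e, receiver) for e in events if e]


# Constructed sample auth.log lines (not real captures).
SAMPLE_LOG = [
    "Mar 14 10:01:02 host sshd[1234]: Failed password for invalid user admin "
    "from 192.0.2.10 port 51234 ssh2",
    "Mar 14 10:01:05 host sshd[1234]: Failed password for root "
    "from 192.0.2.10 port 51236 ssh2",
    "Mar 14 10:02:00 host sshd[1240]: Accepted publickey for bob "
    "from 198.51.100.7 port 40000 ssh2: RSA SHA256:placeholder",
]
```

Replace the post's `os.system(...)` call with `send_trap(parse_failed_login(line), "<receiver>")` inside the same tail loop.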

*** to test ***
1- try to log in to the host with wrong credentials;
info@test.mail will then receive the notification email.

below is the email alert
