Added a --cc option to cclogconv

Are you familiar with cclogconv, my little oddball of a tool?

https://github.com/rhykw/cclogconv

Feed it text containing IP addresses and it spits the text back out with a country code inserted right next to every item that looks like an IP address.

Personally I find it very handy.
Usage looks like this.

$ grep -F "Failed password for" /var/log/secure | cclogconv --data /usr/share/GeoIP/GeoLite2-Country.mmdb

Oct 15 04:16:09 secure sshd[2133]: Failed password for admin from US 199.106.88.54 port 52696 ssh2
Oct 15 05:48:39 secure sshd[2505]: Failed password for invalid user nologin from CN 59.52.97.130 port 48748 ssh2
Oct 15 05:48:42 secure sshd[2508]: Failed password for root from CN 59.52.97.130 port 49062 ssh2
Oct 15 05:48:45 secure sshd[2511]: Failed password for invalid user oracle from CN 59.52.97.130 port 49452 ssh2
Oct 15 05:48:48 secure sshd[2514]: Failed password for invalid user nagios from CN 59.52.97.130 port 49793 ssh2
Oct 15 07:58:40 secure sshd[2925]: Failed password for admin from SR 200.1.214.58 port 38206 ssh2
Oct 15 09:00:10 secure sshd[2969]: Failed password for admin from PE 190.81.112.20 port 44984 ssh2
Oct 15 09:00:15 secure sshd[2972]: Failed password for root from PE 190.81.112.20 port 45100 ssh2
Oct 15 09:00:19 secure sshd[2975]: Failed password for admin from PE 190.81.112.20 port 45248 ssh2
Oct 15 09:56:27 secure sshd[3071]: Failed password for admin from US 158.69.195.223 port 64495 ssh2
Oct 15 09:56:33 secure sshd[3074]: Failed password for admin from US 158.69.195.223 port 65218 ssh2
Oct 15 09:56:40 secure sshd[3077]: Failed password for admin from US 158.69.195.223 port 50492 ssh2
Oct 15 09:56:55 secure sshd[3083]: Failed password for invalid user support from US 158.69.195.223 port 51393 ssh2
Oct 15 09:57:01 secure sshd[3086]: Failed password for ftp from US 158.69.195.223 port 54395 ssh2
Oct 15 09:57:09 secure sshd[3089]: Failed password for invalid user user from US 158.69.195.223 port 55821 ssh2
Oct 15 09:57:15 secure sshd[3092]: Failed password for invalid user nagios from US 158.69.195.223 port 57833 ssh2

A country code has been inserted to the left of 199.106.88.54, 59.52.97.130 and the other addresses.

Today I added a new option to cclogconv.

$ grep -F "Failed password for" /var/log/secure | cclogconv --data /usr/share/GeoIP/GeoLite2-Country.mmdb --cc US

Oct 15 04:16:09 secure sshd[2133]: Failed password for admin from US 199.106.88.54 port 52696 ssh2
Oct 15 09:56:27 secure sshd[3071]: Failed password for admin from US 158.69.195.223 port 64495 ssh2
Oct 15 09:56:33 secure sshd[3074]: Failed password for admin from US 158.69.195.223 port 65218 ssh2
Oct 15 09:56:40 secure sshd[3077]: Failed password for admin from US 158.69.195.223 port 50492 ssh2
Oct 15 09:56:55 secure sshd[3083]: Failed password for invalid user support from US 158.69.195.223 port 51393 ssh2
Oct 15 09:57:01 secure sshd[3086]: Failed password for ftp from US 158.69.195.223 port 54395 ssh2
Oct 15 09:57:09 secure sshd[3089]: Failed password for invalid user user from US 158.69.195.223 port 55821 ssh2
Oct 15 09:57:15 secure sshd[3092]: Failed password for invalid user nagios from US 158.69.195.223 port 57833 ssh2

With --cc COUNTRYCODE the output is narrowed down to only those lines that contain an IP address from that country.
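The two behaviours described above (inserting the country code to the left of every IP-looking token, and with --cc keeping only the lines that contain an address from one country) as an added Go example. This is not cclogconv's own code: it swaps the GeoLite2/geoip2-golang lookup for a constructed in-memory prefix table (StubLookup, whose prefixes are invented for the demo while the country codes are copied from the sample output above), handles IPv4 tokens only, and the names Lookup, Annotate, Keep and Convert are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"os"
	"regexp"
	"strings"
)

// Lookup maps an IP address to an ISO country code, or "" when unknown.
// cclogconv backs this with MaxMind's GeoLite2 database via geoip2-golang;
// this demo uses a constructed in-memory prefix table instead (StubLookup).
type Lookup func(ip net.IP) string

// ipv4Re finds IPv4-looking tokens; net.ParseIP then rejects octets > 255.
var ipv4Re = regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`)

// Annotate inserts "<CC> " to the left of every resolvable IPv4 token in line
// and reports which country codes the line contained.
func Annotate(line string, lookup Lookup) (string, map[string]bool) {
	seen := map[string]bool{}
	out := ipv4Re.ReplaceAllStringFunc(line, func(tok string) string {
		ip := net.ParseIP(tok)
		if ip == nil { // e.g. "300.1.2.3": looks like an IP but is not one
			return tok
		}
		cc := lookup(ip)
		if cc == "" { // unknown to the database: leave the token untouched
			return tok
		}
		seen[cc] = true
		return cc + " " + tok
	})
	return out, seen
}

// Keep implements the --cc filter: an empty code keeps every line, otherwise
// only lines containing at least one address from that country pass.
func Keep(seen map[string]bool, cc string) bool {
	if cc == "" {
		return true
	}
	return seen[strings.ToUpper(cc)]
}

// Convert streams r to w line by line, annotating and filtering like
// "cclogconv --data ... [--cc CC]".
func Convert(r io.Reader, w io.Writer, lookup Lookup, cc string) error {
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line, seen := Annotate(sc.Text(), lookup)
		if Keep(seen, cc) {
			fmt.Fprintln(w, line)
		}
	}
	return sc.Err()
}

// StubLookup returns a Lookup over a constructed prefix table (prefixes are
// invented for this demo; the codes match the post's sample output).
func StubLookup() Lookup {
	table := []struct{ cidr, cc string }{
		{"199.106.88.0/24", "US"}, {"158.69.0.0/16", "US"}, {"59.52.0.0/16", "CN"},
		{"200.1.214.0/24", "SR"}, {"190.81.0.0/16", "PE"},
	}
	var nets []*net.IPNet
	for _, e := range table {
		_, n, err := net.ParseCIDR(e.cidr)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return func(ip net.IP) string {
		for i, n := range nets {
			if n.Contains(ip) {
				return table[i].cc
			}
		}
		return ""
	}
}

// Constructed sample lines in the sshd "Failed password" format from the post.
const sampleLog = `Oct 15 04:16:09 secure sshd[2133]: Failed password for admin from 199.106.88.54 port 52696 ssh2
Oct 15 05:48:39 secure sshd[2505]: Failed password for invalid user nologin from 59.52.97.130 port 48748 ssh2
Oct 15 07:58:40 secure sshd[2925]: Failed password for admin from 200.1.214.58 port 38206 ssh2
Oct 15 10:00:00 secure sshd[3100]: Failed password for admin from 10.0.0.7 port 40000 ssh2
`

func main() {
	cc := "" // run as: go run . --cc CN
	if len(os.Args) > 2 && os.Args[1] == "--cc" {
		cc = os.Args[2]
	}
	if err := Convert(strings.NewReader(sampleLog), os.Stdout, StubLookup(), cc); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Two details worth noting for anyone reimplementing this: the regex only finds candidates and net.ParseIP does the real validation, so a token like 300.1.2.3 passes through untouched, and an address the database does not know (here 10.0.0.7) is also left untouched rather than tagged with a bogus code, which means a --cc filter silently drops such lines.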

It is a self-indulgent piece of software, but do give it a try.

The country lookup data comes from MaxMind's products.
Reading the MaxMind DB is done with oschwald's geoip2-golang.