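===== Check for top ipaddresses hitting Expose =====
#!/bin/bash
# Written Andrew Stringer, 01/08/2014 onwards
# Check for excessive hits on Expose website.
#
# Nagios plugin. Fetches a log segment from ${SERVER} over ssh, counts lines
# per source address (the first whitespace-separated field of each line),
# drops whitelisted addresses and alerts on the busiest remaining address.
#
# Usage:  check_expose_hits.sh [label]
#   label       optional text inserted into the alert message (this was the
#               bare ${1} in the original message; now safe when omitted)
# Environment (all optional):
#   WARN_HITS   warning threshold, default 1200
#   CRIT_HITS   critical threshold, default 1800
#   EXCLUDEIP   pipe-separated addresses to ignore, matched EXACTLY
# Output: one Nagios status line with perfdata "HITS=<n>;<warn>;<crit>".
# Exit status: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN (fetch failed / bad config).

# -u: unset variables are bugs. -e is deliberately NOT used so a failing ssh
# is reported as UNKNOWN instead of dying silently. pipefail is needed so the
# ssh exit status survives the pipe into awk.
set -u
set -o pipefail

readonly STATE_OK=0
readonly STATE_WARNING=1
readonly STATE_CRITICAL=2
readonly STATE_UNKNOWN=3

# SSHID is the -i key file to use for passwordless login.
# NOTE(review): the file name suggests a DSA (ssh-dss) key. OpenSSH 7.0+ refuses
# ssh-dss by default, so this check will start returning UNKNOWN after a server
# upgrade — re-key with ed25519 when convenient.
SSHID='/home/nagios/.ssh/nagios_dsa'
SERVER='app.company.int'
# Path ON THE REMOTE HOST. The alert text assumes this file holds the last ten
# minutes of traffic; nothing here enforces that window — it is whatever
# produces the segment on ${SERVER} that has to guarantee it.
SEGMENT='/home/nagios/ssl-segment.log'

# Addresses to ignore: YOUR site addresses, monitoring hosts or other
# whitelisted sources, pipe-separated. Each entry is compared as an exact
# string against the address field. The old code fed this list to egrep as an
# unanchored regex with unescaped dots, so '22.45.119.102' also hid
# 122.45.119.102, 22.45.119.1020, 22x45x119x102 and any line whose request
# count happened to contain the pattern — i.e. the whitelist was wider than
# intended and could be abused to evade the check.
EXCLUDEIP=${EXCLUDEIP:-'22.129.88.5|22.45.119.102'}

WARN_HITS=${WARN_HITS:-1200}
CRIT_HITS=${CRIT_HITS:-1800}
LABEL=${1:-}

# Thresholds come from the environment, so validate before using them in
# arithmetic; a stray non-number would otherwise abort the plugin mid-run.
if [[ ! ${WARN_HITS} =~ ^[0-9]+$ || ! ${CRIT_HITS} =~ ^[0-9]+$ ]]; then
  echo "UNKNOWN: WARN_HITS/CRIT_HITS must be non-negative integers (got '${WARN_HITS}' / '${CRIT_HITS}')"
  exit "${STATE_UNKNOWN}"
fi

# Fetch the segment and reduce it to "<count> <address>" for the busiest
# address that is not whitelisted. BatchMode stops ssh from hanging on a
# passphrase/password prompt when run unattended by Nagios; -q keeps banner
# noise out of the data stream.
#
# awk replaces the old cut|sort|uniq -c|sort -n|egrep -v|tail -1 pipeline:
#  - $1 of every non-empty line is the counted key (presumably the client IP
#    for a combined-format access log; behind a proxy/load balancer this
#    would be the proxy address instead — confirm against the log format);
#  - addresses listed in EXCLUDEIP are skipped by exact match;
#  - ties on the maximum count are broken by the lexically greatest address,
#    which is what 'sort -n | tail -1' on "count ip" lines used to yield.
top=$(ssh -q -o BatchMode=yes -i "${SSHID}" "${SERVER}" cat "${SEGMENT}" \
  | LC_ALL=C awk -v excl="${EXCLUDEIP}" '
      BEGIN {
        n = split(excl, list, "|")
        for (i = 1; i <= n; i++) if (list[i] != "") skip[list[i]] = 1
      }
      NF && !($1 in skip) { hits[$1]++ }
      END {
        best = ""; max = 0
        for (ip in hits) {
          if (hits[ip] > max || (hits[ip] == max && ip > best)) {
            max = hits[ip]; best = ip
          }
        }
        if (best != "") print max, best
      }')
rc=$?
if (( rc != 0 )); then
  # A fetch failure must not look like a quiet webserver: report UNKNOWN.
  echo "UNKNOWN: could not read ${SEGMENT} from ${SERVER} via ssh (exit ${rc}) | HITS=0;${WARN_HITS};${CRIT_HITS}"
  exit "${STATE_UNKNOWN}"
fi

# Empty ${top} means no line survived the whitelist (or an empty segment);
# that counts as zero hits, same as before.
HITS=${top%% *}
SOURCE=${top#* }
HITS=${HITS:-0}
[[ -n ${top} ]] || SOURCE=''

# The address is taken verbatim from the log and only ever echoed — never
# pass it to eval or build a command from it.
if (( HITS >= CRIT_HITS )); then
  echo "Ip address ${SOURCE} has hit the webserver ${LABEL} ${HITS} times during the last ten minutes, Is it a DOS attack? | HITS=${HITS};${WARN_HITS};${CRIT_HITS}"
  exit "${STATE_CRITICAL}"
fi

if (( HITS >= WARN_HITS )); then
  echo "Ip address ${SOURCE} has hit the webserver ${LABEL} ${HITS} times during the last ten minutes, Is it a DOS attack? | HITS=${HITS};${WARN_HITS};${CRIT_HITS}"
  exit "${STATE_WARNING}"
fi

echo "Insufficent hits from a single IP to trigger alert. | HITS=${HITS};${WARN_HITS};${CRIT_HITS}"
exit "${STATE_OK}"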