Check for the top IP addresses hitting Expose

#!/bin/bash
#Written Andrew Stringer, 01/08/2014 onwards
#Check for excessive hits on Expose website
 
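# Nagios plugin exit codes. UNKNOWN (3) is used when the check itself cannot
# run (e.g. the log segment cannot be fetched), which must not look like OK.
readonly STATE_OK=0
readonly STATE_WARNING=1
readonly STATE_CRITICAL=2
readonly STATE_UNKNOWN=3

# SSHID is the private key passed to ssh -i for passwordless login as nagios.
readonly SSHID='/home/nagios/.ssh/nagios_dsa'
# Host that holds the access-log segment, and the path of that segment there.
readonly SERVER='app.company.int'
readonly SEGMENT='/home/nagios/ssl-segment.log'

# Addresses that never raise an alert: your own site's addresses or other
# whitelisted sources, as a pipe-separated list.
readonly EXCLUDEIP='22.129.88.5|22.45.119.102'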
 
#Excude some addresses which correspond to whitelist site addresses.
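# Usage: tophitsonwebsite [webserver-name] [warn-hits] [crit-hits]
#   $1 - name of the web server, only used in the alert text (may be empty)
#   $2 - WARNING threshold, hits per segment (default 1200)
#   $3 - CRITICAL threshold, hits per segment (default 1800)
# Exit status follows the Nagios convention: 0 OK, 1 WARNING, 2 CRITICAL,
# 3 UNKNOWN when the log could not be fetched or a value is not numeric.
WEBSERVER=${1:-}
WARN_HITS=${2:-1200}
CRIT_HITS=${3:-1800}

# Without pipefail a failing ssh is masked by the trailing tail, and the check
# would report OK with an empty hit count.
set -o pipefail

# Fetch the log segment, count hits per client address (first field of each
# line), drop whitelisted addresses and keep the busiest remaining one.
# uniq -c output is "<count> <address>". The awk stage compares the address
# field exactly: the former unanchored "egrep -v" regex also dropped e.g.
# 22.129.88.50 and 122.129.88.5 for the entry 22.129.88.5, and its "." matched
# any character, so an attacker's address could fall inside the whitelist.
if ! IPADDRESS=$(ssh -q -i "${SSHID}" "${SERVER}" cat "${SEGMENT}" \
    | cut -d ' ' -f 1 | sort | uniq -c | sort -n \
    | awk -v ex="${EXCLUDEIP}" '
        BEGIN { n = split(ex, a, "|"); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        !($2 in skip)' \
    | tail -1); then
  printf 'UNKNOWN: could not read %s from %s\n' "${SEGMENT}" "${SERVER}"
  exit "${STATE_UNKNOWN:-3}"
fi

# read strips the leading blanks uniq -c emits. An empty result (empty
# segment, or every address whitelisted) counts as zero hits so the perfdata
# value stays numeric.
read -r HITS SOURCE <<<"${IPADDRESS}"
HITS=${HITS:-0}

# Remote log data and thresholds feed an arithmetic test; reject anything that
# is not a plain integer instead of aborting on a bash arithmetic error.
for n in "${HITS}" "${WARN_HITS}" "${CRIT_HITS}"; do
  if [[ ! "${n}" =~ ^[0-9]+$ ]]; then
    printf 'UNKNOWN: non-numeric value "%s" in hit count or thresholds\n' "${n}"
    exit "${STATE_UNKNOWN:-3}"
  fi
done

STATE=${STATE_OK}
if (( HITS >= CRIT_HITS )); then
  STATE=${STATE_CRITICAL}
elif (( HITS >= WARN_HITS )); then
  STATE=${STATE_WARNING}
fi

# WARNING and CRITICAL share the same text; only the exit status differs.
if (( STATE != STATE_OK )); then
  printf '%s\n' "Ip address ${SOURCE} has hit the webserver ${WEBSERVER} ${HITS} times during the last ten minutes, Is it a DOS attack? | HITS=${HITS};${WARN_HITS};${CRIT_HITS}"
else
  printf '%s\n' "Insufficent hits from a single IP to trigger alert. | HITS=${HITS};${WARN_HITS};${CRIT_HITS}"
fi
exit "${STATE}"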
 