#!/bin/sh 
# Read the log files depending on $1 (PREF)
# Read all the IPs involved, look up their countries and count them.
# Run from crontab at 2 AM for the previous day.

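#######################################
# Builds the per-day and cumulative incident statistics for one log type.
# Arguments: $1 - log type, "ssh" (sshd failures) or "ipt" (iptables GeoIP BAN)
# Globals:   EXECDIR (cwd for ./geoip_look), STATDIR (result files)
# Outputs:   on success prints the country summary to stdout (for cron mail)
# Returns:   0 on success, 1 on usage error, an already-processed date,
#            or when EXECDIR/the temp file are unavailable
#######################################
EXECDIR="/usr/share/xt_geoip"
STATDIR="/var/lib/xt_geoip"

# Print a diagnostic on stderr and exit with status 1.
die() {
    echo "$0 : $*" >&2
    exit 1
}

# The log-type specific filter is carried in plain variables instead of
# shell fragments glued together and passed to eval: the previous form
# re-parsed every file name and every date as shell code.
#   MATCH   - extended regex selecting the interesting log lines
#   HEAD_RE - sed regex stripping everything before the address
#   TAIL_RE - sed regex stripping everything after the address
case "$1" in
    "ssh")
        PREF="ssh"
        LOGDIR="/var/log/sshd"
        MATCH='(Failed password|Invalid user \w+ from)'
        HEAD_RE='^.*from '
        TAIL_RE=' port.*$'
    ;;
    "ipt")
        PREF="ipt"
        LOGDIR="/var/log/iptables"
        MATCH='GeoIP BAN'
        HEAD_RE='^.*SRC='
        TAIL_RE=' DST=.*$'
    ;;
    *)
        echo "usage : $0 [ssh|ipt|....]"
        exit 1
    ;;
esac

# files of the day
RESFILE="$STATDIR/${PREF}_ip.lst"
RES2FILE="$STATDIR/${PREF}_country.lst"
# permanent files
BASEFILE="$STATDIR/Base_${PREF}_ip.lst"
BASE2FILE="$STATDIR/Base_${PREF}_country.lst"
# Day - 1
DATE=$(date --date '1 day ago' '+%Y-%m-%d')

# tempo - removed on every exit path, not only the happy one
TMPFILE=$(mktemp "$STATDIR/xt_${PREF}.XXXXXXX") || die "cannot create temp file in $STATDIR"
trap 'rm -f -- "$TMPFILE"' EXIT

# ./geoip_look below is resolved relative to EXECDIR, so a failed cd must not
# silently fall through to the current directory.
cd "$EXECDIR" || die "cannot cd to $EXECDIR"

#######################################
# Extract the source addresses logged on $DATE from one log file, one per line.
# Arguments: $1 - log file (tai64n-stamped, converted by tai64nlocal)
# Globals:   DATE, MATCH, HEAD_RE, TAIL_RE (read)
# Outputs:   addresses on stdout; empty when nothing matches
#######################################
extract_ips() {
    /usr/local/bin/tai64nlocal < "$1" \
        | grep -- "$DATE" \
        | grep -E -- "$MATCH" \
        | sed -e "s/$HEAD_RE//" -e "s/$TAIL_RE//"
}

# yesterday already in base ?
if [ -f "$BASEFILE" ] && grep -F -q -- "$DATE" "$BASEFILE"; then
    echo "$0 : $PREF already run for that date. Please verify this !"
    exit 1
fi

: > "$RESFILE"

# All logfiles updated within 2 days, not empty.
# (find descends into LOGDIR itself rather than the expansion of LOGDIR/*,
# so a directory name containing spaces no longer breaks the loop.)
find "$LOGDIR" -type f -mtime -2 -size +50c -print \
    | while IFS= read -r file; do
        extract_ips "$file" >> "$RESFILE"
    done

# number of incidents by IP, sorted by IP
awk -F ";" -v OFS=";" \
    '{t[$1]=$1; t1[$1]+=1} END {for(n in t) print t[n], t1[n]}' "$RESFILE" \
    | sort -t ";" -n -k 1 > "$TMPFILE"

# +date, +country code
# The address field comes from log content, so it is only handed to system()
# when it consists solely of characters an IPv4/IPv6 literal can contain;
# anything else gets an empty country column and is reported on stderr.
awk -F ";" -v v1="$DATE" -v OFS=";" '
    {
        printf "%s", v1 ";" $0 ";"
        if ($1 ~ /^[0-9A-Fa-f.:]+$/) {
            system("./geoip_look " $1)
        } else {
            print ""
            print "geoip_look skipped, not an address: " $1 > "/dev/stderr"
        }
    }' "$TMPFILE" > "$RESFILE"

# number of incidents by country code, sorted reverse by number
awk -F ";" -v v1="$DATE" -v OFS=";" \
    '{t[$4]=$4; t1[$4]+=$3} END {for(n in t) print v1, t[n], t1[n]}' "$RESFILE" \
    | sort -t ";" -k 3 -r -n > "$RES2FILE"

# concatenate into bases
cat "$RESFILE" >> "$BASEFILE"
cat "$RES2FILE" >> "$BASE2FILE"

# delete files of today
#rm -f "$RESFILE" "$RES2FILE"

# for mail
if [ -s "$RES2FILE" ]; then
    echo "parse $LOGDIR for $PREF events"
    cat "$RES2FILE"
fi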

