dtux__sshdetect/main.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <utmp.h>
#include <locale.h>
#include <libgen.h>
#include <libconfig.h>

#define HOSTNAME "localhost"

struct connexion
{
	int pid;
	char cmd[24];
	char cmdline[1000];
	char user[24];
	char hostname[128];
	char host_ip[42];
	char host_ipv6[42];
	char date[60];

};

struct config
{
	char commande[1024];
	char logfile[4096];
	char hostname[128];

};

int explode( char * str, char * separator, size_t m, size_t n, char exploded[m][n] )
{
	char * pch;
	int x=0 ;

	pch = strtok( str, separator );
	while( pch != NULL )
	{
		//printf("%s\n", pch);
		strcpy( exploded[x++], pch) ;
		pch = strtok( NULL , separator );
	}
	return x;
}

// config function
int readconfig( struct config * cfg )
{
	FILE * fh = NULL;
	char path[2][30] = {"/etc/sshdetect.conf", ""};
	int x;
	int retval=0;
	char str[1024];
	char exploded[2][1024];
	char * homepath;
	char * buff;
	char logfilepath[1024];

	homepath = getenv("HOME");
	if ( homepath != NULL )
	{
		sprintf( path[1], "%s%s", homepath, "/.config/sshdetect.conf" );
	}
	sprintf( logfilepath, "%s%s", homepath, "/.locale/share/sshdetect.log");
	for(x=0;x<2;x++)
	{
		if ((fh = fopen( path[x], "r")) == NULL)
		{
			perror(path[x]);
			if(x==1) retval = -1;
		}else
		{
			printf("Found config file: %s\n", path[x]);
			x = 3;
		}
	}
	if (fh != NULL)
	{
		while(fgets(str, 1024, fh) != NULL)
		{
			explode(str, "= \n", 2, 1024, exploded);
			if ( strcmp( exploded[0], "commande") == 0 )
			{
				if ( fopen(exploded[1],"r") != NULL)
				{
					strcpy( cfg->commande, exploded[1] );
					printf("Found command: %s\n", cfg->commande);
				}else
				{
					perror(exploded[1]);
				}
			}else if( strcmp( exploded[0], "logfile") == 0)
			{
				sprintf( logfilepath, "%s%s", homepath, "/.config/sshdetect.log");
				if ( fopen(exploded[1], "a") != NULL )
				{
					strcpy( cfg->logfile, exploded[1] );
				}
			}else if( strcmp( exploded[0], "hostname") == 0 )
			{
				strcpy( cfg->hostname, exploded[1] );
			}
		}
	}
	if ( cfg->logfile[0] == 0 )
	{
		if ( fopen("/var/log/sshdetect.log", "a") != NULL )
		{
			strcpy( cfg->logfile, "/var/log/sshdetect.log" );
		}else if ( fopen(logfilepath, "a") != NULL )
		{
			strcpy( cfg->logfile, logfilepath );
		}else
		{
			perror(logfilepath);
			strcpy(cfg->logfile, "/dev/null");
			retval += 2;
		}
	}
	if (cfg->hostname[0] == 0 )
	{
		buff = getenv("HOSTNAME");
		if ( buff  != NULL)
		{
			strcpy(cfg->hostname, buff);
		}else
		{
			strcpy(cfg->hostname, HOSTNAME);
		}
	}
	if (cfg->commande[0] == 0)
	{
		printf("command not found: no command will be executed");
		retval += 4;
	}
	return retval;
}

//test if pid is in lsit of known sshd processus
int isinarray( int pid, int array[], int n )
{
	//if (n == 0) return 0;
	int x;
	for(x=1;x<=n;x++)
	{
		if( pid == array[x])
		{
			return x;
		}
	}	return 0;
}

char* frtime(const time_t timet)
{
	struct tm *date_tm;
	static char result[40];

	date_tm = localtime(&timet);
	strftime(result, 40, "%c", date_tm);
	return result;
}

//get utmp datas
void getutmp( struct connexion * conn, time_t * time )
{
	struct utmp * utmp;
	int ipv6;
	int ipv4;
	int x;
	char str[6];
	conn->host_ip[0]='\0';
	conn->host_ipv6[0]='\0';
	setutent();
	while (	(utmp = getutent()) != NULL )
	{
		if ( utmp->ut_pid == conn->pid )
		{
			sprintf(conn->user, "%s", utmp->ut_user);		//got user login
			sprintf(conn->hostname, "%s", utmp->ut_host);	//got ip of origin
			if((utmp->ut_addr_v6[1] && utmp->ut_addr_v6[2] && utmp->ut_addr_v6[3]) == 0)
			{
				ipv4 =  utmp->ut_addr_v6[0] & 0x00000000000000ff;
				sprintf( str, "%d.", ipv4);
				strcat(conn->host_ip, str);
				ipv4 =  (utmp->ut_addr_v6[0] & 0x000000000000ff00) >> 8;
				sprintf( str, "%d.", ipv4);
				strcat(conn->host_ip, str);
				ipv4 =  (utmp->ut_addr_v6[0] & 0x0000000000ff0000) >> 16;
				sprintf( str, "%d.", ipv4);
				strcat(conn->host_ip, str);
				ipv4 =  (utmp->ut_addr_v6[0] & 0x00000000ff000000) >> 24;
				sprintf( str, "%d", ipv4);
				strcat(conn->host_ip, str);
			}else
			{
				for (x=0;x<4;x++)
				{
					ipv6 = utmp->ut_addr_v6[x] & 0x000000000000ffff;
					sprintf( str, "%x:", ipv6);
					strcat(conn->host_ipv6, str);
					ipv6 = (utmp->ut_addr_v6[x] & 0x00000000ffff0000) >> 16;
					sprintf( str, "%x:", ipv6);
					strcat(conn->host_ipv6, str);
					ipv6 = (utmp->ut_addr_v6[x] & 0x0000ffff00000000) >> 32;
					sprintf( str, "%x:", ipv6);
					strcat(conn->host_ipv6, str);
					ipv6 = (utmp->ut_addr_v6[x] & 0xffff000000000000) >> 48;
					sprintf( str, "%x:", ipv6);
					strcat(conn->host_ipv6, str);
				}
				conn->host_ipv6[strlen(conn->host_ipv6)-1] = '\0';
			}
			*time = (time_t) utmp->ut_tv.tv_sec;	//got connexion time
			break;
		}
	}
	endutent();
}

//replace null characters by space
int null2space( char str[] )
{
	int flag =0;
	int x = 0;

	while ( flag == 0 )
	{
		if ( (int) str[x] == 0 )
		{
			if ( (int) str[x+1] != 0 )
			{
				str[x] = ' ';
			}elsemv /etc/ssh/sshrc /etc/ssh/sshrc.old

			{
				flag = 1;
			}
		}
		x++;
	}
	return x-1 ;
}

// get the childs pids
int getpids(int pid, int exploded[])
{
	FILE *fh;
	char * pch;
	char path[1024];
	char str[4096];
	char separator[] = " ";
	int x = 0;

	sprintf( path, "/proc/%d/task/%d/children", pid,pid);
	//printf("  %s", proc_path);
	if ((fh = fopen( path, "r")) == NULL)
	{
		perror(path);
		return -1;
	}
	if ( fgets( str, 40, fh ) != NULL )
	{
		pch = strtok( str, separator );
		while( pch != NULL )
		{
			//printf("%s\n", pch);
			exploded[x++] = atoi( pch  );
			pch = strtok( NULL , separator );

		}

		fclose(fh);
		return x;
	}else
	{
		fclose(fh);
		return -1;
	}
}

int getprocinfo( struct connexion * conn )
{
	FILE *fh1;
	char child_path[128];
	char str[1024];
	int child_pid[10];
	int flag = 0;
	int r;
	int level = 0;
	int retval = 0;
	char tab[128];
	time_t  timet=0;

	//get connexion time
	getutmp( conn, &timet );
	if ( timet == 0)
	{
		time( &timet );
	}
	sprintf( conn->date, "%s", frtime(timet) );

	//get the pid of the last processus
	while ( flag == 0)
	{
		r = getpids( conn->pid, child_pid );
		if( level == 0 && r == 2 )
		{
			flag = 1;
			retval = -1;
		}else if ( r != -1 )
		{
			level++;
			strcat(tab,"    ");
			conn->pid = child_pid[0];
		}else
		{
			flag = 1;
		}
	}

	// get the command parameters
	sprintf( child_path, "/proc/%d/cmdline", conn->pid );
	if ( (fh1= fopen( child_path, "r" )) == NULL)
	{
		perror(child_path);
		return 2;
	}
	fgets( str, 1024, fh1);
	null2space( str );
	sprintf(conn->cmdline, "%s", str);
	fclose(fh1);
	// get the command name
	sprintf( child_path, "/proc/%d/comm", conn->pid );
	if ( (fh1= fopen(child_path, "r" )) == NULL)
	{
		perror(child_path);
		return 3;
	}
	fscanf( fh1, "%s", conn->cmd );
	fclose(fh1);
	return retval;
}

int main()
{
	FILE *fh = NULL;
	FILE *fh1;
	int n_ssh=10;
	int id;
	int pid;
	int x=0;
	int y=0;
	int r=0;
	int i;
	int j;
	int n;
	int start=1;
	int childrens[n_ssh];
	int pids[n_ssh];
	int flag[n_ssh];
	int rinfo;
	int status;
	char ip[42]="";
	char str[1024];
	char date[60];
	time_t now = 0;
	char * language;
	char * buff;
	struct connexion conn;
	struct connexion connexions[n_ssh];
	struct config cfg = {"","",""};
	//char * ptr;

	readconfig( &cfg );

	//localizing
	if ( (language = getenv("LANGUAGE")) != NULL)
	{
		strtok (language, ":");
	}else if ( (language = getenv("LC_ALL")) == NULL )
	{
		language="";
	}
	setlocale(LC_ALL,language);

	time( &now );
	sprintf( date, "%s", frtime(now));
	if ( (fh = fopen(cfg.logfile, "a")) == NULL)
	{
		perror(cfg.logfile);
		return 7;
	}
	fprintf(fh, "%s: Démarrage de sshdetect\n", date);
	fclose(fh);
	sprintf( str, "%s \"%s - %s: Démarrage de sshdetect\"", cfg.commande, cfg.hostname, date );
	id=fork();
	if(id == 0)
	{
		if (cfg.commande[0] != 0)
		{
			r = system( str );
		}else
		{
			printf("no command defined: no command launched\n");
		}

		exit(r);
	}else if( id<0 )
	{
		printf("erreur de création du fork: %s\n", str);
	}

	while (1)
	{
		// get the sshd process ID (PID)
		if ( (fh = fopen("/run/sshd.pid", "r" )) == NULL)
		{
			perror("/run/sshd.pid");
			return 1;
		}
		if ( fscanf(fh, "%i", &pid) == 0)
		{
			printf("erreur fscanf: /run/sshd.pid\n" );
			return 10;
		}
		fclose(fh);
		//printf("%i", pid);

		//get the list of children
		if ( (n=getpids( pid, pids )) != -1)
		{
			for ( y=0; y<n; y++)
			{
				pid = pids[y];
				r = isinarray(pid, childrens, x);
				if( r == 0 )
				{
					conn.user[0]='\0';
					conn.pid=pid;
					rinfo = getprocinfo( &conn );
					if( rinfo == 0 )
					{
						if (conn.host_ip[0] != '\0')
						{
							strcpy(ip,conn.host_ip);
						}else if (conn.host_ipv6[0] != '\0')
						{
							strcpy(ip,conn.host_ipv6);
						}
						x++;
						childrens[x] = pid;
						flag[x] = 1;
						connexions[x] = conn;
						// date of connexion

						if (conn.user[0] == '\0')
						{
							sprintf( str, "%s \"%s: tunnel ouvert le %s depuis %s avec la commande: %s %s\"", cfg.commande, cfg.hostname, conn.date, ip, conn.cmd, conn.cmdline );
						}else
						{
							sprintf( str, "%s \"%s: %s s'est connecté le %s depuis %s avec la commande: %s %s\"", cfg.commande, cfg.hostname, conn.user, conn.date, ip, conn.cmd, conn.cmdline );
						}
						if ( start != 1 )
						{
							id=fork();
							if(id > 0)
							{
								if ( (fh1 = fopen(cfg.logfile, "a")) == NULL)
								{
									perror(cfg.logfile);
									return 7;
								}
								fprintf(fh1, "%s: Connexion de %s depuis %s commande: %s %s\n", conn.date, conn.user, ip, conn.cmd, conn.cmdline);
								fclose(fh1);
							}else if (id < 0)
							{
								printf("erreur de création du fork: %s\n", str);
							}else
							{
								if (cfg.commande[0] != 0)
								{
									printf("%s\n", str);
									r = system( str );
								}else
								{
									printf("no command defined: no command launched\n");
								}
								exit(r);
							}
						}else
						{
							if ( (fh1 = fopen(cfg.logfile, "a")) == NULL)
							{
								perror(cfg.logfile);
								return 7;
							}
							fprintf(fh1, "%s: %s Connecté depuis %s - %s  %s\n", conn.date, conn.user, ip, conn.cmd, conn.cmdline);
							fclose(fh1);
						}
					}else if (rinfo == -1)
					{

						printf("%i => 2 pids : en cours de connexion\n", conn.pid);
					}
				}else
				{
					flag[r] = 1;
				}
			}
			for(i=1;i<=x;i++)
			{
				if (flag[i] == 0 )
				{
					time( &now );
					sprintf( date, "%s", frtime(now) );
					printf( "Session %d de %s terminée le %s\n", connexions[i].pid, connexions[i].user, date );
					if ( (fh1 = fopen(cfg.logfile, "a")) == NULL)
					{
						perror(cfg.logfile);
						return 7;
					}
					fprintf(fh1, "%s: pid %d -Connexion de %s terminée le %s\n", cfg.hostname, connexions[i].pid, connexions[i].user, connexions[i].date);
					for( j=i; j<x; j++ )
					{
						childrens[j] = childrens[j+1];
						flag[j] = flag[j+1];
					}
					i--;
					x--;
				}else
				{
					flag[i] = 0;
				}
			}
			sleep(2);
			waitpid(-1, &status ,WNOHANG);
		}
		start = 0;
	}
	return 0;
}