hjkhhrteuiluiliuuiluiluiluilrtrt
bnmbertsdfsdfluiluiluiluiluiluiltdfg
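#!/bin/bash
# Root login alert.
#
# Runs at login (the surrounding page suggests it is installed under
# /etc/profile.d, i.e. *sourced* by every login shell).  When the shell
# belongs to root it looks at the newest entry of `last -i`; if that login
# has not been reported yet and its source IP is not on the allow list, an
# e-mail goes to $notification_email.  For non-root users it is a no-op.
#
# Because a profile.d snippet is sourced, this file never calls `exit` and
# never changes shell options (`set -e` & co.) -- both would hit the user's
# login shell.  All work happens in functions that `return`.
#
# Fixes versus the previous revision:
#   * CIDR entries in the allow list (a.b.c.d/nn) are honoured; they used to
#     be compared with plain string equality and never matched.
#   * `exit 0` became `return 0` (an exit ends a sourced login shell).
#   * `who` output is kept in memory instead of a predictable /tmp file.
#   * The state file is refused if it is a symlink or not root-owned, and
#     its contents must be numeric before being used in `-ne`.
#   * An empty `last` result no longer reaches `date -d ""` (which GNU date
#     treats as "now"), so every login no longer looks new.

# Allow list: space-separated IPv4 addresses and/or IPv4 CIDR blocks.
ip_exclude_list="194.31.54.38 67.131.22.114 70.166.205.153 103.135.95.126 103.141.55.2 103.186.234.0/24 199.117.154.2 199.117.154.7 103.186.234.3"
notification_email="alerts@orangehost.com"
# Unix time of the last login that has already been reported.
# TODO: /tmp is world-writable; move this to a root-only directory
# (<ROOT_ONLY_STATE_DIR>/last_ssh_user_time_stamp) so other local users
# cannot pre-create or replace it.  state_file_usable() narrows the window
# but does not remove the race.
last_user_time_stamp="/tmp/last_ssh_user_time_stamp"

#######################################
# Prints the 32-bit integer value of an IPv4 dotted quad.
# Arguments: $1 - candidate address
# Outputs:   decimal integer on stdout (nothing on failure)
# Returns:   0 if $1 is a valid dotted quad, 1 otherwise
#######################################
ip4_to_int() {
  local ip=$1 octet n=0
  local re='^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$'
  [[ "$ip" =~ $re ]] || return 1
  for octet in "${BASH_REMATCH[@]:1:4}"; do
    # 10# forces decimal so "08" is not read as (invalid) octal.
    (( 10#$octet <= 255 )) || return 1
    n=$(( (n << 8) | 10#$octet ))
  done
  printf '%d' "$n"
}

#######################################
# Tests one allow-list entry against an address.
# Arguments: $1 - address to test
#            $2 - entry: plain address (exact string match) or a.b.c.d/nn
# Returns:   0 on match, 1 otherwise (also for malformed entries or a
#            non-IPv4 address tested against a CIDR block)
#######################################
ip_matches_entry() {
  local ip=$1 entry=$2 net bits ip_n net_n mask
  # Plain address: exact string comparison, as before.
  if [[ "$entry" != */* ]]; then
    [[ "$ip" == "$entry" ]]
    return
  fi
  net=${entry%%/*}
  bits=${entry#*/}
  [[ "$bits" =~ ^[0-9]{1,2}$ ]] || return 1
  (( 10#$bits <= 32 )) || return 1
  ip_n=$(ip4_to_int "$ip") || return 1
  net_n=$(ip4_to_int "$net") || return 1
  # Mask with the top $bits bits set; /0 matches everything.
  mask=$(( 10#$bits == 0 ? 0 : (0xFFFFFFFF << (32 - 10#$bits)) & 0xFFFFFFFF ))
  (( (ip_n & mask) == (net_n & mask) ))
}

#######################################
# Counts allow-list entries matching the current session's IP.
# Globals:   ip_exclude_list, current_user_ip (read); ip_check_count (written)
# Returns:   0; ip_check_count == 0 means the IP is unknown
#######################################
count_known_access() {
  local entry
  ip_check_count=0
  # shellcheck disable=SC2086 -- the list is deliberately word-split
  for entry in $ip_exclude_list; do
    if ip_matches_entry "$current_user_ip" "$entry"; then
      ip_check_count=$((ip_check_count + 1))
    fi
  done
}

#######################################
# Prints the dotted quad of the newest `last -i` entry, or nothing.
#######################################
latest_login_ip() {
  last -i | grep -E -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1
}

#######################################
# Decides whether the state file may be read and written by root.
# Arguments: $1 - state file path
# Returns:   0 if $1 is absent (it will be created) or a regular, non-symlink
#            file owned by the running user; 1 otherwise.  In /tmp any local
#            user could otherwise plant a symlink (redirecting root's write)
#            or their own file (to suppress alerts by editing the timestamp).
#######################################
state_file_usable() {
  local f=$1
  if [ -L "$f" ]; then
    printf 'root-login-alert: refusing symlink state file %s\n' "$f" >&2
    return 1
  fi
  if [ -e "$f" ] && { [ ! -f "$f" ] || [ ! -O "$f" ]; }; then
    printf 'root-login-alert: refusing untrusted state file %s\n' "$f" >&2
    return 1
  fi
  return 0
}

#######################################
# Prints the last reported login time from the state file.
# Arguments: $1 - state file path
# Outputs:   a non-negative integer; 0 when the file is missing, empty or
#            does not contain a plain integer (treated as "never reported")
#######################################
read_last_reported() {
  local value
  value=$(cat -- "$1" 2>/dev/null)
  [[ "$value" =~ ^[0-9]+$ ]] || value=0
  printf '%s' "$value"
}

#######################################
# Mails the alert when the newest login is new (differs from the state
# file), its IP is not on the allow list and an IP is known at all; then
# records the login time in the state file.
# Globals:   current_user_ip, current_login_time_unix, last_login_time_unix,
#            notification_email, last_user_time_stamp (read)
#######################################
send_mail_notification() {
  local host who_output recent_access
  count_known_access
  if [ "$current_login_time_unix" -ne "$last_login_time_unix" ] \
      && [ "$ip_check_count" -eq 0 ] && [ -n "$current_user_ip" ]; then
    host=$(hostname)
    who_output=$(who)
    # -F -w: literal whole-word match so 10.0.0.1 does not also hit 10.0.0.10
    recent_access=$(last -i | grep -F -w -- "$current_user_ip" | head -n 5)
    printf '\nRoot access detected in server: %s on %s from the IP: %s\n %s\n%s\n\n %s\n%s\n' \
      "$host" "$(date -u)" "$current_user_ip" \
      "Details of currently logged in users is given below" "$who_output" \
      "Details of recent access from the IP: $current_user_ip is given below" \
      "$recent_access" \
      | mail -s "Root access in $host from IP: $current_user_ip" "$notification_email"
    printf '%s\n' "$current_login_time_unix" > "$last_user_time_stamp"
  fi
}

#######################################
# Entry point.  Sets current_user_ip, current_login_time_unix and
# last_login_time_unix (seen by send_mail_notification through dynamic
# scoping) and never fails the login shell.
# Returns:   0 always
#######################################
root_login_alert_main() {
  local current_user_ip current_login_ip current_login_time_raw
  local current_login_time_unix last_login_time_unix

  # Only root sessions are of interest; everyone else gets a no-op.
  [ "$(id -u)" -eq 0 ] || return 0
  # `last` is the only source of login data; without it there is nothing
  # to report.
  command -v last >/dev/null 2>&1 || return 0
  state_file_usable "$last_user_time_stamp" || return 0
  touch -- "$last_user_time_stamp"

  # IP of the session running this shell: sshd's SSH_CLIENT ("ip port port")
  # when present, otherwise the newest `last -i` entry.
  if [ -n "${SSH_CLIENT:-}" ]; then
    read -r current_user_ip _ <<<"$SSH_CLIENT"
  else
    current_user_ip=$(latest_login_ip)
  fi

  # Newest login according to `last -i` and its wall-clock time
  # (columns 4-7: weekday month day hh:mm).
  current_login_ip=$(latest_login_ip)
  [ -n "$current_login_ip" ] || return 0
  current_login_time_raw=$(last -i | grep -F -w -- "$current_login_ip" | head -n 1 \
    | awk '{print $4" "$5" "$6" "$7}')
  [ -n "$current_login_time_raw" ] || return 0
  current_login_time_unix=$(date --date="$current_login_time_raw" +%s 2>/dev/null)
  # Unparseable time: skip quietly rather than alert on garbage.
  [ -n "$current_login_time_unix" ] || return 0

  last_login_time_unix=$(read_last_reported "$last_user_time_stamp")

  send_mail_notification
  return 0
}

root_login_alert_main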