#!/bin/bash
# Monitor failed login attempts
set -u

SEND_NTFY="/usr/local/bin/send-ntfy.sh"

# Count failures
FAILED_SSH=$(journalctl -u ssh --since "1 hour ago" 2>/dev/null | grep -c "Failed password" || true)
FAILED_WEB=$(journalctl --since "1 hour ago" 2>/dev/null | grep -c "authentication failure.*pvedaemon" || true)

FAILED_SSH=${FAILED_SSH:-0}
FAILED_WEB=${FAILED_WEB:-0}

TOTAL_FAILED=$((FAILED_SSH + FAILED_WEB))

if [ $TOTAL_FAILED -gt 20 ]; then
    $SEND_NTFY warning "Brute Force Attack" "🟡 WARNING: $TOTAL_FAILED failed logins!\nSSH: $FAILED_SSH, Web: $FAILED_WEB" "warning,lock"
elif [ $TOTAL_FAILED -gt 10 ]; then
    $SEND_NTFY info "Failed Logins" "ℹ️ INFO: $TOTAL_FAILED failed logins\nSSH: $FAILED_SSH, Web: $FAILED_WEB" "lock,info"
fi

logger -t login-monitor "Failed logins: SSH=$FAILED_SSH, Web=$FAILED_WEB"