{"id":13508282,"url":"https://github.com/clearlinux/tallow","last_synced_at":"2025-07-06T13:34:27.808Z","repository":{"id":5380277,"uuid":"6567818","full_name":"clearlinux/tallow","owner":"clearlinux","description":"Block hosts that attempt to bruteforce SSH using the journald API.","archived":false,"fork":false,"pushed_at":"2022-11-13T10:35:46.000Z","size":124,"stargazers_count":93,"open_issues_count":8,"forks_count":13,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-04-03T15:43:38.637Z","etag":null,"topics":["firewall-rules","ssh","ssh-client","ssh-server","systemd-journal"],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/clearlinux.png","metadata":{"files":{"readme":"README.md","changelog":"ChangeLog","contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2012-11-06T19:21:39.000Z","updated_at":"2024-11-19T15:24:41.000Z","dependencies_parsed_at":"2023-01-11T16:47:52.887Z","dependency_job_id":null,"html_url":"https://github.com/clearlinux/tallow","commit_stats":null,"previous_names":[],"tags_count":22,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/clearlinux%2Ftallow","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/clearlinux%2Ftallow/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/clearlinux%2Ftallow/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/clearlinux%2Ftallow/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/clearlinux","download_url":"https://codeload.github.com/clearlinux/tallow/tar.gz/refs/heads/master","hos
t":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250748094,"owners_count":21480778,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["firewall-rules","ssh","ssh-client","ssh-server","systemd-journal"],"created_at":"2024-08-01T02:00:50.801Z","updated_at":"2025-04-25T03:32:06.935Z","avatar_url":"https://github.com/clearlinux.png","language":"C","funding_links":[],"categories":["C","others"],"sub_categories":[],"readme":"\ntallow\n======\n\nTallow is a fail2ban/lard replacement that uses systemd's native\njournal API to scan for attempted ssh logins, and issues temporary\nIP bans for clients that violate certain login patterns.\n\nAuthor: Auke Kok \u003cauke-jan.h.kok@intel.com\u003e\n\n\nHow it works\n============\n\nTallow attaches to the journal and subscribes to messages from\n/usr/sbin/sshd. The messages are matched against rules and the IP\naddress is extracted from the message.  For each IP address that is\nextracted, the last timestamp and count is kept. Once the count exceeds\na threshold, the offending IP address is added to an ipset and blocked \nwith a corresponding firewall rule. It will use firewalld or \niptables / ip6tables.\n\nThe timestamp is kept for pruning. Records are pruned from the list\nif the IP address hasn't been seen by tallow for longer than the\nthreshold. If the IP was blocked and the threshold was exceeded,\nthe IP is unblocked. 
If the threshold was never reached, the record\nis removed as well.\n\nPruning is done automatically after incoming messages are processed,\nso if no messages arrive, there is a chance that IP addresses\nremain blocked for longer than the default blocking period.\n\n\n\nMotivation\n==========\n\nThis program was originally written to demonstrate the journal API. One\nof the typical use cases for journal (or syslog) readers was to act\ndynamically on certain syslog messages, and many types of actions\ncan be imagined. This is trivial to implement on systems that use\nthe journal API, and often doesn't take much code at all.\n\nThe journal is attached to and forwarded to the end. We place a\nsimple message filter, and then process each incoming message. For\nmore information check out the sd-journal manual pages, which contain\nexample code that demonstrates almost the exact same code flow.\n\n\n\nSecurity\n========\n\nDISCLAIMER: THIS IS NOT A SECURITY APPLICATION !!!\n\nTallow is meant to reduce log clutter and system resource usage at\nthe cost of denying access to potentially valid users.\n\nEven if you reduce the threshold at which clients are blocked to 1,\nan attacker may still gain access to your server if the attacker uses\nthe correct credentials.\n\nBy itself, tallow is an application that creates a Denial\nof Service. Its sole purpose and function is to block IP\naddresses. Therefore, with tallow running on a service, you could\npotentially deny valid users access to your systems if you deploy\ntallow.\n\nBe very careful if you deploy tallow on systems that expect valid\nusers to log on from many random source addresses. 
If your user\nmistypes their username, they could find themselves denied access.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fclearlinux%2Ftallow","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fclearlinux%2Ftallow","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fclearlinux%2Ftallow/lists"}