{"id":17109677,"url":"https://github.com/msimerson/sentry","last_synced_at":"2025-09-25T20:59:29.951Z","repository":{"id":7832656,"uuid":"9204053","full_name":"msimerson/sentry","owner":"msimerson","description":"Bruteforce attack blocker (ssh, FTP, SMTP, and more)","archived":false,"fork":false,"pushed_at":"2021-04-02T19:58:01.000Z","size":68,"stargazers_count":64,"open_issues_count":0,"forks_count":20,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-04-13T03:43:47.085Z","etag":null,"topics":["blocker","bruteforce-attacks","firewall","sentry","tcpwrappers"],"latest_commit_sha":null,"homepage":"","language":"Perl","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/msimerson.png","metadata":{"files":{"readme":"README.md","changelog":"Changes.md","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2013-04-03T20:20:49.000Z","updated_at":"2024-08-12T19:11:39.000Z","dependencies_parsed_at":"2022-09-24T05:01:31.276Z","dependency_job_id":null,"html_url":"https://github.com/msimerson/sentry","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/msimerson/sentry","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/msimerson%2Fsentry","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/msimerson%2Fsentry/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/msimerson%2Fsentry/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/msimerson%2Fsentry/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/msimerson","download_url":"https://codeload.github.com/msimerson/sentry/tar.gz/refs/heads/master","sbo
m_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/msimerson%2Fsentry/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":276982332,"owners_count":25739923,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-25T02:00:09.612Z","response_time":80,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["blocker","bruteforce-attacks","firewall","sentry","tcpwrappers"],"created_at":"2024-10-14T16:24:01.664Z","updated_at":"2025-09-25T20:59:29.912Z","avatar_url":"https://github.com/msimerson.png","language":"Perl","funding_links":[],"categories":[],"sub_categories":[],"readme":"# NAME\n\nsentry - safe and effective protection against bruteforce attacks\n\n# SYNOPSIS\n\n```sh\nsentry --ip=N.N.N.N [ --connect | --blacklist | --whitelist | --delist ]\nsentry --report [--verbose --ip=N.N.N.N ]\nsentry --help\nsentry --update\n```\n\n# ADDITIONAL DOCUMENTATION\n\n* [Install](INSTALL.md)\n* [FAQ](FAQ.md)\n\n# DESCRIPTION\n\nSentry detects and prevents bruteforce attacks against sshd using minimal system resources.\n\n## SAFE\n\nTo prevent inadvertent lockouts, Sentry auto-whitelists IPs that have connected more than 3 times and succeeded at least once. Now that forgetful colleague behind the office NAT router won't get us locked out of our system. Again. 
Nor the admin whose script just failed to log in 12 times in 2 seconds.\n\nSentry includes support for adding IPs to a firewall. Support for IPFW, PF, and ipchains is included. Firewall support is disabled by default. Firewall rules may terminate existing session(s) to the host (attn. IPFW users). Get your IPs whitelisted (connect 3x or use --whitelist) before enabling the firewall option.\n\n## SIMPLE\n\nSentry is written in perl, which is installed nearly everywhere you find sshd. It has no\ndependencies. Installation and deployment are extremely simple.\n\n## FLEXIBLE\n\nSentry supports blocking connection attempts using tcpwrappers and several\npopular firewalls. It is easy to extend sentry to support additional\nblocking lists.\n\nSentry was written to protect the SSH daemon but also blocks on FTP and MUA logs. As this was written, the primary attack platform in use is bot nets comprised of exploited PCs on high-speed internet connections. These bots are used for carrying out SSH attacks as well as spam delivery. Blocking bots prevents multiple attack vectors.\n\nThe programming style of sentry makes it easy to insert code for additional functionality.\n\n## EFFICIENT\n\nThe primary goal of Sentry is to minimize the resources an attacker can steal, while consuming minimal resources itself. Most bruteforce blocking apps (denyhosts, fail2ban, sshdfilter) expect to run as a daemon, tailing a log file. That requires a language interpreter to always be running, consuming at least 10MB of RAM. A single hardware node with dozens of virtual servers will lose hundreds of megs to daemon protection. Sentry uses resources only when connections are made.\n\nOnce an IP is blacklisted for abuse, whether by tcpd or a firewall, the resources it can consume are practically zero.\n\n# REQUIRED ARGUMENTS\n\n- ip\n\n    An IP address. The IP should come from a reliable source that is\n    difficult to spoof. Tcpwrappers is an excellent source. 
UDP connections\n    are a poor source as they are easily spoofed. The log files of TCP daemons\n    can be a good source if they are parsed carefully to avoid log injection attacks.\n\nAll actions except __report__ and __help__ require an IP address. The IP address can\nbe manually specified by an administrator, or preferably passed in by a TCP\nserver such as tcpd (tcpwrappers), inetd, or tcpserver (daemontools).\n\n# ACTIONS\n\n- blacklist\n\n    deny all future connections\n\n- whitelist\n\n    whitelist all future connections, remove the IP from the blacklists,\n    and make it immune to future connection tests.\n\n- delist\n\n    remove an IP from the white and blacklists. This is useful for testing\n    that sentry is working as expected.\n\n- connect\n\n    register a connection by an IP. The connect method will log the attempt\n    and the time. See CONNECT.\n\n- update\n\n    Check the most recent version of sentry against the installed version and update if a newer version is available. This is most reliable when LWP::UserAgent is installed.\n\n# EXAMPLES\n\nSee\n[https://github.com/msimerson/sentry/wiki/Examples](https://github.com/msimerson/sentry/wiki/Examples)\n\n\n# NAUGHTY\n\nSentry has flexible rules for what constitutes a naughty connection. For SSH,\nattempts to log in as an invalid user are considered naughty.\nSee the configuration section in the script for related settings.\n\n\n# CONNECT\n\nWhen new connections arrive, the connect method will log the attempt\nand the time. If the IP is white or blacklisted, sentry exits immediately.\n\nNext, sentry checks to see if the IP has been seen more than 3 times. If so,\ncheck the logs for successful, failed, and naughty attempts from that IP.\nIf there are any successful logins, whitelist the IP and exit.\n\nIf there are no successful logins and there are naughty ones, blacklist\nthe IP. If there are no successful and no naughty attempts but more than 10\nconnection attempts, blacklist the IP. 
See also NAUGHTY.\n\n\n# CONFIGURATION AND ENVIRONMENT\n\nThere is a very brief configuration section at the top of the script. Once\nyour IP is whitelisted, update the booleans for your firewall preference\nand Sentry will update your firewall too.\n\nSentry does NOT make changes to your firewall configuration. It merely adds\nIPs to a table/list/chain. It does this dynamically and it is up to the\nfirewall administrator to add a rule that does whatever you'd like with the\nIPs in the sentry table.\n\nSee also: [PF](https://github.com/msimerson/sentry/wiki/PF)\n\n\n# DIAGNOSTICS\n\nSentry can be run with --verbose which will print informational messages\nas it runs.\n\n# DEPENDENCIES\n\nSentry uses only modules built into perl. Additional modules may be used in\nthe future but Sentry will not depend upon them. In other words, if you extend\nSentry with modules that aren't built-ins, also include a fallback method.\n\n# BUGS AND LIMITATIONS\n\n\nThe IPFW and ipchains code is barely tested.\n\nReport problems to author.\n\n\n# AUTHOR\n\nMatt Simerson (@msimerson)\n\n\n# ACKNOWLEDGEMENTS\n\nThose who came before me: denyhosts, fail2ban, sshblacklist, et al\n\n\n# LICENCE AND COPYRIGHT\n\nCopyright (c) 2015 The Network People, Inc. http://www.tnpi.net/\n\nThis module is free software; you can redistribute it and/or\nmodify it under the same terms as Perl itself. See [perlartistic](http://search.cpan.org/perldoc?perlartistic).\n\nThis program is distributed in the hope that it will be useful,\nbut WITHOUT ANY WARRANTY; without even the implied warranty of\nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmsimerson%2Fsentry","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmsimerson%2Fsentry","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmsimerson%2Fsentry/lists"}