Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/marshyski/sshwatch

Intrusion Prevention System (IPS) for Secure Shell (SSH)
https://github.com/marshyski/sshwatch

Last synced: 3 months ago
JSON representation

Intrusion Prevention System (IPS) for Secure Shell (SSH)

Host: GitHub
URL: https://github.com/marshyski/sshwatch
Owner: marshyski
Created: 2013-05-11T03:56:08.000Z (about 11 years ago)
Default Branch: master
Last Pushed: 2013-07-21T23:12:42.000Z (almost 11 years ago)
Last Synced: 2024-01-20T00:03:21.802Z (5 months ago)
Language: Python
Size: 172 KB
Stars: 41
Watchers: 3
Forks: 9
Open Issues: 0
Metadata Files:
- Readme: README.md

Lists

awesome-security - sshwatch - IPS for SSH similar to DenyHosts written in Python. It also can gather information about attacker during the attack in a log. (Network / IDS / IPS / Host IDS / Host IPS)
awesome-security - sshwatch - IPS for SSH similar to DenyHosts written in Python. It also can gather information about attacker during the attack in a log. (Network / IDS / IPS / Host IDS / Host IPS)
awesome-security - sshwatch - IPS for SSH similar to DenyHosts written in Python. It also can gather information about attacker during the attack in a log. (Network / IDS / IPS / Host IDS / Host IPS)
awesome-security - sshwatch - IPS for SSH similar to DenyHosts written in Python. It also can gather information about attacker during the attack in a log. (Network / IDS / IPS / Host IDS / Host IPS)
nixawk-awesome-security - sshwatch - IPS for SSH similar to DenyHosts written in Python. It also can gather information about attacker during the attack in a log. (Network / IDS / IPS / Host IDS / Host IPS)
awesome-security - sshwatch - IPS for SSH similar to DenyHosts written in Python. It also can gather information about attacker during the attack in a log. (Network / IDS / IPS / Host IDS / Host IPS)
awesome-security - sshwatch - IPS for SSH similar to DenyHosts written in Python. It also can gather information about attacker during the attack in a log. (Network / IDS / IPS / Host IDS / Host IPS)
awesome_security - sshwatch - IPS for SSH similar to DenyHosts written in Python. It also can gather information about attacker during the attack in a log. (Network / IDS / IPS / Host IDS / Host IPS)
awesome-security - sshwatch - IPS for SSH similar to DenyHosts written in Python. It also can gather information about attacker during the attack in a log. (Network / IDS / IPS / Host IDS / Host IPS)
venom - `sshwatch` - IPS for SSH similar to DenyHosts written in Python. It also can gather information about attacker during the attack in a log. (Network / IDS / IPS / Host IDS / Host IPS)

README

        SSHWATCH ``v2.0``

========

Intrusion Prevention System ( **IPS** ) for Secure Shell ( **SSH** ) sourced from https://code.google.com/p/sshwatch/ - [email protected] THANKS HOMIE!

Why use this?

-------------

This project is similar to [DenyHosts][1] but enables better logging using [NMAP][2] and [Dig][3].

Technical Overview

------------------

Continuously tail (subprocess tail -F) the system security logs, searching for a match on "sshd", "Failed password", "Invalid user". With a match, add the source ip to a list. After number of sequentially matched failed attempts, in consecutive order, from the same source ip, under the thresh hold time, puts the source ip in iptables block and nmap/dig is ran. The "clear" value will remove the iptables block at selected interval.

                                            ----------------------

    ----------    --------    ----------- / |iptables Blocks BFer| \

    |        |    |      |    |         |   ----------------------  -----------------

    |SSH BFer| -> |System| -> |sshwatchd|                           |Clear iptables |

    |        |    |      |    |         |   ----------------------  |BFer in 60 mins|

    ----------    --------    ----------- \ |NMAP/dig Probed BFer|  -----------------

                                            |/var/log/nmap.log   |

                                            ----------------------

	BFer = Brute Forcer 

Requirements

------------

  * Linux (Redhat, Debain)

  * root or equivalent 

  * OPENSSH Server

  * Python 2.4+

  * iptables (IPv4)

  * nmap (optional)

  * dig (bind-utils) (optional)

Installation

------------

**From Source**

    git clone https://github.com/marshyski/sshwatch.git

    sshwatch  -> /etc/init.d

    sshwatchd -> /usr/sbin

**From Packages**

    rpm -ivh sshwatch-2.0-1.noarch.rpm #Redhat only

    dpkg -i sshwatch_2.0_all.deb #Debian only

**Post Install**

    chmod -f 0700 /etc/init.d/sshwatch /usr/sbin/sshwatchd

    chown -f root:root /etc/init.d/sshwatch /usr/sbin/sshwatchd

    chkconfig sshwatch on #Redhat only

    /etc/init.d/sshwatch start

Usage

-----

**Variables in sshwatchd**

    thresh   = number of seconds between consecutive attempts, default is 60

    attempts = number of consecutive attempts, default is 4

    clear    = number of seconds elapsed to clear active source blocks, default is 3600

    nmaplog  = nmap probes are logged here, default is /var/log/nmap.log

    nmap     = nmap probe malicious source and stored in nmaplog, default is 0 (off)

**Run in standalone / no-daemon / DEBUG mode**

    ./sshwatchd /var/log/auth.log >/var/log/sshwatch.log 2>&1 & #Debian

    ./sshwatchd /var/log/secure >/var/log/sshwatch.log 2>&1 &   #Redhat

Changes from 1.0 to 2.0

-----------

- Block all traffic from an IP not just on source IP / Port 22

- NMAP/Dig source IP and store in /var/log/nmap.log

- Packages, curtisity of [fpm][4] building.

- A rich README ^_^

Help & Feedback

---------------

You can email ([email protected]) me directly if you need help, submit an issue or pull request.  Fork it.

  [1]: http://denyhosts.sourceforge.net/

  [2]: http://nmap.org/

  [3]: http://linux.die.net/man/1/dig

  [4]: https://github.com/jordansissel/fpm