Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/marshyski/sshwatch
Intrusion Prevention System (IPS) for Secure Shell (SSH)
Last synced: 3 months ago
- Host: GitHub
- URL: https://github.com/marshyski/sshwatch
- Owner: marshyski
- Created: 2013-05-11T03:56:08.000Z (about 11 years ago)
- Default Branch: master
- Last Pushed: 2013-07-21T23:12:42.000Z (almost 11 years ago)
- Last Synced: 2024-01-20T00:03:21.802Z (5 months ago)
- Language: Python
- Size: 172 KB
- Stars: 41
- Watchers: 3
- Forks: 9
- Open Issues: 0
Metadata Files:
- Readme: README.md
Lists
- awesome-security - sshwatch - IPS for SSH similar to DenyHosts written in Python. It also can gather information about attacker during the attack in a log. (Network / IDS / IPS / Host IDS / Host IPS)
- nixawk-awesome-security - sshwatch - IPS for SSH similar to DenyHosts written in Python. It also can gather information about attacker during the attack in a log. (Network / IDS / IPS / Host IDS / Host IPS)
- awesome_security - sshwatch - IPS for SSH similar to DenyHosts written in Python. It also can gather information about attacker during the attack in a log. (Network / IDS / IPS / Host IDS / Host IPS)
- venom - `sshwatch` - IPS for SSH similar to DenyHosts written in Python. It also can gather information about attacker during the attack in a log. (Network / IDS / IPS / Host IDS / Host IPS)
README
SSHWATCH ``v2.0``
========
Intrusion Prevention System ( **IPS** ) for Secure Shell ( **SSH** ) sourced from https://code.google.com/p/sshwatch/ - [email protected] THANKS HOMIE!

Why use this?
-------------

This project is similar to [DenyHosts][1] but enables better logging using [NMAP][2] and [Dig][3].

Technical Overview
------------------
Continuously tail (`subprocess` running `tail -F`) the system security log, searching for lines matching "sshd", "Failed password", "Invalid user". On a match, add the source IP to a list. Once the configured number of consecutive failed attempts from the same source IP has occurred, each within the threshold time of the previous one, the source IP is blocked in iptables and nmap/dig is run against it. The "clear" value removes the iptables block after the selected interval.

                                              ----------------------
    ----------    --------    -----------  /  |iptables Blocks BFer|  \
    |        |    |      |    |         |     ----------------------     -----------------
    |SSH BFer| -> |System| -> |sshwatchd|                                |Clear iptables |
    |        |    |      |    |         |     ----------------------     |BFer in 60 mins|
    ----------    --------    -----------  \  |NMAP/dig Probed BFer|     -----------------
                                              |/var/log/nmap.log   |
                                              ----------------------

BFer = Brute Forcer

Requirements
------------
* Linux (Redhat, Debian)
* root or equivalent
* OPENSSH Server
* Python 2.4+
* iptables (IPv4)
* nmap (optional)
* dig (bind-utils) (optional)

Installation
------------

**From Source**

    git clone https://github.com/marshyski/sshwatch.git
    sshwatch -> /etc/init.d
    sshwatchd -> /usr/sbin

**From Packages**

    rpm -ivh sshwatch-2.0-1.noarch.rpm   # Redhat only
    dpkg -i sshwatch_2.0_all.deb         # Debian only

**Post Install**

    chmod -f 0700 /etc/init.d/sshwatch /usr/sbin/sshwatchd
    chown -f root:root /etc/init.d/sshwatch /usr/sbin/sshwatchd
    chkconfig sshwatch on   # Redhat only
    /etc/init.d/sshwatch start

Usage
-----
**Variables in sshwatchd**

    thresh   = number of seconds between consecutive attempts, default is 60
    attempts = number of consecutive attempts, default is 4
    clear    = number of seconds elapsed before active source blocks are cleared, default is 3600
    nmaplog  = nmap probes are logged here, default is /var/log/nmap.log
    nmap     = nmap probe the malicious source and store the result in nmaplog, default is 0 (off)

**Run in standalone / no-daemon / DEBUG mode**

    ./sshwatchd /var/log/auth.log >/var/log/sshwatch.log 2>&1 &   # Debian
    ./sshwatchd /var/log/secure >/var/log/sshwatch.log 2>&1 &     # Redhat

Changes from 1.0 to 2.0
-----------------------
- Block all traffic from a source IP, not just traffic from it to port 22
- NMAP/Dig the source IP and store the result in /var/log/nmap.log
- Packages, courtesy of [fpm][4] building.
- A rich README ^_^

Help & Feedback
---------------

You can email me directly ([email protected]) if you need help, submit an issue or pull request, or fork it.

[1]: http://denyhosts.sourceforge.net/
[2]: http://nmap.org/
[3]: http://linux.die.net/man/1/dig
[4]: https://github.com/jordansissel/fpm
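The detection logic from the Technical Overview, driven by the `thresh`, `attempts` and `clear` variables from the Usage section, as an added Python 3 example written for this page; it is not sshwatchd's own code. It parses a few constructed auth.log-style lines, counts consecutive failures per source IP, records the iptables commands it would issue instead of executing them, and lifts a block once `clear` seconds have passed. Two simplifications are assumptions of this example: blocks expire on the next log event rather than on the daemon's timer, and the rule shape `iptables -I INPUT -s <ip> -j DROP` stands in for whatever rule the daemon installs; the nmap/dig probe is left out.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of sshd lines in the syslog format OpenSSH writes to
# /var/log/auth.log (Debian) or /var/log/secure (Red Hat). Not real traffic.
SAMPLE_LOG = """\
May 11 03:56:05 bastion sshd[2201]: Accepted publickey for deploy from 198.51.100.7 port 40210 ssh2
May 11 03:56:08 bastion sshd[2203]: Invalid user admin from 203.0.113.5 port 51122
May 11 03:56:09 bastion sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
May 11 03:56:30 bastion sshd[2205]: Failed password for root from 203.0.113.5 port 51130 ssh2
May 11 03:56:45 bastion sshd[2207]: Failed password for root from 203.0.113.5 port 51131 ssh2
May 11 03:58:00 bastion sshd[2209]: Failed password for alice from 192.0.2.9 port 33001 ssh2
May 11 04:05:00 bastion sshd[2211]: Failed password for alice from 192.0.2.9 port 33002 ssh2
May 11 04:57:00 bastion sshd[2213]: Failed password for root from 203.0.113.5 port 51140 ssh2
""".splitlines()

# Only lines tagged "sshd[pid]:" are considered. The syslog prefix carries no
# year, so strptime yields 1900, which is harmless for computing intervals.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$")
FAIL_RE = re.compile(
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failure(line):
    """Return (timestamp, source_ip) for a failed-login line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = FAIL_RE.search(m.group("msg"))
    if not f:
        return None
    return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), f.group("ip")


class SshWatch:
    """Streak counter following the thresh / attempts / clear semantics."""

    def __init__(self, thresh=60, attempts=4, clear=3600):
        self.thresh = timedelta(seconds=thresh)
        self.attempts = attempts
        self.clear = timedelta(seconds=clear)
        self.streak = {}   # ip -> (consecutive failures, time of the last one)
        self.blocked = {}  # ip -> time the block was installed
        self.actions = []  # iptables commands that would run; recorded, not executed

    def feed(self, line):
        """Process one log line; return the IP if this line triggered a block."""
        parsed = parse_failure(line)
        if parsed is None:
            return None
        now, ip = parsed
        self.expire_blocks(now)
        if ip in self.blocked:
            return None
        count, last = self.streak.get(ip, (0, None))
        # A failure extends the streak only if it follows the previous one
        # within thresh seconds; otherwise the streak restarts at 1.
        count = count + 1 if last is not None and now - last <= self.thresh else 1
        self.streak[ip] = (count, now)
        if count < self.attempts:
            return None
        del self.streak[ip]
        self.blocked[ip] = now
        # Assumed rule shape: drop all traffic from the source, not just port 22.
        self.actions.append(f"iptables -I INPUT -s {ip} -j DROP")
        return ip

    def expire_blocks(self, now):
        """Lift blocks older than clear seconds (assumed: done per event, not by timer)."""
        for ip, since in list(self.blocked.items()):
            if now - since >= self.clear:
                del self.blocked[ip]
                self.actions.append(f"iptables -D INPUT -s {ip} -j DROP")


def run(lines, thresh=60, attempts=4, clear=3600):
    """Feed every line through a fresh watcher and return it for inspection."""
    watch = SshWatch(thresh, attempts, clear)
    for line in lines:
        watch.feed(line)
    return watch


if __name__ == "__main__":
    for cmd in run(SAMPLE_LOG).actions:
        print(cmd)
```

On the sample, 203.0.113.5 produces four failures within 60 seconds of each other (the "Invalid user" line and its matching "Failed password" line both count, as both patterns are searched for) and is blocked at 03:56:45; 192.0.2.9 fails twice but seven minutes apart, so its streak resets and it is never blocked; the failure at 04:57:00 arrives more than 3600 seconds after the block, so the block is lifted first and that attempt starts a fresh streak of one. Raising `clear` to 7200 keeps the block in place instead.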