Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/clearlinux/tallow

Block hosts that attempt to bruteforce SSH using the journald API.
https://github.com/clearlinux/tallow

firewall-rules ssh ssh-client ssh-server systemd-journal

Last synced: about 2 months ago
JSON representation

Block hosts that attempt to bruteforce SSH using the journald API.

Host: GitHub
URL: https://github.com/clearlinux/tallow
Owner: clearlinux
License: gpl-3.0
Created: 2012-11-06T19:21:39.000Z (almost 12 years ago)
Default Branch: master
Last Pushed: 2022-11-13T10:35:46.000Z (almost 2 years ago)
Last Synced: 2024-06-02T21:57:15.163Z (4 months ago)
Topics: firewall-rules, ssh, ssh-client, ssh-server, systemd-journal
Language: C
Size: 121 KB
Stars: 90
Watchers: 8
Forks: 12
Open Issues: 8
Metadata Files:
- Readme: README.md
- Changelog: ChangeLog
- License: COPYING

Awesome Lists containing this project

README

tallow
======

Tallow is a fail2ban/lard replacement that uses systemd's native
journal API to scan for attempted ssh logins, and issues temporary
IP bans for clients that violate certain login patterns.

Author: Auke Kok

How it works
============

Tallow attaches to the journal and subscribes to messages from
/usr/sbin/sshd. The messages are matched against rules and the IP
address is extracted from the message. For each IP address that is
extracted, the last timestamp and count is kept. Once the count exceeds
a threshold, the offending IP address is added to an ipset and blocked
with a corresponding firewall rule. It will use firewalld or
iptables / ip6tables.

The timestamp is kept for pruning. Records are pruned from the list
if the IP address hasn't been seen by tallow for longer than the
threshold. If the IP was blocked and the threshold was exceeded,
the IP is unblocked. If the threshold was never reached, the record
is removed as well.

Pruning is done automatically after incoming messages are processed,
so there is a chance that if no messages arrive, that IP addresses
remain blocked for longer than the default blocking period.

Motivation
==========

This program was originally written to demonstrate the journal API. One
of the typical use cases for journal (or syslog) readers was to act
dynamically on certain syslog messages, and many types of actions
can be imagined. This is trivial to implement on systems that use
the journal API, and often doesn't take much code at all.

The journal is attached to and forwarder to the end. We place a
simple message filter, and then process each incoming message. For
more information check out the sd-journal manual pages, which contain
example code that demonstrates almost the exact same code flow.

Security
========

DISCLAIMER: THIS IS NOT A SECURITY APPLICATION !!!

Tallow is meant to reduce log clutter and system resource usage at
the cost of denying access to potentially valid users.

Even if you reduce the threshold at which clients are blocked to 1,
an attacker may still gain access to your server if the attacker uses
the correct credentials.

By itself, tallow is an application that creates a Denial
of Service. It's sole purpose and function is to block IP
addresses. Therefore, with tallow running on a service, you could
potentially deny valid users access to your systems if you deploy
tallow.

Be very careful if you deploy tallow on systems that expect valid
users to log on from many random source addresses. If your user
mistypes their username, they could find themselves denied access.