https://github.com/regit/pshitt

Passwords of SSH Intruders Transferred to Text

README

======
PSHITT
======

Introduction
============

pshitt (for Passwords of SSH Intruders Transferred to Text) is a lightweight
fake SSH server designed to collect the authentication data sent by intruders.
It records the usernames and passwords tried by SSH brute-force tools and
writes the extracted data to a file in JSON format.

pshitt is written in Python and uses ``paramiko`` to implement the SSH layer.

Installing pshitt
=================

From the Python Package Index (PyPI) using pip ::

    pip install pshitt

Install from source ::

    git clone https://github.com/regit/pshitt.git

NOTE: if you are installing from source, make sure you install the ``paramiko``
and ``python-daemon`` packages.

Running pshitt
==============

If you installed via pip ::

    ./pshitt -o passwords.json

If you installed from source, go into the source directory and run ::

    ./pshitt.py -o passwords.json

This runs a fake SSH server listening on port 2200 to catch the authentication
data sent by intruders. Information about each SSH connection attempt is
stored in ``passwords.json`` as one JSON object per line ::

    {"username": "root", "src_ip": "116.10.191.184", "password": "P@ssword", "src_port": 41397, "timestamp": "2014-06-25T21:35:21.660303"}

The full list of options is available via the ``-h`` option ::

    usage: pshitt [-h] [-o OUTPUT] [-k KEY] [-l LOG] [-p PORT] [-t THREADS] [-v]
                  [-D]

    Passwords of SSH Intruders Transferred to Text

    optional arguments:
      -h, --help            show this help message and exit
      -o OUTPUT, --output OUTPUT
                            File to export collected data
      -k KEY, --key KEY     Host RSA key
      -l LOG, --log LOG     File to log info and debug
      -p PORT, --port PORT  TCP port to listen to
      -t THREADS, --threads THREADS
                            Maximum number of client threads
      -v, --verbose         Show verbose output, use multiple times increase
                            verbosity
      -D, --daemon          Run as unix daemon

Using pshitt data
=================

As the format is JSON, it is easy to use the data in data analysis
software such as Splunk or Logstash.

Here's a sample configuration for Logstash ::

    input {
      file {
        path => [ "/var/log/pshitt.log" ]
        codec => json
        type => "json-log"
      }
    }

    filter {
      # warn logstash that timestamp is the one to use
      if [type] == "json-log" {
        date {
          match => [ "timestamp", "ISO8601" ]
        }
      }

      # optional but geoip is interesting
      if [src_ip] {
        geoip {
          source => "src_ip"
          target => "geoip"
          add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
          add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
        }
        mutate {
          convert => [ "[geoip][coordinates]", "float" ]
        }
      }
    }

    output {
      elasticsearch {
        host => "localhost"
      }
    }

In short, it is enough to tell Logstash that the ``pshitt.log`` file is in
JSON format.
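For quick offline analysis without Logstash, the following Python script is an added example (not part of pshitt) that reads the one-object-per-line JSON format shown above from a constructed sample, skips malformed lines, and reports attempts per source IP, the most-tried credential pairs and the peak number of attempts any one source made inside a 60-second window. The sample records, including the address 203.0.113.7, are made up for this example.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in pshitt's output format (one JSON object per line), plus one malformed line.
SAMPLE = """\
{"username": "root", "src_ip": "116.10.191.184", "password": "P@ssword", "src_port": 41397, "timestamp": "2014-06-25T21:35:21.660303"}
{"username": "root", "src_ip": "116.10.191.184", "password": "123456", "src_port": 41398, "timestamp": "2014-06-25T21:35:22.100000"}
{"username": "admin", "src_ip": "116.10.191.184", "password": "admin", "src_port": 41399, "timestamp": "2014-06-25T21:36:30.000000"}
{"username": "root", "src_ip": "203.0.113.7", "password": "123456", "src_port": 50001, "timestamp": "2014-06-25T22:01:00.000000"}
not json at all
"""

def parse_lines(text):
    """Yield one record per well-formed JSON line; skip blank or malformed lines."""
    for line in text.splitlines():
        try:
            rec = json.loads(line.strip())
        except ValueError:
            continue
        if isinstance(rec, dict) and {"username", "password", "src_ip", "timestamp"} <= rec.keys():
            rec["ts"] = datetime.fromisoformat(rec["timestamp"])
            yield rec

def peak_in_window(stamps, window_seconds):
    """Largest number of attempts from one source inside any span of window_seconds."""
    stamps = sorted(stamps)
    best = start = 0
    for end, t in enumerate(stamps):
        while (t - stamps[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best

def summarise(text, window_seconds=60):
    """Attempts per source IP, most-tried credentials, and per-source peak rate."""
    by_src = defaultdict(list)
    creds = Counter()
    for rec in parse_lines(text):
        by_src[rec["src_ip"]].append(rec["ts"])
        creds[(rec["username"], rec["password"])] += 1
    return {
        "attempts_per_source": {s: len(v) for s, v in by_src.items()},
        "top_credentials": creds.most_common(3),
        "peak_per_window": {s: peak_in_window(v, window_seconds) for s, v in by_src.items()},
    }

if __name__ == "__main__":
    print(json.dumps(summarise(SAMPLE), indent=2))
```

Point ``summarise`` at the contents of ``passwords.json`` to run it on a real capture.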