Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/regit/pshitt
Passwords of SSH Intruders Transferred to Text
- Host: GitHub
- URL: https://github.com/regit/pshitt
- Owner: regit
- License: gpl-3.0
- Created: 2014-06-25T20:08:46.000Z (over 10 years ago)
- Default Branch: master
- Last Pushed: 2024-06-19T13:54:24.000Z (5 months ago)
- Last Synced: 2024-09-13T12:13:45.015Z (about 2 months ago)
- Language: Python
- Size: 32.2 KB
- Stars: 149
- Watchers: 5
- Forks: 25
- Open Issues: 5
Metadata Files:
- Readme: README.rst
- License: LICENSE
README
======
PSHITT
======

Introduction
============

pshitt (for Passwords of SSH Intruders Transferred to Text) is a lightweight
fake SSH server designed to collect authentication data sent by intruders.
It basically collects username and password used by SSH bruteforce software
and writes the extracted data to a file in JSON format.

pshitt is written in Python and uses ``paramiko`` to implement the SSH layer.

Installing pshitt
=================

From Python Packaging Index (PyPI) using pip ::

    pip install pshitt

Install from source ::

    git clone https://github.com/regit/pshitt.git

NOTE: if you are installing from source, make sure you install ``paramiko``
and ``python-daemon`` packages.

Running pshitt
==============

If you installed via pip ::

    ./pshitt -o passwords.json

If you installed from source, go into the source directory and run ::

    ./pshitt.py -o passwords.json

This will run a fake SSH server listening on port 2200 to catch authentication
data sent by the intruders. Information about each SSH connection attempt is
stored in ``passwords.json`` in JSON format ::

    {"username": "root", "src_ip": "116.10.191.184", "password": "P@ssword", \
     "src_port": 41397, "timestamp": "2014-06-25T21:35:21.660303"}

Full options are available via the ``-h`` option ::

    usage: pshitt [-h] [-o OUTPUT] [-k KEY] [-l LOG] [-p PORT] [-t THREADS] [-v]
                  [-D]

    Passwords of SSH Intruders Transferred to Text

    optional arguments:
      -h, --help            show this help message and exit
      -o OUTPUT, --output OUTPUT
                            File to export collected data
      -k KEY, --key KEY     Host RSA key
      -l LOG, --log LOG     File to log info and debug
      -p PORT, --port PORT  TCP port to listen to
      -t THREADS, --threads THREADS
                            Maximum number of client threads
      -v, --verbose         Show verbose output, use multiple times increase
                            verbosity
      -D, --daemon          Run as unix daemon

Using pshitt data
=================

As the format is JSON, it is easy to use the data in data analysis
software such as Splunk or Logstash.

Here's a sample configuration for logstash ::


    input {
        file {
            path => [ "/var/log/pshitt.log" ]
            codec => json
            type => "json-log"
        }
    }

    filter {
        # warn logstash that timestamp is the one to use
        if [type] == "json-log" {
            date {
                match => [ "timestamp", "ISO8601" ]
            }
        }

        # optional but geoip is interesting
        if [src_ip] {
            geoip {
                source => "src_ip"
                target => "geoip"
                add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
                add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
            }
            mutate {
                convert => [ "[geoip][coordinates]", "float" ]
            }
        }
    }

    output {
        elasticsearch {
            host => "localhost"
        }
    }

Basically, it is just enough to mention that the ``pshitt.log`` file is
using JSON format.
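
For a quick look at the collected data without a Logstash pipeline, the following Python script is an added example, not part of pshitt. It assumes the output file holds one JSON object per line with the fields of the sample record above; ``summarize``, its ``min_attempts`` threshold and the sample records are constructed for illustration.

```python
import ipaddress
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the record layout shown above (assumed: one JSON object
# per line). Addresses come from the RFC 5737 documentation ranges.
SAMPLE = """\
{"username": "root", "src_ip": "203.0.113.7", "password": "P@ssword", "src_port": 41397, "timestamp": "2014-06-25T21:35:21.660303"}
{"username": "root", "src_ip": "203.0.113.7", "password": "123456", "src_port": 41402, "timestamp": "2014-06-25T21:35:23.101000"}
{"username": "admin", "src_ip": "203.0.113.7", "password": "admin", "src_port": 41410, "timestamp": "2014-06-25T21:35:25.500000"}
{"username": "root", "src_ip": "198.51.100.22", "password": "123456", "src_port": 50211, "timestamp": "2014-06-25T22:01:02.000000"}
{"username": "oracle", "src_ip": "not-an-ip", "password": "x", "src_port": 1, "timestamp": "2014-06-25T22:02:00.000000"}
{"username": "test", "src_ip": "198.51.100.22", "passw
"""

def summarize(lines, min_attempts=3):
    """Aggregate honeypot records per source; all fields are attacker-supplied."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "first": None, "last": None})
    creds, skipped = Counter(), 0
    for line in lines:
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            ip = str(ipaddress.ip_address(rec["src_ip"]))
            ts = datetime.fromisoformat(rec["timestamp"])
            user, pw = str(rec["username"]), str(rec["password"])
        except (ValueError, KeyError, TypeError):
            skipped += 1  # truncated write, invalid address, or missing field
            continue
        s = per_ip[ip]
        s["attempts"] += 1
        s["users"].add(user)
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        creds[(user, pw)] += 1
    noisy = sorted(ip for ip, s in per_ip.items() if s["attempts"] >= min_attempts)
    return {"per_ip": dict(per_ip), "top_creds": creds.most_common(3),
            "blocklist_candidates": noisy, "skipped": skipped}

if __name__ == "__main__":
    report = summarize(SAMPLE.splitlines())
    for ip, s in report["per_ip"].items():
        print(ip, s["attempts"], sorted(s["users"]), s["first"], s["last"])
    for (user, pw), n in report["top_creds"]:
        print(n, repr(user), repr(pw))  # repr() keeps control characters off the terminal
    print("candidates:", report["blocklist_candidates"], "skipped:", report["skipped"])
```

To run it on real data, pass the open output file instead of the sample, for example ``summarize(open("passwords.json"))``.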