Ellis monitors systemd-journald logs for specific entries and triggers actions based on them.
Ellis can obviously be used as an Intrusion Prevention System (IPS) but can also be used in a more general way to run a Python script whenever a pattern appears in the logs.
I started Ellis as a pet project with two ideas in mind:
- I wanted to build something based on Python's asyncio framework because it looked very interesting and powerful - I needed to learn more about it ! ;
- I also wanted to be warned whenever someone would successfully log on my PC through SSH.
And then I realized that the combination of these two ideas would make a perfect candidate ! It then evolved into something more generic that looks a lot like the well-known fail2ban.
Ellis specifically focuses on systemd-journald. It's written in Python and uses the asyncio framework for better performance (well, I hope so).
- Monitors systemd-journald logs for given patterns ;
- Executes given commands when a pattern has been detected more than N times ;
- Uses ipset or nftables to block traffic from malicious hosts ;
- Can send e-mails to warn you about something ;
- Handles multiple services (or systemd-units) ;
- Single, simple config file.
Installing and configuring
Please read the Wiki.
Contributing / Helping
Code reviews, patches, comments, bug reports and feature requests are welcome. Please read the Contributing guide for further details.