marshyski/sshwatch
SSHWATCH v2.0

Intrusion Prevention System (IPS) for Secure Shell (SSH), sourced from https://code.google.com/p/sshwatch/ - krink@csun.edu THANKS HOMIE!

Why use this?

This project is similar to DenyHosts but enables better logging using NMAP and Dig.

Technical Overview

Continuously tail (subprocess tail -F) the system security log, searching each line for a match on "sshd" together with "Failed password" or "Invalid user". On a match, the source IP is added to a list. Once the configured number of consecutive failed attempts from the same source IP arrive with each attempt inside the threshold time, the source IP is blocked in iptables and nmap/dig is run against it. The "clear" value removes the iptables block after the selected interval.

                                        ----------------------
----------    --------    ----------- / |iptables Blocks BFer| \
|        |    |      |    |         |   ----------------------  -----------------
|SSH BFer| -> |System| -> |sshwatchd|                           |Clear iptables |
|        |    |      |    |         |   ----------------------  |BFer in 60 mins|
----------    --------    ----------- \ |NMAP/dig Probed BFer|  -----------------
                                        |/var/log/nmap.log   |
                                        ----------------------
BFer = Brute Forcer 

Requirements

  • Linux (Redhat, Debian)
  • root or equivalent
  • OPENSSH Server
  • Python 2.4+
  • iptables (IPv4)
  • nmap (optional)
  • dig (bind-utils) (optional)

Installation

From Source

git clone https://github.com/marshyski/sshwatch.git
sshwatch  -> /etc/init.d   (copy the init script here)
sshwatchd -> /usr/sbin     (copy the daemon here)

From Packages

rpm -ivh sshwatch-2.0-1.noarch.rpm #Redhat only
dpkg -i sshwatch_2.0_all.deb #Debian only

Post Install

chmod -f 0700 /etc/init.d/sshwatch /usr/sbin/sshwatchd
chown -f root:root /etc/init.d/sshwatch /usr/sbin/sshwatchd
chkconfig sshwatch on #Redhat only
/etc/init.d/sshwatch start

Usage

Variables in sshwatchd

thresh   = maximum number of seconds allowed between consecutive attempts, default is 60
attempts = number of consecutive attempts before the source is blocked, default is 4
clear    = number of seconds after which an active source block is removed, default is 3600
nmaplog  = file where nmap probe results are logged, default is /var/log/nmap.log
nmap     = run an nmap probe against the blocked source and store the result in nmaplog, default is 0 (off)
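To make the Technical Overview and the thresh / attempts / clear variables concrete, here is an added Python 3 example (not sshwatchd's own code, which targets Python 2.4+). It parses constructed sample auth.log lines, keeps a per-source streak of failures that resets whenever the gap between two failures exceeds thresh, records the iptables command that would block the source after `attempts` failures, and records the matching delete once `clear` seconds have elapsed. The log lines, the year assumed for the syslog timestamps, and the fact that iptables is only recorded rather than executed are all assumptions of this example.

```python
import calendar
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log lines (RFC 5737 documentation addresses; not from a real host).
SAMPLE_LOG = [
    "Jan 10 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2",
    "Jan 10 10:00:05 host sshd[1002]: Failed password for root from 203.0.113.7 port 40002 ssh2",
    "Jan 10 10:00:09 host sshd[1003]: Invalid user oracle from 203.0.113.7 port 40003",
    "Jan 10 10:00:12 host sshd[1003]: Failed password for invalid user oracle from 203.0.113.7 port 40003 ssh2",
    "Jan 10 10:00:20 host sshd[1005]: Accepted publickey for deploy from 198.51.100.4 port 50000 ssh2",
    "Jan 10 10:00:30 host sshd[1006]: Failed password for root from 198.51.100.9 port 50100 ssh2",
    "Jan 10 10:05:00 host sshd[1007]: Failed password for root from 198.51.100.9 port 50101 ssh2",
    "Jan 10 11:05:00 host sshd[1008]: Failed password for root from 198.51.100.9 port 50102 ssh2",
]

LOG_YEAR = 2024  # assumption: syslog timestamps carry no year
# Same match the README describes: an sshd line with "Failed password" or "Invalid user".
FAIL_RE = re.compile(r"sshd\[\d+\]: (?:Failed password|Invalid user) .*?from (\d{1,3}(?:\.\d{1,3}){3})")


def parse_ts(line):
    """Return the syslog timestamp at the start of a line as epoch seconds (UTC assumed)."""
    dt = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return calendar.timegm(dt.timetuple())


def failed_source(line):
    """Return the source IP if the line is an sshd failure, else None."""
    m = FAIL_RE.search(line)
    return m.group(1) if m else None


class SshWatch:
    """Per-source streak counter driven by the thresh / attempts / clear variables."""

    def __init__(self, thresh=60, attempts=4, clear=3600):
        self.thresh, self.attempts, self.clear = thresh, attempts, clear
        self.streak = defaultdict(deque)  # ip -> timestamps of the current consecutive-failure streak
        self.blocked = {}                 # ip -> epoch second the block was inserted
        self.actions = []                 # iptables argv lists that would be executed (dry run only)

    def _iptables(self, flag, ip):
        # A real daemon would subprocess.call() this; here it is only recorded.
        self.actions.append(["iptables", flag, "INPUT", "-s", ip, "-j", "DROP"])

    def expire(self, now):
        """Remove blocks older than `clear` seconds (the 'Clear iptables BFer' step)."""
        for ip, since in list(self.blocked.items()):
            if now - since >= self.clear:
                self._iptables("-D", ip)
                del self.blocked[ip]

    def feed(self, line):
        """Process one log line; return the IP if this line triggered a new block, else None."""
        now = parse_ts(line)
        self.expire(now)
        ip = failed_source(line)
        if ip is None or ip in self.blocked:
            return None
        q = self.streak[ip]
        # A gap longer than `thresh` between two failures breaks the streak.
        if q and now - q[-1] > self.thresh:
            q.clear()
        q.append(now)
        if len(q) >= self.attempts:
            self._iptables("-I", ip)
            self.blocked[ip] = now
            q.clear()
            return ip
        return None


def run(lines, **cfg):
    """Feed lines through a watcher; return (IPs blocked in order, iptables commands recorded)."""
    w = SshWatch(**cfg)
    blocked = [ip for ip in (w.feed(line) for line in lines) if ip]
    return blocked, w.actions


if __name__ == "__main__":
    blocked, actions = run(SAMPLE_LOG)
    print("blocked:", blocked)
    for argv in actions:
        print(" ".join(argv))
```

With the defaults, 203.0.113.7 is blocked on its fourth match at 10:00:12 and unblocked when the 11:05:00 line arrives (more than 3600 seconds later), while 198.51.100.9 never reaches four failures within 60-second gaps. Note that one real login attempt against a non-existent account produces both an "Invalid user" and a "Failed password for invalid user" line, so it counts twice under this matching; keep that in mind when choosing `attempts`.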

Run in standalone / no-daemon / DEBUG mode

./sshwatchd /var/log/auth.log >/var/log/sshwatch.log 2>&1 & #Debian
./sshwatchd /var/log/secure >/var/log/sshwatch.log 2>&1 &   #Redhat

Changes from 1.0 to 2.0

  • Block all traffic from the source IP, not just traffic from that IP to port 22
  • NMAP/Dig the source IP and store the result in /var/log/nmap.log
  • Packages, courtesy of fpm building.
  • A rich README ^_^

Help & Feedback

You can email me directly (marshyski@gmail.com) if you need help, or submit an issue or pull request. Fork it.
