Intrusion Prevention System (IPS) for Secure Shell (SSH)
Python Shell
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
README.md
sshwatch first commit May 11, 2013
sshwatch-2.0-1.noarch.rpm
sshwatch_2.0_all.deb
sshwatchd

README.md

SSHWATCH v2.0

Intrusion Prevention System ( IPS ) for Secure Shell ( SSH ) sourced from https://code.google.com/p/sshwatch/ - krink@csun.edu THANKS HOMIE!

Why use this?

This project is similar to DenyHosts but enables better logging using NMAP and Dig.

Technical Overview

Continuously tail (subprocess tail -F) the system security logs, searching for a match on "sshd", "Failed password", "Invalid user". With a match, add the source ip to a list. After number of sequentially matched failed attempts, in consecutive order, from the same source ip, under the thresh hold time, puts the source ip in iptables block and nmap/dig is ran. The "clear" value will remove the iptables block at selected interval.

                                        ----------------------
----------    --------    ----------- / |iptables Blocks BFer| \
|        |    |      |    |         |   ----------------------  -----------------
|SSH BFer| -> |System| -> |sshwatchd|                           |Clear iptables |
|        |    |      |    |         |   ----------------------  |BFer in 60 mins|
----------    --------    ----------- \ |NMAP/dig Probed BFer|  -----------------
                                        |/var/log/nmap.log   |
                                        ----------------------
BFer = Brute Forcer 

Requirements

  • Linux (Redhat, Debain)
  • root or equivalent
  • OPENSSH Server
  • Python 2.4+
  • iptables (IPv4)
  • nmap (optional)
  • dig (bind-utils) (optional)

Installation

From Source

git clone https://github.com/marshyski/sshwatch.git
sshwatch  -> /etc/init.d
sshwatchd -> /usr/sbin

From Packages

rpm -ivh sshwatch-2.0-1.noarch.rpm #Redhat only
dpkg -i sshwatch_2.0_all.deb #Debian only

Post Install

chmod -f 0700 /etc/init.d/sshwatch /usr/sbin/sshwatchd
chown -f root:root /etc/init.d/sshwatch /usr/sbin/sshwatchd
chkconfig sshwatch on #Redhat only
/etc/init.d/sshwatch start

Usage

Variables in sshwatchd

thresh   = number of seconds between consecutive attempts, default is 60
attempts = number of consecutive attempts, default is 4
clear    = number of seconds elapsed to clear active source blocks, default is 3600
nmaplog  = nmap probes are logged here, default is /var/log/nmap.log
nmap     = nmap probe malicious source and stored in nmaplog, default is 0 (off)

Run in standalone / no-daemon / DEBUG mode

./sshwatchd /var/log/auth.log >/var/log/sshwatch.log 2>&1 & #Debian
./sshwatchd /var/log/secure >/var/log/sshwatch.log 2>&1 &   #Redhat

Changes from 1.0 to 2.0

  • Block all traffic from an IP not just on source IP / Port 22
  • NMAP/Dig source IP and store in /var/log/nmap.log
  • Packages, curtisity of fpm building.
  • A rich README ^_^

Help & Feedback

You can email (marshyski@gmail.com) me directly if you need help, submit an issue or pull request. Fork it.