Intrusion Prevention System (IPS) for Secure Shell (SSH)
Intrusion Prevention System (IPS) for Secure Shell (SSH) sourced from - THANKS HOMIE!

Why use this?

This project is similar to DenyHosts but enables better logging using NMAP and Dig.

Technical Overview

Continuously tail (subprocess tail -F) the system security log, searching for lines that match "sshd", "Failed password" and "Invalid user". On a match, the source IP is added to a list. After the configured number of consecutive failed attempts from the same source IP, each within the threshold time of the previous one, the source IP is blocked in iptables and nmap/dig is run against it. The "clear" value removes the iptables block after the selected interval.

----------    --------    ----------- / |iptables Blocks BFer| \
|        |    |      |    |         |   ----------------------  -----------------
|SSH BFer| -> |System| -> |sshwatchd|                           |Clear iptables |
|        |    |      |    |         |   ----------------------  |BFer in 60 mins|
----------    --------    ----------- \ |NMAP/dig Probed BFer|  -----------------
                                        |/var/log/nmap.log   |
BFer = Brute Forcer 
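The detection loop described above, as an added Python 3 example (not sshwatchd's own code), replayed over constructed sshd log lines: it tracks consecutive failures per source IP against the thresh / attempts / clear variables and records the iptables commands it would issue instead of running them.

```python
import re
from datetime import datetime
# Constructed sshd lines (auth.log style, documentation-range addresses), not real log data.
SAMPLE_LOG = """\
May 11 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 4001 ssh2
May 11 10:00:20 host sshd[1202]: Invalid user admin from 203.0.113.5
May 11 10:00:45 host sshd[1204]: Failed password for root from 203.0.113.5 port 4002 ssh2
May 11 10:01:10 host sshd[1205]: Failed password for root from 203.0.113.5 port 4003 ssh2
May 11 10:02:00 host sshd[1206]: Failed password for root from 198.51.100.7 port 4011 ssh2
May 11 11:01:30 host sshd[1207]: Failed password for root from 198.51.100.7 port 4012 ssh2
"""
LINE_RE = re.compile(r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
                     r'(?:Failed password|Invalid user).*?from (?P<ip>\d+(?:\.\d+){3})')

def parse_line(line, year=2013):  # sshwatchd's "sshd" + "Failed password"/"Invalid user" match
    m = LINE_RE.match(line)
    if m:  # returns (timestamp, source_ip) for a failed-login line, None otherwise
        return datetime.strptime('%d %s' % (year, m.group('ts')), '%Y %b %d %H:%M:%S'), m.group('ip')

class Watcher:  # per-source-IP state mirroring the thresh / attempts / clear variables
    def __init__(self, thresh=60, attempts=4, clear=3600):
        self.thresh, self.attempts, self.clear = thresh, attempts, clear
        self.hits = {}      # ip -> timestamps of the current run of consecutive failures
        self.blocked = {}   # ip -> time the iptables block was applied
        self.actions = []   # iptables commands that would be executed (recorded, not run)

    def expire(self, now):  # drop blocks older than `clear` seconds (the 60-minute clean-up)
        for ip, since in list(self.blocked.items()):
            if (now - since).total_seconds() >= self.clear:
                del self.blocked[ip]
                self.actions.append('iptables -D INPUT -s %s -j DROP' % ip)

    def feed(self, line):   # process one log line; returns the block command when triggered
        parsed = parse_line(line)
        if parsed is None:
            return None
        ts, ip = parsed
        self.expire(ts)
        if ip in self.blocked:
            return None
        run = self.hits.get(ip, [])
        if run and (ts - run[-1]).total_seconds() > self.thresh:
            run = []        # gap longer than thresh: the run is no longer consecutive
        run.append(ts)
        self.hits[ip] = run
        if len(run) >= self.attempts:
            self.blocked[ip] = ts   # 2.0 blocks all traffic from the source, not only port 22
            del self.hits[ip]       # (the daemon would also launch its nmap/dig probe here)
            self.actions.append('iptables -I INPUT -s %s -j DROP' % ip)
            return self.actions[-1]

    def replay(self, log_text):  # feed every line of a log text, return self
        for line in log_text.splitlines():
            self.feed(line)
        return self
```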


  • Linux (Redhat, Debian)
  • root or equivalent
  • OPENSSH Server
  • Python 2.4+
  • iptables (IPv4)
  • nmap (optional)
  • dig (bind-utils) (optional)


From Source

git clone
sshwatch  -> /etc/init.d
sshwatchd -> /usr/sbin

From Packages

rpm -ivh sshwatch-2.0-1.noarch.rpm #Redhat only
dpkg -i sshwatch_2.0_all.deb #Debian only

Post Install

chmod -f 0700 /etc/init.d/sshwatch /usr/sbin/sshwatchd
chown -f root:root /etc/init.d/sshwatch /usr/sbin/sshwatchd
chkconfig sshwatch on #Redhat only
/etc/init.d/sshwatch start


Variables in sshwatchd

thresh   = number of seconds between consecutive attempts, default is 60
attempts = number of consecutive attempts, default is 4
clear    = number of seconds elapsed to clear active source blocks, default is 3600
nmaplog  = nmap probes are logged here, default is /var/log/nmap.log
nmap     = nmap probes the malicious source and stores the result in nmaplog, default is 0 (off)

Run in standalone / no-daemon / DEBUG mode

./sshwatchd /var/log/auth.log >/var/log/sshwatch.log 2>&1 & #Debian
./sshwatchd /var/log/secure >/var/log/sshwatch.log 2>&1 &   #Redhat

Changes from 1.0 to 2.0

  • Block all traffic from an IP not just on source IP / Port 22
  • NMAP/Dig source IP and store in /var/log/nmap.log
  • Packages, courtesy of fpm building.
  • A rich README ^_^

Help & Feedback

You can email me directly if you need help, submit an issue or pull request. Fork it.
