Intrusion Prevention System (IPS) for Secure Shell (SSH)
Intrusion Prevention System (IPS) for Secure Shell (SSH) sourced from - THANKS HOMIE!

Why use this?

This project is similar to DenyHosts but enables better logging using NMAP and Dig.

Technical Overview

Continuously tail (subprocess tail -F) the system security logs, searching for a match on "sshd", "Failed password", "Invalid user". On a match, the source IP is added to a list. After a number of failed attempts from the same source IP, matched in consecutive order and within the threshold time, the source IP is blocked in iptables and nmap/dig is run against it. The "clear" value removes the iptables block at the selected interval.

----------    --------    ----------- / |iptables Blocks BFer| \
|        |    |      |    |         |   ----------------------  -----------------
|SSH BFer| -> |System| -> |sshwatchd|                           |Clear iptables |
|        |    |      |    |         |   ----------------------  |BFer in 60 mins|
----------    --------    ----------- \ |NMAP/dig Probed BFer|  -----------------
                                        |/var/log/nmap.log   |
BFer = Brute Forcer 


  • Linux (Redhat, Debian)
  • root or equivalent
  • OpenSSH server
  • Python 2.4+
  • iptables (IPv4)
  • nmap (optional)
  • dig (bind-utils) (optional)


From Source

git clone
sshwatch  -> /etc/init.d
sshwatchd -> /usr/sbin

From Packages

rpm -ivh sshwatch-2.0-1.noarch.rpm #Redhat only
dpkg -i sshwatch_2.0_all.deb #Debian only

Post Install

chmod -f 0700 /etc/init.d/sshwatch /usr/sbin/sshwatchd
chown -f root:root /etc/init.d/sshwatch /usr/sbin/sshwatchd
chkconfig sshwatch on #Redhat only
/etc/init.d/sshwatch start


Variables in sshwatchd

thresh   = number of seconds between consecutive attempts, default is 60
attempts = number of consecutive attempts, default is 4
clear    = number of seconds elapsed to clear active source blocks, default is 3600
nmaplog  = nmap probes are logged here, default is /var/log/nmap.log
nmap     = probe the malicious source with nmap and store the result in nmaplog, default is 0 (off)
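
The matching and counting described under Technical Overview, using the thresh, attempts and clear defaults listed above, replayed over constructed log lines; this is an added example, not sshwatchd's own code. Assumptions: a streak restarts when two failures from one IP are more than thresh seconds apart, the year is a parameter because syslog timestamps carry none, clear is evaluated when the next matching line arrives, and block/unblock decisions are returned instead of calling iptables; parse and decisions are hypothetical names.

```python
import re
from datetime import datetime

THRESH, ATTEMPTS, CLEAR = 60, 4, 3600  # thresh, attempts, clear defaults from the README
# The user name is remote-controlled text, so the address is taken from the
# fixed tail of the line, not from the first "from <x>" that appears in it.
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: (?:Failed password for|"
                  r"Invalid user) .* from (\d{1,3}(?:\.\d{1,3}){3})(?: port \d+)?(?: ssh2)?$")

def parse(line, year=2024):
    """Return (seconds into the assumed year, IPv4) for a failure line, else None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S")
    return (ts - datetime(year, 1, 1)).total_seconds(), m.group(2)

def decisions(lines):
    """Replay log lines and return the ("block" | "unblock", ip) actions in order."""
    streak, blocked, actions = {}, {}, []  # ip -> (count, last seen); ip -> block time
    for line in lines:
        hit = parse(line)
        if hit is None:
            continue
        now, ip = hit
        for old in [b for b, t in blocked.items() if now - t >= CLEAR]:
            del blocked[old]                  # point where the iptables rule is removed
            actions.append(("unblock", old))
        if ip in blocked:
            continue
        count, last = streak.get(ip, (0, now))
        count = count + 1 if now - last <= THRESH else 1  # a gap over thresh restarts
        streak[ip] = (count, now)
        if count >= ATTEMPTS:
            blocked[ip] = now                 # point where the iptables block is added
            actions.append(("block", ip))
    return actions

H = " host sshd[2211]: "  # constructed sample lines using documentation addresses
SAMPLE = [
    "Jan 10 03:14:01" + H + "Failed password for root from 203.0.113.5 port 40022 ssh2",
    "Jan 10 03:14:03" + H + "Invalid user admin from 203.0.113.5",
    "Jan 10 03:14:04" + H + "Accepted password for alice from 192.0.2.10 port 51000 ssh2",
    "Jan 10 03:14:05" + H + "Failed password for invalid user admin from 203.0.113.5 port 40022 ssh2",
    "Jan 10 03:14:09" + H + "Failed password for invalid user x from 198.51.100.7 from 203.0.113.5 port 40030 ssh2",
    "Jan 10 04:30:00" + H + "Failed password for bob from 192.0.2.77 port 40100 ssh2",
]
if __name__ == "__main__":
    print(decisions(SAMPLE))
```

The fifth sample line has a user name that itself contains "from 198.51.100.7"; the anchored pattern still attributes the failure to 203.0.113.5, so the address inside the user name is never blocked.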

Run in standalone / no-daemon / DEBUG mode

./sshwatchd /var/log/auth.log >/var/log/sshwatch.log 2>&1 & #Debian
./sshwatchd /var/log/secure >/var/log/sshwatch.log 2>&1 &   #Redhat

Changes from 1.0 to 2.0

  • Block all traffic from an IP, not just source IP / port 22
  • NMAP/Dig source IP and store in /var/log/nmap.log
  • Packages, built courtesy of fpm.
  • A rich README ^_^

Help & Feedback

You can email me directly if you need help, or submit an issue or pull request. Fork it.

