sshwatch

Intrusion prevention system (IPS) for SSH, similar to DenyHosts, written in Python. It can also gather information about the attacker during the attack and record it in a log.

SSHWATCH v2.0

Intrusion Prevention System for Secure Shell (SSH) sourced from [email protected]


Why Use This?

Similar to DenyHosts, but it records more about each blocked source: the offending IP can be probed with Nmap and looked up with dig, and the results are written to a log.


Technical Overview

Continuously tails the system authentication log (/var/log/auth.log on Debian, /var/log/secure on Red Hat), looking for sshd lines that contain "Failed password" or "Invalid user". Each match records a failed attempt against its source IP. When the same source IP produces a number of consecutive failures (the attempts variable, default 4), with no more than thresh seconds (default 60) between one failure and the next, the daemon inserts an iptables rule blocking all traffic from that IP and, if enabled, runs Nmap and dig against it. Blocks are removed again after clear seconds (default 3600).


Requirements

  • Linux (Red Hat, Debian)
  • Root or equivalent (needed to read the auth log and change iptables rules)
  • OpenSSH server
  • Python 2.4+
  • iptables (IPv4 only)
  • Nmap (optional)
  • dig (bind-utils) (optional)

Installation

From Source

  • git clone https://github.com/marshyski/sshwatch.git
  • Move sshwatch (the init script) to /etc/init.d
  • Move sshwatchd (the daemon) to /usr/sbin

From Packages

  • rpm -ivh sshwatch-2.0-1.noarch.rpm (Red Hat only)
  • dpkg -i sshwatch_2.0_all.deb (Debian only)

Post Install

  • chmod 0700 /etc/init.d/sshwatch /usr/sbin/sshwatchd
  • chown root:root /etc/init.d/sshwatch /usr/sbin/sshwatchd
  • chkconfig sshwatch on (Red Hat only)
  • /etc/init.d/sshwatch start

Usage

Variables in sshwatchd

  • thresh: maximum number of seconds between two consecutive failed attempts for them to count as part of the same run; a longer gap starts the count over. Default is 60.
  • attempts: number of consecutive failed attempts from one source IP that triggers a block. Default is 4.
  • clear: number of seconds a block stays active before it is removed. Default is 3600.
  • nmaplog: file that Nmap and dig output is written to. Default is /var/log/nmap.log.
  • nmap: when set to 1, probe each blocked source with Nmap and dig and store the results in nmaplog. Default is 0 (off).
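
The matching and threshold logic described under Technical Overview, using the variables above, as an added example (this is illustrative code written for this README, not sshwatchd's own source): it feeds constructed log lines through the same counting rules instead of tailing a file, and returns the iptables actions it would take instead of executing them. The exact iptables rule form (-I INPUT ... -j DROP) is this example's assumption; the page only states that 2.0 blocks all traffic from the source.

```python
"""Illustrative reimplementation of sshwatch's match/threshold logic.

Added example, not sshwatchd's own code.  It processes constructed log
lines instead of tailing /var/log/auth.log or /var/log/secure, and it
returns the iptables actions it would take rather than running them.
"""
import re
from datetime import datetime

# Same defaults the README documents for sshwatchd.
THRESH = 60       # max seconds between consecutive failures in one run
ATTEMPTS = 4      # failures in a run that trigger a block
CLEAR = 3600      # seconds after which a block is removed

# OpenSSH failure lines end in "from <ip> port <n>[ ssh2]".  The username in
# "Invalid user <name>" is chosen by the attacker, so the pattern is anchored
# on the trailing "from <ip>" at end of line, not on the first IP-looking
# token after the username.
FAIL_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'(?:Failed password for|Invalid user) (?P<user>.*) from '
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: port \d+)?(?: ssh2)?$'
)


def source_ip(line):
    """Return the source IP of an sshd failure line, or None if it is not one."""
    m = FAIL_RE.match(line)
    return m.group('ip') if m else None


def iptables_argv(action, ip):
    """argv for inserting (block) or deleting (unblock) a rule that drops all
    traffic from ip.  Assumed rule form, chosen for this example."""
    flag = '-I' if action == 'block' else '-D'
    return ['iptables', flag, 'INPUT', '-s', ip, '-j', 'DROP']


class Watcher:
    def __init__(self, thresh=THRESH, attempts=ATTEMPTS, clear=CLEAR):
        self.thresh, self.attempts, self.clear = thresh, attempts, clear
        self.runs = {}      # ip -> (consecutive failures, time of last one)
        self.blocked = {}   # ip -> time the block was inserted

    def feed(self, line):
        """Process one log line; return the list of (action, ip) it triggers."""
        m = FAIL_RE.match(line)
        if not m:
            return []
        # Syslog stamps carry no year; fine for deltas within one sample.
        now = datetime.strptime(m.group('ts'), '%b %d %H:%M:%S')
        actions = self._expire(now)     # a real daemon would do this on a timer
        ip = m.group('ip')
        if ip in self.blocked:          # already blocked: nothing more to do
            return actions
        count, last = self.runs.get(ip, (0, None))
        if last is not None and (now - last).total_seconds() > self.thresh:
            count = 0                   # gap longer than thresh: run starts over
        count += 1
        if count >= self.attempts:
            self.runs.pop(ip, None)
            self.blocked[ip] = now
            actions.append(('block', ip))
        else:
            self.runs[ip] = (count, now)
        return actions

    def _expire(self, now):
        """Release blocks older than clear seconds."""
        released = [ip for ip, t in self.blocked.items()
                    if (now - t).total_seconds() >= self.clear]
        for ip in released:
            del self.blocked[ip]
        return [('unblock', ip) for ip in released]


def run(log_text, **kw):
    """Feed every line of a log; return all (action, ip) tuples in order."""
    w = Watcher(**kw)
    actions = []
    for line in log_text.splitlines():
        actions.extend(w.feed(line))
    return actions


# Constructed sample, not a real capture.  203.0.113.7 fails four times within
# 60 s of each other and is blocked; 198.51.100.9 fails four times but 120 s
# apart, so no run of four ever forms; the 203.0.113.7 block is released once
# a line arrives more than 3600 s later.  The last line shows a username that
# itself contains "from <ip> port <n>": the trailing IP is still the source.
SAMPLE_LOG = """\
Mar 15 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar 15 10:00:12 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Mar 15 10:00:13 host sshd[1202]: Invalid user admin from 203.0.113.7 port 40003
Mar 15 10:00:30 host sshd[1203]: Accepted publickey for alice from 198.51.100.4 port 50001 ssh2
Mar 15 10:00:40 host sshd[1204]: Failed password for root from 203.0.113.7 port 40004 ssh2
Mar 15 10:00:41 host sshd[1205]: Failed password for root from 203.0.113.7 port 40005 ssh2
Mar 15 10:05:00 host sshd[1206]: Failed password for root from 198.51.100.9 port 51000 ssh2
Mar 15 10:07:00 host sshd[1207]: Failed password for root from 198.51.100.9 port 51001 ssh2
Mar 15 10:09:00 host sshd[1208]: Failed password for root from 198.51.100.9 port 51002 ssh2
Mar 15 10:11:00 host sshd[1209]: Failed password for root from 198.51.100.9 port 51003 ssh2
Mar 15 11:30:00 host sshd[1210]: Invalid user guest from 192.0.2.1 port 52000
Mar 15 11:30:05 host sshd[1211]: Invalid user foo from 10.9.9.9 port 1 from 192.0.2.1 port 52001
"""

if __name__ == '__main__':
    # Prints: block 203.0.113.7 ..., then unblock 203.0.113.7 ...
    for action, ip in run(SAMPLE_LOG):
        print(action, ip, ' '.join(iptables_argv(action, ip)))
```

Two points the sample makes explicit: a source that spaces its guesses more than thresh seconds apart never accumulates a run and is never blocked, so thresh and attempts trade detection against tolerance for slow guessing; and the regex must key on the end of the line, because the username in "Invalid user <name>" is supplied by the remote side and can contain text that looks like a log field.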

Run in Standalone / No-Daemon / DEBUG Mode

sshwatchd takes the path of the log to tail as its argument; redirect its own output to a file to keep it:

  • ./sshwatchd /var/log/auth.log > /var/log/sshwatch.log 2>&1 & (Debian)
  • ./sshwatchd /var/log/secure > /var/log/sshwatch.log 2>&1 & (Red Hat)

Changes from 1.0 to 2.0

  • Block all traffic from a blocked source IP, not just traffic from it to port 22
  • Probe the source IP with Nmap and dig and store the results in /var/log/nmap.log
  • RPM and Debian packages, built with fpm
  • A rich README ^_^
