sshwatch is an IPS (intrusion prevention system) for SSH, similar to DenyHosts, written in Python. It can also gather information about the attacker while the attack is in progress and record it in a log.
How to install
To install this tool, use one of the methods listed below. Run the commands as root on a Linux host (Debian or Red Hat based; distribution-specific commands are marked).

Install from source:

    git clone https://github.com/marshyski/sshwatch.git

Then copy sshwatch from the clone into /etc/init.d and sshwatchd into /usr/sbin.

Or install from a package:

    rpm -ivh sshwatch-2.0-1.noarch.rpm    # Red Hat only
    dpkg -i sshwatch_2.0_all.deb          # Debian only

After either method, restrict the files to root, enable the service and start it:

    chmod -f 0700 /etc/init.d/sshwatch /usr/sbin/sshwatchd
    chown -f root:root /etc/init.d/sshwatch /usr/sbin/sshwatchd
    chkconfig sshwatch on                 # Red Hat only
    /etc/init.d/sshwatch start
Download directly from the following link:
How to execute
Variables in sshwatchd

    thresh   = maximum number of seconds between consecutive attempts for them to count as one run; default 60
    attempts = number of consecutive attempts before the source is blocked; default 4
    clear    = number of seconds after which active source blocks are cleared; default 3600
    nmaplog  = file where nmap probe results are logged; default /var/log/nmap.log
    nmap     = probe the malicious source with nmap and store the result in nmaplog; default 0 (off)

Note that nmap=1 sends active probe traffic back to the attacking host, so leave it off unless that is acceptable on your network.
Run in standalone / no-daemon / DEBUG mode, pointing it at the SSH authentication log for your distribution:

    ./sshwatchd /var/log/auth.log >/var/log/sshwatch.log 2>&1 &    # Debian
    ./sshwatchd /var/log/secure   >/var/log/sshwatch.log 2>&1 &    # Red Hat
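To make the thresh / attempts / clear logic concrete, the following is an added Python example and is not sshwatch's own code. It applies the same three variables to a few constructed auth.log lines: it keeps a per-source count of failed logins, records a block once `attempts` consecutive failures have each arrived within `thresh` seconds of the previous one, and clears the block after `clear` seconds. The sshd line regex, the fixed year (syslog timestamps carry none), and the iptables command string are assumptions made for the example; sshwatch's real parser and blocking mechanism are not described on this page.

```python
import re
from datetime import datetime

# Constructed auth.log lines for the example (not captured from a real host).
SAMPLE_AUTH_LOG = """\
Mar  1 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 41000 ssh2
Mar  1 10:00:20 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 41001 ssh2
Mar  1 10:00:45 host sshd[1003]: Failed password for root from 203.0.113.5 port 41002 ssh2
Mar  1 10:01:10 host sshd[1004]: Failed password for root from 203.0.113.5 port 41003 ssh2
Mar  1 10:05:00 host sshd[1005]: Failed password for root from 198.51.100.7 port 50000 ssh2
Mar  1 10:10:00 host sshd[1006]: Failed password for root from 198.51.100.7 port 50001 ssh2
Mar  1 10:10:30 host sshd[1007]: Accepted publickey for alice from 192.0.2.9 port 60000 ssh2
Mar  1 11:02:00 host sshd[1008]: Failed password for root from 203.0.113.5 port 41004 ssh2
"""

# Assumed sshd line format (Debian/Red Hat syslog style); sshwatch's own parser is not on the page.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failed_login(line, year=2024):
    """Return (timestamp, source_ip, user) for a failed-password line, else None.
    Syslog timestamps carry no year, so one is assumed for the example."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]


def block_command(ip):
    """Assumed blocking action: the iptables rule an IPS would insert for the source."""
    return f"iptables -I INPUT -s {ip} -j DROP"


class SshWatch:
    """Threshold logic driven by the same three variables sshwatchd documents."""

    def __init__(self, thresh=60, attempts=4, clear=3600):
        self.thresh = thresh        # max seconds between consecutive attempts
        self.attempts = attempts    # consecutive attempts that trigger a block
        self.clear = clear          # seconds until an active block is cleared
        self.last_seen = {}         # ip -> time of its last failed attempt
        self.counts = {}            # ip -> consecutive attempts within thresh
        self.blocked = {}           # ip -> time the block was applied
        self.actions = []           # audit trail of (action, ip, time)

    def expire_blocks(self, now):
        """Clear blocks older than `clear` seconds; the source then starts from a clean count."""
        for ip, since in list(self.blocked.items()):
            if (now - since).total_seconds() >= self.clear:
                del self.blocked[ip]
                self.counts.pop(ip, None)
                self.last_seen.pop(ip, None)
                self.actions.append(("unblock", ip, now))

    def feed(self, line):
        """Process one log line in arrival order; the log timestamp is the clock."""
        parsed = parse_failed_login(line)
        if parsed is None:
            return
        now, ip, _user = parsed
        self.expire_blocks(now)
        if ip in self.blocked:
            return  # already dropped; nothing more to count
        last = self.last_seen.get(ip)
        # A gap longer than thresh breaks the "consecutive" run and restarts the count.
        if last is not None and (now - last).total_seconds() <= self.thresh:
            self.counts[ip] = self.counts.get(ip, 0) + 1
        else:
            self.counts[ip] = 1
        self.last_seen[ip] = now
        if self.counts[ip] >= self.attempts:
            self.blocked[ip] = now
            self.actions.append(("block", ip, now))


def run_sample(thresh=60, attempts=4, clear=3600):
    """Feed the constructed log through the watcher with the given variables."""
    watcher = SshWatch(thresh, attempts, clear)
    for line in SAMPLE_AUTH_LOG.splitlines():
        watcher.feed(line)
    return watcher


if __name__ == "__main__":
    for action, ip, when in run_sample().actions:
        cmd = block_command(ip) if action == "block" else f"(clear block on {ip})"
        print(f"{when:%H:%M:%S} {action:7} {ip:15} {cmd}")
```

With the defaults, 203.0.113.5 is blocked at its fourth failure (10:01:10) and cleared an hour later, while 198.51.100.7 never triggers because its two failures are five minutes apart; with a looser thresh=600 and attempts=2 both sources are blocked, which is the trade-off to weigh when tuning these variables against slow, low-rate guessing.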
This article was contributed by Gavin Dennis from Jamaica. Gavin is a member of the Caribbean CSPA.