sshwatch - IPS for SSH written in Python.


sshwatch is a IPS for SSH similar to DenyHosts written in Python. It also can gather information about attacker during the attack in a log.

How to install

To use this tool, please use a method listed below

In a Linux (Debian OS), run the following command(s).


From Source

git clone
sshwatch  -> /etc/init.d
sshwatchd -> /usr/sbin

From Packages

  rpm -ivh sshwatch-2.0-1.noarch.rpm #Redhat only
dpkg -i sshwatch_2.0_all.deb #Debian only

Post Install

  chmod -f 0700 /etc/init.d/sshwatch /usr/sbin/sshwatchd
chown -f root:root /etc/init.d/sshwatch /usr/sbin/sshwatchd
chkconfig sshwatch on #Redhat only
/etc/init.d/sshwatch start

Download directly from the following link:


How to execute

Variables in sshwatchd

thresh   = number of seconds between consecutive attempts, default is 60
attempts = number of consecutive attempts, default is 4
clear    = number of seconds elapsed to clear active source blocks, default is 3600
nmaplog  = nmap probes are logged here, default is /var/log/nmap.log
nmap     = nmap probe malicious source and stored in nmaplog, default is 0 (off)  

Run in standalone / no-daemon / DEBUG mode

  ./sshwatchd /var/log/auth.log >/var/log/sshwatch.log 2>&1 & #Debian
./sshwatchd /var/log/secure >/var/log/sshwatch.log 2>&1 &   #Redhat




Next steps:


This article was contributed by Gavin Dennis from Jamaica. Gavin is a member of the Caribbean CSPA.

Was this article helpful?
0 out of 0 found this helpful



Article is closed for comments.