Resource Introduction
Intrusion Prevention System (IPS) for ssh (default port 22), this IPS responds to the suspicious activity by setting the linux firewall (iptables) to block network traffic from the suspected malicious source. Suspicious activity is determined via auth or security logs.
This IPS is linux only, using iptables, and thus must be run as root.
thresh = (number of seconds between consecutive attempts)
attempts = (number of consecutive attempts)
clear = (number of seconds elapsed to clear active source blocks)
This IPS has been tested on:
debian linux - /var/log/auth.log
redhat linux - /var/log/secure
Best practice for running this program:
./sshwatch.py /var/log/auth.log >>/root/sshwatch.log 2>&1 &
Program Overview:
Continuously tail (subprocess tail -F) the system security logs, searching for a match on "sshd", "Failed password", "Invalid user"
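The following is an added example, not the project's own sshwatch.py, showing the thresh/attempts/clear logic described above as a small Python class: sshd failure lines are matched, consecutive failures from one source (gaps of at most thresh seconds) are counted, the source is blocked after attempts failures, and the block is released after clear seconds. The iptables rule layout, the SshWatch/replay/tail_follow names, the sample auth.log lines and their arrival times are all constructed for this example; dry_run defaults to True so the class only records the iptables commands it would issue.

```python
#!/usr/bin/env python3
"""Added example of an sshwatch-style log monitor (not the project's code).
Counts consecutive sshd failures per source and blocks with iptables."""
import re
import subprocess
import time

# Matches the sshd failure lines named in the README and captures the source IP.
FAIL_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password|Invalid user).*?\bfrom (\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample lines in Debian /var/log/auth.log format: (arrival time, line).
SAMPLE = [
    (100, "Mar 10 12:00:00 host sshd[1201]: Failed password for root from 203.0.113.5 port 50001 ssh2"),
    (100, "Mar 10 12:00:00 host sshd[1202]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2"),
    (101, "Mar 10 12:00:01 host sshd[1203]: Invalid user oracle from 203.0.113.5 port 50002"),
    (102, "Mar 10 12:00:02 host sshd[1204]: Failed password for root from 203.0.113.5 port 50003 ssh2"),
    (103, "Mar 10 12:00:03 host sshd[1205]: Accepted publickey for alice from 192.0.2.10 port 60000 ssh2"),
    (110, "Mar 10 12:00:10 host sshd[1206]: Failed password for root from 198.51.100.7 port 40002 ssh2"),
    (120, "Mar 10 12:00:20 host sshd[1207]: Failed password for root from 198.51.100.7 port 40003 ssh2"),
]


class SshWatch:
    def __init__(self, thresh=2, attempts=3, clear=600, dry_run=True):
        self.thresh = thresh      # max seconds between attempts counted as consecutive
        self.attempts = attempts  # consecutive failures that trigger a block
        self.clear = clear        # seconds after which a block is released
        self.dry_run = dry_run    # True: record commands only, never call iptables
        self.counts = {}          # ip -> (time of last failure, consecutive failures)
        self.blocked = {}         # ip -> time the block was inserted
        self.commands = []        # iptables commands issued (or recorded in dry_run)

    def _iptables(self, action, ip):
        # -I inserts a DROP rule for this source at the top of INPUT; -D removes it.
        cmd = ["iptables", action, "INPUT", "-s", ip, "-p", "tcp", "--dport", "22", "-j", "DROP"]
        self.commands.append(cmd)
        if not self.dry_run:
            subprocess.run(cmd, check=True)  # requires root
        return cmd

    def process_line(self, line, now):
        """Feed one log line; return the ip if this line triggered a block, else None."""
        m = FAIL_RE.search(line)
        if not m:
            return None
        ip = m.group(1)
        if ip in self.blocked:
            return None
        last, count = self.counts.get(ip, (None, 0))
        # A failure within thresh seconds of the previous one extends the run; otherwise restart.
        count = count + 1 if last is not None and now - last <= self.thresh else 1
        self.counts[ip] = (now, count)
        if count < self.attempts:
            return None
        self._iptables("-I", ip)
        self.blocked[ip] = now
        del self.counts[ip]
        return ip

    def expire(self, now):
        """Release blocks older than `clear` seconds; return the ips released."""
        released = [ip for ip, t in self.blocked.items() if now - t >= self.clear]
        for ip in released:
            self._iptables("-D", ip)
            del self.blocked[ip]
        return released


def replay(sample=SAMPLE, **kw):
    """Run the constructed sample through a dry-run watcher; return (watcher, blocked ips)."""
    w = SshWatch(**kw)
    blocked = []
    for now, line in sample:
        ip = w.process_line(line, now)
        if ip:
            blocked.append(ip)
    return w, blocked


def tail_follow(path):
    """Yield lines appended to `path`, following rotations like the README describes."""
    proc = subprocess.Popen(["tail", "-F", "-n", "0", path], stdout=subprocess.PIPE, text=True)
    for line in proc.stdout:
        yield line.rstrip("\n")


if __name__ == "__main__":
    import sys
    watcher = SshWatch(dry_run=False)  # live mode: must run as root
    for line in tail_follow(sys.argv[1]):
        now = time.time()
        hit = watcher.process_line(line, now)
        if hit:
            print(f"{time.ctime(now)} blocked {hit}", flush=True)
        for ip in watcher.expire(now):
            print(f"{time.ctime(now)} released {ip}", flush=True)
```

In the sample, 203.0.113.5 fails three times one second apart and is blocked on the third line, while 198.51.100.7 fails three times ten seconds apart, so each failure restarts its run and it is never blocked; the block on 203.0.113.5 is released once clear seconds have elapsed. Running the script on a real log as root follows the README's invocation pattern, with `tail -F` surviving log rotation.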