slossh

Version: v0.1.0
Published: Nov 30, 2020 License: MIT Imports: 14 Imported by: 0

README

Slossh - your friendly, extensible ssh sentinel

Slossh is a simple SSH server that never lets you in. Its purpose is to sit on your network, collecting information about bots from bad actors who are constantly attempting to gain access to your systems. It also allows you to make real-time decisions, blocking access to your network from IPs that are currently engaging in attacks. It can also be used to research the username / password combinations that these bots use, to ensure that your password policies are effective.

Placement

Ideally, the program should be run on a device in your IP space, but separated from the rest of your network by policy. This allows active nefarious IPs to be blocked while slossh continues to gather data. It should listen on port 22, but run as an unprivileged user.

Recorders

Internally, Slossh has recorders that take the collected data and make it useful. They might store the data in a file, or send it to a remote endpoint for immediate action. There are currently two built-in recorders (file and HTTP POST), but more are planned, and it is fairly simple to add a new recorder.

File recorder

Stores JSON results locally in a single file.

HTTP recorder

Sends results to a remote HTTP server. This recorder sends a POST request to the specified URL with a JSON-encoded body for each login attempt.

SSH Session JSON format

Each session may contain zero or more login attempts. The session structure is sent to each configured recorder once it is closed. If public key authentication is attempted, the public key used will be recorded.

{
    "SessionID": "cf3750f6a7bf951fc2aa5a3c05bd8aa7050b94c7f7e5d7d09afa18bf20b7e2d2",
    "IP": "127.0.0.1",
    "ClientVersion": "SSH-2.0-OpenSSH_8.1",
    "Attempts": [
        {
            "Username": "admin",
            "Key": {
                "Key": "ssh-rsa AAA..... # full ssh public key here",
                "Fingerprint": "SHA256:s6iMqZs5Uh8x530Sjlwqes9m/w1UykbK0x29pfupPSo",
                "Type": "ssh-rsa"
            },
            "Password": ""
        },
        {
            "Username": "admin",
            "Key": null,
            "Password": "P@SSw0rd"
        }
    ],
    "Start": "2020-11-20T22:23:26.820267-05:00",
    "Finish": "2020-11-20T22:23:32.139888-05:00"
}
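One way to consume these records on the defender side, added here as an example and not part of the slossh module: it tallies login attempts per source IP and the password guesses seen, then lists the IPs at or above a threshold. The names `Session`, `Analyze` and `Sample`, the threshold, and the assumption that records arrive as one JSON object after another are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strings"
)

// Session mirrors the README's JSON field names; the Go types are assumptions.
type Session struct {
	IP       string
	Attempts []struct {
		Username, Password string
		Key                interface{} // null on password attempts
	}
}

// Analyze tallies a stream of session objects (assumed file-recorder layout).
func Analyze(r io.Reader, threshold int) (block []string, creds map[string]int, err error) {
	byIP := map[string]int{} // login attempts per source IP
	creds = map[string]int{} // "username:password" -> times tried
	dec := json.NewDecoder(r)
	for dec.More() {
		var s Session
		if err = dec.Decode(&s); err != nil {
			return nil, nil, err // truncated or malformed record
		}
		byIP[s.IP] += len(s.Attempts)
		for _, a := range s.Attempts {
			if a.Key == nil { // public-key attempts carry no password
				creds[a.Username+":"+a.Password]++
			}
		}
	}
	for ip, n := range byIP {
		if n >= threshold {
			block = append(block, ip)
		}
	}
	sort.Strings(block) // deterministic order for diffing against a blocklist
	return block, creds, nil
}
// Sample is constructed for this example (documentation-range addresses).
const Sample = `{"IP":"192.0.2.10","Attempts":[{"Username":"admin","Key":{"Type":"ssh-rsa"},"Password":""},{"Username":"admin","Key":null,"Password":"P@SSw0rd"},{"Username":"root","Key":null,"Password":"123456"}]}
{"IP":"198.51.100.7","Attempts":[{"Username":"pi","Key":null,"Password":"raspberry"}]}`
func main() {
	fmt.Println(Analyze(strings.NewReader(Sample), 3))
}
```

The recorded file contains whatever passwords were typed at the sentinel, so treat it and any derived tallies as sensitive data.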

Command line options

        --file-path string       Path to json file to store results
        --http-url string        URL to send post requests to
    -p, --port int               Port to listen on (default 2022)
    -r, --recorder stringArray   recorder to use (can be specified multiple times). Available recorders: file, http

License

MIT

Documentation

Types

type Slossh

type Slossh struct {
	// contains filtered or unexported fields
}

Slossh holds the main object

func New

func New(recs []recorders.Recorder) (*Slossh, error)

New creates a new instance of Slossh

func (*Slossh) HandleConnection

func (s *Slossh) HandleConnection(con net.Conn)

HandleConnection does the work on each incoming connection in a new goroutine

func (*Slossh) Recorder

func (s *Slossh) Recorder()

Recorder receives sessions and passes them on to other integrations

func (*Slossh) Serve

func (s *Slossh) Serve(port int) error

Serve starts the server and waits for connections

Directories

Path Synopsis
cmd
pkg
