Pshitt Save

Passwords of SSH Intruders Transferred to Text

Project README

====== PSHITT


pshitt (for Passwords of SSH Intruders Transferred to Text) is a lightweight fake SSH server designed to collect authentication data sent by intruders. It basically collects username and password used by SSH bruteforce software and writes the extracted data to a file in JSON format.

pshitt is written in Python and uses paramiko to implement the SSH layer.

Installing pshitt

From Python Packaging Index (PyPI) using pip ::

pip install pshitt

Install from source ::

git clone

NOTE: if you are installing from source, make sure you install paramiko and python-daemon packages.

Running pshitt

If you installed via pip ::

./pshitt -o passwords.json

If you installed from source, go into the source directory and run ::

./ -o passwords.json

This will run a fake SSH server listening on port 2200 to catch authentication data sent by the intruders. Information about SSH connection attempt will be stored in the passwords.json using JSON as format ::

{"username": "root", "src_ip": "", "password": "[email protected]",
"src_port": 41397, "timestamp": "2014-06-25T21:35:21.660303"}

Full options are available via '-h' option ::

usage: pshitt [-h] [-o OUTPUT] [-k KEY] [-l LOG] [-p PORT] [-t THREADS] [-v] [-D]

Passwords of SSH Intruders Transferred to Text

optional arguments: -h, --help show this help message and exit -o OUTPUT, --output OUTPUT File to export collected data -k KEY, --key KEY Host RSA key -l LOG, --log LOG File to log info and debug -p PORT, --port PORT TCP port to listen to -t THREADS, --threads THREADS Maximum number of client threads -v, --verbose Show verbose output, use multiple times increase verbosity -D, --daemon Run as unix daemon

Using pshitt data

As the format is JSON, it is easy to use the data in data analysis software such as Splunk or Logstash.

Here's a sample configuration for logstash ::

input { file { path => [ "/var/log/pshitt.log" ] codec => json type => "json-log" } }

filter { # warn logstash that timestamp is the one to use if [type] == "json-log" { date { match => [ "timestamp", "ISO8601" ] } }

 # optional but geoip is interesting
 if [src_ip]  {
     geoip {
         source => "src_ip"
         target => "geoip"
         add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
         add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
     mutate {
         convert => [ "[geoip][coordinates]", "float" ]


output { elasticsearch { host => "localhost" } }

Basically, it is just enough to mention that the pshitt.log file is using JSON format.

Open Source Agenda is not affiliated with "Pshitt" Project. README Source: regit/pshitt
Open Issues
Last Commit
8 months ago

Open Source Agenda Badge

Open Source Agenda Rating