@maheshbhatiya73
Implements a new SSH fail monitor using a kprobe on all processes.

  • Hooks every kprobe entry point and filters based on comm == "sshd"
  • Emits timestamped events via RingBuf including PID, UID, comm, and time
  • Tracks per-UID failure count in a HashMap (UID -> attempt count)
  • Uses bpf_get_current_comm, bpf_get_current_pid_tgid, bpf_get_current_uid_gid, and bpf_ktime_get_ns
  • Adds bpf_printk debug output for each triggered event
  • Includes panic handler and GPL license section for kernel validation

Note: This method is generic and does not attach directly to pam_authenticate.
Future enhancement: Combine with uretprobe on PAM to capture return code and failure reason.
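As an added example, not the PR's or the project's code, here is the userspace side that would read these RingBuf records: it decodes the PID, UID, comm and timestamp fields and mirrors the per-UID attempt counter. The 32-byte little-endian record layout (u32 pid, u32 uid, 16-byte comm, u64 timestamp), the type names and the `sshd` comm check are assumptions.

```rust
use std::collections::HashMap;

/// Record layout assumed for this example (hypothetical, not the PR's struct):
/// u32 pid, u32 uid, [u8; 16] comm, u64 ts_ns, little-endian, 32 bytes, no padding.
pub const EVENT_SIZE: usize = 32;
#[derive(Debug, Clone, PartialEq)]
pub struct SshEvent { pub pid: u32, pub uid: u32, pub comm: String, pub ts_ns: u64 }

fn le32(b: &[u8]) -> u32 { u32::from_le_bytes([b[0], b[1], b[2], b[3]]) }
fn le64(b: &[u8]) -> u64 { u64::from_le_bytes([b[0], b[1], b[2], b[3], b[4], b[5], b[6], b[7]]) }

/// Decode one ring-buffer record; None if the record is shorter than the layout.
pub fn parse_event(buf: &[u8]) -> Option<SshEvent> {
    if buf.len() < EVENT_SIZE { return None; }
    // comm is NUL-padded, as bpf_get_current_comm writes it; cut at the first NUL.
    let raw = &buf[8..24];
    let end = raw.iter().position(|&b| b == 0).unwrap_or(raw.len());
    Some(SshEvent {
        pid: le32(&buf[0..4]),
        uid: le32(&buf[4..8]),
        comm: String::from_utf8_lossy(&raw[..end]).into_owned(),
        ts_ns: le64(&buf[24..32]),
    })
}

/// Userspace mirror of the kernel-side UID -> attempt-count HashMap.
#[derive(Default)]
pub struct FailTracker { counts: HashMap<u32, u64> }
impl FailTracker {
    /// Apply the same comm == "sshd" filter the kprobe uses, then bump the UID's count.
    pub fn record(&mut self, ev: &SshEvent) -> u64 {
        if ev.comm != "sshd" { return self.count(ev.uid); }
        let c = self.counts.entry(ev.uid).or_insert(0);
        *c += 1;
        *c
    }
    pub fn count(&self, uid: u32) -> u64 { self.counts.get(&uid).copied().unwrap_or(0) }
}

/// Build a record the way the BPF side would (constructed sample data, not a real capture).
pub fn encode_event(pid: u32, uid: u32, comm: &str, ts_ns: u64) -> Vec<u8> {
    let mut c = [0u8; 16];
    let n = comm.len().min(15); // keep a trailing NUL, like the 16-byte kernel comm
    c[..n].copy_from_slice(&comm.as_bytes()[..n]);
    let mut out = Vec::with_capacity(EVENT_SIZE);
    out.extend_from_slice(&pid.to_le_bytes());
    out.extend_from_slice(&uid.to_le_bytes());
    out.extend_from_slice(&c);
    out.extend_from_slice(&ts_ns.to_le_bytes());
    out
}
```

Since the kprobe does not attach to `pam_authenticate`, these counts are sshd events rather than confirmed authentication failures, so a detection pipeline should correlate them with sshd's own auth log before alerting.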

…ringbuf eventing

@maheshbhatiya73 maheshbhatiya73 merged commit 040f47d into main Jul 10, 2025
1 check passed