One-shot SSH + web log scanner to flag brute-force and high-volume IPs.
Part of the Red Specter | VIGIL defensive tooling ecosystem.
Threat Recon Watcher v0.1 inspects local logs to highlight suspicious sources:
- SSH brute-force candidates from `/var/log/auth.log`
- High-volume web clients from `/var/log/nginx/access.log` (or the Apache access log)
- Writes a summary and evidence to `/var/log/threat-recon-watcher.log`
It does not send any traffic or change system state — it simply reads logs and reports.
Attackers don’t always show up as giant DDoS waves.
Often, they start with:
- SSH password spraying / brute-force
- Web scanning, path probing and tooling fingerprints
- Repeated noisy requests from the same IP
Most of that noise is sitting quietly in your auth and web logs.
Threat Recon Watcher gives you a quick, opinionated view of:
“Who looks like they’re attacking me right now based on my logs?”
It pairs nicely with:
- DDoS Flood Sentinel → volumetric traffic storms
- Port Surge Guardian → new services/ports opening
- Threat Recon Watcher → hostile IP behaviour in logs
```bash
git clone https://github.com/RichardBarron27/redspecter-threat-recon-watcher.git
cd redspecter-threat-recon-watcher
chmod +x threat-recon-watcher.sh
sudo ./threat-recon-watcher.sh
```
Default log locations:
- SSH log: `/var/log/auth.log`
- Web log: `/var/log/nginx/access.log`

If you use Apache, run instead:

```bash
sudo ./threat-recon-watcher.sh --web-log /var/log/apache2/access.log
```
⚙️ Options
| Flag | Meaning | Default |
| ------------------- | ------------------------------------- | ----------------------------------- |
| `--auth-log PATH` | SSH/auth log path | `/var/log/auth.log` |
| `--web-log PATH` | Web access log path (nginx or apache) | `/var/log/nginx/access.log` |
| `--ssh-lines N` | Last N lines of SSH log to analyse | `2000` |
| `--web-lines N` | Last N lines of web log to analyse | `5000` |
| `--ssh-threshold N` | Failed SSH attempts per IP to flag | `5` |
| `--web-threshold N` | Web requests per IP to flag | `200` |
| `-l, --log-file` | Output log file path | `/var/log/threat-recon-watcher.log` |
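The two checks the options above parameterise (failed SSH logins per source IP and requests per client IP, each compared against a threshold) as an added shell example. This is not the project's `threat-recon-watcher.sh`; it runs on constructed sample lines in the sshd `auth.log` and nginx/Apache combined log formats, and the names `SAMPLE_AUTH`, `SAMPLE_WEB`, `ssh_offenders`, `web_offenders`, `ssh_report` and `web_report` are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not the project's script): count failed SSH logins and web
# requests per IP from constructed sample log lines and print every source
# at or above a threshold, mirroring the two checks the README describes.

# Constructed sample lines in sshd/auth.log format (documentation IPs).
SAMPLE_AUTH='Dec  4 15:01:02 host sshd[1234]: Failed password for root from 203.0.113.45 port 51234 ssh2
Dec  4 15:01:03 host sshd[1235]: Failed password for invalid user admin from 203.0.113.45 port 51235 ssh2
Dec  4 15:01:04 host sshd[1236]: Failed password for root from 198.51.100.7 port 40000 ssh2
Dec  4 15:01:05 host sshd[1237]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2
Dec  4 15:01:06 host sshd[1238]: Failed password for root from 203.0.113.45 port 51236 ssh2'

# Constructed sample lines in the nginx/Apache combined log format.
SAMPLE_WEB='198.51.100.21 - - [04/Dec/2025:15:06:00 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.0"
198.51.100.21 - - [04/Dec/2025:15:06:01 +0000] "GET /admin HTTP/1.1" 404 153 "-" "curl/8.0"
192.0.2.10 - - [04/Dec/2025:15:06:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.21 - - [04/Dec/2025:15:06:03 +0000] "GET /login HTTP/1.1" 404 153 "-" "curl/8.0"'

# Read an auth log on stdin; print "IP count" (highest first) for every
# source with at least THRESHOLD "Failed password" lines.
# Only IPv4 sources are extracted by this regex (an assumption of the example).
ssh_offenders() {
  local threshold="$1"
  grep -E 'sshd\[[0-9]+\]: Failed password for' \
    | sed -nE 's/.* from ([0-9.]+) port .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk -v t="$threshold" '$1 >= t { print $2, $1 }'
}

# Read a combined-format access log on stdin; print "IP count" for every
# client IP (first field) with at least THRESHOLD requests.
web_offenders() {
  local threshold="$1"
  awk '{ print $1 }' | sort | uniq -c | sort -rn \
    | awk -v t="$threshold" '$1 >= t { print $2, $1 }'
}

# Wrappers that run each check over the constructed samples.
ssh_report() { printf '%s\n' "$SAMPLE_AUTH" | ssh_offenders "${1:-5}"; }
web_report() { printf '%s\n' "$SAMPLE_WEB" | web_offenders "${1:-200}"; }

# Stand-alone run with low thresholds so the tiny samples produce output.
ssh_report 2
web_report 3
```

Two caveats a defender should keep in mind when reading the counts: sshd also logs failures as `Invalid user ... from IP` and `Connection closed by authenticating user ...` lines, so a count based on `Failed password` alone is a lower bound; and on a host behind a reverse proxy or load balancer the first field of the access log is the proxy's address, so per-IP request counts need the forwarded client address instead.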
🧪 Example Output
Typical “clean” run:

```
[2025-12-04T15:06:54Z] [INFO] Starting Threat Recon Watcher v0.1
[2025-12-04T15:06:54Z] [INFO] Using AUTH_LOG=/var/log/auth.log, WEB_LOG=/var/log/nginx/access.log
[2025-12-04T15:06:54Z] [INFO] SSH_THRESHOLD=5, WEB_THRESHOLD=200
[*] Analysing SSH log: /var/log/auth.log (last 2000 lines)
[OK] No SSH IPs above threshold (5 failed attempts).
[*] Analysing Web log: /var/log/nginx/access.log (last 5000 lines)
[OK] No web IPs above threshold (200 requests).
[*] Threat Recon Watcher v0.1 completed.
```
Example when something noisy shows up (future / lab scenario):

```
[ALERT] Suspicious SSH sources:
- 203.0.113.45 (12 failed attempts)
[ALERT] High-volume web sources:
- 198.51.100.21 (432 requests in last 5000 lines)
```

The log file (`/var/log/threat-recon-watcher.log`) will contain matching entries.
📌 Screenshot(s) can be added later once you have some interesting output.
🛑 Safety & Ethics
- Defensive-only
- Reads logs only
- No packets sent
- No firewall or config changes
Use it only on systems and networks you are authorized to monitor.
🚀 Roadmap
Planned enhancements:
- Basic pattern rules for common attack URIs (e.g. `wp-login.php`, `/phpmyadmin/`, etc.)
- 4xx/5xx-heavy IP heuristics (error-based suspicious scoring)
- Local blocklist integration for “known bad” IPs
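The 4xx/5xx-heavy heuristic listed above, as an added shell example of how such scoring can work: it is not part of Threat Recon Watcher, and the names `SAMPLE_WEB`, `error_heavy` and `error_report` plus the constructed combined-format log lines are this example's own. An IP is flagged only once it has sent a minimum number of requests, so a single visitor's stray 404 does not trip it.

```bash
#!/usr/bin/env bash
# Added example (not the project's script): flag clients whose share of
# 4xx/5xx responses is at or above a ratio, once they have sent at least a
# minimum number of requests. Illustrates the roadmap's error-based scoring.

# Constructed combined-log sample: one client probing paths named in the
# README's roadmap (mostly 404/403), one ordinary visitor with a lone 404.
SAMPLE_WEB='203.0.113.9 - - [04/Dec/2025:16:00:00 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.9 - - [04/Dec/2025:16:00:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.9 - - [04/Dec/2025:16:00:02 +0000] "GET /login HTTP/1.1" 403 153 "-" "python-requests/2.31"
203.0.113.9 - - [04/Dec/2025:16:00:03 +0000] "GET / HTTP/1.1" 200 612 "-" "python-requests/2.31"
192.0.2.10 - - [04/Dec/2025:16:00:04 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.10 - - [04/Dec/2025:16:00:05 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.10 - - [04/Dec/2025:16:00:06 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'

# Read a combined-format log on stdin and print "IP errors/total" for each
# client IP with >= MIN_REQUESTS requests and an error share >= RATIO.
# Assumes a well-formed request line ("METHOD PATH PROTO"), which puts the
# status code in field 9; malformed request lines would shift that field.
error_heavy() {
  local min_requests="$1" ratio="$2"
  awk -v min="$min_requests" -v r="$ratio" '
    { total[$1]++; if ($9 ~ /^[45][0-9][0-9]$/) errors[$1]++ }
    END {
      for (ip in total)
        if (total[ip] >= min && errors[ip] / total[ip] >= r)
          printf "%s %d/%d\n", ip, errors[ip], total[ip]
    }' | sort
}

# Wrapper that scores the constructed sample.
error_report() { printf '%s\n' "$SAMPLE_WEB" | error_heavy "$1" "$2"; }

# Stand-alone run: at least 3 requests, half or more of them errors.
error_report 3 0.5
```

Lowering the ratio to 0.3 with the same minimum also lists `192.0.2.10 1/3`, which shows why the two knobs belong together: a ratio alone over-flags low-volume clients, and a minimum request count alone is just the existing high-volume check.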
Python v1.0:
- Optional integration with public threat feeds (e.g. AbuseIPDB)
- JSON output for SIEM/SOC workflows
- Slack / webhook alerting
❤️ Support Red Specter
If this tool (and the wider Red Specter suite) helps you, you can support future development:
☕ Buy Me A Coffee
https://www.buymeacoffee.com/redspecter
💼 PayPal
https://paypal.me/richardbarron1747
Your support directly helps build more ethical cyber defense tools. 🛡️⚡
Red Specter values:
Ethical Intelligence. Precision. Integrity.
Notice for Users: If you cloned this and found it useful, please consider starring the repo! Stars help with visibility and let me know which projects to maintain.