secrds is a security monitoring tool that uses eBPF (Extended Berkeley Packet Filter) to monitor SSH connections and authentication events on Linux systems. It tracks SSH accept connections and authentication attempts in real-time, providing detailed logging of SSH activity.
This tool monitors your system's SSH activity by:
- Tracking SSH connection accept events
- Monitoring SSH authentication attempts
- Logging all SSH-related activity to help you understand who is connecting to your system
Requirements:
- Linux kernel with eBPF support (Linux 4.9+)
- Go 1.21 or later
- Clang compiler with BPF target support
- Root/sudo privileges to run the monitoring tool
To build the project, run:
```
make all
```
This will:
- Compile the BPF programs (`.bpf.o` files)
- Build the Go binary (`secrds`)
After building, run the tool with sudo privileges:
```
sudo ./secrds
```
Or use the Makefile shortcut:
```
make run
```
The tool will start monitoring SSH events and log them to `/var/log/secrds` (or `/etc/secrds/logs` if `/var/log` is not available).
To remove build artifacts:
```
make clean
```
secrds uses eBPF tracepoints and uprobes to hook into SSH-related system calls and library functions. It captures events as they happen and logs them for security analysis and monitoring purposes.
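The accept and authentication events described above are only useful once something reads the log and looks for patterns. The following Go program is an added example, not part of secrds: it parses log lines in an assumed `<RFC3339 time> <kind> key=value ...` layout (the real secrds log format is not documented here), then runs a per-source sliding window to flag addresses with a burst of failed authentications. The sample log is constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// SSHEvent is one parsed log line. The field layout is an assumption made
// for this example; the real secrds log format is not documented on this page.
type SSHEvent struct {
	Time   time.Time
	Kind   string // "accept" or "auth"
	Result string // "ok" or "fail" (auth events only)
	Src    string
	User   string
}

// ParseLine parses one line of the assumed form:
//   <RFC3339 time> <kind> result=<ok|fail> src=<ip> user=<name>
func ParseLine(line string) (SSHEvent, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return SSHEvent{}, fmt.Errorf("malformed line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return SSHEvent{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	ev := SSHEvent{Time: ts, Kind: fields[1]}
	for _, kv := range fields[2:] {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			continue // tolerate stray tokens rather than dropping the event
		}
		switch k {
		case "result":
			ev.Result = v
		case "src":
			ev.Src = v
		case "user":
			ev.User = v
		}
	}
	if ev.Src == "" {
		return SSHEvent{}, fmt.Errorf("missing src in %q", line)
	}
	return ev, nil
}

// ParseLog parses every line of a log, skipping malformed ones.
func ParseLog(text string) []SSHEvent {
	var events []SSHEvent
	for _, line := range strings.Split(text, "\n") {
		if ev, err := ParseLine(line); err == nil {
			events = append(events, ev)
		}
	}
	return events
}

// FailedAuthBursts returns, sorted, every source address that produced at
// least `threshold` failed auth events inside some span of length `window`.
// Failures are grouped per source, sorted by time, and scanned with a
// sliding window so the check is linear in the number of events.
func FailedAuthBursts(events []SSHEvent, window time.Duration, threshold int) []string {
	bySrc := map[string][]time.Time{}
	for _, ev := range events {
		if ev.Kind == "auth" && ev.Result == "fail" {
			bySrc[ev.Src] = append(bySrc[ev.Src], ev.Time)
		}
	}
	var flagged []string
	for src, times := range bySrc {
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		start := 0
		for end := range times {
			for times[end].Sub(times[start]) > window {
				start++ // shrink the window until it fits
			}
			if end-start+1 >= threshold {
				flagged = append(flagged, src)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

// sampleLog is constructed input for this example, not real secrds output.
const sampleLog = `2024-05-01T10:00:00Z accept src=10.0.0.5
2024-05-01T10:00:01Z auth result=fail src=10.0.0.5 user=root
2024-05-01T10:00:03Z auth result=fail src=10.0.0.5 user=admin
2024-05-01T10:00:04Z auth result=fail src=10.0.0.5 user=root
2024-05-01T10:00:06Z auth result=fail src=10.0.0.5 user=oracle
2024-05-01T10:00:10Z auth result=fail src=10.0.0.5 user=root
2024-05-01T10:05:00Z accept src=192.168.1.20
2024-05-01T10:05:02Z auth result=fail src=192.168.1.20 user=alice
2024-05-01T10:05:09Z auth result=ok src=192.168.1.20 user=alice`

func main() {
	events := ParseLog(sampleLog)
	for _, src := range FailedAuthBursts(events, time.Minute, 5) {
		fmt.Printf("ALERT: 5+ failed SSH logins from %s within 1m\n", src)
	}
}
```

With the sample above, only `10.0.0.5` is flagged: it has five failures in nine seconds, while `192.168.1.20` has a single failure followed by a successful login. The threshold and window are the knobs to tune against your own baseline of legitimate mistyped passwords.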