is-it-safe 5.0.0__tar.gz

is_it_safe-5.0.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Mithun
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

is_it_safe-5.0.0/PKG-INFO

@@ -0,0 +1,92 @@
+Metadata-Version: 2.4
+Name: is-it-safe
+Version: 5.0.0
+Summary: Stealthy Security Layer Detector (WAF/IDS/IPS/Fail2Ban)
+Author-email: Mithun <mitchastertheblaster@gmail.com>
+Project-URL: Homepage, https://github.com/mithun/is-it-safe
+Project-URL: Bug Tracker, https://github.com/mithun/is-it-safe/issues
+Classifier: Programming Language :: Python :: 3
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: OS Independent
+Classifier: Topic :: Security
+Requires-Python: >=3.8
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: requests>=2.31.0
+Requires-Dist: urllib3>=2.0.0
+Requires-Dist: rich>=13.7.0
+Requires-Dist: ipaddress>=1.0.23
+Requires-Dist: scapy>=2.5.0
+Requires-Dist: paramiko>=3.4.0
+Provides-Extra: test
+Requires-Dist: pytest>=7.4.0; extra == "test"
+Requires-Dist: pytest-mock>=3.12.0; extra == "test"
+Dynamic: license-file
+
+# is-it-safe 🛡️
+
+[![PyPI version](https://img.shields.io/pypi/v/is-it-safe.svg)](https://pypi.org/project/is-it-safe/)
+[![Python versions](https://img.shields.io/pypi/pyversions/is-it-safe.svg)](https://pypi.org/project/is-it-safe/)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+
+**Stealthy Security Layer Fingerprinting & Detection v5.0**
+
+`is-it-safe` is a modern, high-performance security utility designed to map and identify protective layers surrounding a target without triggering aggressive defense mechanisms. It provides deep visibility into infrastructure security by fingerprinting WAFs, IDS/IPS, and automated blocking systems.
+
+##  Key Features
+
+*   🛡️ **WAF Fingerprinting:** Identifies 10+ major WAF vendors (Cloudflare, Akamai, AWS, Imperva, etc.) via signature-based and behavioral analysis.
+*   🕵️ **Stealth-First Detection:** Implements adaptive jitter, randomized headers, and low-signal request patterns to bypass basic rate-limiters and heuristics.
+*   🚦 **IDS/IPS Probing:** Uses low-level TCP signals and HTTP response anomalies to detect deep packet inspection and network-level interception.
+*   🚫 **Fail2Ban Discovery:** Safely identifies SSH tarpits, "honey-pots," and active ban policies through non-destructive authentication probing.
+*   🎨 **Modern Interface:** Built with `rich` for professional, structured terminal output and high-visibility results.
+*   🤖 **Automation Ready:** Native JSON output mode for seamless integration into larger security pipelines.
+
+##  Installation
+
+### The Modern Way (Recommended)
+Use [uv](https://github.com/astral-sh/uv) for the fastest experience:
+
+```bash
+# Run instantly without installing
+uvx is-it-safe example.com
+
+# Or install it
+uv pip install is-it-safe
+```
+
+### The Traditional Way
+```bash
+pip install is-it-safe
+```
+
+### From Source
+```bash
+git clone https://github.com/your-username/is-it-safe.git
+cd is-it-safe
+pip install .
+```
+
+## 🛠 Usage
+
+```bash
+# Basic scan
+is-it-safe example.com
+
+# Verbose scan with stealth enabled
+is-it-safe example.com --stealth --verbose
+
+# Scan specific SSH port for Fail2Ban
+sudo is-it-safe example.com --ssh-port 2222
+
+# Output results as JSON
+is-it-safe example.com --json > results.json
+```
+
+> [!IMPORTANT]
+> Some IDS/IPS detection features require **root privileges** for raw socket access.
+
+## 📜 License
+
+This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
+

is_it_safe-5.0.0/README.md

@@ -0,0 +1,67 @@
+# is-it-safe 🛡️
+
+[![PyPI version](https://img.shields.io/pypi/v/is-it-safe.svg)](https://pypi.org/project/is-it-safe/)
+[![Python versions](https://img.shields.io/pypi/pyversions/is-it-safe.svg)](https://pypi.org/project/is-it-safe/)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+
+**Stealthy Security Layer Fingerprinting & Detection v5.0**
+
+`is-it-safe` is a modern, high-performance security utility designed to map and identify protective layers surrounding a target without triggering aggressive defense mechanisms. It provides deep visibility into infrastructure security by fingerprinting WAFs, IDS/IPS, and automated blocking systems.
+
+##  Key Features
+
+*   🛡️ **WAF Fingerprinting:** Identifies 10+ major WAF vendors (Cloudflare, Akamai, AWS, Imperva, etc.) via signature-based and behavioral analysis.
+*   🕵️ **Stealth-First Detection:** Implements adaptive jitter, randomized headers, and low-signal request patterns to bypass basic rate-limiters and heuristics.
+*   🚦 **IDS/IPS Probing:** Uses low-level TCP signals and HTTP response anomalies to detect deep packet inspection and network-level interception.
+*   🚫 **Fail2Ban Discovery:** Safely identifies SSH tarpits, "honey-pots," and active ban policies through non-destructive authentication probing.
+*   🎨 **Modern Interface:** Built with `rich` for professional, structured terminal output and high-visibility results.
+*   🤖 **Automation Ready:** Native JSON output mode for seamless integration into larger security pipelines.
+
+##  Installation
+
+### The Modern Way (Recommended)
+Use [uv](https://github.com/astral-sh/uv) for the fastest experience:
+
+```bash
+# Run instantly without installing
+uvx is-it-safe example.com
+
+# Or install it
+uv pip install is-it-safe
+```
+
+### The Traditional Way
+```bash
+pip install is-it-safe
+```
+
+### From Source
+```bash
+git clone https://github.com/your-username/is-it-safe.git
+cd is-it-safe
+pip install .
+```
+
+## 🛠 Usage
+
+```bash
+# Basic scan
+is-it-safe example.com
+
+# Verbose scan with stealth enabled
+is-it-safe example.com --stealth --verbose
+
+# Scan specific SSH port for Fail2Ban
+sudo is-it-safe example.com --ssh-port 2222
+
+# Output results as JSON
+is-it-safe example.com --json > results.json
+```
+
+> [!IMPORTANT]
+> Some IDS/IPS detection features require **root privileges** for raw socket access.
+
+## 📜 License
+
+This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
+

is_it_safe-5.0.0/pyproject.toml

@@ -0,0 +1,43 @@
+[build-system]
+requires = ["setuptools>=61.0"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "is-it-safe"
+version = "5.0.0"
+authors = [
+  { name="Mithun", email="mitchastertheblaster@gmail.com" },
+]
+description = "Stealthy Security Layer Detector (WAF/IDS/IPS/Fail2Ban)"
+readme = "README.md"
+requires-python = ">=3.8"
+classifiers = [
+    "Programming Language :: Python :: 3",
+    "License :: OSI Approved :: MIT License",
+    "Operating System :: OS Independent",
+    "Topic :: Security",
+]
+dependencies = [
+    "requests>=2.31.0",
+    "urllib3>=2.0.0",
+    "rich>=13.7.0",
+    "ipaddress>=1.0.23",
+    "scapy>=2.5.0",
+    "paramiko>=3.4.0",
+]
+
+[project.optional-dependencies]
+test = [
+    "pytest>=7.4.0",
+    "pytest-mock>=3.12.0",
+]
+
+[project.urls]
+"Homepage" = "https://github.com/mithun/is-it-safe"
+"Bug Tracker" = "https://github.com/mithun/is-it-safe/issues"
+
+[project.scripts]
+is-it-safe = "is_it_safe.main:main"
+
+[tool.setuptools.packages.find]
+where = ["src"]

is_it_safe-5.0.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

is_it_safe-5.0.0/src/is_it_safe/main.py

@@ -0,0 +1,181 @@
+#!/usr/bin/env python3
+import argparse
+import sys
+import logging
+import json
+from typing import Optional, Dict, Any, List
+import urllib3
+from urllib.parse import urlparse
+
+from rich.console import Console
+from rich.table import Table
+from rich.panel import Panel
+from rich.logging import RichHandler
+from rich.theme import Theme
+
+from .modules.waf import detect_waf
+from .modules.ids_ips import detect_ids_ips
+from .modules.network import identify_network_layer
+from .modules.fail2ban import detect_fail2ban
+
+# Suppress insecure request warnings
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+# Custom theme for professional look
+custom_theme = Theme({
+    "info": "cyan",
+    "warning": "yellow",
+    "error": "bold red",
+    "success": "bold green",
+    "high": "bold green",
+    "medium": "bold yellow",
+    "low": "dim white",
+})
+
+console = Console(theme=custom_theme)
+
+def setup_logging(verbose: bool):
+    """Configure logging with Rich."""
+    logging.basicConfig(
+        level=logging.DEBUG if verbose else logging.WARNING,
+        format="%(message)s",
+        datefmt="[%X]",
+        handlers=[RichHandler(rich_tracebacks=True, console=console)]
+    )
+    
+    # Suppress verbose urllib3 retry warnings
+    logging.getLogger('urllib3').setLevel(logging.ERROR)
+
+def banner():
+    """Print a stylish banner."""
+    banner_text = """
+    ╔╦╗╔═╗  ╦╔╦╗  ╔═╗╔═╗╔═╗╔═╗
+     ║ ╚═╗  ║ ║   ╚═╗╠═╣╠╣ ║╣ 
+    ╩ ╚═╝  ╩ ╩   ╚═╝╩ ╩╚  ╚═╝
+    Stealthy Security Layer Detector v5.0
+    """
+    console.print(Panel(banner_text, style="info", expand=False))
+
+def validate_url(target: str) -> tuple[Optional[str], Optional[str], Optional[str]]:
+    """Validate and normalize the target URL."""
+    if not target:
+        return None, None, "No target provided"
+    
+    if not target.startswith(('http://', 'https://')):
+        normalized_url = f"https://{target}"
+    else:
+        normalized_url = target
+        
+    try:
+        parsed = urlparse(normalized_url)
+        if not parsed.netloc:
+            return None, target, "Missing hostname"
+        return normalized_url, parsed.netloc, None
+    except Exception as e:
+        return None, None, f"URL parsing error: {e}"
+
+def display_results(results: Dict[str, Any], verbose: bool):
+    """Display scan results in a professional table."""
+    table = Table(title=f"Scan Results for: [bold]{results['target']}[/bold]", show_header=True, header_style="bold magenta")
+    table.add_column("Category", style="cyan")
+    table.add_column("Detection", style="white")
+    table.add_column("Confidence", justify="center")
+    
+    categories = {
+        "WAF": results["waf"],
+        "Network": results["network"],
+        "Fail2Ban": results["fail2ban"],
+        "IDS/IPS": results["ids_ips"]
+    }
+    
+    for cat_name, detections in categories.items():
+        for i, d in enumerate(detections):
+            conf = d.get("confidence", "low")
+            conf_style = f"[{conf}]{conf}[/]"
+            
+            row_name = cat_name if i == 0 else ""
+            table.add_row(row_name, d["name"], conf_style)
+            
+            if verbose and d.get("details"):
+                table.add_row("", f"[dim]> {d['details']}[/dim]", "")
+        
+        table.add_section()
+        
+    console.print(table)
+
+def main():
+    parser = argparse.ArgumentParser(
+        description="is-it-safe: Stealthy WAF/IDS/IPS/fail2ban detector v5.0",
+        formatter_class=argparse.ArgumentDefaultsHelpFormatter
+    )
+    parser.add_argument("target", nargs="?", help="Target URL, Hostname, or IP")
+    parser.add_argument("-v", "--version", action="store_true", help="Show version and exit")
+    parser.add_argument("-s", "--stealth", action="store_true", help="Enable maximum stealth (higher jitter)")
+    parser.add_argument("--timeout", type=int, default=10, help="Request timeout in seconds")
+    parser.add_argument("--jitter", action="store_true", help="Add random delays between requests")
+    parser.add_argument("--verbose", action="store_true", help="Show detailed detection signals")
+    parser.add_argument("--json", action="store_true", help="Output results in JSON format")
+    parser.add_argument("--ssh-port", type=int, default=22, help="SSH port for fail2ban detection")
+    args = parser.parse_args()
+
+    if args.version:
+        console.print("is-it-safe v5.0.0")
+        sys.exit(0)
+
+    if not args.target:
+        parser.print_help()
+        console.print("\n[info]Example:[/] [bold]is-it-safe example.com[/bold]")
+        sys.exit(1)
+    
+    setup_logging(args.verbose)
+    
+    url, host, error = validate_url(args.target)
+    
+    if not host:
+        console.print(f"[error]Error:[/] {error}")
+        sys.exit(1)
+
+    if not args.json:
+        banner()
+        console.print(f"[*] Starting scan for [bold cyan]{host}[/]...")
+    
+    # Check if HTTP service is available
+    http_available = url is not None
+    
+    with console.status("[bold green]Scanning security layers...") as status:
+        if http_available:
+            status.update("[bold green]Detecting WAF...")
+            waf_results = detect_waf(url, timeout=args.timeout, jitter=args.jitter or args.stealth)
+            
+            status.update("[bold green]Identifying Network Layer...")
+            network_results = identify_network_layer(url, host=host)
+        else:
+            waf_results = [{"name": "No HTTP service detected", "confidence": "low", "details": "Target has no web service on port 80/443"}]
+            network_results = [{"name": "No HTTP service detected", "confidence": "low", "details": "Target has no web service on port 80/443"}]
+        
+        status.update("[bold green]Probing for Fail2Ban (SSH)...")
+        fail2ban_results = detect_fail2ban(host, port=args.ssh_port)
+        
+        status.update("[bold green]Testing IDS/IPS signals...")
+        if http_available:
+            ids_results = detect_ids_ips(host, url=url, use_tcp=True)
+        else:
+            ids_results = [{"name": "No HTTP service", "confidence": "low", "details": "Skipped - no web service to test"}]
+
+    results = {
+        "target": host,
+        "http_available": http_available,
+        "waf": waf_results,
+        "network": network_results,
+        "fail2ban": fail2ban_results,
+        "ids_ips": ids_results
+    }
+
+    if args.json:
+        print(json.dumps(results, indent=2))
+    else:
+        display_results(results, args.verbose)
+        console.print("\n[success]Scan complete.[/]")
+
+if __name__ == "__main__":
+    main()

is_it_safe-5.0.0/src/is_it_safe/modules/fail2ban.py

@@ -0,0 +1,176 @@
+"""fail2ban detection module for is-it-safe."""
+import logging
+import socket
+import time
+import ipaddress
+from typing import List, Dict, Tuple, Optional
+from .utils import resolve_host
+
+logger = logging.getLogger(__name__)
+
+PARAMIKO_AVAILABLE = False
+try:
+    import paramiko # type: ignore
+    PARAMIKO_AVAILABLE = True
+except ImportError:
+    logger.warning("paramiko not installed - SSH detection limited. Install: pip install paramiko")
+
+INVALID_USERNAMES = ["admin", "root", "user", "test", "guest", "oracle", "ubuntu"]
+DEFAULT_SSH_PORT = 22
+MAX_ATTEMPTS = 4
+
+def is_valid_target(target: str) -> Tuple[bool, Optional[str]]:
+    """Validate that target is a valid IP or hostname."""
+    if not target:
+        return False, "No target provided"
+    
+    try:
+        ipaddress.ip_address(target)
+        return True, None
+    except ValueError:
+        pass
+    
+    if len(target) < 1 or len(target) > 253:
+        return False, "Invalid hostname length"
+    
+    allowed = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-.")
+    if not all(c in allowed for c in target):
+        return False, "Invalid characters in target"
+    
+    return True, None
+
+def check_ssh_banner(target_host: str, port: int = 22, timeout: int = 5) -> Optional[str]:
+    """Grab SSH banner to identify service."""
+    try:
+        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
+            sock.settimeout(timeout)
+            sock.connect((target_host, port))
+            banner = sock.recv(1024).decode('utf-8', errors='ignore').strip()
+            return banner
+    except Exception as e:
+        logger.debug(f"SSH banner grab failed: {e}")
+        return None
+
+def detect_fail2ban_ssh(target_host: str, port: int = 22, timeout: int = 5) -> List[Dict[str, str]]:
+    """Detect fail2ban by probing SSH with multiple auth attempts."""
+    results = []
+    
+    if not PARAMIKO_AVAILABLE:
+        return [{"name": "paramiko not installed", "confidence": "low", 
+                 "details": "pip install paramiko for SSH detection"}]
+    
+    try:
+        client = paramiko.SSHClient()
+        client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+        
+        for i, username in enumerate(INVALID_USERNAMES[:MAX_ATTEMPTS]):
+            start_time = time.time()
+            try:
+                client.connect(
+                    target_host, 
+                    port=port, 
+                    username=username, 
+                    password="wrong_password_12345",
+                    timeout=timeout,
+                    allow_agent=False,
+                    look_for_keys=False
+                )
+                client.close()
+            except paramiko.AuthenticationException:
+                elapsed = time.time() - start_time
+                if elapsed > 3:
+                    results.append({
+                        "name": "Fail2Ban SSH",
+                        "confidence": "high",
+                        "details": f"Slow auth ({elapsed:.1f}s) after {i+1} attempts - possible tarpit"
+                    })
+                    break
+            except paramiko.SSHException as e:
+                error_msg = str(e).lower()
+                if "too many" in error_msg or "ban" in error_msg or "denied" in error_msg:
+                    results.append({
+                        "name": "Fail2Ban SSH",
+                        "confidence": "high",
+                        "details": f"Blocked: {e}"
+                    })
+                    break
+            except socket.timeout:
+                results.append({
+                    "name": "Fail2Ban SSH",
+                    "confidence": "medium", 
+                    "details": "Connection timeout - possible SSH tarpit"
+                })
+                break
+            except EOFError:
+                results.append({
+                    "name": "Fail2Ban SSH", 
+                    "confidence": "high",
+                    "details": "EOF received - possibly banned"
+                })
+                break
+            except Exception as e:
+                logger.debug(f"SSH probe {i+1} error: {e}")
+                
+            time.sleep(0.5)
+            
+    except Exception as e:
+        logger.debug(f"SSH Detection error: {e}")
+    
+    return results
+
+def detect_ssh_service(target_host: str, port: int = 22) -> List[Dict[str, str]]:
+    """Basic SSH service detection."""
+    results = []
+    
+    banner = check_ssh_banner(target_host, port)
+    if banner:
+        if "openssh" in banner.lower():
+            results.append({
+                "name": "SSH (OpenSSH)",
+                "confidence": "high",
+                "details": banner.strip()
+            })
+        elif "dropbear" in banner.lower():
+            results.append({
+                "name": "SSH (Dropbear)",
+                "confidence": "high", 
+                "details": banner.strip()
+            })
+        else:
+            results.append({
+                "name": "SSH Service",
+                "confidence": "medium",
+                "details": banner.strip()
+            })
+    
+    return results
+
+def detect_fail2ban(target: str, port: int = 22) -> List[Dict[str, str]]:
+    """Combined fail2ban detection for SSH."""
+    all_results = []
+    
+    valid, error = is_valid_target(target)
+    if not valid:
+        return [{"name": "Invalid target", "confidence": "low", "details": error or "Target validation failed"}]
+    
+    host = target
+    if "://" in host:
+        host = host.split("://")[1].split("/")[0]
+    
+    if not host:
+        return [{"name": "No target", "confidence": "low", "details": "Invalid target"}]
+    
+    ssh_service = detect_ssh_service(host, port)
+    if not ssh_service:
+        all_results.append({"name": "No SSH service", "confidence": "low", "details": "SSH port closed/not found"})
+        return all_results
+    
+    all_results.extend(ssh_service)
+    
+    if PARAMIKO_AVAILABLE:
+        fail2ban_results = detect_fail2ban_ssh(host, port)
+        all_results.extend(fail2ban_results)
+    else:
+        all_results.append({"name": "paramiko needed", "confidence": "low", "details": "Install paramiko for fail2ban detection"})
+    
+    return all_results

is_it_safe-5.0.0/src/is_it_safe/modules/ids_ips.py

@@ -0,0 +1,104 @@
+"""IDS/IPS detection module for is-it-safe."""
+import os
+import logging
+import time
+from typing import List, Dict, Any, Optional
+from .utils import safe_request
+
+logger = logging.getLogger(__name__)
+
+SCAPY_AVAILABLE = False
+try:
+    from scapy.all import IP, TCP, sr1 # type: ignore
+    SCAPY_AVAILABLE = True
+except ImportError:
+    logger.warning("scapy not installed - TCP-level IDS/IPS detection disabled")
+
+def detect_ids_ips_tcp(target_host: str, port: int = 80) -> List[Dict[str, str]]:
+    """Detect IDS/IPS using TCP-level signals."""
+    results = []
+    
+    if not SCAPY_AVAILABLE:
+        results.append({"name": "scapy required", "confidence": "low", "details": "Install scapy for TCP detection: pip install scapy"})
+        return results
+    
+    if os.geteuid() != 0:
+        results.append({"name": "root required", "confidence": "low", "details": "Run as root for TCP-level IDS/IPS detection"})
+        return results
+    
+    try:
+        # 1. Test for TCP Reset on suspicious payload-like sequence numbers or unusual flags
+        pkt_syn = IP(dst=target_host)/TCP(dport=port, flags="S", seq=12345)
+        start = time.time()
+        ans = sr1(pkt_syn, timeout=2, verbose=0)
+        
+        if not ans:
+            results.append({"name": "Packet Drop", "confidence": "medium", "details": "No response to SYN packet"})
+        elif ans.haslayer(TCP):
+            if ans[TCP].flags == 0x14: # RST-ACK
+                results.append({"name": "TCP Reset", "confidence": "high", "details": "Immediate RST received"})
+        
+        # 2. Timing anomalies (Latency spikes)
+        latencies = []
+        for _ in range(3):
+            s = time.time()
+            sr1(IP(dst=target_host)/TCP(dport=port, flags="S"), timeout=1, verbose=0)
+            latencies.append(time.time() - s)
+        
+        if max(latencies) - min(latencies) > 0.5:
+             results.append({"name": "Timing Anomaly", "confidence": "low", "details": "Jitter/latency spike detected"})
+
+    except Exception as e:
+        logger.warning(f"TCP IDS/IPS detection error: {e}")
+    
+    return results
+
+def detect_ids_ips_http(target_url: str) -> List[Dict[str, str]]:
+    """Detect IDS/IPS using HTTP-level signals (Rate limiting, blocking)."""
+    results = []
+    
+    # 1. Rate limiting behavior
+    codes = []
+    for _ in range(5):
+        resp = safe_request(target_url, timeout=5)
+        if resp:
+            codes.append(resp.status_code)
+        else:
+            codes.append(None)
+    
+    if 429 in codes:
+        results.append({"name": "Rate Limiting", "confidence": "high", "details": "HTTP 429 received after rapid requests"})
+    elif codes.count(None) >= 2:
+        results.append({"name": "Connection Instability", "confidence": "medium", "details": "Intermittent connection drops detected"})
+
+    # 2. Suspicious payload blocking
+    suspicious_payloads = ["/etc/passwd", "?id=1' OR '1'='1"]
+    for p in suspicious_payloads:
+        try:
+            resp = safe_request(target_url + p, timeout=5)
+            if resp is None:
+                results.append({"name": "Likely IPS", "confidence": "high", "details": f"Connection reset on payload: {p}"})
+        except Exception:
+            pass
+
+    return results
+
+def detect_ids_ips(target: str, url: Optional[str] = None, use_tcp: bool = True) -> List[Dict[str, str]]:
+    """Combined IDS/IPS detection."""
+    all_results = []
+    
+    if url:
+        all_results.extend(detect_ids_ips_http(url))
+    
+    if use_tcp:
+        host = target
+        if "://" in host:
+            host = host.split("://")[1].split("/")[0]
+        
+        tcp_res = detect_ids_ips_tcp(host)
+        all_results.extend(tcp_res)
+    
+    if not all_results:
+        return [{"name": "No strong evidence", "confidence": "low", "details": "No IDS/IPS signals detected"}]
+    
+    return all_results

is_it_safe-5.0.0/src/is_it_safe/modules/network.py

@@ -0,0 +1,53 @@
+"""Network layer identification module for is-it-safe."""
+import logging
+import socket
+from typing import List, Dict
+from .utils import safe_request, resolve_host
+
+logger = logging.getLogger(__name__)
+
+CDN_SIGNATURES = {
+    "Cloudflare": ["cloudflare", "cf-ray"],
+    "Akamai": ["akamai", "edgekey"],
+    "AWS CloudFront": ["cloudfront"],
+    "Fastly": ["fastly"],
+    "Google Cloud": ["google"],
+    "Azure Front Door": ["azure"],
+    "Incapsula": ["incapsula", "imperva"]
+}
+
+def identify_network_layer(url: str, host: str) -> List[Dict[str, str]]:
+    """Identify CDN and infrastructure providers."""
+    results = []
+    
+    # 1. DNS-based identification (CNAME/PTR)
+    try:
+        # Basic reverse DNS check if possible, or just look for known patterns in hostname
+        addr = resolve_host(host)
+        if addr:
+            try:
+                ptr = socket.gethostbyaddr(addr)[0]
+                for provider, sigs in CDN_SIGNATURES.items():
+                    for sig in sigs:
+                        if sig in ptr.lower():
+                            results.append({"name": f"{provider} (DNS)", "confidence": "high", "details": f"PTR: {ptr}"})
+                            break
+            except (socket.herror, socket.gaierror):
+                pass
+    except Exception as e:
+        logger.debug(f"DNS identification error: {e}")
+
+    # 2. Header-based identification (redundant with WAF but good for network layer)
+    resp = safe_request(url, timeout=5)
+    if resp:
+        server_header = resp.headers.get("Server", "").lower()
+        for provider, sigs in CDN_SIGNATURES.items():
+            for sig in sigs:
+                if sig in server_header:
+                    results.append({"name": f"{provider} (Header)", "confidence": "high", "details": f"Server: {resp.headers.get('Server')}"})
+                    break
+
+    if not results:
+        results.append({"name": "Generic Infrastructure", "confidence": "low", "details": "No specific CDN/Cloud provider detected"})
+        
+    return results

is_it_safe-5.0.0/src/is_it_safe/modules/utils.py

@@ -0,0 +1,101 @@
+"""Utility functions for is-it-safe."""
+import logging
+import random
+import time
+import socket
+from typing import Optional, Dict, List, Any
+import requests
+from requests.adapters import HTTPAdapter
+from urllib3.util.retry import Retry
+
+logger = logging.getLogger(__name__)
+
+USER_AGENTS = [
+    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
+    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36",
+    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
+    "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0",
+    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Safari/605.1.15",
+    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Edge/120.0.0.0"
+]
+
+def get_random_headers() -> Dict[str, str]:
+    """Return randomized HTTP headers."""
+    return {
+        "User-Agent": random.choice(USER_AGENTS),
+        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
+        "Accept-Language": "en-US,en;q=0.5",
+        "Accept-Encoding": "gzip, deflate, br",
+        "Connection": "keep-alive",
+        "Upgrade-Insecure-Requests": "1",
+        "Sec-Fetch-Dest": "document",
+        "Sec-Fetch-Mode": "navigate",
+        "Sec-Fetch-Site": "none",
+        "Sec-Fetch-User": "?1",
+        "DNT": "1"
+    }
+
+def apply_jitter(enabled: bool = True, min_delay: float = 0.5, max_delay: float = 1.5) -> None:
+    """Add random delay between requests for stealth."""
+    if enabled:
+        delay = random.uniform(min_delay, max_delay)
+        logger.debug(f"Applying jitter: {delay:.2f}s")
+        time.sleep(delay)
+
+def resolve_host(target: str) -> Optional[str]:
+    """Resolve hostname to IP address."""
+    try:
+        # Strip protocol if present
+        if "://" in target:
+            target = target.split("://")[1].split("/")[0]
+        return socket.gethostbyname(target)
+    except socket.gaierror:
+        return None
+
+def safe_request(url: str, timeout: int = 10, allow_redirects: bool = True, headers: Optional[Dict[str, str]] = None) -> Optional[requests.Response]:
+    """Make a safe HTTP request with retries and error handling."""
+    if headers is None:
+        headers = get_random_headers()
+        
+    session = requests.Session()
+    retries = Retry(total=2, backoff_factor=0.1, status_forcelist=[500, 502, 503, 504])
+    session.mount('http://', HTTPAdapter(max_retries=retries))
+    session.mount('https://', HTTPAdapter(max_retries=retries))
+
+    try:
+        response = session.get(
+            url, 
+            headers=headers, 
+            timeout=timeout, 
+            allow_redirects=allow_redirects,
+            verify=True
+        )
+        return response
+    except requests.exceptions.SSLError as e:
+        logger.warning(f"SSL verification failed for {url}, falling back to verify=False: {e}")
+        try:
+            response = session.get(
+                url, 
+                headers=headers, 
+                timeout=timeout, 
+                allow_redirects=allow_redirects,
+                verify=False
+            )
+            return response
+        except requests.RequestException as e:
+            logger.debug(f"Request error for {url}: {e}")
+            return None
+    except requests.RequestException as e:
+        logger.debug(f"Request error for {url}: {e}")
+        return None
+
+def calculate_confidence(matches: int, total_signals: int) -> str:
+    """Calculate confidence level based on signal matches."""
+    if total_signals == 0:
+        return "low"
+    ratio = matches / total_signals
+    if ratio >= 0.8:
+        return "high"
+    elif ratio >= 0.4:
+        return "medium"
+    return "low"

is_it_safe-5.0.0/src/is_it_safe/modules/waf.py

@@ -0,0 +1,149 @@
+"""WAF detection module for is-it-safe."""
+import logging
+from typing import List, Dict, Any, Optional, Set
+from .utils import safe_request, apply_jitter
+
+logger = logging.getLogger(__name__)
+
+WAF_SIGNATURES = {
+    "Cloudflare": {
+        "headers": ["cf-ray", "cf-cache-status", "server: cloudflare"],
+        "cookies": ["__cfduid", "cf_clearance"],
+        "confidence": "high"
+    },
+    "Akamai": {
+        "headers": ["x-akamai", "akamai-ghost", "server: akamaighost"],
+        "cookies": ["ak_bmsc", "bm_sz"],
+        "confidence": "high"
+    },
+    "AWS CloudFront": {
+        "headers": ["x-amz-cf-id", "x-amz-cf-pop", "server: cloudfront"],
+        "cookies": [],
+        "confidence": "high"
+    },
+    "Imperva/Incapsula": {
+        "headers": ["x-iinfo", "incap_ses", "x-cdn: incapsula"],
+        "cookies": ["incap_ses", "visid_incap"],
+        "confidence": "high"
+    },
+    "Sucuri": {
+        "headers": ["x-sucuri-id", "x-sucuri-cache", "server: sucuri/cloudproxy"],
+        "cookies": ["sucuri_cloudproxy_uuid"],
+        "confidence": "high"
+    },
+    "F5 BIG-IP": {
+        "headers": ["x-cpro-rule", "server: big-ip", "x-wa-info"],
+        "cookies": ["bigipserver", "mrhsessions"],
+        "confidence": "medium"
+    },
+    "ModSecurity": {
+        "headers": ["x-mod-security", "server: mod_security"],
+        "cookies": ["noYB"],
+        "confidence": "medium"
+    },
+    "Barracuda": {
+        "headers": ["server: barracuda", "x-barracuda-brts"],
+        "cookies": ["barra_counter_session", "bni__b_pool"],
+        "confidence": "medium"
+    },
+    "FortiWeb": {
+        "headers": ["server: fortiweb-waf"],
+        "cookies": ["fortiwafsid"],
+        "confidence": "high"
+    },
+    "Radware AppWall": {
+        "headers": ["x-sl-compid", "server: radware"],
+        "cookies": [],
+        "confidence": "medium"
+    }
+}
+
+BENIGN_PAYLOADS = ["", "?id=1", "/favicon.ico"]
+SUSPICIOUS_PAYLOADS = ["?id=1' OR '1'='1", "?id=<script>alert(1)</script>", "/etc/passwd", "?cmd=ls"]
+
+def check_response_for_waf(response: Any, waf_name: str) -> bool:
+    """Check if response headers/cookies match WAF signatures."""
+    if not response:
+        return False
+    
+    sigs = WAF_SIGNATURES[waf_name]
+    headers_str = "\n".join([f"{k}: {v}" for k, v in response.headers.items()]).lower()
+    
+    for header in sigs["headers"]:
+        if header.lower() in headers_str:
+            return True
+            
+    for cookie in response.cookies.keys():
+        for sig_cookie in sigs["cookies"]:
+            if sig_cookie.lower() in cookie.lower():
+                return True
+                
+    return False
+
+def test_response_behavior(url: str, jitter: bool = True) -> Optional[Dict[str, Any]]:
+    """Compare behavior between benign and suspicious payloads."""
+    apply_jitter(enabled=jitter)
+    benign_resp = safe_request(url)
+    if not benign_resp:
+        return None
+    
+    apply_jitter(enabled=jitter)
+    for payload in SUSPICIOUS_PAYLOADS:
+        # Properly append query params
+        if "?" in url:
+            suspicious_url = url + "&" + payload.lstrip("?")
+        else:
+            suspicious_url = url + payload
+        resp = safe_request(suspicious_url)
+        
+        if not resp:
+            # Connection dropped/reset often indicates a WAF/IPS
+            return {"type": "Connection Drop", "payload": payload}
+            
+        if resp.status_code != benign_resp.status_code:
+            if resp.status_code in [403, 406, 501, 429, 999]:
+                return {"type": "Status Code Change", "code": resp.status_code, "payload": payload}
+        
+        # Check for WAF strings in body (some WAFs return 200 with a block page)
+        block_keywords = ["blocked by", "waf", "security challenge", "incident id", "request id"]
+        for kw in block_keywords:
+            if kw in resp.text.lower() and kw not in benign_resp.text.lower():
+                return {"type": "Block Page Content", "keyword": kw, "payload": payload}
+                
+    return None
+
+def detect_waf(target_url: str, timeout: int = 10, jitter: bool = True) -> List[Dict[str, str]]:
+    """Detect WAF with confidence scoring."""
+    results = []
+    matched_wafs: Set[str] = set()
+    
+    response = safe_request(target_url, timeout=timeout)
+    if not response:
+        return [{"name": "Unable to connect", "confidence": "low", "details": "Initial request failed"}]
+    
+    # Signature matching - only one WAF per detection
+    for waf_name in WAF_SIGNATURES:
+        if check_response_for_waf(response, waf_name):
+            matched_wafs.add(waf_name)
+    
+    # Prioritize high confidence matches
+    for waf_name in matched_wafs:
+        results.append({
+            "name": waf_name, 
+            "confidence": WAF_SIGNATURES[waf_name]["confidence"],
+            "details": "Signature match in headers/cookies"
+        })
+    
+    # Behavioral testing
+    behavior = test_response_behavior(target_url, jitter)
+    if behavior:
+        results.append({
+            "name": "Generic Behavioral WAF", 
+            "confidence": "medium",
+            "details": f"Behavioral anomaly: {behavior['type']} on payload '{behavior.get('payload', '')}'"
+        })
+    
+    if not results:
+        results.append({"name": "No WAF detected", "confidence": "low", "details": "No signatures or behavioral anomalies found"})
+    
+    return results

is_it_safe-5.0.0/src/is_it_safe.egg-info/PKG-INFO

@@ -0,0 +1,92 @@
+Metadata-Version: 2.4
+Name: is-it-safe
+Version: 5.0.0
+Summary: Stealthy Security Layer Detector (WAF/IDS/IPS/Fail2Ban)
+Author-email: Mithun <mitchastertheblaster@gmail.com>
+Project-URL: Homepage, https://github.com/mithun/is-it-safe
+Project-URL: Bug Tracker, https://github.com/mithun/is-it-safe/issues
+Classifier: Programming Language :: Python :: 3
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: OS Independent
+Classifier: Topic :: Security
+Requires-Python: >=3.8
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: requests>=2.31.0
+Requires-Dist: urllib3>=2.0.0
+Requires-Dist: rich>=13.7.0
+Requires-Dist: ipaddress>=1.0.23
+Requires-Dist: scapy>=2.5.0
+Requires-Dist: paramiko>=3.4.0
+Provides-Extra: test
+Requires-Dist: pytest>=7.4.0; extra == "test"
+Requires-Dist: pytest-mock>=3.12.0; extra == "test"
+Dynamic: license-file
+
+# is-it-safe 🛡️
+
+[![PyPI version](https://img.shields.io/pypi/v/is-it-safe.svg)](https://pypi.org/project/is-it-safe/)
+[![Python versions](https://img.shields.io/pypi/pyversions/is-it-safe.svg)](https://pypi.org/project/is-it-safe/)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+
+**Stealthy Security Layer Fingerprinting & Detection v5.0**
+
+`is-it-safe` is a modern, high-performance security utility designed to map and identify protective layers surrounding a target without triggering aggressive defense mechanisms. It provides deep visibility into infrastructure security by fingerprinting WAFs, IDS/IPS, and automated blocking systems.
+
+##  Key Features
+
+*   🛡️ **WAF Fingerprinting:** Identifies 10+ major WAF vendors (Cloudflare, Akamai, AWS, Imperva, etc.) via signature-based and behavioral analysis.
+*   🕵️ **Stealth-First Detection:** Implements adaptive jitter, randomized headers, and low-signal request patterns to bypass basic rate-limiters and heuristics.
+*   🚦 **IDS/IPS Probing:** Uses low-level TCP signals and HTTP response anomalies to detect deep packet inspection and network-level interception.
+*   🚫 **Fail2Ban Discovery:** Safely identifies SSH tarpits, "honey-pots," and active ban policies through non-destructive authentication probing.
+*   🎨 **Modern Interface:** Built with `rich` for professional, structured terminal output and high-visibility results.
+*   🤖 **Automation Ready:** Native JSON output mode for seamless integration into larger security pipelines.
+
+##  Installation
+
+### The Modern Way (Recommended)
+Use [uv](https://github.com/astral-sh/uv) for the fastest experience:
+
+```bash
+# Run instantly without installing
+uvx is-it-safe example.com
+
+# Or install it
+uv pip install is-it-safe
+```
+
+### The Traditional Way
+```bash
+pip install is-it-safe
+```
+
+### From Source
+```bash
+git clone https://github.com/your-username/is-it-safe.git
+cd is-it-safe
+pip install .
+```
+
+## 🛠 Usage
+
+```bash
+# Basic scan
+is-it-safe example.com
+
+# Verbose scan with stealth enabled
+is-it-safe example.com --stealth --verbose
+
+# Scan specific SSH port for Fail2Ban
+sudo is-it-safe example.com --ssh-port 2222
+
+# Output results as JSON
+is-it-safe example.com --json > results.json
+```
+
+> [!IMPORTANT]
+> Some IDS/IPS detection features require **root privileges** for raw socket access.
+
+## 📜 License
+
+This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
+

is_it_safe-5.0.0/src/is_it_safe.egg-info/SOURCES.txt

@@ -0,0 +1,19 @@
+LICENSE
+README.md
+pyproject.toml
+src/is_it_safe/__init__.py
+src/is_it_safe/main.py
+src/is_it_safe.egg-info/PKG-INFO
+src/is_it_safe.egg-info/SOURCES.txt
+src/is_it_safe.egg-info/dependency_links.txt
+src/is_it_safe.egg-info/entry_points.txt
+src/is_it_safe.egg-info/requires.txt
+src/is_it_safe.egg-info/top_level.txt
+src/is_it_safe/modules/__init__.py
+src/is_it_safe/modules/fail2ban.py
+src/is_it_safe/modules/ids_ips.py
+src/is_it_safe/modules/network.py
+src/is_it_safe/modules/utils.py
+src/is_it_safe/modules/waf.py
+tests/test_core.py
+tests/test_waf.py

is_it_safe-5.0.0/src/is_it_safe.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

is_it_safe-5.0.0/src/is_it_safe.egg-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+is-it-safe = is_it_safe.main:main

is_it_safe-5.0.0/src/is_it_safe.egg-info/requires.txt

@@ -0,0 +1,10 @@
+requests>=2.31.0
+urllib3>=2.0.0
+rich>=13.7.0
+ipaddress>=1.0.23
+scapy>=2.5.0
+paramiko>=3.4.0
+
+[test]
+pytest>=7.4.0
+pytest-mock>=3.12.0

is_it_safe-5.0.0/src/is_it_safe.egg-info/top_level.txt

@@ -0,0 +1 @@
+is_it_safe

is_it_safe-5.0.0/tests/test_core.py

@@ -0,0 +1,31 @@
+import pytest
+from is_it_safe.main import validate_url
+from is_it_safe.modules.utils import calculate_confidence
+
+def test_validate_url():
+    # Test with protocol
+    url, host, error = validate_url("https://example.com")
+    assert url == "https://example.com"
+    assert host == "example.com"
+    assert error is None
+
+    # Test without protocol
+    url, host, error = validate_url("example.com")
+    assert url == "https://example.com"
+    assert host == "example.com"
+    assert error is None
+
+    # Test invalid URL
+    url, host, error = validate_url("")
+    assert url is None
+    assert host is None
+    assert error == "No target provided"
+
+def test_calculate_confidence():
+    assert calculate_confidence(10, 10) == "high"
+    assert calculate_confidence(8, 10) == "high"
+    assert calculate_confidence(5, 10) == "medium"
+    assert calculate_confidence(4, 10) == "medium"
+    assert calculate_confidence(2, 10) == "low"
+    assert calculate_confidence(0, 10) == "low"
+    assert calculate_confidence(0, 0) == "low"

is_it_safe-5.0.0/tests/test_waf.py

@@ -0,0 +1,40 @@
+import pytest
+from unittest.mock import MagicMock
+from is_it_safe.modules.waf import check_response_for_waf, detect_waf
+
+def test_check_response_for_waf():
+    # Mock response with Cloudflare headers
+    mock_resp = MagicMock()
+    mock_resp.headers = {"cf-ray": "12345", "server": "cloudflare"}
+    mock_resp.cookies = {}
+    
+    assert check_response_for_waf(mock_resp, "Cloudflare") is True
+    assert check_response_for_waf(mock_resp, "Akamai") is False
+
+def test_check_response_for_waf_cookies():
+    # Mock response with Akamai cookies
+    mock_resp = MagicMock()
+    mock_resp.headers = {}
+    mock_resp.cookies = {"ak_bmsc": "somevalue"}
+    
+    assert check_response_for_waf(mock_resp, "Akamai") is True
+
+@pytest.fixture
+def mock_safe_request(mocker):
+    return mocker.patch("is_it_safe.modules.waf.safe_request")
+
+def test_detect_waf_signature_match(mock_safe_request):
+    mock_resp = MagicMock()
+    mock_resp.headers = {"cf-ray": "12345"}
+    mock_resp.cookies = {}
+    mock_safe_request.return_value = mock_resp
+    
+    results = detect_waf("https://example.com")
+    assert any(r["name"] == "Cloudflare" for r in results)
+    assert any(r["confidence"] == "high" for r in results)
+
+def test_detect_waf_no_connection(mock_safe_request):
+    mock_safe_request.return_value = None
+    
+    results = detect_waf("https://example.com")
+    assert results[0]["name"] == "Unable to connect"