Endlessh

Endlessh – SSH tarpit

Last Updated on August 11, 2021

SSH or Secure Shell is a cryptographic network protocol for operating network services securely over an unsecured network. Typical applications include remote command-line, login, and remote command execution, but any network service can be secured with SSH.

SSH was designed as a replacement for Telnet and for unsecured remote shell protocols such as the Berkeley rsh and the related rlogin and rexec protocols. Those protocols send information, notably passwords, in plaintext, rendering them susceptible to interception and disclosure using packet analysis. The encryption used by SSH is intended to provide confidentiality and integrity of data over an unsecured network, such as the Internet.

The SSH protocol specification includes a banner, which is text that’s displayed when someone tries to log into a server via SSH. The specification doesn’t define any limit on the number of lines of text in that banner, nor does it specify how long the banner may take to display. Endlessh makes use of these two facts to waste a script-kiddie’s time. It sends an endless stream of randomly generated “other lines of data” without ever intending to send a version string, waiting a specified time between each line. This slows the protocol down but prevents the connection from actually timing out.

In essence, Endlessh pretends to be a real SSH server, but it doesn’t use SSH at all. You run it on the standard SSH port (which is 22) and run your actual SSH server on a different port, say 69. When a script-kiddie’s script attempts to log in to the SSH server, it is actually connecting to Endlessh and gets caught in a loop.
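The mechanism described above, as an added example (not code from the Endlessh project): a generator for banner lines that never start with "SSH-", and the client-side scan for a version string that therefore never succeeds. The function names, the 10000 ms delay and the 32-byte maximum line length are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Small portable PRNG so the example is deterministic. */
static unsigned next_rand(unsigned *s)
{
    *s = *s * 1103515245u + 12345u;
    return (*s >> 16) & 0x7fff;
}

/* Fill buf with one tarpit line of 3..maxlen bytes: printable ASCII + CRLF.
 * A line starting with "SSH-" would be read as the version string, so the
 * first byte is changed if that happens by chance. Requires maxlen >= 3. */
static size_t tarpit_line(char *buf, size_t maxlen, unsigned *seed)
{
    size_t len = 3 + next_rand(seed) % (maxlen - 2);
    for (size_t i = 0; i + 2 < len; i++)
        buf[i] = (char)(32 + next_rand(seed) % 95);
    buf[len - 2] = '\r';
    buf[len - 1] = '\n';
    if (len >= 4 && memcmp(buf, "SSH-", 4) == 0)
        buf[0] = 'X';
    return len;
}

/* Client view: scan CRLF-terminated lines and return the offset of the
 * first line beginning with "SSH-", or -1 if none has arrived yet. */
static long find_version(const char *s, size_t n)
{
    size_t start = 0;
    for (size_t i = 0; i + 1 < n; i++) {
        if (s[i] != '\r' || s[i + 1] != '\n')
            continue;
        if (i - start >= 4 && memcmp(s + start, "SSH-", 4) == 0)
            return (long)start;
        start = i + 2;
    }
    return -1;
}

/* Simulate `lines` tarpit lines sent delay_ms apart. Returns the seconds the
 * client is held, or -1 if a line could be taken for a version string. */
static long simulate(unsigned lines, unsigned delay_ms, size_t maxlen)
{
    char *stream = malloc((size_t)lines * maxlen + 1);
    unsigned seed = 1;
    size_t used = 0;
    if (!stream)
        return -1;
    for (unsigned i = 0; i < lines; i++)
        used += tarpit_line(stream + used, maxlen, &seed);
    long found = find_version(stream, used);
    free(stream);
    return found < 0 ? (long)lines * delay_ms / 1000 : -1;
}

int main(void)
{
    /* Assumed settings: one line every 10000 ms, lines up to 32 bytes. */
    printf("held for %ld s, no version string seen\n", simulate(360, 10000, 32));
    return 0;
}
```

At these assumed settings the server spends at most 32 bytes every ten seconds per connection, while the client keeps waiting for a line that begins with "SSH-".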

Installation

First we clone the project’s GitHub repository.

$ git clone https://github.com/skeeto/endlessh

Change into the project’s directory and compile the software.

$ cd endlessh
$ make

We can then move the executable to a directory in our path.

$ sudo make install

Enable the service with the commands:

$ sudo cp util/endlessh.service /etc/systemd/system
$ sudo systemctl enable endlessh

You’ll get the message “Created symlink /etc/systemd/system/multi-user.target.wants/endlessh.service → /etc/systemd/system/endlessh.service.”

Next we need to create the program’s configuration file.

$ sudo mkdir -p /etc/endlessh
$ sudo pico /etc/endlessh/config

There’s a sample config file on the project’s GitHub page that can be copied and pasted into the config file. Note that the sample config puts the tarpit on port 2222, but you’ll probably want it running on port 22 (as you’ll move SSH to a different port).

Now we’re ready to run the software with the command:

$ sudo systemctl start endlessh

7 Comments
Smouch
3 years ago

What is the point?

If you’re trying to secure your SSH server by running against an unusual port, you’re doing it wrong. Security through obscurity is not a solution.

If you are trying to waste someone’s time, I have to ask why you care how someone else uses their time.

Alanmeister
3 years ago
Reply to  Smouch

I ask why do you care what the developer of Endlessh spends his time doing? It’s up to him what he wants to write.

Really your comment just comes across as rather snide.

xyz
3 years ago
Reply to  Alanmeister

I also think this approach does not make any sense, please let me explain why:
If you run a publicly accessible ssh service on port 22, you will probably notice several thousand login attempts per day (at least in my experience). Now imagine what happens with this endlessh… you would likely end up with endless 😉 open tcp connections wasting your resources instead of script kiddies’ time because, as the name already suggests, they run their discovery in an automated and parallel way.

So a valuable posting could be something about firewall settings like dropping packets so incoming connections don’t even get one packet back, which in turn is the least resource consuming as well as secure.

Alanmeister
3 years ago
Reply to  xyz

You are probably a troll but here goes:

1) I wasn’t defending the developer’s approach. I was defending his right to code what he wants.
2) You won’t end up with endless open tcp connections, the idea of the program is that port 22 isn’t running a server although it appears to the script-kiddie it is.
3) The reviewer explains that there are far more effective ways of securing a system, so I don’t understand your point. And there are tons of posts/books on how to configure a firewall already available.
4) Who are you? Let’s see some of your open source projects. I’ll be happy to evaluate them. Or it’s possible you’ve contributed nothing to the open source community.

Jay Sanders
3 years ago

While the intent is good, the truth is that most attacking scripts will just kill their side of the connection after a few seconds, at worst, simply starting over again. This is not a conjecture, but exactly what I see in my logs when I use endlessh.

Vimster
3 years ago
Reply to  Jay Sanders

Endlessh is almost useless as a practical tool. But that equally applies to your ‘analysis’. Conjecture is an opinion or conclusion formed on the basis of incomplete information. Testing by one individual with no proof or evidence provided definitely falls into the definition of incomplete information. Hence it’s conjecture. I have seen attacking scripts not give up. Again that’s testing by one individual.

Grahame
3 years ago
Reply to  Vimster

That’s right, it’s an anecdote at best.