Endlessh

Endlessh – SSH tarpit

Last Updated on August 11, 2021

In Operation

We can check that the program is running by attempting to login via ssh to the port that endlessh is running on with the -vvv flag (the verbose option). If you’re installed the program correctly, you’ll see entries like:

debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
debug1: kex_exchange_identification: banner line 0: ;eu5B
debug1: kex_exchange_identification: banner line 1: -,]LNm..*$D-j4MRgj
debug1: kex_exchange_identification: banner line 2: 4Ej`tp"I-K}n_b#x[}
debug1: kex_exchange_identification: banner line 3: Zz+nC$6bxtC;bF F7{Lu@p
debug1: kex_exchange_identification: banner line 4: :
debug1: kex_exchange_identification: banner line 5: %^QUmS,}n99F[w6\\d:Uc;$qw5,|I)]
debug1: kex_exchange_identification: banner line 6: .)TX
debug1: kex_exchange_identification: banner line 7: 'Yv:DV]zZVh0WvU0Y;x!7|ZTrbr
debug1: kex_exchange_identification: banner line 8: |;|%3uE2O3KL"oVf4UDgE_40
debug1: kex_exchange_identification: banner line 9: z]6
debug1: kex_exchange_identification: banner line 10: >^nPTk(tMC@E.|y,Nn(ZB<uQG~X debug1: kex_exchange_identification: banner line 11: ?T.nGe8N5gtK+}"!c7$[5"; debug1: kex_exchange_identification: banner line 12: ImCq]y10$[3K~MC]lHWIj%~ debug1: kex_exchange_identification: banner line 13: b9IeIbR@01,MkR0=1>
debug1: kex_exchange_identification: banner line 14: PdONO ^gmJ
debug1: kex_exchange_identification: banner line 15: I
debug1: kex_exchange_identification: banner line 16: 7B.`/*1lU&fzKBNt
debug1: kex_exchange_identification: banner line 17: 259`Q;4L-ex{!7e

You’ll see the log is showing that banner lines of gibberish are being generated. These banner lines are created really slowly. This keeps SSH clients locked up for hours or even days at a time.

As the tarpit is in the banner before any cryptographic exchange occurs, there’s no requirement for any cryptographic libraries, and no requirement for any knowledge about the SSH protocol.

The config file lets you define which port the software listens for new SSH connections, the delay in sending each individual line of the banner, the maximum length of each line, the maximum number of connections to accept at a time. You can also define the detail level of the log, and whether the listening socket uses IPv4, IPV6, or both.

Next page: Page 3 – Summary

Pages in this article:
Page 1 – Introduction / Installation
Page 2 – In Operation
Page 3 – Summary

Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

7 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Smouch
Smouch
3 years ago

What is the point ?

If you’re trying secure your SSH server by running against an unusual port, you’re doing it wrong. Security through obscurity is not a solution.

If you are trying to waste someone’s time, I have to ask why you care how someone else uses their time.

Alanmeister
Alanmeister
3 years ago
Reply to  Smouch

I ask why do you care what the developer of Endlessh spends his time doing? It’s up to him what he wants to write.

Really your comment just comes across as rather snide.

xyz
xyz
3 years ago
Reply to  Alanmeister

I also think this approach does not make any sense, please let me explain why:
If you run a public accessible ssh service on port 22, you will probably notice several thousands login attempts per day (at least my experience). Now imagine what happens with this endlessh… you would likely end up with endless 😉 open tcp connection wasting your resources instead of script kiddies time because as name already suggests, they run their discovery in an automated and parallel way.

So a valuable posting could be something about firewall settings like dropping packets so incoming connections doesn’t even get one packet back that in turn is least resource consuming as well as secure.

Alanmeister
Alanmeister
3 years ago
Reply to  xyz

You are probably a troll but here goes:

1) I wasn’t defending the developer’s approach. I was defending his right to code what he wants.
2) You won’t end up with endless open tcp connections, the idea of the program is that port 22 isn’t running a server although it appears to the script-kiddie it is.
3) The reviewer explains that there are far more effective ways of securing a system, so I don’t understand your point. And there are tons of posts/books on how to configure a firewall already available.
4) Who are you? Let’s see some of your open source projects. I’ll be happy to evaluate them. Or it’s possible you’ve contributed nothing to the open source community.

Jay Sanders
Jay Sanders
3 years ago

While the intent is good, the truth is that most attacking scripts will just kill their side of the connection after a few seconds, at worst, simply starting over again. This is not a conjecture, but exactly what I see in my logs when I use endlessh.

Vimster
Vimster
3 years ago
Reply to  Jay Sanders

Endlessh is almost useless as a practical tool. But that equally applies to your ‘analysis’. Conjecture is an opinion or conclusion formed on the basis of incomplete information. Testing by one individual with no proof or evidence provided definitely falls into the definition of incomplete information. Hence it’s conjecture. I have seen attacking scripts not give up. Again that’s testing by one individual.

Grahame
Grahame
3 years ago
Reply to  Vimster

That’s right, it’s an anecdote at best.