
Endlessh: An SSH Tarpit - elliebike
https://github.com/skeeto/endlessh
======
xoa
Are tarpits still of use these days? I sort of figured that even modern script
mass attackers have gotten professionalized and sophisticated enough that they
can deal with trivial timeouts and the like. I could see actual honeypots
still being of use for researchers or blue teams at organizations that are
real targets, and ML might even open up some interesting new ways to make
those more engaging for longer. But a tarpit doesn't seem like it'd cause
bother for drive-by or APT, the former are all about volume so if something
takes more than a few seconds just skip it (and maybe flag it as a tarpit for
punishment) and an APT will instantly recognize it too.

For individuals and smaller orgs I've sort of felt like keeping your head
down, running a wg/ssh bastion with a non-standard port maybe along with
single packet auth or even plain old port knocking to reduce log spam from
random drive-by is more effective and attainable for places without any sort
of dedicated security or even constant in-house IT staff. Running a tarpit on
a VPS seems like it'd fail to bother most these days, and running it on an
actual IP seems like at best it'd have no effect and at worst if it ever
actually held up a scanner and the operator noticed they might decide to
direct some actual attention to that IP, or at least throw a mild ddos at it
for a bit. Am I wrong or out of date on that? I'm all for sticking it to bad
actors and efforts to reduce the economic incentives, but in 2020 tarpits
strike me as kind of obsolete with some risk to boot.

~~~
belorn
For individuals and smaller orgs the easiest and by experience the best
practice is to use a certificate (or generated and never to be reused
password) for ssh authentication, install server monitoring, and then simply
observe if the spam from random drive-by causes enough resource drain that
would validate further work. Most likely it won't.

Running a tar pit is a bit like installing a trap on a bike in order to teach
bike thieves a lesson. It won't really reduce the problem, but for a lot of
people the idea of vengeance gives a bit of a warm happy feeling.

~~~
toyg
_> Running a tar pit is a bit like installing a trap on a bike in order to
teach bike thieves a lesson._

It's more like approaching a thief and persuading him to steal some bike "just
around the corner", then guiding him around endlessly. While he's following
you, he's also not stealing anything from anyone, his attention (which is
naturally finite) gets drained - even just a little bit - to the benefit of
the community as a whole. It's not necessarily about vengeance.

~~~
kebman
Tangent story. Two friends of mine went backpacking to Amsterdam, short pants
and all. When they got out of the train in the evening, a friendly guy
approached them and asked if they were looking for a hotel. They said yes, so
he told them to follow him. Delighted to be greeted in this way, they did.

First they went down the regular path up Damrak to get to Leidseplein, but
slowly and imperceptibly the streets were getting narrower and narrower, until
they finally reached a dead end. That's when the guy whirled around, flipped
out a small pocket knife and wheezed to them, "Gimme all your cash! NOW!"

The guys looked at each other, and then looked at him, and then one of the
guys calmly told him, "Look, we're two guys, and you're just one. Even if you
get one of us, the other will beat your head in. You can't win this."

The mugger looked puzzled for a moment, but then he retorted, "Ok, give me
_half_ your money then, and nobody gets hurt!" Not wanting to be the first guy
who got stabbed, they agreed that, "Fine, we'll give you half! But only if you
promise to not stab us." And so the deal went down, and they had finally
arrived in Amsterdam.

~~~
jjeaff
People will approach tourists a lot like this in central and south america,
but the end game tends to be to take the tourist to an inn or restaurant where
they get a commission for taking them.

I've never gone with anyone anywhere but very public spaces. But I actually
have found some real gems tucked away off the beaten path this way.

~~~
milesvp
A friend and I took a day trip to Morocco many years ago while backpacking
through Spain and experienced this. A local guide approached us who came
across as pretty legit and had a driver. We had a good time being shown around
to different stores and it was pretty clear that he was getting a kickback
from the places we went. Had some nice mint tea, and a pretty good meal later.

There was a slightly dark time in the middle though, where my friend and I
were sure we were going to be mugged and left for dead when we were driving
further and further from the city. I've never experienced anything quite like
it before or since. We both looked at each other, and in an instant with a
single expression we were both able to convey that "I love you and we're going
to die". We were totally relieved when it turned out they just wanted to show
a scenic view by the sea, while showing us a lot of very rich mansions along
the way.

Was totally surreal, though, and I'm not sure how lucky we were.

~~~
kebman
Danish Louisa Vesterager Jespersen (24) and Norwegian Maren Ueland (28) were
killed and decapitated by ISIS terrorists on a trip to Morocco in 2018. They
were found near the Atlas mountains. The murders were filmed and put on the
internet. 18 men were since arrested by Moroccan police and charged with
terrorism.[1]

[1]:
[https://en.wikipedia.org/wiki/Murders_of_Louisa_Vesterager_J...](https://en.wikipedia.org/wiki/Murders_of_Louisa_Vesterager_Jespersen_and_Maren_Ueland)

~~~
kebman
Somehow factual information like that is always downvoted, but criminal and
terrorist activity is important information when considering where you want to
travel in the world, so you should take it very seriously.

Case in point, I travelled with my friends through Serbia during the early
2000's. Now, we'd spoken with our country's foreign ministry, and they told us
that it was relatively safe to travel in the North of the country. At the
time, we were advised to avoid the South of Serbia because of small gang
clashes still being ongoing. We avoided Romania as well, since a lot of car
jackings had been reported at the time.

After driving for a very long time, we got tired, and parked at a forest road
in the darkness. It was pitch black, so we figured no one would come there.
But after a while, I heard a car stop down at the main road, and two guys
moving closer to our car on the gravel. This prompted me to reach for a small
screw driver I had laying around, just in case.

When they arrived at the car, they knocked on my window, and peering to the
darkness I noticed that they were actually police officers. They wanted to
know what we were doing there, so I explained to them that we were just trying
to get some sleep for the night.

Then they asked me, "Did you see the boarded-up gas station further up the
road?" I nodded, and he continued. "Yeah, well, last week a gang came by there
and shot the whole family dead, mother, father and two kids. That's why the
place is boarded up. Listen, guys, this place isn't safe. So please come with
us, and we'll show you a lit parking lot in the nearest town. You can sleep
safely there, under the lights."

Needless to say, we accepted their escort, although it was far easier to
sleep in the darkness rather than under a street light.

Then there's the story of my boss who ignored advice to not go to Egypt during
some troubled times, and ended up in a firefight as the bus in front of him
was lit up by a hail of bullets. He thought he was going to die, and he very well
could have if he'd gone with the front bus.

------
DarkWiiPlayer
Reminds me of the dungeon I built for web crawlers to have fun collecting
email addresses at [https://darkwiiplayer.com/bot-dungeon](https://darkwiiplayer.com/bot-dungeon) xD

~~~
jk563
Does it only go to level 100?

~~~
nadavami
It seems to go to as many characters as you can fit in the URL. Each new
character after /bot-dungeon/ is a new level.

Pretty clever!

------
tptacek
I'm sure this was fun to put together and it seems like it's fun for people to
talk about, but you can put this along with fail2ban, port knocking, and
nonstandard SSH ports in the back of the attic and just (1) turn off password
authentication entirely and (2) put SSH behind WireGuard. Even if you don't do
step (2), step (1) eliminates the rationale for all the silly stuff people do
to obfuscate their SSH installs.

~~~
Drdrdrq
Could you elaborate on WireGuard part? Do you mean that users must first VPN,
and only then can SSH, or something else?

~~~
tptacek
Yes. This is how SSH access to prod works in most large companies: you have to
be behind the VPN to get it.

~~~
pvg
You know this but I'm just throwing it in for people who don't and aren't
working on large company things:

You can give yourself a WireGuard-powered, Single Sign-on, secure overlay
network between, say, your phone, your laptop, a DO droplet and an AWS
instance near-instantly and for (currently) free with tailscale.

By 'near-instantly' I mean it takes almost no effort to set up. It takes me
longer to get my dotfiles right on a new host.

~~~
tptacek
It is disgusting how good Tailscale is. I mean that I am literally welling up
with disgust thinking about it.

------
Lex-2008
discussion of a blog post about this tool:
[https://news.ycombinator.com/item?id=19465967](https://news.ycombinator.com/item?id=19465967)

------
Freaky
One I made in async Rust:
[https://github.com/Freaky/tarssh](https://github.com/Freaky/tarssh)

I currently have 22 clients stuck in it across three machines. When I started
out it was more like a thousand, so seems they've largely adapted.

------
nickcw
Great idea!

I'm not sure we should be writing new network connected daemons in C though.

~~~
klodolph
> I'm not sure we should be writing new network connected daemons in C though.

In general, yes. However, in this case--no, that's not helpful advice--because
this program doesn't actually receive input from clients! Kind of hard to
trigger exploitable behavior on a program that only sends _output._

~~~
codeulike
_Kind of hard to trigger exploitable behavior on a program that only sends
output._

It wouldn't surprise me to find there were still possible exploits

~~~
fb03
Explaining, since you were downvoted without a proper reason:

While _everything_ is possible, most exploits happen on buffer overflows on
user-received custom data. And since this is not allocating any buffer to
receive anything (besides internal connection structures that are filled by
the OS), the attack/exploit surface on this one is really tiny, if existent at
all.
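
The property being argued about here is that a tarpit only ever writes. The trick endlessh relies on is in RFC 4253, section 4.2: a server may send lines of text before its `SSH-2.0-...` identification string, as long as each line ends in CRLF and none begins with `SSH-`, and a compliant client has to keep waiting for the real banner. The following is an added example, mine and not endlessh's code, of the same idea on top of asyncio; the 10 s delay and 32-byte line length are assumptions mirroring endlessh's defaults, and the port number is arbitrary.

```python
# Added example (not endlessh's own code): a minimal SSH tarpit on asyncio.
# RFC 4253 section 4.2 lets a server send text lines ahead of its banner,
# each CRLF-terminated and never starting with "SSH-"; a compliant client
# keeps waiting. The server never reads from the socket, so client bytes
# never reach any code path of ours.
import asyncio
import random
import string
from typing import List

DELAY_SECONDS = 10.0  # assumption: endlessh's default gap between lines
MAX_LINE_LEN = 32     # assumption: endlessh's default maximum line length (incl. CRLF)

# Printable US-ASCII; contains neither '\r' nor '\n', so a line cannot end early.
_ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "


def banner_line(rng: random.Random, max_len: int = MAX_LINE_LEN) -> bytes:
    """One random pre-banner line: 3..(max_len-2) printable bytes plus CRLF."""
    length = rng.randint(3, max_len - 2)
    while True:
        text = "".join(rng.choice(_ALPHABET) for _ in range(length))
        if not text.startswith("SSH-"):  # that would be taken as the real banner
            return text.encode("ascii") + b"\r\n"


def sample_lines(count: int, seed: int) -> List[bytes]:
    """Deterministic batch of lines, handy for checking the generator."""
    rng = random.Random(seed)
    return [banner_line(rng) for _ in range(count)]


def is_valid_pre_banner_line(line: bytes) -> bool:
    """The constraints RFC 4253 places on lines sent ahead of the banner."""
    return (
        line.endswith(b"\r\n")
        and not line.startswith(b"SSH-")
        and len(line) <= 255  # the limit the RFC sets for the banner line itself
        and all(0x20 <= b < 0x7F for b in line[:-2])
    )


async def tarpit(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    # `reader` is deliberately never read. asyncio buffers unread client bytes
    # only up to the stream limit and then pauses the transport, so a chatty
    # client cannot grow our memory use either.
    peer = writer.get_extra_info("peername")
    rng = random.Random()
    sent = 0
    try:
        while True:
            writer.write(banner_line(rng))
            await writer.drain()  # raises once the client finally gives up
            sent += 1
            await asyncio.sleep(DELAY_SECONDS)
    except OSError:
        pass
    finally:
        writer.close()
        print(f"{peer} held for {sent} lines")


async def serve(host: str = "0.0.0.0", port: int = 2222) -> None:
    server = await asyncio.start_server(tarpit, host, port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(serve())  # try it with: ssh -v -p 2222 127.0.0.1
```

Running `ssh -v` against it shows the client sitting in the pre-banner read indefinitely; the cost on our side is one socket and a few hundred bytes of state per victim, which is the resource trade-off k33n raises further down.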

------
geocrasher
I have to admit that I tried this and it was rather lackluster. Log output:

[https://pastebin.com/4FTHRF3f](https://pastebin.com/4FTHRF3f)

Not a lot of activity over the time I ran it, and I know that the port gets
hit more than that. I had a much better time when I ran a honeypot with Kippo:

[https://github.com/desaster/kippo](https://github.com/desaster/kippo)

It was much more useful as it gave me a great list of IPs to block from all
my systems ;)

~~~
mdaniel
The top of the readme for that repo advises to use the fork:
[https://github.com/cowrie/cowrie](https://github.com/cowrie/cowrie)

------
k33n
The tarpit approach is a double-edged sword. Sure, you're keeping some script
kiddie's machine locked up (maybe), but you're also keeping socket connections
open and wasting resources on the machine they are targeting. A much more
efficient approach is using fail2ban and a firewall to just drop traffic from
offenders.

~~~
mtlynch
Tarpits aren't really a defense mechanism. They're meant to waste attackers'
time and study their techniques, making attacks more expensive.

It's sort of like those YouTube channels where they waste phone scammers' time
in an entertaining way. [0] Obviously, the easiest thing for the callee to do
is hang up the phone, but their goal is to make phone scams less profitable.

[0]
[https://en.wikipedia.org/wiki/Jim_Browning_(YouTuber)](https://en.wikipedia.org/wiki/Jim_Browning_\(YouTuber\))

~~~
a1369209993
> where they waste phone scammers' time in an entertaining way.

This can also be automated, so the defender doesn't even need to waste their
own time on it. Eg:
[https://old.reddit.com/r/itslenny/](https://old.reddit.com/r/itslenny/) .

------
dclaw
Hah, I love endlessh.... been running it for a few years now on one of my
digital ocean droplets. Better to fuck with these bots. My personal record was
somewhere around 23 days having one stuck.

------
nirui
What got me inspired here is that, if a simple delay strategy can make attacks
harder, why not add this as a common feature in SSH?

It can be called "Initial Connection Delay": once a new TCP connection is
established, wait for an uncertain number n of seconds before reading and
responding to the handshake request.

------
password4321
One of the simplest ways to block unwanted connections is to filter on client
id. I haven't seen anyone willing to change it even though I've blocked
libssh, sshgo, and paprika.

Of course, this functionality is only available in non-standard SSH servers
such as the one from Bitvise.
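
The "client id" filtered on above is the first line an SSH client sends, `SSH-protoversion-softwareversion SP comments CR LF` (RFC 4253, section 4.2), and stock OpenSSH sshd has no keyword for matching on it. As an added example, mine rather than Bitvise's or OpenSSH's code, this is how a front end or custom server would parse that line and apply such a blocklist. The blocklist contents are taken from the comment and the 255-byte cap is the RFC's; the field is free text chosen by the client, so this only ever stops clients that do not bother to lie.

```python
# Added example: parse the SSH client identification line and apply a
# software-name blocklist, as the comment describes doing in Bitvise.
import re
from typing import Optional, Tuple

# Assumed blocklist for the example; compared case-insensitively as prefixes
# of the softwareversion field.
BLOCKED_PREFIXES = ("libssh", "sshgo", "paprika")

# SSH-protoversion-softwareversion [SP comments] CR LF. Only 2.0 and the
# compatibility value 1.99 are accepted; softwareversion is printable ASCII
# without spaces. A bare LF terminator is tolerated, as the RFC suggests.
_IDENT = re.compile(rb"^SSH-(2\.0|1\.99)-([\x21-\x7e]+)(?: ([\x20-\x7e]*))?\r?\n$")
MAX_IDENT_LEN = 255  # RFC 4253 limit for the identification line, CRLF included


def parse_client_ident(line: bytes) -> Optional[Tuple[str, str, str]]:
    """Return (protoversion, softwareversion, comments), or None if malformed."""
    if len(line) > MAX_IDENT_LEN:
        return None
    m = _IDENT.match(line)
    if m is None:
        return None
    comments = m.group(3) or b""
    return (m.group(1).decode("ascii"),
            m.group(2).decode("ascii"),
            comments.decode("ascii"))


def should_reject(line: bytes, blocked: Tuple[str, ...] = BLOCKED_PREFIXES) -> bool:
    """Reject malformed identification lines and blocklisted client software."""
    parsed = parse_client_ident(line)
    if parsed is None:
        return True  # not a well-formed SSH client at all (HTTP probes, garbage)
    software = parsed[1].lower()
    # Only the softwareversion field is matched; the free-form comments are not,
    # so "OpenSSH_9.6p1 libssh-compatible" would pass.
    return software.startswith(tuple(p.lower() for p in blocked))
```

Read exactly one line, bounded at 255 bytes, before deciding; anything a client sends after that belongs to the key exchange and should not be parsed here.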

------
verroq
This would have been fun to put onto production machines. We had a botnet that
was running ssh bruteforce with 10s of requests per second with unique IPs. It
stopped after we disabled password auth.

~~~
creeble
Wait, I think I'm an idiot - does disabling password auth entirely prevent
openssh from generating a password prompt?

~~~
VWWHFSfQ
yes

~~~
creeble
Whoops, silly me / more coffee needed. All my servers have:

    PasswordAuthentication no
    ChallengeResponseAuthentication no

so sshd never generates a password prompt.

They all run on a non-standard port, and it's somewhat rare to see more than
one unique IP address connection attempt, but every few days you see a few
hundred in sequence from a script too dumb to notice.
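
One check worth doing after setting those two lines: sshd uses the first value it sees for each keyword, so a `PasswordAuthentication no` near the bottom of sshd_config is silently ignored if an earlier line, or a file pulled in by an `Include` above it (as Ubuntu's stock sshd_config does with sshd_config.d/*.conf), already set it to `yes`. The quickest real-world check is `sshd -T | grep -i -e passwordauth -e kbdinteractive`, which prints the resolved values; `KbdInteractiveAuthentication` is OpenSSH's current name for `ChallengeResponseAuthentication`, kept as an alias. The following is an added example, mine and not OpenSSH's code, that applies the same first-wins rule to config text so a file can be checked in review without a running sshd. The Match handling is a simplification and the sample config and drop-in are constructed.

```python
# Added example: resolve the values sshd would use from sshd_config text
# (first occurrence of a keyword wins, Include is read in place), then check
# that password-style logins are actually off.
import fnmatch
import re
from typing import Dict, Optional

# OpenSSH renamed ChallengeResponseAuthentication to KbdInteractiveAuthentication
# and keeps the old name as an alias, so both spellings fold into one key.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# sshd accepts "Keyword value", "Keyword=value" and "Keyword = value".
_LINE = re.compile(r"^([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*?)\s*$")


def effective_settings(text: str, files: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Global keyword values as sshd resolves them: the first occurrence wins.

    `files` maps absolute paths to contents and stands in for the filesystem
    so Include globs resolve offline. Simplification: a Match block (other
    than 'Match all', which returns to the global scope) ends processing of
    the file it appears in, since everything after it is conditional.
    """
    files = files or {}
    seen: Dict[str, str] = {}

    def walk(body: str) -> None:
        for raw in body.splitlines():
            line = raw.split("#", 1)[0].strip()
            m = _LINE.match(line) if line else None
            if m is None:
                continue
            key, value = m.group(1).lower(), m.group(2)
            key = ALIASES.get(key, key)
            if key == "match":
                if value.lower() == "all":
                    continue
                return
            if key == "include":
                for pattern in value.split():
                    for path in sorted(p for p in files if fnmatch.fnmatch(p, pattern)):
                        walk(files[path])
                continue
            seen.setdefault(key, value)  # later duplicates are ignored, as in sshd

    walk(text)
    return seen


def password_logins_disabled(settings: Dict[str, str]) -> bool:
    """True only when both password and keyboard-interactive auth are off.

    Both default to 'yes' in sshd, so an absent keyword counts as enabled.
    """
    pw = settings.get("passwordauthentication", "yes").lower()
    kbd = settings.get("kbdinteractiveauthentication", "yes").lower()
    return pw == "no" and kbd == "no"


# Constructed sample: the admin's "no" lines lose to a drop-in that sshd reads
# first, because the Include sits above them.
SAMPLE_MAIN = """\
Include /etc/ssh/sshd_config.d/*.conf
Port 2222
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
"""
SAMPLE_DROPINS = {"/etc/ssh/sshd_config.d/50-local.conf": "PasswordAuthentication yes\n"}
```

With the drop-in present the resolved value is `yes` even though the main file says `no` twice over; remove the drop-in (or move the two lines above the `Include`) and the check passes.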

------
clon
This is like a self-administered "slowloris attack" then - making it easier
for an attacker to keep connections up until things start getting tight on
port 443.

~~~
heavenlyblue
I can imagine this is so easily overcome by the attacker. Why would they even
need machines that take 10 seconds to return a single line over SSH?

~~~
ivanbakel
Tarpits trap dumb animals. An intelligent attacker won't fall for it, but they
aren't meant to.

------
earthboundkid
[https://github.com/carlmjohnson/heffalump](https://github.com/carlmjohnson/heffalump)

~~~
ryankrage77
This seems like it would use a lot of bandwidth?

~~~
earthboundkid
Oh, it’s a terrible idea. It’s basically a practical joke.

------
seqizz
I'd rather have a trusted common list of known abusers' IPs. But I think
that's harder to maintain.

~~~
mortehu
That's called a DNSBL, and there are many of them, mostly for email spam
though.

[https://www.dnsbl.info/](https://www.dnsbl.info/)

~~~
geocrasher
What I find infuriating is when an admin gets the bright idea to block all
connections from IPs that are in _mail_ DNSBLs. It's a great way to alienate
people from using your services. I can't remember which company was doing it,
but a customer's API calls to a vendor failed because the vendor blocked the
IP, which was blacklisted somewhere.

Here's the kicker: The server wasn't even used to send mail and hadn't been
for a long time. So we had to apply for a delisting from a mail blacklist for
a server that didn't send mail so that a customer could use an API.

The admin thought they were being clever, but instead they were just being
_difficult_.

