Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 17 submissions in the queue.
posted by chromas on Monday March 25 2019, @10:24AM   Printer-friendly
from the "'Mawnin'!'-sez-Brer-Rabbit" dept.

Software engineer Chris Wellons writes about tar-pitting nefarious SSH probes. Anyone with a publicly-facing SSH server knows that it is probed from the moment it is turned on. Usually, the overwhelming majority of incoming connection attempts are malevolent in nature. There are several ways to deal with these attempts, one method is to drag out the response for as long as possible.

This program opens a socket and pretends to be an SSH server. However, it actually just ties up SSH clients with false promises indefinitely — or at least until the client eventually gives up. After cloning the repository, here’s how you can try it out for yourself (default port 2222):

[...] Your SSH client will hang there and wait for at least several days before finally giving up. Like a mammoth in the La Brea Tar Pits, it got itself stuck and can’t get itself out. As I write, my Internet-facing SSH tarpit currently has 27 clients trapped in it. A few of these have been connected for weeks. In one particular spike it had 1,378 clients trapped at once, lasting about 20 hours.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Monday March 25 2019, @01:14PM (9 children)

    by Anonymous Coward on Monday March 25 2019, @01:14PM (#819482)

    I see minimal probes if I move my ash port to something other than 22, and instead of wasting a connection for a week, why not just add the remote to the firewall after a few minutes?

  • (Score: 2, Insightful) by Anonymous Coward on Monday March 25 2019, @01:30PM

    by Anonymous Coward on Monday March 25 2019, @01:30PM (#819488)

    Resources that the bot has to waste on your machine, can't be used to probe other machines on the net. The tarpit sends data to the bot that it needs to check before it can do attempts to login... this data never validates... so it will never login, but the connection stays alive.

  • (Score: 2) by NateMich on Monday March 25 2019, @05:56PM (7 children)

    by NateMich (6662) on Monday March 25 2019, @05:56PM (#819647)

    something other than 22

    Make sure you use something that isn't also a bunch of 2's. I've seen so many customers servers getting slammed on 222, 2222, and 22222 that it isn't funny. There is almost zero advantage to a port based on 22.
    Pick something truly random.

    • (Score: 5, Funny) by maxwell demon on Monday March 25 2019, @07:24PM (5 children)

      by maxwell demon (1608) on Monday March 25 2019, @07:24PM (#819696) Journal

      I'd just use the port number written backwards. :-)

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 0) by Anonymous Coward on Tuesday March 26 2019, @03:43AM (4 children)

        by Anonymous Coward on Tuesday March 26 2019, @03:43AM (#819905)

        you use port 104?

        commander data

        • (Score: 2) by maxwell demon on Tuesday March 26 2019, @05:30AM (3 children)

          by maxwell demon (1608) on Tuesday March 26 2019, @05:30AM (#819960) Journal

          Off by 2.

          --
          The Tao of math: The numbers you can count are not the real numbers.
          • (Score: 2) by maxwell demon on Tuesday March 26 2019, @05:31AM (2 children)

            by maxwell demon (1608) on Tuesday March 26 2019, @05:31AM (#819962) Journal

            Err … I shouldn't try to calculate while listening to the news …

            --
            The Tao of math: The numbers you can count are not the real numbers.
            • (Score: 2) by maxwell demon on Tuesday March 26 2019, @05:34AM (1 child)

              by maxwell demon (1608) on Tuesday March 26 2019, @05:34AM (#819963) Journal

              I forgot to give the correct correction: Off by 5. And yes, this time I'm sure.

              --
              The Tao of math: The numbers you can count are not the real numbers.
              • (Score: 2) by maxwell demon on Tuesday March 26 2019, @05:35AM

                by maxwell demon (1608) on Tuesday March 26 2019, @05:35AM (#819964) Journal

                Err … no, off by 7 -- off by 5 from my previous wrong result!

                --
                The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 2) by driverless on Tuesday March 26 2019, @10:42AM

      by driverless (4770) on Tuesday March 26 2019, @10:42AM (#820033)

      I moved my SSH to port 80, and I found I was getting thousands of probing attacks a day there.