SoylentNews is people
SoylentNews
Software engineer Chris Wellons writes about tar-pitting nefarious SSH probes. Anyone with a publicly-facing SSH server knows that it is probed from the moment it is turned on. Usually, the overwhelming majority of incoming connection attempts are malevolent in nature. There are several ways to deal with these attempts, one method is to drag out the response for as long as possible.
This program opens a socket and pretends to be an SSH server. However, it actually just ties up SSH clients with false promises indefinitely — or at least until the client eventually gives up. After cloning the repository, here’s how you can try it out for yourself (default port 2222):
[...] Your SSH client will hang there and wait for at least several days before finally giving up. Like a mammoth in the La Brea Tar Pits, it got itself stuck and can’t get itself out. As I write, my Internet-facing SSH tarpit currently has 27 clients trapped in it. A few of these have been connected for weeks. In one particular spike it had 1,378 clients trapped at once, lasting about 20 hours.
(Score: 2) by canopic jug on Monday March 25 2019, @02:36PM (1 child)
This for SSH, not SSL. As to runing both a normal SSH server and a tar pit on the same port, it might be possible to do some kind of multiplexing with sslh [github.com]. But I don't think so. Off the top of my head I'd have to say I'm not sure how it could work since both an attack and a legitimate log would be using the same start of the same protocol. Remember, this tar pit kicks in long before the encryption is even negotiated.
As mentioned by the AC, putting them on different ports definitely works.
Money is not free speech. Elections should not be auctions.
(Score: 2) by DannyB on Monday March 25 2019, @03:14PM
Sorry not enough caffeine when I wrote SSL when I meant SSH.
Yes it is possible to have SSL and SSH on the same port, see my reply a few up above.
The lower I set my standards the more accomplishments I have.