Stories
Slash Boxes
Comments

SoylentNews is people

Endlessh: an SSH Tarpit

posted by chromas on Monday March 25 2019, @10:24AM   Printer-friendly
from the "'Mawnin'!'-sez-Brer-Rabbit" dept.

canopic jug writes:

Software engineer Chris Wellons writes about tar-pitting nefarious SSH probes. Anyone with a publicly-facing SSH server knows that it is probed from the moment it is turned on. Usually, the overwhelming majority of incoming connection attempts are malevolent in nature. There are several ways to deal with these attempts, one method is to drag out the response for as long as possible.

This program opens a socket and pretends to be an SSH server. However, it actually just ties up SSH clients with false promises indefinitely — or at least until the client eventually gives up. After cloning the repository, here’s how you can try it out for yourself (default port 2222):

[...] Your SSH client will hang there and wait for at least several days before finally giving up. Like a mammoth in the La Brea Tar Pits, it got itself stuck and can’t get itself out. As I write, my Internet-facing SSH tarpit currently has 27 clients trapped in it. A few of these have been connected for weeks. In one particular spike it had 1,378 clients trapped at once, lasting about 20 hours.

Original Submission

 
This discussion has been archived. No new comments can be posted.
Endlessh: an SSH Tarpit | Log In/Create an Account | Top | 50 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by dwilson on Monday March 25 2019, @08:38PM (1 child)

    by dwilson (2599) Subscriber Badge on Monday March 25 2019, @08:38PM (#819724) Journal

    Rather than waste my resources responding to obviously malicious communications, I just block them. The way I do this is looked-down-upon for reasons I can't fathom.

    Probably because port-knocking looks and sounds needlessly complicated, given that the usual goal isn't to prevent unauthorized login attempts, but to prevent unauthorized logins.

    Myself, I lock it down by only allowing pubkey authentication and only certain users to connect, a few other changes, and then stop worrying about it. Logfiles haven't shown a break-in yet.

    stribika's ssh guide [github.io] is my usual go-to when setting up a new sshd instance.

    --
    - D
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 3, Interesting) by ledow on Monday April 01 2019, @10:16AM

    by ledow (5567) on Monday April 01 2019, @10:16AM (#823010) Homepage

    That's all fine... I have pub-key-only too. That's where your actual security is.

    But if you open port 22, you get thousands of automated attempts against it, and testing of your SSHd for vulnerabilities constantly.

    It only takes one remote hole, weak key, etc. to bring that down. And I'd rather my logs weren't filled with spammed access attempts except serious ones.

    Learning to ignore / not check your security logs is a very bad habit to get into.