{"id":308,"date":"2022-01-15T12:37:34","date_gmt":"2022-01-15T10:37:34","guid":{"rendered":"https:\/\/greenhouse.cv.ua\/?p=308"},"modified":"2022-01-15T12:37:34","modified_gmt":"2022-01-15T10:37:34","slug":"ssh-honeypot","status":"publish","type":"post","link":"https:\/\/greenhouse.cv.ua\/?p=308","title":{"rendered":"SSH Honeypot"},"content":{"rendered":"\n

Endlessh is an SSH tarpit that very<\/em> slowly sends an endless, random SSH banner<\/a>. It keeps SSH clients locked up for hours or even days at a time. The purpose is to put your real SSH server on another port and then let the script kiddies get stuck in this tarpit instead of bothering a real server.<\/p>\n\n\n\n

Since the tarpit is in the banner before any cryptographic exchange occurs, this program doesn’t depend on any cryptographic libraries. It’s a simple, single-threaded, standalone C program. It uses poll()<\/code> to trap multiple clients at a time.<\/p>\n\n\n\n

<\/a>Usage<\/h2>\n\n\n\n

Usage information is printed with -h<\/code>.<\/p>\n\n\n\n

Usage: endlessh [-vhs] [-d MS] [-f CONFIG] [-l LEN] [-m LIMIT] [-p PORT]\n  -4        Bind to IPv4 only\n  -6        Bind to IPv6 only\n  -d INT    Message millisecond delay [10000]\n  -f        Set and load config file [\/etc\/endlessh\/config]\n  -h        Print this help message and exit\n  -l INT    Maximum banner line length (3-255) [32]\n  -m INT    Maximum number of clients [4096]\n  -p INT    Listening port [2222]\n  -s        Print diagnostics to syslog instead of standard output\n  -v        Print diagnostics (repeatable)\n<\/code><\/pre>\n\n\n\n
Argument order matters. The configuration file is loaded when the -f<\/code> argument is processed, so only the options that follow will override the configuration file.<\/p>\n\n\n\n
By default no log messages are produced. The first -v<\/code> enables basic logging and a second -v<\/code> enables debugging logging (noisy). All log messages are sent to standard output by default. -s<\/code> causes them to be sent to syslog.<\/p>\n\n\n\n
endlessh -v >endlessh.log 2>endlessh.err\n<\/code><\/pre>\n\n\n\n
A SIGTERM signal will gracefully shut down the daemon, allowing it to write a complete, consistent log.<\/p>\n\n\n\n
A SIGHUP signal requests a reload of the configuration file (-f<\/code>).<\/p>\n\n\n\n
A SIGUSR1 signal will print connections stats to the log.<\/p>\n\n\n\n
<\/a>Sample Configuration File<\/h2>\n\n\n\n
The configuration file has similar syntax to OpenSSH.<\/p>\n\n\n\n
# The port on which to listen for new SSH connections.\nPort 2222\n\n# The endless banner is sent one line at a time. This is the delay\n# in milliseconds between individual lines.\nDelay 10000\n\n# The length of each line is randomized. This controls the maximum\n# length of each line. Shorter lines may keep clients on for longer if\n# they give up after a certain number of bytes.\nMaxLineLength 32\n\n# Maximum number of connections to accept at a time. Connections beyond\n# this are not immediately rejected, but will wait in the queue.\nMaxClients 4096\n\n# Set the detail level for the log.\n#   0 = Quiet\n#   1 = Standard, useful log messages\n#   2 = Very noisy debugging information\nLogLevel 0\n\n# Set the family of the listening socket\n#   0 = Use IPv4 Mapped IPv6 (Both v4 and v6, default)\n#   4 = Use IPv4 only\n#   6 = Use IPv6 only\nBindFamily 0\n<\/code><\/pre>\n\n\n\n
<\/a>Build issues<\/h2>\n\n\n\n
Some more esoteric systems require extra configuration when building.<\/p>\n\n\n\n
<\/a>RHEL 6 \/ CentOS 6<\/h3>\n\n\n\n
This system uses a version of glibc older than 2.17 (December 2012), and clock_gettime(2)<\/code> is still in librt. For these systems you will need to link against librt:<\/p>\n\n\n\n
make LDLIBS=-lrt\n<\/code><\/pre>\n\n\n\n
<\/a>Solaris \/ illumos<\/h3>\n\n\n\n
These systems don’t include all the necessary functionality in libc and the linker requires some extra libraries:<\/p>\n\n\n\n
make CC=gcc LDLIBS='-lnsl -lrt -lsocket'\n<\/code><\/pre>\n\n\n\n
If you’re not using GCC or Clang, also override CFLAGS<\/code> and LDFLAGS<\/code> to remove GCC-specific options. For example, on Solaris:<\/p>\n\n\n\n
make CFLAGS=-fast LDFLAGS= LDLIBS='-lnsl -lrt -lsocket'\n<\/code><\/pre>\n\n\n\n
The feature test macros on these systems isn’t reliable, so you may also need to use -D__EXTENSIONS__<\/code> in CFLAGS<\/code>.<\/p>\n\n\n\n
<\/a>OpenBSD<\/h3>\n\n\n\n
The man page needs to go into a different path for OpenBSD’s man<\/code> command:<\/p>\n\n\n\n
diff --git a\/Makefile b\/Makefile\nindex 119347a..dedf69d 100644\n--- a\/Makefile\n+++ b\/Makefile\n@@ -14,8 +14,8 @@ endlessh: endlessh.c\n install: endlessh\n        install -d $(DESTDIR)$(PREFIX)\/bin\n        install -m 755 endlessh $(DESTDIR)$(PREFIX)\/bin\/\n-       install -d $(DESTDIR)$(PREFIX)\/share\/man\/man1\n-       install -m 644 endlessh.1 $(DESTDIR)$(PREFIX)\/share\/man\/man1\/\n+       install -d $(DESTDIR)$(PREFIX)\/man\/man1\n+       install -m 644 endlessh.1 $(DESTDIR)$(PREFIX)\/man\/man1\/\n\n clean:\n        rm -rf endlessh\n<\/code><\/pre>\n\n\n\n
\n