Endlessh: An SSH Tarpit
Endlessh is an SSH tarpit that very slowly sends an endless, random
SSH banner. It keeps SSH clients locked up for hours or even days
at a time. The purpose is to put your real SSH server on another port
and then let the script kiddies get stuck in this tarpit instead of
bothering a real server.

Since the tarpit is in the banner before any cryptographic exchange
occurs, this program doesn't depend on any cryptographic libraries. It's
a simple, single-threaded, standalone C program. It traps multiple
clients at a time.

Usage information is printed with -h.

    Usage: endlessh [-vhs] [-d MS] [-f CONFIG] [-l LEN] [-m LIMIT] [-p PORT]
      -4        Bind to IPv4 only
      -6        Bind to IPv6 only
      -d INT    Message millisecond delay
      -f        Set and load config file [/etc/endlessh/config]
      -h        Print this help message and exit
      -l INT    Maximum banner line length (3-255)
      -m INT    Maximum number of clients
      -p INT    Listening port
      -s        Print diagnostics to syslog instead of standard output
      -v        Print diagnostics (repeatable)

Argument order matters. The configuration file is loaded when the -f
argument is processed, so only the options that follow will override the

By default no log messages are produced. The first -v enables basic
logging and a second -v enables debugging logging (noisy). All log
messages are sent to standard output by default. -s causes them to be
sent to syslog.

endlessh -v >endlessh.log 2>endlessh.err

A SIGTERM signal will gracefully shut down the daemon, allowing it to
write a complete, consistent log.
A SIGHUP signal requests a reload of the configuration file.
A SIGUSR1 signal will print connections stats to the log.

Sample Configuration File
The configuration file has similar syntax to OpenSSH.

    # The port on which to listen for new SSH connections.
    Port 2222

    # The endless banner is sent one line at a time. This is the delay
    # in milliseconds between individual lines.
    Delay 10000

    # The length of each line is randomized. This controls the maximum
    # length of each line. Shorter lines may keep clients on for longer if
    # they give up after a certain number of bytes.
    MaxLineLength 32

    # Maximum number of connections to accept at a time. Connections beyond
    # this are not immediately rejected, but will wait in the queue.
    MaxClients 4096

    # Set the detail level for the log.
    #   0 = Quiet
    #   1 = Standard, useful log messages
    #   2 = Very noisy debugging information
    LogLevel 0

    # Set the family of the listening socket
    #   0 = Use IPv4 Mapped IPv6 (Both v4 and v6, default)
    #   4 = Use IPv4 only
    #   6 = Use IPv6 only
    BindFamily 0

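As an added illustration (not Endlessh's own source), the following C sketch generates one filler banner line of randomized length, the unit that is sent once per Delay interval. The names tarpit_line and next_rand are hypothetical, and the sketch assumes the RFC 4253 rule that lines sent before the version string must not begin with "SSH-".

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* xorshift32 PRNG (hypothetical helper). Predictable output is fine here:
 * the filler carries no secret. Seed with a nonzero value. */
static uint32_t next_rand(uint32_t *state)
{
    uint32_t x = *state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return *state = x;
}

/* Write one filler line into buf and return its length in bytes.
 * maxlen includes the trailing CRLF and must be in 3..255, the range the
 * usage text gives for -l / MaxLineLength. buf must hold maxlen bytes.
 * Returns -1 if maxlen is out of range. */
int tarpit_line(char *buf, int maxlen, uint32_t *state)
{
    if (maxlen < 3 || maxlen > 255)
        return -1;
    int len = 3 + (int)(next_rand(state) % (uint32_t)(maxlen - 2));
    for (int i = 0; i < len - 2; i++)
        buf[i] = (char)(32 + next_rand(state) % 95); /* printable ASCII */
    buf[len - 2] = '\r';
    buf[len - 1] = '\n';
    /* A line starting with "SSH-" would be read as the version string and
     * end the banner phase, so break that prefix if it ever appears. */
    if (len >= 4 && memcmp(buf, "SSH-", 4) == 0)
        buf[0] = 'X';
    return len;
}

int main(void)
{
    uint32_t seed = 2463534242u; /* constructed seed for the demo */
    char buf[255];
    for (int i = 0; i < 5; i++)
        fwrite(buf, 1, (size_t)tarpit_line(buf, 32, &seed), stdout);
    return 0;
}
```
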
Build issues
Some more esoteric systems require extra configuration when building.

RHEL 6 / CentOS 6
This system uses a version of glibc older than 2.17 (December 2012), and
clock_gettime(2) is still in librt. For these systems you will need to
link against librt:

    make LDLIBS=-lrt

Solaris / illumos
These systems don't include all the necessary functionality in libc and
the linker requires some extra libraries:

    make CC=gcc LDLIBS='-lnsl -lrt -lsocket'

If you're not using GCC or Clang, also override CFLAGS and LDFLAGS
to remove GCC-specific options. For example, on Solaris:

    make CFLAGS=-fast LDFLAGS= LDLIBS='-lnsl -lrt -lsocket'

The feature test macros on these systems are not reliable, so you may also
need to use