Endlessh is an SSH tarpit that very slowly sends an endless, random SSH banner. It keeps SSH clients locked up for hours or even days at a time. The purpose is to put your real SSH server on another port and then let the script kiddies get stuck in this tarpit instead of bothering a real server.
endlessh 会开启一个 socket 然后伪装成一个 SSH 服务端(蜜罐),对连接的会话无止境地发送 SSH 应答,从而耗费攻击者的宝贵时间
详细的实现方式可查看参考链接,下文将展示如何在 Debian 10 下配置 endlessh
环境
- Debain 10
参考
- Endlessh: an SSH Tarpit
- skeeto / endlessh · GitHub
- SSH Honeypot in 4 Minutes – Trap Hackers in Your Server
步骤
- 获取 endlessh
- 执行指令
git clone https://github.com/skeeto/endlessh
- 执行指令
- 编译 endlessh
- 执行指令
cd endlessh make
- endlessh 可执行文件在根目录
- 执行指令
- 配置 endlessh
- 将 endlessh 放入 PATH
mv ./endlessh /usr/local/bin/
- 复制配置文件到系统服务目录
cp util/endlessh.service /etc/systemd/system/
- 执行指令(以下两个步骤将允许 endlessh 绑定到 1024 以内的端口)
setcap 'cap_net_bind_service=+ep' /usr/local/bin/endlessh
- 编辑配置文件
vim /etc/systemd/system/endlessh.service # 进行如下更改: # 取消注释此行: AmbientCapabilities=CAP_NET_BIND_SERVICE # 注释掉此行: # PrivateUsers=true
- 将 endlessh 放入 PATH
- 编辑 endlessh 配置文件
- endlessh 默认会读取 /etc/endlessh/ 下的 config 配置文件
mkdir /etc/endlessh vim /etc/endlessh/config
- 添加以下内容
Port [你的端口] # 设置应答的间隔(毫秒) # Delay 10000 # 设置应答文字随机的长度 # MaxLineLength 32 # 设置最大 SSH 客户端数量 # MaxClients 4096 # 日志级别 # LogLevel 0 # 绑定端口类别(v4 or v6),默认全部绑定 # BindFamily 0
- endlessh 默认会读取 /etc/endlessh/ 下的 config 配置文件
- 开启服务并设置开机自启
systemctl start endlessh.service systemctl status endlessh.service
