Endlessh: An SSH Tarpit(github.com) |
For individuals and smaller orgs I've sort of felt like keeping your head down, running a wg/ssh bastion with a non-standard port maybe along with single packet auth or even plain old port knocking to reduce log spam from random drive-by is more effective and attainable for places without any sort of dedicated security or even constant in-house IT staff. Running a tarpit on a VPS seems like it'd fail to bother most these days, and running it on an actual IP seems like at best it'd have no effect and at worst if it ever actually held up a scanner and the operator noticed they might decide to direct some actual attention to that IP, or at least throw a mild ddos at it for a bit. Am I wrong or out of date on that? I'm all for sticking it to bad actors and efforts to reduce the economic incentives, but in 2020 tarpits strike me as kind of obsolete with some risk to boot.
Running a tar pit is a bit like installing a trap on a bike in order to teach bike thieves a lesson. It won't really reduce the problem, but for a lot of people the idea of vengeance gives a bit of a warm happy feeling.
It's more like approaching a thief and persuading him to steal some bike "just around the corner", then guiding him around endlessly. While he's following you, he's also not stealing anything from anyone, his attention (which is naturally finite) gets drained - even just a little bit - to the benefit of the community as a whole. It's not necessarily about vengeance.
Maybe it is reducing the problem, but not enough people are installing traps to make a noticeable difference? Or the number of new thieves is cancelling out the number of thieves being put out of business by traps? Is there data for this?
Or maybe the traps just aren't sophisticated enough?
Sure, it's unlikely, but I don't see what I'd be gaining using fail2ban in the first place. I don't leave password authentication enabled, of course.
Log spam is a bit annoying, but at the end of the day, who cares? Even with the ongoing attempts, my authlog is like 300K uncompressed today and 60-120K per day gzipped. Whatever.
If I cared about that I would prefer to just block Chinese IP ranges outright.
Good. Isn't that the point? Also, I like your use of the word punishment as something negative in this context.
Some people decide to launch a DDOS attack or something like that in retaliation. It doesn't always happen, but there have been instances of an attacker being thwarted and then trying to punish the victim (who successfully defended themself) in some other way.
I currently have 22 clients stuck in it across three machines. When I started out it was more like a thousand, so it seems they've largely adapted.
I'm not sure we should be writing new network connected daemons in C though.
In general, yes. However, in this case--no, that's not helpful advice--because this program doesn't actually receive input from clients! Kind of hard to trigger exploitable behavior on a program that only sends output.
It wouldn't surprise me to find there were still possible exploits.
We're a long way from "Smashing the Stack", people are aware of mitigation and the care that needs to be taken, precautions have been made inside operating systems and compilers.
Not a lot of activity over the time I ran it, and I know that the port gets hit more than that. I had a much better time when I ran a honeypot with Kippo:
https://github.com/desaster/kippo
It was much more useful as it gave me a great list of IPs to block from all my systems ;)
It's sort of like those YouTube channels where they waste phone scammers' time in an entertaining way. [0] Obviously, the easiest thing for the callee to do is hang up the phone, but their goal is to make phone scams less profitable.
This can also be automated, so the defender doesn't even need to waste their own time on it. Eg: https://old.reddit.com/r/itslenny/ .
A tarpit will likely hurt you yourself, as the system ties up sockets for a long time and you'll run out eventually. You'd have to combine the tarpit with something to limit the number of connections you accept.
IMO, setting up ssh on another port has been useful, especially combined with port knocking. And of course turning off password auth.
It can be called "Initial Connection Delay": once a new TCP connection is established, wait for an unpredictable number of n seconds before reading and responding to the handshake request.
Of course, this functionality is only available in non-standard SSH servers such as the one from Bitvise.
Here's the kicker: The server wasn't even used to send mail and hadn't been for a long time. So we had to apply for a delisting from a mail blacklist for a server that didn't send mail so that a customer could use an API.
The admin thought they were being clever, but instead they were just being difficult.
What's the deepest level any bot has gotten?
Not really, no. If I ever rebuild my website, I will probably add some stats though :D
(sorry)
Pretty clever!
5420 levels seems to be the limit:
This one, right at the limit of 5420, works:
https://darkwiiplayer.com/bot-dungeon/M1Kt80XBcvk4ofn2m2IqRV...
(YMMV, some browsers might have their own url length limitations)
This one, at 5421 levels, breaks:
https://darkwiiplayer.com/bot-dungeon/M1Kt80XBcvk4ofn2m2IqRV...
    import os, time

    if ip == attacker_ip:                # only stall the flagged client
        for _ in range(10000):
            conn.sendall(os.urandom(1))  # dribble out one random byte
            time.sleep(10)               # then stall for 10 seconds

If "we" (both the overall world community and subsections) were able to significantly reduce the resources available to attackers for DDOS, making vengeance/example setting more expensive, that'd help. But it seems like it's going the other way if anything :(
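As an added example (not Endlessh's code, nor any commenter's), here is the idea from the pseudocode above carried through to a complete tarpit that also addresses the two points raised earlier in the thread: the "initial connection delay" of stalling a client before the real handshake, and the warning that a tarpit exhausts its own sockets unless it caps accepted connections. The stall is done in the SSH identification phase, where RFC 4253 lets a server emit arbitrary CRLF-terminated lines before its version string as long as none begins with "SSH-". The host, port, client cap and delay are assumed defaults, not values from the thread.

```python
import asyncio
import random
import string

# Added example, not Endlessh's code: a minimal SSH tarpit that keeps each
# client waiting in the pre-handshake banner phase, with a hard cap on
# concurrent clients so the tarpit cannot exhaust its own sockets.

PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def banner_line(rng: random.Random, max_len: int = 32) -> bytes:
    """Return one random CRLF-terminated line for the identification phase.

    RFC 4253 allows a server to send arbitrary lines before its real
    "SSH-2.0-..." version string, provided none of them starts with "SSH-".
    A conforming client keeps reading them, waiting for the real one.
    """
    length = rng.randint(3, max_len - 2)  # leave room for the CRLF
    while True:
        line = "".join(rng.choice(PRINTABLE) for _ in range(length))
        if not line.startswith("SSH-"):
            return line.encode("ascii") + b"\r\n"


def sample_lines(count: int, seed: int = 0) -> list:
    """Deterministic preview of what a stalled client would receive."""
    rng = random.Random(seed)
    return [banner_line(rng) for _ in range(count)]


class ConnectionLimiter:
    """Tracks active clients and refuses new ones beyond max_clients."""

    def __init__(self, max_clients: int) -> None:
        self.max_clients = max_clients
        self.active = 0

    def try_acquire(self) -> bool:
        if self.active >= self.max_clients:
            return False
        self.active += 1
        return True

    def release(self) -> None:
        self.active = max(0, self.active - 1)


async def tarpit_client(reader, writer, limiter, delay, rng):
    """Feed one client random banner lines, one every `delay` seconds."""
    if not limiter.try_acquire():
        writer.close()          # over the cap: drop rather than hold a socket
        return
    try:
        while True:
            writer.write(banner_line(rng))
            await writer.drain()         # fails once the client hangs up
            await asyncio.sleep(delay)
    except OSError:
        pass                             # client gave up; that is the point
    finally:
        limiter.release()
        writer.close()


async def serve(host="127.0.0.1", port=2222, max_clients=50, delay=10.0):
    # Assumed defaults: loopback, port 2222, 50 clients, 10 s between lines.
    limiter = ConnectionLimiter(max_clients)
    rng = random.SystemRandom()
    server = await asyncio.start_server(
        lambda r, w: tarpit_client(r, w, limiter, delay, rng), host, port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(serve())
```

Run it and point `ssh -p 2222 127.0.0.1` at it: the client sits there reading banner lines and never reaches key exchange. The limiter is the part that matters for the "you'll run out of sockets" objection; past the cap, new clients are closed immediately instead of being held, so the tarpit's own resource use stays bounded no matter how many scanners arrive.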
While everything is possible, most exploits happen on buffer overflows on user-received custom data, and since this is not allocating any buffer to receive anything (besides internal connection structures that are filled by the OS), the attack/exploit surface on this one is really tiny, if existent at all.
    PasswordAuthentication no
    ChallengeResponseAuthentication no

so sshd never generates a password prompt.

They all run on a non-standard port, and it's somewhat rare to see more than one unique IP address connection attempt, but every few days you see a few hundred in sequence from a script too dumb to notice.
You can give yourself a WireGuard-powered, Single Sign-on, secure overlay network between, say, your phone, your laptop, a DO droplet and an AWS instance near-instantly and for (currently) free with tailscale.
By 'near-instantly' I mean it takes almost no effort to set up. It takes me longer to get my dotfiles right on a new host.
Spamhaus usually stops a big chunk of them too.
NOTE: a few bits of info here, although someone mentioning ipchains means their comment is from an older time of course:
- use ipset for large sets of blocked IP addresses. That's what it's for, and it works well without slowdown, even on massive sets
- http://www.ipdeny.com/ipblocks/data/aggregated
This is a nice list of IP addresses broken down by region. Handy to download weekly, or monthly, and then dump into ipset.
- firehol is also a nice list to use, eg:
https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/ma...
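As an added example (not from the thread, and not ipset's own tooling), here is the "dump a downloaded list into ipset" step done safely: the plain-text block lists from ipdeny and firehol are one IPv4 address or CIDR per line with `#` comments, and the code below turns such a file into `ipset restore` input, discarding anything that is not an IPv4 network, then loads it and attaches a DROP rule. The set name and the `hash:net` parameters are assumptions; the `ipset -exist restore`, `iptables -C` and `iptables -I ... -m set --match-set` invocations are real commands.

```python
import ipaddress
import subprocess

# Added example, not from the thread: build `ipset restore` input from a
# downloaded block list and load it, instead of running one `ipset add`
# per entry (which is what makes large lists slow to load).


def build_ipset_restore(set_name: str, text: str) -> str:
    """Return an `ipset restore` script: one create line, one add per entry.

    Comment lines (#) and blanks are skipped; anything that does not parse
    as an IPv4 address or network is dropped rather than handed to ipset.
    """
    lines = ["create %s hash:net family inet" % set_name]
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()   # allow trailing comments
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue                           # garbage in the list
        if net.version != 4:
            continue                           # inet set: IPv4 only
        lines.append("add %s %s" % (set_name, net.with_prefixlen))
    return "\n".join(lines) + "\n"


def load_ipset(set_name: str, text: str) -> None:
    """Create or refresh the set, then make INPUT drop matches (needs root)."""
    script = build_ipset_restore(set_name, text)
    # -exist turns the create line and repeated add lines into no-ops, so
    # the same file can be reloaded weekly without errors.
    subprocess.run(["ipset", "-exist", "restore"],
                   input=script.encode(), check=True)
    rule = ["INPUT", "-m", "set", "--match-set", set_name, "src", "-j", "DROP"]
    # Only insert the DROP rule if it is not there yet (-C checks, -I inserts).
    if subprocess.run(["iptables", "-C"] + rule).returncode != 0:
        subprocess.run(["iptables", "-I"] + rule, check=True)


if __name__ == "__main__":
    import sys
    # Usage: python3 this.py SETNAME /path/to/downloaded/list.zone
    with open(sys.argv[2]) as fh:
        load_ipset(sys.argv[1], fh.read())
```

Note that `-exist` only adds; entries removed upstream stay in the set. To drop those too, load the new list into a second set and `ipset swap` it into place, which is the usual refresh pattern for these weekly downloads.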
Please contact me at f7m4 {at} proxyto.me if you have any interest in beta-testing an app that does this exact thing.
something like: fail2ban-client set addignoreip x.x.x.x or fail2ban-client set addignoreregex hostname.com
First they went down the regular path up Damrak to get to Leidseplein, but slowly and imperceptibly the streets were getting narrower and narrower, until they finally reached a dead end. That's when the guy whirled around, flipped out a small pocket knife and wheezed to them, "Gimme all your cash! NOW!"
The guys looked at each other, and then looked at him, and then one of the guys calmly told him, "Look, we're two guys, and you're just one. Even if you get one of us, the other will beat your head in. You can't win this."
The mugger looked puzzled for a moment, but then he retorted, "Ok, give me half your money then, and nobody gets hurt!" Not wanting to be the first guy who got stabbed, they agreed that, "Fine, we'll give you half! But only if you promise to not stab us." And so the deal went down, and they had finally arrived in Amsterdam.
If you need help, ask, don't wait to be asked.
I've never gone with anyone anywhere but very public spaces. But I actually have found some real gems tucked away off the beaten path this way.
There was a slightly dark time in the middle though, where my friend and I were sure we were going to be mugged and left for dead when we were driving further and further from the city. I've never experienced anything quite like it before or since. We both looked at each other, and in an instant with a single expression we were both able to convey that "I love you and we're going to die". We were totally relieved when it turned out they just wanted to show a scenic view by the sea, while showing us a lot of very rich mansions along the way.
Was totally surreal, though, and I'm not sure how lucky we were.
Wouldn't end that way with me and my friends.
Why not make it “identity.ed25519.private.sshkey” and default to “20200916{,T224400Z}.ed25519.{private,public}.sshkey”?
Test then Ban.
[1]: https://en.wikipedia.org/wiki/Murders_of_Louisa_Vesterager_J...
Case in point, I travelled with my friends through Serbia during the early 2000s. Now, we'd spoken with our country's foreign ministry, and they told us that it was relatively safe to travel in the North of the country. At the time, we were advised to avoid the South of Serbia because of small gang clashes still being ongoing. We avoided Romania as well, since a lot of car jackings had been reported at the time.
After driving for a very long time, we got tired, and parked at a forest road in the darkness. It was pitch black, so we figured no one would come there. But after a while, I heard a car stop down at the main road, and two guys moving closer to our car on the gravel. This prompted me to reach for a small screwdriver I had lying around, just in case.
When they arrived at the car, they knocked on my window, and peering to the darkness I noticed that they were actually police officers. They wanted to know what we were doing there, so I explained to them that we were just trying to get some sleep for the night.
Then they asked me, "Did you see the boarded-up gas station further up the road?" I nodded, and he continued. "Yeah, well, last week a gang came by there and shot the whole family dead, mother, father and two kids. That's why the place is boarded up. Listen, guys, this place isn't safe. So please come with us, and we'll show you a lit parking lot in the nearest town. You can sleep safely there, under the lights."
Needless to say, we accepted their escort, although it was far easier to sleep in the darkness than under a street light.
Then there's the story of my boss who ignored advice not to go to Egypt during some troubled times, and ended up in a firefight as the bus in front of him was lit up by a hail of bullets. He thought he was going to die, and he very well could have if he'd gone with the front bus.
I initially interpreted that sentence differently than how you probably intended it.
:q!dammitwtf
I like nano, and I'm not ashamed to admit it.
example: visudo -cf /etc/sudoers; visudo -cf /etc/sudoers.d/extra