This isn&#x27;t a real ssh server, so the &quot;cost&quot; to you of the attack isn&#x27;t really relevant. You can choose not to run this software at all, and the additional cost to you is zero.

I think it still works. You have two scenarios where the attacker is efficiently using goroutines; (1) you also use goroutines or (2) you do not. In the latter, the attack is more expensive for you.Another detail is that an attacker with many idle connections to your host might not instantiate any new ones.Of course, in the scenarios where the attacker is not using goroutines then you have the upper hand as well.

Though for a large amount of HTTP bots, the authors don&#x27;t even bother changing the default Python User-Agent. I&#x27;d assume a large proportion of these bots still can&#x27;t run concurrently.

Golang works well for this application because it can easily cope with very large numbers of idle goroutines.What the author may be missing is that golang also works well for bots and scanners, for exactly the same reason. Attackers&#x27; time isn&#x27;t being &quot;wasted&quot; by this, their goroutines are just sitting idle for longer.

Oh nice, do you have a blog post detailing it step by step?

I do something similar except send them bytes from &#x2F;dev&#x2F;random, providing free protocol fuzzing.

I run endlessh on the port 2222 and I configured fail2ban to redirect the source ip addresses who did X failed attempts from the dest port 22 to the dest port 2222 transparently.
I use the table NAT and prerouting to achieve that, you can use ipset to match the source ip addresses.

if you use port knocking, the first hit on your honeypot, can be the trigger to lockdown or redirect, a lot of other ports to somewhere away from your actual.

Isn&#x27;t the point of a honeypot that it&#x27;s not a real server? What guarantees are there that there won&#x27;t be an exploit that allows escaping the honeypot into the real data? Personally, I do not believe anything is 100% secure. So inviting the vampire into your facade home, and then getting upset when the vampire sees the charade and walks into your real home is just one of those &quot;well of course that happened&quot; situations.

Yes, check this distro <a href="https:&#x2F;&#x2F;hub.docker.com&#x2F;r&#x2F;linuxserver&#x2F;endlessh" rel="nofollow">https:&#x2F;&#x2F;hub.docker.com&#x2F;r&#x2F;linuxserver&#x2F;endlessh</a>

That&#x27;s the theory. I have an internet facing box using ssh on a weird port with fail2ban on it just in case.In over 10 years I&#x27;ve never had a single probe on that port with ssh.

But they don&#x27;t scan every port. I&#x27;ve been running my SSH server on a non-standard port for a long time, it took four years until I had the first bot with login attempts. About a year ago I changed the port and haven&#x27;t seen any bots since then.

The more targeted&#x2F;sophisticated ones will, but there&#x27;s a crapload of bots that just scan all publicly addressable IPs for port 22 and attempt to connect. If your goal is to trap as many bots as possible in the tarpit, you&#x27;ll get a lot more if you run on port 22.

I don&#x27;t think it matters, ssh bots will try any port that sends back the ssh banner.

The original endlessh hints at this, but doesn&#x27;t go further into details, and the endlessh-go&#x27;s README doesn&#x27;t mention it at all. Am I suppose to have endlessh run on port 22 and then have my real SSH server run on an obscure port? In none of the examples does it run on port 22. I feel like I&#x27;m missing something obvious, that the READMEs simply take for granted I know.

I don&#x27;t know if this is still the case, but -m string used to be resource intensive, because it has to parse each packet for the string before passing it on to other rules.

Why use PREROUTING chain? You could have achieved same with INPUT chain without specification of ingress interface and server IP address.

This, and a handful of simple firewall rules in the raw table can block about 90%+ of that remaining 1% just looking at the spoofable banner that none of the bots seem to spoof I assume due to being lazy like me.In the raw table:<pre><code> -A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -d [my server ip] -m string --string &quot;SSH-2.0-libssh&quot; --algo bm --from 10 --to 60 -j DROP
 -A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -d [my server ip] -m string --string &quot;SSH-2.0-Go&quot; --algo bm --from 10 --to 60 -j DROP
 -A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -d [my server ip] -m string --string &quot;SSH-2.0-JSCH&quot; --algo bm --from 10 --to 60 -j DROP
 -A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -d [my server ip] -m string --string &quot;SSH-2.0-Gany&quot; --algo bm --from 10 --to 60 -j DROP
 -A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -d [my server ip] -m string --string &quot;ZGrab&quot; --algo bm --from 10 --to 60 -j DROP
 -A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -d [my server ip] -m string --string &quot;MGLNDD&quot; --algo bm --from 10 --to 60 -j DROP
 -A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -d [my server ip] -m string --string &quot;amiko&quot; --algo bm --from 10 --to 60 -j DROP
</code></pre>
Adding the server IP minimizes risks of also blocking outbound connections as raw is statelessI rarely do this any more given they rotate through so many LTE IP&#x27;s. Instead I get the bot operators to block me by leaving SSH on port 22 and then giving them a really long VersionAdendum that seems to get the bots feeling broken, sticky and confused. There are far fewer SSH bot operators than it appears. They will still show up in the logs but that can be filtered out using drop patterns in rsyslog.<pre><code> VersionAddendum &quot; just put in a really long sentence in sshd_config that is at least 320 characters or more&quot;
</code></pre>
Try it out on a test box that you have console access to just in case your client is old enough to choke on it. Optionally use offensive words for the bots that log things to public websites. Only do this on your hobby nodes, not corporate owned nodes unless legal is cool with it, in writing.

Following the SSH hardening guide stops 99% of bots and scanners because they can&#x27;t negotiate a cipher using whatever ancient ones their SSH implementation is set up to use.

Endlessh periodically sends data so the read timeout won&#x27;t trigger. Specifically, it draws out the crypto negotiation stage indefinitely by exploiting a feature of the SSH protocol.(Of course, the bot author could detect that behaviour too.)There&#x27;s more info from the author of Endlessh: <a href="https:&#x2F;&#x2F;nullprogram.com&#x2F;blog&#x2F;2019&#x2F;03&#x2F;22&#x2F;" rel="nofollow">https:&#x2F;&#x2F;nullprogram.com&#x2F;blog&#x2F;2019&#x2F;03&#x2F;22&#x2F;</a>

What is a good example of assymetrical cost in your favour?

You&#x27;re understanding perfectly. The way this works is that it sends a slow drip of junk before the SSH version banner string. A scanner running at any real scale is going to have an overall timeout beyond which it doesn&#x27;t bother waiting any longer for the banner string.This is going to very slightly irritate some of the extremely low-level actors. Is setting up a tool to do that a good use of time?If you want to effectively deter attackers using a sand-trap approach, you need to find some kind of task with asymmetric cost in your favour. This isn&#x27;t that.

&gt; if your bot net consists of stolen CPU cycles what difference does it make if your bots are slowed down. It doesn&#x27;t cost you money.This is wrong. It does cost you money - either directly, because you paid money to use someone else&#x27;s botnet, or as an opportunity cost, in that you can&#x27;t use your bots on as many targets.

Yes a bot can, and sophisticated bots do.At the same time it&#x27;s much easier to write code that just died the bare minimum. Imagine you&#x27;re a bot herder, if your bot net consists of stolen CPU cycles what difference does it make if your bots are slowed down. It doesn&#x27;t cost you money.

But the bots can easily detect these, cant they? As long as there is a timeout on socket read, this shouldn&#x27;t waste that much of the scanners time.Or am I misunderstanding this?

&gt; My thought was to harvest their IPs and publish them in blocklists.Please do, it would mean good karma.

Funny but my first thought wasn&#x27;t wasting their time at all, that&#x27;s easily fixed with a few code adjustments on their client end. My thought was to harvest their IPs and publish them in blocklists.

I think you could employ the same tactics that advanced fuzzers do with these tarpits: then mutate the responses randomly, to try get &quot;new&quot; responses from the attackers, instead of new coverage in the code as in the fuzzer. Unless they are using static scripts, which would be boring.I have understood that most attacks are super-simple sort of, so probably not much to learn there. But an interesting project!

For other usecases there is an ipfilter target TARPIT, that does a similar thing on the TCP level.

But why? Just hide your ssh port. And port knock in. Or put it @ tor&#x2F;wg&#x2F;whatever.

Depends on how well programed the bot is I guess. Personaly I use the encrypted packet port knocking package fwknop on my home server to hide the ssh port until I need it.

Scanning all 65k ports takes time. Those aren&#x27;t targeted attacks, just bots connecting to every 22 ports they can find

You can setup a VPN (or head&#x2F;tailscale) and confine your &quot;real&quot; sshd there, and leave one of these tarpits in the open for fun and profit.

The point of this isn&#x27;t to hide your actual SSH service, but to tie up resources for those who are somewhat blindly scanning&#x2F;connecting to any open SSH port.

Does it matter, though? You can easily scan out the correct SSH port.

I&#x27;ve stopped lying to myself, I&#x27;m making cool stuff just for the sake of it. It&#x27;s like playing a video game, it doesn&#x27;t have to be productive if I enjoy it.

The thing about coders is that they&#x27;re often creators at heart.The stated reason is likely only the excuse they told themselves to justify the project. But the real reason was likely that they wanted to create something, and this was a good justification.Might just be me projecting though, because I do that all the time

People build in languages they are comfortable with. Golang is fairly easy to ship with and the performance is fine for something like this. Seems like a good tool for the job

&gt; &quot; I didn&#x27;t like the logging, so I re-implemented the entire thing.&quot;And did that in the &quot;language of the week&quot; :)The stuff that was reinvented in eg. ruby a few years ago is now reinvented in go and rust.

&gt; It&#x27;s interesting the things we do to get around the little things we don&#x27;t like.Yeah and perhaps pick up valuable skills, that might help us down the road in ways that are hard to quantify.

&gt; Unfortunately the wonderful original C implementation of endlessh only provides text based log, but I do not like the solution that writes extra scripts to parse the log outputs, then exports the results to a dashboard, because it would introduce extra layers in my current setup and it would depend on the format of the text log file rather than some structured data. Thus I create this golang implementation of endlessh to export Prometheus metrics and a Grafana dashboard to visualize them.&quot; I didn&#x27;t like the logging, so I re-implemented the entire thing.&quot;I&#x27;m not mocking, I just see this often (and have done it myself!). It&#x27;s interesting the things we do to get around the little things we don&#x27;t like.

Endlessh-go: a Golang SSH tarpit that traps bots/scanners