Trap (tarpit) for incoming SSH connections
It is no secret that the Internet is a very hostile environment. As soon as you raise the server, it instantly undergoes massive attacks and multiple scans. Using the example of hanipot from bezopasnik, we can estimate the scale of this garbage traffic. In fact, on an average server, 99% of the traffic can be malicious.
Tarpit is a trap port that is used to slow down incoming connections. If a third-party system connects to this port, then quickly close the connection does not work. She will have to spend her system resources and wait until the connection is interrupted by timeout, or manually break it.
Tarpits are most often used for protection. The technique was first developed to protect against computer worms. And now it can be used to ruin the lives of spammers and researchers who are engaged in extensive scanning of all IP addresses in a row (examples in Habré: Austria , Ukraine ).
One of the sysadmins named Chris Wellons apparently tired of watching this outrage - and he wrote a small program Endlessh , tarpit for SSH, slowing down incoming connections. The program opens the port (the default port 2222 is specified for testing) and pretends to be an SSH server, and in fact establishes an infinite connection with the incoming client until it gives up. This may last for several days or more until the client falls off.
')
Utility installation:
Properly implemented tarpit takes away from the attacker more resources than you. But it's not about resources. The author writes that the program is addictive. Right now there are 27 clients in his trap, some of them have been connected for weeks. At the peak of activity, 1378 customers were trapped for 20 hours!
In working mode, the Endlessh server needs to be installed on the regular port 22, where the hooligans are knocking en masse. Standard security recommendations always advise to move SSH to another port, which immediately reduces the size of the logs by an order of magnitude.
Chris Wellons says that his program exploits one paragraph from the RFC 4253 specification for the SSH protocol. Immediately after establishing a TCP connection, but before using cryptography, both parties must send an identification string. And there is a postscript: “The server MAY send other data lines before sending the version string” . And there is no limit to the amount of this data, just every line cannot be started with
This is exactly what the Endlessh program does: it sends an endless stream of randomly generated data that complies with RFC 4253, that is, sent before authentication, and each line does not start with
By default, the program waits 10 seconds between sending packets. This prevents the shutdown by timeout, so the client will be trapped forever.
Since sending data is carried out before cryptography is used, the program is extremely simple. It does not need to implement any cipher and support for multiple protocols.
The author tried to make the utility consume a minimum of resources and work completely unnoticed on the machine. Unlike modern antiviruses and other "security systems", it should not slow down the computer. He managed to minimize both traffic and memory consumption due to a little more cunning software implementation. If he simply launched a separate process on a new connection, then potential attackers could launch a DDoS attack, opening many connections to deplete resources on the machine. One thread per connection is also not the best option, because the kernel will spend resources on managing threads.
Therefore, Chris Wellons chose the most lightweight option for Endlessh: a single-threaded
The author says that at the time of his program he did not know about the existence of Python-based asycio and other tarpits. If he knew about asycio, he could have implemented his utility in just 18 lines of Python:
Asyncio is perfect for writing Tarpitians. For example, such a trap will hang Firefox, Chrome or another client trying to connect to your HTTP server for many hours:
Tarpit is a great tool for punishing Internet hooligans. True, there is some risk, on the contrary, to draw their attention to the unusual behavior of a particular server. Someone might think about revenge and a targeted DDoS attack on your IP. However, so far there have been no such cases, and tarpits work fine.
Tarpit is a trap port that is used to slow down incoming connections. If a third-party system connects to this port, then quickly close the connection does not work. She will have to spend her system resources and wait until the connection is interrupted by timeout, or manually break it.
Tarpits are most often used for protection. The technique was first developed to protect against computer worms. And now it can be used to ruin the lives of spammers and researchers who are engaged in extensive scanning of all IP addresses in a row (examples in Habré: Austria , Ukraine ).
One of the sysadmins named Chris Wellons apparently tired of watching this outrage - and he wrote a small program Endlessh , tarpit for SSH, slowing down incoming connections. The program opens the port (the default port 2222 is specified for testing) and pretends to be an SSH server, and in fact establishes an infinite connection with the incoming client until it gives up. This may last for several days or more until the client falls off.
')
Utility installation:
$ make $ ./endlessh & $ ssh -p2222 localhost Properly implemented tarpit takes away from the attacker more resources than you. But it's not about resources. The author writes that the program is addictive. Right now there are 27 clients in his trap, some of them have been connected for weeks. At the peak of activity, 1378 customers were trapped for 20 hours!
In working mode, the Endlessh server needs to be installed on the regular port 22, where the hooligans are knocking en masse. Standard security recommendations always advise to move SSH to another port, which immediately reduces the size of the logs by an order of magnitude.
Chris Wellons says that his program exploits one paragraph from the RFC 4253 specification for the SSH protocol. Immediately after establishing a TCP connection, but before using cryptography, both parties must send an identification string. And there is a postscript: “The server MAY send other data lines before sending the version string” . And there is no limit to the amount of this data, just every line cannot be started with
SSH- .This is exactly what the Endlessh program does: it sends an endless stream of randomly generated data that complies with RFC 4253, that is, sent before authentication, and each line does not start with
SSH- and does not exceed 255 characters, including the line ending character. In general, everything is standard.By default, the program waits 10 seconds between sending packets. This prevents the shutdown by timeout, so the client will be trapped forever.
Since sending data is carried out before cryptography is used, the program is extremely simple. It does not need to implement any cipher and support for multiple protocols.
The author tried to make the utility consume a minimum of resources and work completely unnoticed on the machine. Unlike modern antiviruses and other "security systems", it should not slow down the computer. He managed to minimize both traffic and memory consumption due to a little more cunning software implementation. If he simply launched a separate process on a new connection, then potential attackers could launch a DDoS attack, opening many connections to deplete resources on the machine. One thread per connection is also not the best option, because the kernel will spend resources on managing threads.
Therefore, Chris Wellons chose the most lightweight option for Endlessh: a single-threaded
poll(2) server, where clients in the trap consume almost no extra resources, not counting the socket object in the kernel, and another 78 bytes to track in Endlessh. In order not to allocate receive and send buffers for each client, Endlessh opens a direct access socket and directly transmits TCP packets, ignoring almost the entire TCP / IP stack of the operating system. The incoming buffer is not needed at all, because the incoming data does not interest us.The author says that at the time of his program he did not know about the existence of Python-based asycio and other tarpits. If he knew about asycio, he could have implemented his utility in just 18 lines of Python:
import asyncio import random async def handler(_reader, writer): try: while True: await asyncio.sleep(10) writer.write(b'%x\r\n' % random.randint(0, 2**32)) await writer.drain() except ConnectionResetError: pass async def main(): server = await asyncio.start_server(handler, '0.0.0.0', 2222) async with server: await server.serve_forever() asyncio.run(main()) Asyncio is perfect for writing Tarpitians. For example, such a trap will hang Firefox, Chrome or another client trying to connect to your HTTP server for many hours:
import asyncio import random async def handler(_reader, writer): writer.write(b'HTTP/1.1 200 OK\r\n') try: while True: await asyncio.sleep(5) header = random.randint(0, 2**32) value = random.randint(0, 2**32) writer.write(b'X-%x: %x\r\n' % (header, value)) await writer.drain() except ConnectionResetError: pass async def main(): server = await asyncio.start_server(handler, '0.0.0.0', 8080) async with server: await server.serve_forever() asyncio.run(main()) Tarpit is a great tool for punishing Internet hooligans. True, there is some risk, on the contrary, to draw their attention to the unusual behavior of a particular server. Someone might think about revenge and a targeted DDoS attack on your IP. However, so far there have been no such cases, and tarpits work fine.
Source: https://habr.com/ru/post/445318/
All Articles