Jack Wallen shows you how to add an SSH tarpit to Ubuntu Server with the help of endlessh.
In your never-ending quest to secure your Linux servers, you've probably noticed how much of the hostile traffic they attract is aimed at SSH. Even a well-hardened daemon on port 22 is hammered around the clock by automated brute-force attempts. That's why you might consider setting up a tarpit for that service.
Essentially, the tarpit takes over the standard SSH port while the real sshd moves to another port. When a scanner connects, endlessh never starts an SSH handshake; it slowly sends an endless stream of random banner lines, one every few seconds, and because the SSH protocol tells clients to ignore any lines that arrive before the server's SSH- identification line, the client just keeps waiting. That's how endlessh works. Install it and configure it for port 22 and the script kiddies will wind up in a tarpit, tying up their scanners instead of your daemon. It's a delay tactic, not a control, so keep your real sshd hardened as well.
I'm going to show you how to do just that.
What you'll need
I'll be demonstrating how this is done on Ubuntu Server 20.04, although endlessh can be installed on most Linux servers. You'll need an instance of that running and a user with sudo privileges.
How to install endlessh
Although you can install endlessh from the standard repositories, we don't want that version, as it doesn't include the necessary systemd service file. Instead, clone endlessh from the GitHub repository with the command:
git clone https://github.com/skeeto/endlessh
Before we go any further, you'll probably need to install the necessary tools to build endlessh with the command:
sudo apt-get install build-essential -y
Once this is installed, change into the newly-created directory with the command:
cd endlessh
Compile endlessh with the command:
make
Install endlessh (the binary lands in /usr/local/bin) with the command:
sudo make install
After you run the make install command, you must copy the systemd service file with:
sudo cp util/endlessh.service /etc/systemd/system
How to configure endlessh
Out of the box, the endlessh service runs as an unprivileged, sandboxed process, so it can only bind ports above 1024, but we want the tool on the default SSH port. To do this, you must make two changes in the systemd service file and grant the binary the capability to bind a privileged port. Issue the command:
sudo nano /etc/systemd/system/endlessh.service
In that file, uncomment (remove the # character) the line that grants the port-binding capability, so that
#AmbientCapabilities=CAP_NET_BIND_SERVICE
becomes
AmbientCapabilities=CAP_NET_BIND_SERVICE
We then need to comment out (add a # character to the beginning of the line) the user-namespace sandbox, which must be off for that capability to take effect:
PrivateUsers=true
Save and close the file.
Next, run the command:
sudo setcap 'cap_net_bind_service=+ep' /usr/local/bin/endlessh
Next, open the endlessh configuration file with the command:
sudo nano /etc/endlessh/config
You'll want to change the port from 2222 to 22. If you find there's nothing in that file, paste the following:
# The port on which to listen for new SSH connections.
Port 22

# The endless banner is sent one line at a time. This is the delay
# in milliseconds between individual lines.
Delay 10000

# The length of each line is randomized. This controls the maximum
# length of each line. Shorter lines may keep clients on for longer if
# they give up after a certain number of bytes.
MaxLineLength 32

# Maximum number of connections to accept at a time. Connections beyond
# these are not immediately rejected but will wait in the queue.
MaxClients 4096

# Set the detail level for the log.
# 0 = Quiet
# 1 = Standard, useful log messages
# 2 = Very noisy debugging information
LogLevel 0

# Set the family of the listening socket
# 0 = Use IPv4 Mapped IPv6 (Both v4 and v6, default)
# 4 = Use IPv4 only
# 6 = Use IPv6 only
BindFamily 0
Save and close the file.
How to configure SSH
Now, we need to configure SSH to use a different port than 22. Open the daemon configuration file with the command:
sudo nano /etc/ssh/sshd_config
In that file, find the line
#Port 22
uncomment it and change the number to the port you'll use for real logins. This guide uses 26:
Port 26
Pick a port nothing else is listening on, and if a firewall such as ufw is active, allow the new port before you restart sshd or you will lock yourself out of the server.
Save and close the file.
You don't need to reboot, but you do need to get the order right, because endlessh cannot bind port 22 while sshd still holds it. Restart sshd so it moves to port 26 (keep your current session open and confirm a fresh login on port 26 works before you go further), reload systemd so it picks up the new unit file, then start and enable the endlessh service with the commands:
sudo systemctl restart ssh
sudo systemctl daemon-reload
sudo systemctl enable --now endlessh
Confirm that each daemon is on the port you expect with:
sudo ss -ltnp | grep -E ':(22|26) '
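The whole procedure, from build to service start, as one script. This is an added example written for this article, not the article's own commands and not something shipped by the endlessh project. It assumes the upstream util/endlessh.service carries the lines #AmbientCapabilities=CAP_NET_BIND_SERVICE and PrivateUsers=true, that Ubuntu's stock sshd_config carries #Port 22, and that sshd's unit is named ssh (true on Ubuntu 20.04). The helpers take file paths so you can exercise them on copies before touching the live system; the install path only runs with --install.

```bash
#!/usr/bin/env bash
# Added example: the endlessh setup from this article as one script.
# Not from the article or the endlessh project. Assumes upstream
# util/endlessh.service carries "#AmbientCapabilities=CAP_NET_BIND_SERVICE"
# and "PrivateUsers=true", that Ubuntu's sshd_config carries "#Port 22",
# and that sshd's unit is called "ssh" (true on Ubuntu 20.04).
set -eu

TARPIT_PORT=22   # where endlessh will listen
SSH_PORT=26      # where the real sshd moves to
SRC=/usr/local/src/endlessh

# Enable the ambient capability and disable PrivateUsers in a unit file.
# The two go together: PrivateUsers=true puts the service in a user
# namespace where the capability does not let it bind a low port.
patch_unit_file() {          # $1 = path to endlessh.service
    sed -i \
        -e 's/^#\(AmbientCapabilities=CAP_NET_BIND_SERVICE\)$/\1/' \
        -e 's/^\(PrivateUsers=true\)$/#\1/' "$1"
}

# Write an endlessh config that listens on the given port.
write_endlessh_config() {    # $1 = path, $2 = port
    cat > "$1" <<EOF
Port $2
Delay 10000
MaxLineLength 32
MaxClients 4096
LogLevel 1
BindFamily 0
EOF
}

# Point sshd at a new port whether "Port" is present, commented, or absent.
set_sshd_port() {            # $1 = path to sshd_config, $2 = port
    if grep -qE '^#?Port ' "$1"; then
        sed -i -E "s/^#?Port .*/Port $2/" "$1"
    else
        printf 'Port %s\n' "$2" >> "$1"
    fi
}

# True if nothing is listening on the TCP port (needs iproute2's ss).
port_is_free() {             # $1 = port
    ! ss -Hltn "sport = :$1" | grep -q .
}

install_endlessh() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    apt-get install -y build-essential git
    [ -d "$SRC" ] || git clone https://github.com/skeeto/endlessh "$SRC"
    make -C "$SRC"
    make -C "$SRC" install
    install -m 644 "$SRC/util/endlessh.service" /etc/systemd/system/endlessh.service
    patch_unit_file /etc/systemd/system/endlessh.service
    setcap 'cap_net_bind_service=+ep' /usr/local/bin/endlessh
    mkdir -p /etc/endlessh
    write_endlessh_config /etc/endlessh/config "$TARPIT_PORT"

    # Refuse to move sshd onto a port something else already owns.
    port_is_free "$SSH_PORT" || { echo "port $SSH_PORT is in use" >&2; exit 1; }
    # Open the new admin port first if ufw is active, or you lock yourself out.
    if command -v ufw >/dev/null 2>&1 && ufw status | grep -q '^Status: active'; then
        ufw allow "$SSH_PORT/tcp"
    fi
    set_sshd_port /etc/ssh/sshd_config "$SSH_PORT"
    sshd -t                              # syntax-check before restarting
    systemctl restart ssh                # frees port 22 for the tarpit
    systemctl daemon-reload              # pick up the new unit file
    systemctl enable --now endlessh
    # Verify: sshd gone from 22, endlessh holding it.
    port_is_free "$TARPIT_PORT" && { echo "endlessh is not on $TARPIT_PORT" >&2; exit 1; }
    ss -ltnp | grep -E ":($TARPIT_PORT|$SSH_PORT) "
}

if [ "${1:-}" = "--install" ]; then
    install_endlessh
fi
```

Run it as root with --install from a console or an existing session you keep open; the ufw check and the port-in-use check are there precisely because moving sshd is the step that can lock you out.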
How to test endlessh
Open a terminal on another machine and attempt to log in to the endlessh server with the command:
ssh USER@SERVER -v
Where USER is a valid user on the remote server and SERVER is the IP address of the server. With -v you should see the tarpit's random banner lines scroll past as debug output while the login never completes (Figure A); without -v the client simply appears to hang, which is exactly what a scanner experiences. Hit the Ctrl+c key combination to get out of the loop.
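A scriptable version of that test, useful for checking the tarpit from a monitoring host without an interactive ssh session. This is an added example, not from the article or the endlessh project; it assumes bash's /dev/tcp and the coreutils timeout command. It captures whatever a port sends for a few seconds and classifies it: a real SSH server identifies itself with a line beginning SSH-, the protocol lets a server send other lines first and requires clients to ignore them, and a tarpit sends only such lines.

```bash
#!/usr/bin/env bash
# Added example, not from the article or the endlessh project: capture what a
# host sends on a port for a few seconds and decide whether it behaves like a
# tarpit or a real SSH server. Assumes bash's /dev/tcp and coreutils timeout.
set -eu

# Collect raw banner bytes from host:port for N seconds (default 15).
# timeout exits 124 when the clock runs out; that is the expected outcome.
grab_banner() {              # $1 = host, $2 = port, $3 = seconds
    timeout "${3:-15}" bash -c "exec 3<>/dev/tcp/$1/$2 && cat <&3" || true
}

# Classify captured banner text. RFC 4253 lets a server send arbitrary lines
# before its "SSH-" identification line and tells clients to ignore them;
# a tarpit sends only such lines, so a capture with no "SSH-" line is a tarpit.
classify_banner() {          # stdin = captured lines; prints sshd|tarpit|silent
    lines=0 ssh_ident=0
    while IFS= read -r line || [ -n "$line" ]; do
        lines=$((lines + 1))
        case "$line" in SSH-*) ssh_ident=1 ;; esac
    done
    if [ "$ssh_ident" -eq 1 ]; then
        echo sshd
    elif [ "$lines" -gt 0 ]; then
        echo tarpit
    else
        echo silent
    fi
}

# Usage: ./check_tarpit.sh HOST PORT [SECONDS]
if [ "$#" -ge 2 ]; then
    verdict=$(grab_banner "$1" "$2" "${3:-15}" | classify_banner)
    echo "$1:$2 looks like: $verdict"
fi
```

Run it against the server on port 22 and expect tarpit, then against port 26 and expect sshd; silent means the port accepted the connection but sent nothing in the window, or the connection was refused. Since endlessh waits one Delay before its first line, give the capture window comfortably more than the Delay value in the config (10 seconds in this guide).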
Congratulations, you've set up your first tarpit on a Linux server. Just remember, when you go to log in to that server via SSH, you'll need to do so with:
ssh USER@SERVER -p 26
Where USER is a valid user on the remote server and SERVER is the IP address of the server.
Subscribe to TechRepublic's How To Make Tech Work on YouTube for all the latest tech advice for business pros from Jack Wallen.