Please support endlessh

Issue #158 new
Jerry Quinn created an issue

I just discovered a great tool called endlessh, which creates a tarpit for ssh attackers. I’ve reconfigured to put my real sshd on a different port and have attackers hit the default port. This reduces the sshd spam in my log nicely. endlessh logs attempts which could be captured and blocked.

Here is a sample. The connect attempts sit there for 20 seconds before they time out. Chances are that no real mistaken connection attempt will sit blocked for more than a few seconds, especially often like this.

Jan 02 19:37:33 cerberus endlessh[179289]: 2023-01-03T00:37:33.056Z ACCEPT host=::ffff:125.212.235.215 port=60870 fd=4 n=1/4096
Jan 02 19:37:33 cerberus endlessh[179289]: 2023-01-03T00:37:33.311Z ACCEPT host=::ffff:125.212.235.215 port=43490 fd=5 n=2/4096
Jan 02 19:37:33 cerberus endlessh[179289]: 2023-01-03T00:37:33.317Z ACCEPT host=::ffff:125.212.235.215 port=43588 fd=6 n=3/4096
Jan 02 19:37:33 cerberus endlessh[179289]: 2023-01-03T00:37:33.332Z ACCEPT host=::ffff:125.212.235.215 port=43598 fd=7 n=4/4096
Jan 02 19:37:33 cerberus endlessh[179289]: 2023-01-03T00:37:33.335Z ACCEPT host=::ffff:125.212.235.215 port=43566 fd=8 n=5/4096
Jan 02 19:37:33 cerberus endlessh[179289]: 2023-01-03T00:37:33.335Z ACCEPT host=::ffff:125.212.235.215 port=43508 fd=9 n=6/4096
Jan 02 19:37:33 cerberus endlessh[179289]: 2023-01-03T00:37:33.345Z ACCEPT host=::ffff:125.212.235.215 port=43546 fd=10 n=7/4096
Jan 02 19:37:33 cerberus endlessh[179289]: 2023-01-03T00:37:33.350Z ACCEPT host=::ffff:125.212.235.215 port=43560 fd=11 n=8/4096
Jan 02 19:37:33 cerberus endlessh[179289]: 2023-01-03T00:37:33.374Z ACCEPT host=::ffff:125.212.235.215 port=43450 fd=12 n=9/4096
Jan 02 19:37:33 cerberus endlessh[179289]: 2023-01-03T00:37:33.378Z ACCEPT host=::ffff:125.212.235.215 port=43504 fd=13 n=10/4096
Jan 02 19:37:33 cerberus endlessh[179289]: 2023-01-03T00:37:33.378Z ACCEPT host=::ffff:125.212.235.215 port=43534 fd=14 n=11/4096
Jan 02 19:37:33 cerberus endlessh[179289]: 2023-01-03T00:37:33.380Z ACCEPT host=::ffff:125.212.235.215 port=43526 fd=15 n=12/4096
Jan 02 19:37:33 cerberus endlessh[179289]: 2023-01-03T00:37:33.385Z ACCEPT host=::ffff:125.212.235.215 port=43578 fd=16 n=13/4096
Jan 02 19:37:33 cerberus endlessh[179289]: 2023-01-03T00:37:33.385Z ACCEPT host=::ffff:125.212.235.215 port=43552 fd=17 n=14/4096
Jan 02 19:37:34 cerberus endlessh[179289]: 2023-01-03T00:37:34.354Z ACCEPT host=::ffff:125.212.235.215 port=43572 fd=18 n=15/4096
Jan 02 19:37:36 cerberus endlessh[179289]: 2023-01-03T00:37:36.339Z ACCEPT host=::ffff:125.212.235.215 port=43556 fd=19 n=16/4096
Jan 02 19:37:36 cerberus endlessh[179289]: 2023-01-03T00:37:36.384Z ACCEPT host=::ffff:125.212.235.215 port=43590 fd=20 n=17/4096
Jan 02 19:37:53 cerberus endlessh[179289]: 2023-01-03T00:37:53.064Z CLOSE host=::ffff:125.212.235.215 port=60870 fd=4 time=20.008 bytes=14
Jan 02 19:37:53 cerberus endlessh[179289]: 2023-01-03T00:37:53.313Z CLOSE host=::ffff:125.212.235.215 port=43490 fd=5 time=20.002 bytes=23
Jan 02 19:37:53 cerberus endlessh[179289]: 2023-01-03T00:37:53.317Z CLOSE host=::ffff:125.212.235.215 port=43588 fd=6 time=20.000 bytes=4
Jan 02 19:37:53 cerberus endlessh[179289]: 2023-01-03T00:37:53.332Z CLOSE host=::ffff:125.212.235.215 port=43598 fd=7 time=20.000 bytes=8
Jan 02 19:37:53 cerberus endlessh[179289]: 2023-01-03T00:37:53.335Z CLOSE host=::ffff:125.212.235.215 port=43566 fd=8 time=20.000 bytes=26
Jan 02 19:37:53 cerberus endlessh[179289]: 2023-01-03T00:37:53.335Z CLOSE host=::ffff:125.212.235.215 port=43508 fd=9 time=20.000 bytes=27
Jan 02 19:37:53 cerberus endlessh[179289]: 2023-01-03T00:37:53.345Z CLOSE host=::ffff:125.212.235.215 port=43546 fd=10 time=20.000 bytes=12
Jan 02 19:37:53 cerberus endlessh[179289]: 2023-01-03T00:37:53.350Z CLOSE host=::ffff:125.212.235.215 port=43560 fd=11 time=20.000 bytes=28
Jan 02 19:37:53 cerberus endlessh[179289]: 2023-01-03T00:37:53.375Z CLOSE host=::ffff:125.212.235.215 port=43450 fd=12 time=20.001 bytes=11
Jan 02 19:37:53 cerberus endlessh[179289]: 2023-01-03T00:37:53.379Z CLOSE host=::ffff:125.212.235.215 port=43504 fd=13 time=20.001 bytes=7
Jan 02 19:37:53 cerberus endlessh[179289]: 2023-01-03T00:37:53.379Z CLOSE host=::ffff:125.212.235.215 port=43534 fd=14 time=20.001 bytes=30
Jan 02 19:37:53 cerberus endlessh[179289]: 2023-01-03T00:37:53.380Z CLOSE host=::ffff:125.212.235.215 port=43526 fd=15 time=20.000 bytes=16
Jan 02 19:37:53 cerberus endlessh[179289]: 2023-01-03T00:37:53.385Z CLOSE host=::ffff:125.212.235.215 port=43578 fd=16 time=20.000 bytes=32
Jan 02 19:37:53 cerberus endlessh[179289]: 2023-01-03T00:37:53.385Z CLOSE host=::ffff:125.212.235.215 port=43552 fd=17 time=20.000 bytes=5
Jan 02 19:37:54 cerberus endlessh[179289]: 2023-01-03T00:37:54.356Z CLOSE host=::ffff:125.212.235.215 port=43572 fd=18 time=20.002 bytes=22
Jan 02 19:37:56 cerberus endlessh[179289]: 2023-01-03T00:37:56.343Z CLOSE host=::ffff:125.212.235.215 port=43556 fd=19 time=20.004 bytes=15
Jan 02 19:37:56 cerberus endlessh[179289]: 2023-01-03T00:37:56.385Z CLOSE host=::ffff:125.212.235.215 port=43590 fd=20 time=20.001 bytes=21
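
One way the CLOSE records above could be turned into block candidates, as an added example that is not part of the original issue or of the project's own code. The function names, the 5-second and 3-connection thresholds, and the sample lines (documentation addresses) are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Matches the endlessh CLOSE record layout shown in the issue's sample.
CLOSE_RE = re.compile(
    r"endlessh\[\d+\]: \S+ CLOSE host=(?P<host>\S+) port=\d+ fd=\d+ "
    r"time=(?P<time>\d+(?:\.\d+)?) bytes=\d+"
)

def normalize_host(raw):
    """Canonical address string; IPv4-mapped IPv6 is unwrapped to IPv4."""
    addr = ipaddress.ip_address(raw)
    mapped = getattr(addr, "ipv4_mapped", None)  # only IPv6Address has it
    return str(mapped if mapped else addr)

def block_candidates(lines, min_seconds=5.0, min_count=3):
    """Hosts with at least min_count connections held >= min_seconds."""
    held = Counter()
    for line in lines:
        m = CLOSE_RE.search(line)
        if not m:
            continue  # ACCEPT records and unrelated lines are ignored
        try:
            host = normalize_host(m.group("host"))
        except ValueError:
            continue  # malformed host field: never feed it to a firewall
        if float(m.group("time")) >= min_seconds:
            held[host] += 1
    return {h: n for h, n in held.items() if n >= min_count}

# Constructed sample input (not taken from a real log).
P = "Jan 02 19:37:53 host endlessh[100]: 2023-01-03T00:37:53.064Z "
SAMPLE = [
    P + "ACCEPT host=::ffff:192.0.2.10 port=60870 fd=4 n=1/4096",
    P + "CLOSE host=::ffff:192.0.2.10 port=60870 fd=4 time=20.008 bytes=14",
    P + "CLOSE host=::ffff:192.0.2.10 port=43490 fd=5 time=20.002 bytes=23",
    P + "CLOSE host=::ffff:192.0.2.10 port=43588 fd=6 time=20.000 bytes=4",
    P + "CLOSE host=::ffff:198.51.100.7 port=50000 fd=7 time=1.204 bytes=0",
    P + "CLOSE host=2001:db8::5 port=50001 fd=8 time=20.000 bytes=9",
    P + "CLOSE host=2001:db8::5 port=50002 fd=9 time=20.001 bytes=12",
    P + "CLOSE host=not-an-address port=1 fd=10 time=20.000 bytes=1",
]

if __name__ == "__main__":
    for host, count in sorted(block_candidates(SAMPLE).items()):
        print(host, count)
```

Counting only CLOSE records with a long hold time keeps a single quick, mistaken connection to the default port from being treated like the repeated 20-second holds in the sample.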
