How to set up an SSH tarpit in Ubuntu Server 20.04


Jack Wallen shows you how to add an SSH tarpit to Ubuntu Server with the help of endlessh.


In your never-ending quest to secure your Linux servers, you’ve probably found that a lot of breaches happen through SSH. No matter how well you lock it down, it can still be cracked. That’s why you might want to consider setting up a tarpit for that service.

Essentially, a tarpit runs on the standard SSH port and, when an attacker attempts to break through that port, they wind up stuck in an endless loop. That’s how endlessh works: it slowly sends an endless SSH banner, one line at a time, so the client never gets as far as authentication. Install it, configure it for port 22, and the script kiddies will wind up in a tarpit, unable to escape.

I’m going to show you how to do just that.


What you’ll need

I’ll be demonstrating how this is done on Ubuntu Server 20.04, although endlessh can be installed on most Linux servers. You’ll need an instance of that running and a user with sudo privileges.

How to install endlessh

Although you can install endlessh from the standard repositories, we don’t want that version, as it doesn’t include the necessary systemd service file. Instead, clone endlessh from the GitHub repository with the command:

git clone https://github.com/skeeto/endlessh

Before we go any further, you’ll probably need to install the necessary tools to build endlessh with the command:

sudo apt-get install build-essential -y

Once this is installed, change into the newly-created directory with the command:

cd endlessh

Compile endlessh with the command:

make

Install endlessh with the command:

sudo make install

How to configure endlessh

Out of the box, endlessh runs as an unprivileged service, so it can only bind to ports above 1024, but we want to use the tool on the default SSH port. To allow that, you must make a change to the systemd service file. Issue the command:

sudo nano /etc/systemd/system/endlessh.service

In that file, uncomment (remove the # characters) the following line:

#AmbientCapabilities=CAP_NET_BIND_SERVICE

We then need to comment out (add a # character to the beginning of the line) the following:

PrivateUsers=true

Save and close the file. 

Next, run the command:

sudo setcap 'cap_net_bind_service=+ep' /usr/local/bin/endlessh

Next, open the endlessh configuration file with the command:

sudo nano /etc/endlessh/config

You’ll want to change the port from 2222 to 22. If you find there’s nothing in that file, paste the following:

# The port on which to listen for new SSH connections.
Port 22

# The endless banner is sent one line at a time. This is the delay
# in milliseconds between individual lines.
Delay 10000

# The length of each line is randomized. This controls the maximum
# length of each line. Shorter lines may keep clients on for longer if
# they give up after a certain number of bytes.
MaxLineLength 32

# Maximum number of connections to accept at a time. Connections beyond
# these are not immediately rejected but will wait in the queue.
MaxClients 4096

# Set the detail level for the log.
# 0 = Quiet
# 1 = Standard, useful log messages
# 2 = Very noisy debugging information
LogLevel 0

# Set the family of the listening socket
# 0 = Use IPv4 Mapped IPv6 (Both v4 and v6, default)
# 4 = Use IPv4 only
# 6 = Use IPv6 only
BindFamily 0

Save and close the file.

How to configure SSH

Now, we need to configure SSH to use a different port than 22. Open the daemon configuration file with the command:

sudo nano /etc/ssh/sshd_config

In that file, change:

Port 22

To:

Port 26

Save and close the file.

We now have to reboot the server so the endlessh changes will take effect. If a host firewall is running on the server, allow the new SSH port 26 through it before you reboot, or you will lock yourself out. After the server reboots, log back in and start/enable the endlessh service with the commands:

sudo systemctl start endlessh
sudo systemctl enable endlessh

How to test endlessh

Open a terminal on another machine and attempt to log in to the endlessh server with the command:

ssh USER@SERVER -v

Where USER is a valid user on the remote server and SERVER is the IP address of the server. You should see random lines, indicating you’re stuck in the endlessh tarpit (Figure A). Hit the Ctrl+c key combination to get out of the loop.

Figure A: Random lines mean endlessh is doing its job.
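The same check as the ssh -v test above, scripted so you can verify a tarpit (or spot one) from a monitoring box. This is an added example, not part of the article or of endlessh itself: probe_ssh_port is the live check (host and port are whatever you point it at), and the sample banner lines plus the socketpair harness are constructed so the logic can be exercised offline.

```python
import socket
import threading
import time

def classify_ssh_banner(sock, timeout=3.0):
    """Decide whether the service on `sock` is an endlessh-style tarpit.
    A real sshd sends an "SSH-2.0-..." version line almost at once; endlessh
    only trickles random lines (MaxLineLength 32 bytes, one per Delay 10000 ms).
    """
    deadline = time.monotonic() + timeout
    lines, buf = [], b""
    while (remaining := deadline - time.monotonic()) > 0:
        sock.settimeout(remaining)
        try:
            chunk = sock.recv(256)
        except socket.timeout:
            break
        if not chunk:  # peer closed; a tarpit never hangs up on its own
            break
        buf += chunk
        while b"\n" in buf:
            line, buf = buf.split(b"\n", 1)
            lines.append(line.rstrip(b"\r").decode("ascii", "replace"))
            if lines[-1].startswith("SSH-"):
                return {"tarpit": False, "lines": lines}
    return {"tarpit": True, "lines": lines}  # no version line before deadline

def probe_ssh_port(host, port, timeout=3.0):
    """Scripted form of the article's `ssh -v` test against a live host."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return classify_ssh_banner(sock, timeout)

TARPIT_LINES = [b"kq2A9zJ7Lm", b"Rw3bPq", b"xZ0vHh5Nf2", b"Qa8sLd1"]  # constructed
SSHD_LINES = [b"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1"]  # constructed

def run_against(banner_lines, delay=0.05, timeout=0.5):
    """Feed banner_lines to the checker over a socketpair, one per `delay` s."""
    client, server = socket.socketpair()
    def serve():
        with server:
            try:
                for line in banner_lines * 50:  # keep trickling past the deadline
                    server.sendall(line + b"\r\n")
                    time.sleep(delay)
            except OSError:
                pass  # client hung up first
    threading.Thread(target=serve, daemon=True).start()
    with client:
        return classify_ssh_banner(client, timeout)
```

Against the server built in this article, probe_ssh_port(SERVER, 22) should report a tarpit, while probe_ssh_port(SERVER, 26) should come back with the real OpenSSH version line.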

Congratulations, you’ve set up your first tarpit on a Linux server. Just remember, when you go to log in to that server via SSH, you’ll need to do so with:

ssh USER@SERVER -p 26

Where USER is a valid user on the remote server and SERVER is the IP address of the server. 

