Look at any server log file for externally facing management services; you will find thousands of failed login attempts and scans. Bots attempt to brute-force a login to services like SSH and Remote Desktop(RDP) all day long. These management services should be behind a VPN firewall, especially RDP. On top of removing management services from being directly on the Internet, we can also put up fake services that look like the real ones. Why put up fake services? To slow down an attacker and give incorrect information about the environment.
To disrupt Bots we can deploy a defensive strategy called Tarpits. A Tarpit is a server or service that purposely delays incoming connections to slow scans and make them less attractive. The goal is to waste the Bots or an attacker’s time.
There is a good SSH Tarpit I found on GitHub. It is simple to install and use. Below is the process I recommend to have a full-time SSH tarpit deployed.
Recommended Deployment
- Spin up a new VM or container. 1x CPU, 512MB RAM, 8GB Disk.
- Install Debian latest(10)
- Set up the firewall to port forward WAN port 22 to the new VMs port 2222(SSH Tarpit)
Installation Script
apt update && apt dist-upgrade && apt install build-essential git
cd ~/
# Clone the Git repository
git clone https://github.com/skeeto/endlessh.git
cd endlessh/
make
mv ./endlessh /usr/local/bin/
# Add a user to run Endlessh as.
adduser --shell /bin/false --disabled-login --no-create-home --disabled-password --gecos "" tarpit
# Add etc folder
mkdir /etc/endlessh
# Make the config file
echo 'Port 2222
Delay 10000
MaxLineLength 32
MaxClients 4096
LogLevel 0
BindFamily 4' > /etc/endlessh/sshtarpit.config
# Add service config file
echo '# Contents of /etc/systemd/system/endlessh.service
[Unit]
Description=Endlessh
After=network.target
[Service]
Type=simple
Restart=always
User=tarpit
Group=tarpit
ExecStart=/usr/local/bin/endlessh -f /etc/endlessh/sshtarpit.config
[Install]
WantedBy=multi-user.target' > /etc/systemd/system/endlessh.service
systemctl daemon-reload
systemctl enable endlessh.service
systemctl start endlessh.service After I stood up my SSH Tarpit it took less than a minute to start getting hits.
Tarpits are fun tools for Security Defenders. However, security through obscurity does not work. Tarpits alone cannot protect your network; it’s just a fun add-on to slow down dumb bots. In my view, any disruption to an adversary is a win.
Related posts:
Home Network Security TAP Review
Know Your Enemy
LetsDefend: Blue Team Training Review
LetsDefend’s DFIR Challenge: Ransomware Attack Walk-Through
You Can Help Defend the Internet!
Secure Windows Remote Management from 2FA Bypass
Linux Web Server Hardening: Preventing Apache Information Disclosure
LetsDefend’s DFIR Challenge: Infection with Cobalt Strike Walk-Through
How to Investigate Malicious DNS Requests
Creating Fun Cybersecurity Tabletop Exercises
Leave a Reply