Look at any server log file for externally facing management services; you will find thousands of failed login attempts and scans. Bots attempt to brute-force a login to services like SSH and Remote Desktop(RDP) all day long. These management services should be behind a VPN firewall, especially RDP. On top of removing management services from being directly on the Internet, we can also put up fake services that look like the real ones. Why put up fake services? To slow down an attacker and give incorrect information about the environment.

     To disrupt Bots we can deploy a defensive strategy called Tarpits. A Tarpit is a server or service that purposely delays incoming connections to slow scans and make them less attractive. The goal is to waste the Bots or an attacker’s time.

There is a good SSH Tarpit I found on GitHub. It is simple to install and use. Below is the process I recommend to have a full-time SSH tarpit deployed.

Recommended Deployment

  • Spin up a new VM or container. 1x CPU, 512MB RAM, 8GB Disk.
  • Install Debian latest(10)
  • Set up the firewall to port forward WAN port 22 to the new VMs port 2222(SSH Tarpit)

Installation Script

 apt update && apt dist-upgrade && apt install build-essential git 
cd ~/ 
# Clone the Git repository  
git clone https://github.com/skeeto/endlessh.git 
cd endlessh/ 
make 
mv ./endlessh /usr/local/bin/ 
# Add a user to run Endlessh as. 
adduser --shell /bin/false --disabled-login --no-create-home --disabled-password --gecos "" tarpit 
# Add etc folder 
mkdir /etc/endlessh 
# Make the config file 
echo 'Port 2222 
Delay 10000 
MaxLineLength 32 
MaxClients 4096 
LogLevel 0 
BindFamily 4' > /etc/endlessh/sshtarpit.config 
# Add service config file 
echo '# Contents of /etc/systemd/system/endlessh.service 
[Unit] 
Description=Endlessh 
After=network.target 
[Service] 
Type=simple 
Restart=always 
User=tarpit 
Group=tarpit 
ExecStart=/usr/local/bin/endlessh -f /etc/endlessh/sshtarpit.config 
[Install] 
WantedBy=multi-user.target' > /etc/systemd/system/endlessh.service 
systemctl daemon-reload 
systemctl enable endlessh.service 
systemctl start endlessh.service 

After I stood up my SSH Tarpit it took less than a minute to start getting hits.

Tarpits are fun tools for Security Defenders. However, security through obscurity does not work. Tarpits alone cannot protect your network; it’s just a fun add-on to slow down dumb bots. In my view, any disruption to an adversary is a win.