Look at the log of any Internet-facing management service and you will find thousands of failed login attempts and scans. Bots try to brute-force logins to services like SSH and Remote Desktop (RDP) all day long. These management services belong behind a VPN or a firewall, RDP especially. On top of taking management services off the open Internet, we can also stand up fake services that look like the real ones. Why put up fake services? To slow an attacker down and feed them incorrect information about the environment.
To disrupt bots we can deploy a defensive technique called a tarpit. A tarpit is a server or service that deliberately delays incoming connections to slow scans and make the target less attractive. The goal is to waste the bot's, or the attacker's, time. For SSH this works with the protocol's own rules: an SSH server is allowed to send any number of banner lines before its version string, so a tarpit trickles out bogus lines forever and the client keeps waiting for a handshake that never starts.
Endlessh is a good SSH tarpit I found on GitHub. It is simple to build and run. Below is the process I recommend for a full-time SSH tarpit.
- Spin up a new VM or container: 1 CPU, 512 MB RAM, 8 GB disk.
- Install the latest Debian (10 at the time of writing).
- On the firewall, forward WAN port 22 to port 2222 on the new VM (the SSH tarpit). Make sure nothing legitimate still expects to reach real SSH on port 22 from outside; that traffic should come in over the VPN.
Run the following as root on the new VM:

```sh
apt update && apt dist-upgrade && apt install build-essential git
cd ~/

# Clone the Git repository and build it
git clone https://github.com/skeeto/endlessh.git
cd endlessh/
make
mv ./endlessh /usr/local/bin/

# Add an unprivileged user to run Endlessh as (no shell, no password, no home)
adduser --shell /bin/false --disabled-login --no-create-home --disabled-password --gecos "" tarpit

# Add etc folder
mkdir /etc/endlessh

# Make the config file. Delay is in milliseconds, so 10000 = one bogus
# banner line every 10 seconds. Port 2222 is unprivileged, which is why
# the service can run as the tarpit user; the firewall maps WAN 22 to it.
cat > /etc/endlessh/sshtarpit.config <<'EOF'
Port 2222
Delay 10000
MaxLineLength 32
MaxClients 4096
LogLevel 0
BindFamily 4
EOF

# Add the systemd service file
cat > /etc/systemd/system/endlessh.service <<'EOF'
# Contents of /etc/systemd/system/endlessh.service
[Unit]
Description=Endlessh
After=network.target

[Service]
Type=simple
Restart=always
User=tarpit
Group=tarpit
ExecStart=/usr/local/bin/endlessh -f /etc/endlessh/sshtarpit.config

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable endlessh.service
systemctl start endlessh.service
```
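As an added example (not the page's own code and not endlessh's), the Python below shows the mechanism the tarpit paragraph describes and gives you a way to verify the deployment above: a minimal Endlessh-style tarpit that drip-feeds random pre-banner lines, a constructed stand-in for a real SSH server that sends its identification string right away, and a probe that connects like an SSH client and reports which of the two it hit. The names `Tarpit`, `serve_real_banner_once` and `probe`, and the `SSH-2.0-OpenSSH_9.6` banner text, are this example's own assumptions.

```python
import socket
import threading
import time
from random import randint

# Added example, not endlessh's code. RFC 4253 section 4.2 lets an SSH server send
# any number of CRLF-terminated lines before its "SSH-2.0-..." identification
# string, provided none begins with "SSH-", and a client must read past them.
# An SSH tarpit abuses this: it drip-feeds bogus lines forever and never sends the
# real identification string, so the handshake never starts.

def random_banner_line(max_line_length=32):
    """One bogus pre-banner line of printable ASCII that never starts with 'SSH-'."""
    while True:
        n = randint(3, max_line_length - 2)  # leave room for CRLF
        line = "".join(chr(randint(32, 126)) for _ in range(n))
        if not line.startswith("SSH-"):
            return (line + "\r\n").encode("ascii")

class Tarpit:
    """Minimal Endlessh-style tarpit: one thread per client, `delay` seconds per line."""

    def __init__(self, host="127.0.0.1", port=0, delay=10.0, max_line_length=32):
        self.delay, self.max_line_length = delay, max_line_length
        self._stop = threading.Event()
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))  # port 0 = let the OS pick a free port
        self.sock.listen(64)
        self.sock.settimeout(0.1)  # so the accept loop notices stop()
        self.port = self.sock.getsockname()[1]

    def _trap(self, conn):
        try:
            while not self._stop.is_set():
                time.sleep(self.delay)  # the whole point: make the client wait
                conn.sendall(random_banner_line(self.max_line_length))
        except OSError:
            pass  # client gave up
        finally:
            conn.close()

    def _accept_loop(self):
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=self._trap, args=(conn,), daemon=True).start()

    def start(self):
        threading.Thread(target=self._accept_loop, daemon=True).start()
        return self

    def stop(self):
        self._stop.set()
        self.sock.close()

def serve_real_banner_once(banner=b"SSH-2.0-OpenSSH_9.6\r\n"):
    """Constructed stand-in for a real SSH server (the banner text is made up):
    sends its identification string at once, as OpenSSH does, then closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

def probe(host, port, max_lines=3, timeout=30.0):
    """Connect like an SSH client and classify the server from its first lines.
    A real server answers with an "SSH-" identification string almost at once;
    a tarpit keeps sending non-"SSH-" lines, or keeps us waiting, until we give up."""
    start = time.monotonic()
    lines, buf, timed_out = [], b"", False
    with socket.create_connection((host, port), timeout=timeout) as s:
        while len(lines) < max_lines:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                timed_out = True
                break
            if not chunk:  # server closed the connection
                break
            buf += chunk
            while b"\n" in buf and len(lines) < max_lines:
                raw, buf = buf.split(b"\n", 1)
                line = raw.decode("ascii", "replace").rstrip("\r")
                lines.append(line)
                if line.startswith("SSH-"):  # genuine identification string
                    return {"tarpit": False, "lines": lines, "seconds": time.monotonic() - start}
    kept_us_busy = len(lines) >= max_lines or timed_out
    return {"tarpit": bool(lines) and kept_us_busy, "lines": lines, "seconds": time.monotonic() - start}
```

To check a deployed tarpit, call `probe("your.wan.ip", 22, timeout=40)` from outside the network; with the 10 s Delay configured above it should come back with `tarpit: True` after roughly 30 seconds, whereas a real OpenSSH host returns `tarpit: False` in milliseconds. The thread-per-client design here is only for readability; endlessh itself serves every trapped connection from a single poll() loop, which is why it can hold thousands of clients on a 512 MB VM.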
After I stood up my SSH tarpit, it took less than a minute to start getting hits.
Tarpits are fun tools for defenders. However, security through obscurity is not a control. A tarpit alone cannot protect your network; it is an add-on that slows down dumb bots. In my view, any disruption to an adversary is a win.