Endlessh: an SSH tarpit - Honeypot & Honeytrap Hackers in your Ubuntu server


"Endlessh is an SSH tarpit that very slowly sends an endless, random SSH banner. It keeps SSH clients locked up for hours or even days at a time. The purpose is to put your real SSH server on another port and then let the script kiddies get stuck in this tarpit instead of bothering a real server. "

Trolling the hackers! If this does not excite you, I do not know what will! This article walks through the installation process. SSH does not put a constraint on the length of the SSH banner or on the timeout. I think you catch the drift. These clueless intruders, who are just trying their luck with automated scripts and trying to brute-force their way into your server, are up to no good anyway. There are other troll-free ways, but this wastes their time. 😉

This article might help if you are having some trouble or are running into errors using Ubuntu.

Check your current SSH port (netstat is part of the net-tools package; sudo is needed for it to show the process name)

$ sudo netstat -tulnp | grep ssh

SSH in to your server from another computer using the default port

# uses port 22 by default

$ ssh user@server_or_ip_address

Change SSH Port from 22 (default) to say 99 (or whatever)

$ sudo nano /etc/ssh/sshd_config

Open the file above and change the line towards the top of the file from #Port 22 to Port 99. Now save and close the file (Ctrl + X, Y). Keep your current SSH session open until you have confirmed that you can log in on the new port.

Restart SSH Service

$ sudo systemctl restart ssh

Verify SSH Port number change

$ netstat -plunt | grep 99

Update firewall rules (if enabled)

$ sudo ufw allow 99/tcp

$ sudo ufw reload

Download required packages in Ubuntu (net-tools is optional) & install endlessh. git is needed for the clone, and gcc and make for the build.

$ sudo apt-get install -y net-tools git make gcc libc6-dev

$ git clone https://github.com/skeeto/endlessh ~/code/endlessh

$ cd ~/code/endlessh

$ sudo make install

$ sudo cp util/endlessh.service /etc/systemd/system

Configure endlessh

$ sudo nano /etc/systemd/system/endlessh.service

Uncomment the AmbientCapabilities line.

Comment out the PrivateUsers line.

Then give the binary the capability to bind to a port below 1024 (port 22 here):

$ sudo setcap 'cap_net_bind_service=+ep' /usr/local/bin/endlessh

endlessh live demo showing how endlessh prints a "banner" of meaningless error messages at a painfully slow rate, wasting the intruder's time and keeping them from crawling elsewhere

Set up endlessh service

$ sudo mkdir -p /etc/endlessh

$ echo 'Port 22' | sudo tee /etc/endlessh/config

$ sudo systemctl daemon-reload && sudo systemctl restart endlessh.service

Verify endlessh service is running

$ sudo systemctl status endlessh.service

Testing: SSH in to your server with an explicit port number

$ ssh user@server_or_ip_address -p 99
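
A check to go with the test step above, added here as an example and not taken from the original article or the Endlessh project: classify (a hypothetical helper name) connects to a port and reports whether a line starting with "SSH-" arrives in time, which should happen on port 99 and never on port 22. fake_listener is a constructed local stand-in so the block runs offline.

```python
import socket
import threading
import time

def classify(host, port, wait=3.0):
    """'ssh' if a line starting with 'SSH-' arrives within `wait` seconds,
    'pre-banner' if only other lines arrive, 'silent' if nothing arrives."""
    deadline = time.monotonic() + wait
    buf, seen_line = b"", False
    with socket.create_connection((host, port), timeout=wait) as s:
        while (left := deadline - time.monotonic()) > 0:
            s.settimeout(left)
            try:
                chunk = s.recv(256)
            except socket.timeout:
                break
            if not chunk:  # peer closed the connection
                break
            buf += chunk
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                if line.startswith(b"SSH-"):
                    return "ssh"  # real version string: a genuine SSH server
                seen_line = True  # filler line, legal before the version string
    return "pre-banner" if seen_line else "silent"

def fake_listener(lines, delay):
    """Constructed local stand-in, not Endlessh: serves one connection on
    127.0.0.1, sending each line `delay` seconds apart. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def run():
        conn, _ = srv.accept()
        with conn, srv:
            try:
                for line in lines:
                    time.sleep(delay)
                    conn.sendall(line + b"\r\n")
            except OSError:  # client gave up and closed first
                pass
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    trap = fake_listener([b"4c1f", b"9ab2", b"77e0"], 0.2)  # constructed filler lines
    real = fake_listener([b"SSH-2.0-Example_1.0"], 0.0)     # constructed version line
    print("tarpit-like:", classify("127.0.0.1", trap, wait=0.5))
    print("sshd-like:", classify("127.0.0.1", real, wait=0.5))
```

Against the server from this walkthrough, port 99 should return ssh right away, while port 22 should return silent or pre-banner depending on how long wait is.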