Please note that Endlessh is NOT meant to replace conventional SSH security methods. You should still set up public-key only authentication and 2FA, as well as tools like iptables, fail2ban and CrowdSec It's also not meant to protect you from nmap port scans or advanced attacks. Endlessh is a fun way to mess with automated SSH scanners, but that's it.
Hi maybe a dumb question but I find your video very interesting. All of it makes sense to me but isn't it possible to use a tool from kali linux I think that can scan for certain ports on a server?
@@philipweiss2794 Yes, a malicious hacker may port scan your IP and find the other SSH server if they decided to scan all the ports. One possible way to mitigate this is to set your actual ssh server on an uncommon port, implement fail2ban and ssh key authentication. Like wolfgang mentioned though, it's highly unlikely the hacker will bother scanning the other ports and will just move on to another target searching for ssh servers on port 22.
@@Gameplayer55055 if you are referring to port scanning, a hacker may use a tool called nmap to figure out what services are running on your server/computer. In the video, Wolfgang shows a tool used for ssh bruteforcing called Hydra.
@@Prophet761 no, i want to know procedures after getting control of your server What do hacker usually do, when he gets control of your server? Because windows worms basically steal your passwords, and install spyware
Love this! There's a simple docker package as well in the docker hub, so quick to deploy! Thanks for bringing this project to me! Such a simple and powerful tarpit!!!
I've been setting up a game server, and I am TOTALLY DOING THIS. Thank you so much for making this video! It never occurred to me to have a 'false front' ssh login, and making it a time sink is a brilliant approach.
I need to know: how often do we have to open the server up to let the trapped hackers out? Did we need to increase fan speed, to make sure they don't suffocate? If the server is not water cooled, do we need to provide water (and FOOD) for them? And, lastly, what about sanitation?
On a 64 bit, no more than 64 hackers, otherwise they will cause a buffer overflow and they will have full control of your cpu, fridge, TV, microwave and lights, also you have to be very careful as they might be female hackers and to me that just screams trojan horse. Me personally i wouldn't even try to trap one in my PC as they can become very angry and aggressive,
@@gayusschwulius8490 No, because with key authentication the key never leaves your computer, whereas the password does leave your computer so a malicious actor can pretty easily grab your password if they've compromised the system and if it's reused anywhere else or whatever they now know it, whereas with pubkey auth the key never leaves the PC so physically can't be stolen
@@VoidCraftedGamingHD If you have a really strong password it's probably not reused anywhere because you couldn't remember it so you need a password manager. Also if they compromised your SSH server or your own system there is no difference between password and key because in case 1 they don't need it anyway and in case 2 they can get whatever they want.
moving your SSHD to another port is a good practice, however a simple nmap on your IP will reveal it. Real hacker's script usually does a kind of nmap to list possible vulnerabilities. Good video
I used the old honeypot for my ftp server The real one was on another port on tls But i just ran one on port 21 to throw off the scanners. Then also allowing anonymous in a sandbox with specifically tailored ratios and all server messages all being the same so the warez bots wouldnt get wise on it and just fuck up their time trying My reasons for doing that were absolutely trolly Although that word wasn't used for it back in 2004 orso lol
@@computer_toucher Valve just used a similar honeypot method to ban thousands of cheaters in Dota 2. Simple, cheap, and effective, and has nothing to do with passwords. An ounce of prevention is worth a pound of cure, and mitigation techniques in cybersecurity is just part of the prevention process.
eh its basically just security by obscurity to stop automated botnet random ssh attacks, you definitely should set up a fail2ban as well or ideally just only allow certain devices to ssh onto your server would be the safest. like the dude said its only a timewaster that you would likely throw into a raspberry pi and enable on all the typical ports someone would use to waste a botnets time and resources from actually doing some damage to someone without security setup like you or I would
Agree on most points but it's not security by obscurity. We camouflage our military vehicles, but they still have armor underneath that camouflage. In this case your armor is public key auth, fail2ban and 2FA on your real SSH server.
no, the least efficient way is just changing the port of SSH and hopping the hacker won't sniff it :p at least now, you have something pretenting to be SSH server and acting like one, and nothing prevent you to put some rules and fail2ban on your real SSH on top of that :p
@@brostenen it would still cause problems for the router, be like a 10 minute delay when opening the connection page (just joking) port scan auto ip block and fail2ban is the way as it just ignores that ip then witch does not use much resources
@@leexgx did you check out what that endless SSH thingi does? you can have 20k connections and prolly use less then 1% of your ressources to keep them busy ... and fail2ban would need more ressources to handle 20k attackers, way more ...
@@Uaellaen fail2ban will ip block after 5 attempts in say in 60 seconds and 2 month ip ban (what ever you have set it to, most will get ip banned in first 1-2 seconds due to high rate of attempts in short time) so any connections once ip banned, it will be ignored so no way it can get to 20k connections because the firewall is flat out ignoring the ip's
As an addon I would recommend putting your real ssh port on a really high port number. Most hackers use default port scanning of the most common port and dont even scan port 5000+, so yeah :) free tip! :D
So, it's a tarpit. Brill. Also, just FYI, there's an official debian package in buster-backports. I have my real ssh on a very odd port AND hidden by fwknop, just for a bit of extra; key-only auth of course. But I am actually thinking about installing this...
hmm dont think thats really necessary.. btw if u got multiple hosts i highly recommend setting up a ssh bastion. This way you only have to open 1 ssh port ;)
It's not like hackers do everything in series. They can be running parallel attacks, so it's a moot point that they might be slowed down by even a 15 second timeout. Also, hackers adapt. If they detect what they think is a honeypot, they can always do some port scanning for alternate open SSH ports. Basically, if port 22 timesout, run port scanner and continue on the new port.
@@Exitof99 that's what i thought too, just do an nmap scan before, who would be so stupid to just assume that there's an ssh server at that ip address and, just go for it....... it would be so dumb
Thanks My SFTP server has been getting a lot of unwanted attention. I moved the port to a high port number, and protected the connection with Fail2ban. Still lots of unwanted attention. Fail2ban worked but I was getting attacked by hackers who were changing their IP address after every attempt, Fail2ban was banning hundreds of IP addressed an hour. I tried your sticky honey trap created about 50 sticky ports with the real SFTP and SSH ports amongst them. So far no problems are being recorded in the logs - so thanks
I have a local server that's not previously exposed to the internet, but I installed this and forwarded port 22 on my router to this service just to trap some bots. Feels like I'm doing a tiny little something to keep the most basic bots busy at least. Great video! I subscribed!
*in theory* provided there are enough servers running Endlessh, someone could do a "SSH amplification DDoS attack" as the script provides an amplification ratio greater than 1, similar concept to NTP amplification DDoS attacks...
back on early 00's i was part of a community that ran on a telnet/mud chat server. we were never too much of elitist jerks but people got banned every now and then. and at some point someone who got banned got pissed off and spread address of it all around the internet, then we got flooded with people trying brute force attacks, come in to troll or never said an word for days doing god knows what. at some point the owner had enough and did this thing where all those people would be funneled to a fake chatroom where few days of chat log would replay in a loop plus it would randomly grab a username from them and make up random messages like "hi ", "i agree", "ok", "should we change subjects?" and so. it was painfully effective, people would only realize something was wrong after they saw chat repeating since we only had something like 2 days of logs. eventually random people got caught into it and everyone felt really bad for making some poor random talk to a walk for days and turned the whole thing off
@@xtra9996 i think the video is talking about automated scripts hunting the internet to find vulnerable ssh servers. but yeah if they have a particular target in mind they'd definitely start with nmap, and not just on the nmap default ports
@@xtra9996 err sure. The point of the honeypot is that the attacker has already found your SSH server and now is trying to use it to access your system.
Potentially, but I imagine that it be like a door on a wall kind of deal as there is no connection to the real server, yes the person might be able to break through the wall but it doesn't lead to anywhere
@@Sergeeeek That's why you don't run it as root. You run it on a non-privileged port, its default is 2222, as a normal user. I've done this and then done a NAT port redirect from port 22 to 2222 for clients that are not permitted access.
@Irish Catholic Resistance the tarpit never starts the exchange. this program speaks zero ssh (or any) protocol. it is simply a reverse slowloris spewing gibberish to keep the channel alive. any client that times out after failure to receive SSH2_MSG_KEXINIT will bail. a lot of clients will happily wait forever for it. that's why this works.
I deployed this on my server the other day (I already had SSH on a different port than default and set up public key login only) and I’ve already had countless bots attempt to SSH in. Some got stuck for over 20 minutes. There’s been bots from Russia, China, Peru, the UK, South Korea, all over the damn place. Pretty cool knowing that not only am I doing my part to waste these assholes’ time, but I’m also better protecting my server. I’m willing to bet that with a number of these bots, after they get trapped in the tarpit they probably blacklist your server’s IP so they don’t waste their time again.
Wow a 5 minute video with 5 minutes of solid information. Not a 11 minute video with 2 minutes of eh information. You just earned yourself a sub and a spot on my whitelist, something very very few CZcamsrs get from me.
The only flaw I can see is when the hackers sees the login attempts slow down to a crawl, they're going to know they're stuck in Endlessh and just exit out. Stick them into port 22, keep the speed at normal, but also make sure that even if they happen to get the right password, it fails and they keep on going. Like you say, they could waste months even though they hit the correct password ten hours after starting.
If you're doing anything automated with ssh you really don't want to let the client timeout by itself, it'll take forever (or, in this case, never do so). Adding something like this *_-o ConnectTimeout=3_* to your client arguments should usually be enough, but in some cases (e.g. remote automated tunnels over very unreliable connections) it could still hang for a long time. So, just to use the above and a wrapper that kill ssh if it hangs to much. Or write your own client. I don't think many will fall in such a tarpit. Not even many script kiddies as the scripts they downloaded, without understanding, will likely take care of such a scenario for them.
back in the early 90`s I had a remote login attempt, traced the ip, it was a school with a known address and ip, called them, spoke to the principal, they were baffeled and did not know what I was talking about. "There are some kids in your computer room trying to login into other servers". Funny stuff back then.
@@unverifiedapk if your on cable, DOCSIS tech it's normally semi static but basically is static as long as your router is not been disconnected for more then 8 days (I won't say the other way you can change it as its fun permanently banning cable connections) vdsl and adsl every reconnect is a new ip, unless you pay for a static (unsure but I would assume FTTP is same as vdsl/adsl unless you pay for static) This is how it is generally works world wide
It would be nice if you could set this up in a way where you could keep ssh on the default port, but only lock up their ssh session if they enter a password from the common default password list. So if you enter an incorrect password like soi3$%as1s, the authentication would just fail, but if you tried something in a predefined list like "hunter2" or "123456", it would lock up the session with the banner. Not sure if something like that would be possible.
A lot of attackers don't just try the default port, they scan your ip and will see the other port as well. However, having a banner some pages long on your regular login address would still slow a brute force/dict attack to a crawl and not be worth doing.
I’m so glad I found your channel. I’m just on the back log of watching every video you have, haha. You’re very knowledgeable and I love the humour in your videos. I know this is an older video but I was wondering what is your profession in day to day life? Thanks again for the quality content.
@@WolfgangsChannel thank you for the response. I kind of gathered because of how 2nd nature it is to you! I’m trying to learn bits and bobs. Thanks again for the awesome content. Have a good day sir!
hey! i am kinda beginner in cybersecurity staff but here information that i know nmap scan scans top 1000 common ports so if port 69 is not in top 1000 then I believe there wouldn't be a problem UNLESS if a hacker is not script kidde(aka a professional hacker) and he *really* wants to hack your server, he can simply run "nmap -p- YOUR_SERVER_IP" which will probably expose endlessh and real SSH but nobody wants to use the -p- flag(scan all port) because nobody wants to waste their time hacking your horse tinder dating app note -p- is *minus p minus* but yt convert it into strikethrough
You could, but this is to prevent mass scanning. Scanning thousands of ports on every device on the internet is way more resource intensive than the average skid can pull off
I just moved my SSH server to a different port, have done so for a very long time, I'd rather people not know my computer is there at all. I have also recently set up wireguard VPN server and SSH in over that for some extra obscurity. But just moving ports is good enough, not seen anyone try to login but myself.
yep that's waht I do with all my servers that are publicly visible, and also for the most part on the lan too, it's just not a good idea to use the "standard" if you can avoid it. Though one thing I've been looking at is changing the response of a nmap scan or what ever. I found a post from 2007 that had some code that would make your server advertise any port as any random service, so that it would essentially make your one IP look like a whole host of servers. this means that if you get the answer "port 69 is ssh" it could actually be a website, making anybody nosy enough have to investigate further, and trying to connect with the wrong protocol would make you waste a lot of time. But in his final note he added "due to the legality of such a project I'm not sure I can continue publishing this" and I haven't found anything that does exactly that. It really sounds like a great idea, but I have no idea how you could do that.
Well... If they dont see a "server" at the usual port, then they know that something funky is going down. Better lure them with some psychology trick. 😉
If one was sepecifically targeting you they would scan for open ports first and notice that there are two ssh services running. In that case it wouldn't be of much help. But to be honest, that is highly unlikely. Most of the time it will be a random attack and against that I really love this method.
1. If you are the only ones using SSH, lock it down to only IPs that you expect or ranges of IPs local to yours. 2. If you are running a shared host, this would never work. Customers would try the default port even if you instructed them which port is actually SSH.
You scan for open Ports. So even If your SSH ist running on a different Port IT wont be hard to find IT. I would personally Just diactivate IT If you are running your Server at Home
You overestimate ssh spraying attacks. They don't care about servers with a better login then admin admin. Or another ssh Port. If they do they are attacking you specifically and you should worry avout that. But if you really wanna make sure only you get into your server over the internet use a certificate for authentication.
Sounds similar to what we would put into a .plan or .project file back in the day on our Unix-like systems, when 9600 baud was “high speed”, so that when some user tried to use the finger command with your account, they would get this very lengthy animated plaintext message. Had to keep the stuff in a single line, and it used special characters, and the university banned such use of .plan and .project as a result of user complaints.
I wonder how many bruteforce attackers it would take to generate any kind of measurable load on that machine if it only respods with 1 line every several seconds :D Very cool stuff - thanks for sharing!
The number of attackers doesn't matter. The one line every second will limit it to zero even on a raspberry Pi. Only problem with that hard delay, you might end up having a hard time getting on you own machine.
Well this is relevant to me xD (wasnt using the normal port of cause but still got spammed with these) i just stop port forwarding ssh and just using OpenVPN to my house then ssh in.
That's very cool, however if they find out that the sshd server is running on another port like 69 in your case using a port scan, they'd be able to attack it directly once again. So you need firewalling / blaclisting / fail2ban / VPN as additional measures. + of course public key auth instead of plain text passwords.
You know what would be better? if someone would write a virtual SSH program that would allow the hackers to log in and do anything they want in an environment that isn't actually attached to your computer. so they can sit there and run all the commands they want and navigate a fake file system and look through your fake files.. that would waste a lot more of their time if you ask me
thanks for your video. It would be helpful if you could compose a video that shows us all the places (directories ,files) a hacker goes to install his programs or make changes. Using linux and/or terminal on mac. thanks again
That would highly depend on the hacker, there are too many options. If you’re concerned with whether your system has been hacked, you can try running rkhunter to see whether it detects any known rootkits
Я не могу понять, он русскоговорящий или нет, английский смешанный, где то хорош акцент, а где то как будто русский. Похож на английский восточной Европы какой нибудь или американских пригородов
There's a reason this is one of the only channels covering this stuff. Never ever ever trust a library that a pre selected CZcamsr is providing you. Google has their influencers provide insecure scripts all the time as another way to monitor you
Bluehat: Forcing skiddies to stare at text banners to halt them in their tracks Goldhat: Forcing skiddies to stare at BANNER ADS to pay you while they do it.
FYI - if anyone is running into issues with make command (CentOs) and getting "make: cc: Command not found" error, just do a sudo yum install gcc. That will make sure you have the compiler in place.
@@gayusschwulius8490 If someone is building from a fresh install, say on Digital Ocean and haven't had a need to compile anything, they may run into this. While I agree with you that gcc is a staple, I wanted to make sure that base is covered for them - just in case.
Imagine getting a low power low spec raspberry pi and just having it act as honeypot while you have all your other servers/devices just sit there being able to do their normal work undisturbed
I normally set mine up to ban an IP if it fails to type the correct password in. Basically an instaban. I use pubkeys, so if anyone connects to my SSH without the key, they get instabanned :) The server I had set up at the time was literally just a Minecraft server. No one needs SSH on a Minecraft server except me so if you're even just trying to SSH for no reason, you get auto ban hammered with no chance of unbanning since to me, you're a risk :) If I ever open a new server though, I'm definitely doing this!
I love this program! endlessh.log file on my home server has grown to 33mb since July! I haven't done much analysis on it, but it seems to be mostly Chinese bots :) I'm not super happy with it running as root (although creator says it is ok), but was too lazy to do a iptables redirect yet.
All you have to do is go to your firewall and put in their your IP address for Port 22 everyone else is denied that's it. Plus servers come with Administration panels that only allows them to connect two three four five six times whatever you set to but the default is 6 and after that they're kicked off but if they use my previous method they won't even know the port exist.
I can see how this could be useful, but it's still putting a load on your server and any "hacker" worth their salt would have found the SSH server running on the other port using their scanning tools. Fail2ban works well to stop them...but if you are trying to put together a honeynet with a few honeypots to capture data on a apt attacking you, then yes, this is a wonderful solution.
I am impressed, I hope that you paid for it yourself, it is not some material related to it. The world needs young people who are wise, technical ... independent. Greetings from Poland
Please note that Endlessh is NOT meant to replace conventional SSH security methods. You should still set up public-key only authentication and 2FA, as well as tools like iptables, fail2ban and CrowdSec
It's also not meant to protect you from nmap port scans or advanced attacks. Endlessh is a fun way to mess with automated SSH scanners, but that's it.
Hi maybe a dumb question but I find your video very interesting. All of it makes sense to me but isn't it possible to use a tool from kali linux I think that can scan for certain ports on a server?
@@philipweiss2794 Yes, a malicious hacker may port scan your IP and find the other SSH server if they decided to scan all the ports. One possible way to mitigate this is to set your actual ssh server on an uncommon port, implement fail2ban and ssh key authentication. Like wolfgang mentioned though, it's highly unlikely the hacker will bother scanning the other ports and will just move on to another target searching for ssh servers on port 22.
Which commands do hackers use?
I know only sudo rm -rf, but it's useless for hacking.
So they try to load some exploits, maybe?
@@Gameplayer55055 if you are referring to port scanning, a hacker may use a tool called nmap to figure out what services are running on your server/computer. In the video, Wolfgang shows a tool used for ssh bruteforcing called Hydra.
@@Prophet761 no, i want to know procedures after getting control of your server
What do hacker usually do, when he gets control of your server?
Because windows worms basically steal your passwords, and install spyware
You're video is straight to the point and doesn't waste my time to increase your channel view time. Thank you.
@@0x150 your right.
@@matthewmarkose you're right*
@@SnazzieTV woosh!
@@paulreeves8251 woosh!
@ARTHUR DO TELETRANSPORTE Mono = One
Rail = Rail
You should just have the banner be the bee movie script
Shrek*
Just have it recite vogon poetry...
Should have it be Rick roll in ASCII art.
or most of the Old Testament
@@NextLevelCode just every single frame of the music video displayed in ASCII. Make it happen internet.
Love this! There's a simple docker package as well in the docker hub, so quick to deploy! Thanks for bringing this project to me! Such a simple and powerful tarpit!!!
what's the docker image called? is it just endless ssh?
I've been setting up a game server, and I am TOTALLY DOING THIS. Thank you so much for making this video! It never occurred to me to have a 'false front' ssh login, and making it a time sink is a brilliant approach.
I need to know: how often do we have to open the server up to let the trapped hackers out?
Did we need to increase fan speed, to make sure they don't suffocate? If the server is not water cooled, do we need to provide water (and FOOD) for them?
And, lastly, what about sanitation?
This has given me my best laugh in 3 months. Thank you!
🤣🤣👍🤣🤣
man, he said read the FAQ before commenting. Sheesh.
On a 64 bit, no more than 64 hackers, otherwise they will cause a buffer overflow and they will have full control of your cpu, fridge, TV, microwave and lights, also you have to be very careful as they might be female hackers and to me that just screams trojan horse.
Me personally i wouldn't even try to trap one in my PC as they can become very angry and aggressive,
@@imaok4721 A lot of guys wouldn't care, as long as it was a female Trojan horse. Deez bois gotta get out more.
I think in addition to changing your real SSH port, I would also say setting up the SSH server to only accept keys for login would be the next step
That goes without saying 😁
If you have a strong password, there's virtually no difference between password and key authentication.
@@gayusschwulius8490 True, though save that strong password for the key passphrase, even more solid
@@gayusschwulius8490 No, because with key authentication the key never leaves your computer, whereas the password does leave your computer so a malicious actor can pretty easily grab your password if they've compromised the system and if it's reused anywhere else or whatever they now know it, whereas with pubkey auth the key never leaves the PC so physically can't be stolen
@@VoidCraftedGamingHD If you have a really strong password it's probably not reused anywhere because you couldn't remember it so you need a password manager. Also if they compromised your SSH server or your own system there is no difference between password and key because in case 1 they don't need it anyway and in case 2 they can get whatever they want.
moving your SSHD to another port is a good practice, however a simple nmap on your IP will reveal it. Real hacker's script usually does a kind of nmap to list possible vulnerabilities. Good video
I honestly love mitigation techniques like this one; they are simple, effective, and feel a bit trolly ;)
simpler and more effective is to turn off password logins altogether, who even uses those any more
@@computer_toucher well time is money, so if your wasting time with passwords your not making money XD
I used the old honeypot for my ftp server
The real one was on another port on tls
But i just ran one on port 21 to throw off the scanners.
Then also allowing anonymous in a sandbox with specifically tailored ratios and all server messages all being the same so the warez bots wouldnt get wise on it and just fuck up their time trying
My reasons for doing that were absolutely trolly
Although that word wasn't used for it back in 2004 orso lol
@@computer_toucher Valve just used a similar honeypot method to ban thousands of cheaters in Dota 2. Simple, cheap, and effective, and has nothing to do with passwords. An ounce of prevention is worth a pound of cure, and mitigation techniques in cybersecurity is just part of the prevention process.
Lmao, I was able to bypass it by modifying literally one line of my script
Damn I actually love Wolfgang's desk setup so much
@@dbtest117 no apple desktop computers in this house
This is the least efficient way of "protecting" an SSH server I have ever seen, but also the funniest without a doubt
eh its basically just security by obscurity to stop automated botnet random ssh attacks, you definitely should set up a fail2ban as well or ideally just only allow certain devices to ssh onto your server would be the safest.
like the dude said its only a timewaster that you would likely throw into a raspberry pi and enable on all the typical ports someone would use to waste a botnets time and resources from actually doing some damage to someone without security setup like you or I would
Agree on most points but it's not security by obscurity. We camouflage our military vehicles, but they still have armor underneath that camouflage. In this case your armor is public key auth, fail2ban and 2FA on your real SSH server.
no, the least efficient way is just changing the port of SSH and hopping the hacker won't sniff it :p at least now, you have something pretenting to be SSH server and acting like one, and nothing prevent you to put some rules and fail2ban on your real SSH on top of that :p
Agreed! this is even worse than port knocking, just use fail2ban and public key
@@mariosk888 that wasn't my point lmao
Don't run it on a production server or u might end up with 20k simultaneous ssh connections
As to why you have it running on a seperate low power hungry computer. 😉
@@brostenen it would still cause problems for the router, be like a 10 minute delay when opening the connection page (just joking) port scan auto ip block and fail2ban is the way as it just ignores that ip then witch does not use much resources
@@leexgx did you check out what that endless SSH thingi does? you can have 20k connections and prolly use less then 1% of your ressources to keep them busy ... and fail2ban would need more ressources to handle 20k attackers, way more ...
@@Uaellaen fail2ban will ip block after 5 attempts in say in 60 seconds and 2 month ip ban (what ever you have set it to, most will get ip banned in first 1-2 seconds due to high rate of attempts in short time) so any connections once ip banned, it will be ignored so no way it can get to 20k connections because the firewall is flat out ignoring the ip's
@@leexgx but then fail2ban is managing a 20000 line firewall rule, no? That's got to have a hit on firewall performance?
Hacker: let's add a timeout to the script ...
Yeah like if the banner takes more than x to load lol
Chances are the hacker doesn't know about SSH headers
Just call the line in the script which tries the ssh connection using the timeout program.
Amusing, but I would rather setup fail2ban, as your real ssh server can still be hammered. Or do both
I was writing the same thing. 👍🏻
Both is good
run ssh on 22 as normal, configure f2b to a rewrite rule that dumps them to the endlesssh port instead of reject.
Yeah isn't this completely useless after an nmap scan?
@@cosmicpegasis7591 nmap.org/book/nmap-defenses-trickery.html
This is such a fantastic channel. Very well produced. Thanks Wolfgang.
As an addon I would recommend putting your real ssh port on a really high port number. Most hackers use default port scanning of the most common port and dont even scan port 5000+, so yeah :) free tip! :D
So, it's a tarpit. Brill. Also, just FYI, there's an official debian package in buster-backports.
I have my real ssh on a very odd port AND hidden by fwknop, just for a bit of extra; key-only auth of course. But I am actually thinking about installing this...
hmm dont think thats really necessary.. btw if u got multiple hosts i highly recommend setting up a ssh bastion. This way you only have to open 1 ssh port ;)
Who would win:
758 SLOC C program
vs
Single line addition to add timeout to brute force.
Even if they timeout after 15 seconds it's doing the work of drastically slowing them down.
It's not like hackers do everything in series. They can be running parallel attacks, so it's a moot point that they might be slowed down by even a 15 second timeout.
Also, hackers adapt. If they detect what they think is a honeypot, they can always do some port scanning for alternate open SSH ports.
Basically, if port 22 timesout, run port scanner and continue on the new port.
@@Exitof99 that's what i thought too, just do an nmap scan before, who would be so stupid to just assume that there's an ssh server at that ip address and, just go for it....... it would be so dumb
Thanks
My SFTP server has been getting a lot of unwanted attention. I moved the port to a high port number, and protected the connection with Fail2ban. Still lots of unwanted attention. Fail2ban worked but I was getting attacked by hackers who were changing their IP address after every attempt, Fail2ban was banning hundreds of IP addressed an hour.
I tried your sticky honey trap created about 50 sticky ports with the real SFTP and SSH ports amongst them. So far no problems are being recorded in the logs - so thanks
Thanks for sharing this is pretty cool. True someone can script a timeout but the thought of slowing down even for 15 seconds seem to be worth it.
0:46 when you see your password you used on some older sites scroll through the word list....
ahahahahh, sad story
I have a local server that's not previously exposed to the internet, but I installed this and forwarded port 22 on my router to this service just to trap some bots.
Feels like I'm doing a tiny little something to keep the most basic bots busy at least. Great video! I subscribed!
*in theory* provided there are enough servers running Endlessh, someone could do a "SSH amplification DDoS attack" as the script provides an amplification ratio greater than 1, similar concept to NTP amplification DDoS attacks...
Pinned comment
back on early 00's i was part of a community that ran on a telnet/mud chat server. we were never too much of elitist jerks but people got banned every now and then. and at some point someone who got banned got pissed off and spread address of it all around the internet, then we got flooded with people trying brute force attacks, come in to troll or never said an word for days doing god knows what.
at some point the owner had enough and did this thing where all those people would be funneled to a fake chatroom where few days of chat log would replay in a loop plus it would randomly grab a username from them and make up random messages like "hi ", "i agree", "ok", "should we change subjects?" and so.
it was painfully effective, people would only realize something was wrong after they saw chat repeating since we only had something like 2 days of logs. eventually random people got caught into it and everyone felt really bad for making some poor random talk to a walk for days and turned the whole thing off
scripts will just adapt to close the connection after 10 second timeout and try another port
This or just do an nmap scan to see open SSH ports. nmap is the very first thing I'd do anyway.
@@xtra9996 i think the video is talking about automated scripts hunting the internet to find vulnerable ssh servers. but yeah if they have a particular target in mind they'd definitely start with nmap, and not just on the nmap default ports
@@anserinae i'm saying the 10 second timeout should be added to the client side script. i suspect this has already been done
@@mulllhausen Okay, but you can automate nmap as well.
@@xtra9996 err sure. The point of the honeypot is that the attacker has already found your SSH server and now is trying to use it to access your system.
Though I wonder if this could potentially introduce a new threat surface. Haven’t looked at the code yet though.
Potentially, but I imagine that it be like a door on a wall kind of deal as there is no connection to the real server, yes the person might be able to break through the wall but it doesn't lead to anywhere
Does it run as root? If so then it's better be perfect and not have any buffer overflows or anything
@@Sergeeeek That's why you don't run it as root. You run it on a non-privileged port, its default is 2222, as a normal user. I've done this and then done a NAT port redirect from port 22 to 2222 for clients that are not permitted access.
@@parkamark makes sense. Didn't think of port redirection
@Irish Catholic Resistance the tarpit never starts the exchange. this program speaks zero ssh (or any) protocol. it is simply a reverse slowloris spewing gibberish to keep the channel alive. any client that times out after failure to receive SSH2_MSG_KEXINIT will bail. a lot of clients will happily wait forever for it. that's why this works.
That cutaway to the “hacker” at the beginning cures my depression.
I deployed this on my server the other day (I already had SSH on a different port than default and set up public key login only) and I’ve already had countless bots attempt to SSH in. Some got stuck for over 20 minutes. There’s been bots from Russia, China, Peru, the UK, South Korea, all over the damn place.
Pretty cool knowing that not only am I doing my part to waste these assholes’ time, but I’m also better protecting my server. I’m willing to bet that with a number of these bots, after they get trapped in the tarpit they probably blacklist your server’s IP so they don’t waste their time again.
Wow a 5 minute video with 5 minutes of solid information. Not a 11 minute video with 2 minutes of eh information. You just earned yourself a sub and a spot on my whitelist, something very very few CZcamsrs get from me.
The only flaw I can see is when the hackers sees the login attempts slow down to a crawl, they're going to know they're stuck in Endlessh and just exit out. Stick them into port 22, keep the speed at normal, but also make sure that even if they happen to get the right password, it fails and they keep on going. Like you say, they could waste months even though they hit the correct password ten hours after starting.
If you're doing anything automated with ssh you really don't want to let the client timeout by itself, it'll take forever (or, in this case, never do so).
Adding something like this *_-o ConnectTimeout=3_* to your client arguments should usually be enough, but in some cases (e.g. remote automated tunnels over very unreliable connections) it could still hang for a long time.
So, just to use the above and a wrapper that kill ssh if it hangs to much. Or write your own client.
I don't think many will fall in such a tarpit. Not even many script kiddies as the scripts they downloaded, without understanding, will likely take care of such a scenario for them.
back in the early 90`s I had a remote login attempt, traced the ip, it was a school with a known address and ip, called them, spoke to the principal, they were baffeled and did not know what I was talking about. "There are some kids in your computer room trying to login into other servers". Funny stuff back then.
holy crap. I just did "sudo lastb -a | more" on my vps and found hundreds of attempts made today!
@mister.T Jr Thanks! I replaced it with a 5-digit port. No new login attempts yet
@@unverifiedapk My public IP changes daily.
@@unverifiedapk BT in UK. I know it happens because I have to automate cloudflare updates for my website and VPN. Have to pay extra for a private IP.
@@unverifiedapk if your on cable, DOCSIS tech it's normally semi static but basically is static as long as your router is not been disconnected for more then 8 days (I won't say the other way you can change it as its fun permanently banning cable connections)
vdsl and adsl every reconnect is a new ip, unless you pay for a static (unsure but I would assume FTTP is same as vdsl/adsl unless you pay for static)
This is how it is generally works world wide
use RSA key authentication instead of password
Or, you could setup Guacamole so you can ssh from there and setup endlessh for those trying to connect directly.
There have never been escalation vulnerabilities. This is 100 expert advice from a guy who knows his 1s and 0s!
Aha! joke's on you, for now I will use this information to reformulate my new evil master plan! it will be perfect next time!
_[laughs maniacally]_
fragile;
propably the best description for a mac
It’s my Debian NAS 😂
@@WolfgangsChannel sad apple hate noises...
It would be nice if you could set this up in a way where you could keep ssh on the default port, but only lock up their ssh session if they enter a password from the common default password list.
So if you enter an incorrect password like soi3$%as1s, the authentication would just fail, but if you tried something in a predefined list like "hunter2" or "123456", it would lock up the session with the banner. Not sure if something like that would be possible.
A lot of attackers don't just try the default port, they scan your ip and will see the other port as well.
However, having a banner some pages long on your regular login address would still slow a brute force/dict attack to a crawl and not be worth doing.
I’m so glad I found your channel. I’m just on the back log of watching every video you have, haha. You’re very knowledgeable and I love the humour in your videos. I know this is an older video but I was wondering what is your profession in day to day life? Thanks again for the quality content.
I'm a frontend developer/UI designer :)
@@WolfgangsChannel thank you for the response. I kind of gathered because of how 2nd nature it is to you! I’m trying to learn bits and bobs. Thanks again for the awesome content. Have a good day sir!
2/10 no actual bonk meme included
silly question. Couldn't you just do an nmap scan and figure out the actual port is 69?
hey! i am kinda beginner in cybersecurity staff but here information that i know
nmap scan scans top 1000 common ports so if port 69 is not in top 1000 then I believe there wouldn't be a problem
UNLESS if a hacker is not script kidde(aka a professional hacker) and he *really* wants to hack your server,
he can simply run "nmap -p- YOUR_SERVER_IP" which will probably expose endlessh and real SSH
but nobody wants to use the -p- flag(scan all port) because nobody wants to waste their time hacking your horse tinder dating app
note -p- is *minus p minus* but yt convert it into strikethrough
You could, but this is to prevent mass scanning. Scanning thousands of ports on every device on the internet is way more resource intensive than the average skid can pull off
That thumbnail is perfection 👌
Thanks for the laugh @2:14.
Now we need fail2endless!
you can do that already :p setup fail2ban to not iptables drop them but forward them to endless ssh
4 dislikers are black hat hackers.
40
this is awesome, i love the idea of just teaching people to stop doing shoot the hard way
Ah yes, the slow loris in reverse, great idea!
I just moved my SSH server to a different port, have done so for a very long time, I'd rather people not know my computer is there at all.
I have also recently set up wireguard VPN server and SSH in over that for some extra obscurity.
But just moving ports is good enough, not seen anyone try to login but myself.
yep that's waht I do with all my servers that are publicly visible, and also for the most part on the lan too, it's just not a good idea to use the "standard" if you can avoid it.
Though one thing I've been looking at is changing the response of a nmap scan or what ever.
I found a post from 2007 that had some code that would make your server advertise any port as any random service, so that it would essentially make your one IP look like a whole host of servers. this means that if you get the answer "port 69 is ssh" it could actually be a website, making anybody nosy enough have to investigate further, and trying to connect with the wrong protocol would make you waste a lot of time.
But in his final note he added "due to the legality of such a project I'm not sure I can continue publishing this" and I haven't found anything that does exactly that.
It really sounds like a great idea, but I have no idea how you could do that.
Well... If they dont see a "server" at the usual port, then they know that something funky is going down. Better lure them with some psychology trick. 😉
Strange, on the servers we are using when someone fails to fill in the right credentials within 5 minutes the IP is blocked...
He says it's the boring way to protect servers. It's only a funny way and tbh why not adding this on top of fail2ban
Also useless if the IP changes constantly
@@auronkardek id just do it for fun and to troll hackers
@@hetayy Yes, because attackers have an endless supply of IP's. LOL.
If one was sepecifically targeting you they would scan for open ports first and notice that there are two ssh services running.
In that case it wouldn't be of much help. But to be honest, that is highly unlikely. Most of the time it will be a random attack and against that I really love this method.
1. If you are the only ones using SSH, lock it down to only IPs that you expect or ranges of IPs local to yours.
2. If you are running a shared host, this would never work. Customers would try the default port even if you instructed them which port is actually SSH.
1:29 XD Nice vid btw
You scan for open Ports. So even If your SSH ist running on a different Port IT wont be hard to find IT. I would personally Just diactivate IT If you are running your Server at Home
You overestimate ssh spraying attacks. They don't care about servers with a better login then admin admin. Or another ssh Port. If they do they are attacking you specifically and you should worry avout that. But if you really wanna make sure only you get into your server over the internet use a certificate for authentication.
Sounds similar to what we would put into a .plan or .project file back in the day on our Unix-like systems, when 9600 baud was “high speed”, so that when some user tried to use the finger command with your account, they would get this very lengthy animated plaintext message. Had to keep the stuff in a single line, and it used special characters, and the university banned such use of .plan and .project as a result of user complaints.
Reverse slow loris in a way... I love it.
I wonder how many bruteforce attackers it would take to generate any kind of measurable load on that machine if it only respods with 1 line every several seconds :D
Very cool stuff - thanks for sharing!
The number of attackers doesn't matter. The one line every second will limit it to zero even on a raspberry Pi. Only problem with that hard delay, you might end up having a hard time getting on you own machine.
I just looked at my auth logs and saw:
rustserver
steam
alpine
root
That’s such an easy thing to go around, that I don’t think it even matters
You can skip the banner using 'ssh -q' so it might be already in every serious hackers script
Well this is relevant to me xD (wasnt using the normal port of cause but still got spammed with these) i just stop port forwarding ssh and just using OpenVPN to my house then ssh in.
That's very cool, however if they find out that the sshd server is running on another port like 69 in your case using a port scan, they'd be able to attack it directly once again. So you need firewalling / blaclisting / fail2ban / VPN as additional measures. + of course public key auth instead of plain text passwords.
This was all over my mind, the attacker would def do reconnaissance before attacking (script-kiddies aside)
0:20. Lol at the dude trying to hack, ha ha
Thanks for this video. Looks fun. I'll do it. Also, glad to see another fish user!
2:15 я сейчас буду сканить все порты
Лол
Поворот сюжета: во всех портах есть ямы с гудроном
I feel like you are going to make a lot of people lock themselves out of their server since you didn't show how to change the actual ssh server port
Endlessh won't launch if the port 22 is already taken, no worries :)
You know what would be better? if someone would write a virtual SSH program that would allow the hackers to log in and do anything they want in an environment that isn't actually attached to your computer. so they can sit there and run all the commands they want and navigate a fake file system and look through your fake files.. that would waste a lot more of their time if you ask me
You're describing a honey pot.
thanks for your video. It would be helpful if you could compose a video that shows us all the places (directories ,files) a hacker goes to install his programs or make changes. Using linux and/or terminal on mac. thanks again
That would highly depend on the hacker, there are too many options. If you’re concerned with whether your system has been hacked, you can try running rkhunter to see whether it detects any known rootkits
Easy fix against this protection: Use timeout in your bruteforce script, lmao
All those script kiddies would be very angry at this comment, if they could read.
@@WolfgangsChannel yeah, are we really sure the majority of these brute force scripts don't just use ConnectTimeout?
Спасибо за подсказку :-)
Я не могу понять, он русскоговорящий или нет, английский смешанный, где то хорош акцент, а где то как будто русский. Похож на английский восточной Европы какой нибудь или американских пригородов
@@denys.martyniuk русский он
my eyes: "Well made video"
my brain: "this guy seems legit"
my right-hand index finger: "Click Subscribe"
There's a reason this is one of the only channels covering this stuff.
Never ever ever trust a library that a pre selected CZcamsr is providing you.
Google has their influencers provide insecure scripts all the time as another way to monitor you
Cool! Never knew you could show a banner before getting into the server. thanks for the video :)
That thumbnail tho. XD
I really like this concept!
Superb video contains deep knowledge... Keep on going brother
Bluehat: Forcing skiddies to stare at text banners to halt them in their tracks
Goldhat: Forcing skiddies to stare at BANNER ADS to pay you while they do it.
Platinumhat: Forcing skiddies to stare at Richard Stallman's interjection copypasta.
Dude your content is great, so glad i'm subscribed, keep it up ! :)
Nice internet survival stuff. Keep up fellow black hat.
i love how people in the comments suggest better ideas for securing, when this is not even the point of the video :D
idk what the fuck an ssh even is but i like this this is good
just found your channel and it's DOPE AF! instant subbed!
FYI - if anyone is running into issues with make command (CentOs) and getting "make: cc: Command not found" error, just do a sudo yum install gcc. That will make sure you have the compiler in place.
Are there really people who run a Linux distro without gcc installed? Lmao
@@gayusschwulius8490 If someone is building from a fresh install, say on Digital Ocean and haven't had a need to compile anything, they may run into this. While I agree with you that gcc is a staple, I wanted to make sure that base is covered for them - just in case.
I wish I knew what you were doing and how to even begin to try such a thing, but it is awesome!
Imagine getting a low power low spec raspberry pi and just having it act as honeypot while you have all your other servers/devices just sit there being able to do their normal work undisturbed
I normally set mine up to ban an IP if it fails to type the correct password in. Basically an instaban. I use pubkeys, so if anyone connects to my SSH without the key, they get instabanned :)
The server I had set up at the time was literally just a Minecraft server. No one needs SSH on a Minecraft server except me so if you're even just trying to SSH for no reason, you get auto ban hammered with no chance of unbanning since to me, you're a risk :)
If I ever open a new server though, I'm definitely doing this!
This is most epic name WOLFGANG
I find port knocking to be the best solution to protect your ssh port
CZcams algorithm brought me here. GREAT video!!
I love this program! endlessh.log file on my home server has grown to 33mb since July! I haven't done much analysis on it, but it seems to be mostly Chinese bots :) I'm not super happy with it running as root (although creator says it is ok), but was too lazy to do a iptables redirect yet.
Cheems is in the miniature, excellent service 10/10
Keep fighting the good fight.
All you have to do is go to your firewall and put in their your IP address for Port 22 everyone else is denied that's it.
Plus servers come with Administration panels that only allows them to connect two three four five six times whatever you set to but the default is 6 and after that they're kicked off but if they use my previous method they won't even know the port exist.
I got a script kiddie attacking me over the last week now. I changed the banner to a snarky statement but this is soo much better!
It's all fun before hacker escapes jail
The troll part is fun but Won’t this cause increased network bandwidth consumed by the server when malicious login attempts are made?
You look like you would look good with a austrianpainterAdolf mustache
A good example of working #SSH bypass.
I can see how this could be useful, but it's still putting a load on your server and any "hacker" worth their salt would have found the SSH server running on the other port using their scanning tools. Fail2ban works well to stop them...but if you are trying to put together a honeynet with a few honeypots to capture data on a apt attacking you, then yes, this is a wonderful solution.
Pinned comment
I am impressed, I hope that you paid for it yourself, it is not some material related to it. The world needs young people who are wise, technical ... independent. Greetings from Poland
not bad. Thats something that I just learned.