
A simple SSH tarpit.

Endlessh is an SSH tarpit: it opens a socket and pretends to be an SSH server, very slowly sending an endless, random SSH banner that can keep an SSH client locked up for hours or even days. The idea is to run the real SSH server on a different port and let intruders get stuck on the fake one, so they never reach the real server.

Endlessh does not depend on any cryptographic library; it is a simple single-threaded, standalone C program that uses poll() to hold many clients at once.

Building and using it

Build the binary

git clone https://github.com/skeeto/endlessh.git
cd endlessh
make

Running endlessh

chmod u+x endlessh
./endlessh
./endlessh -v                                   # with log output
./endlessh -v >endlessh.log 2>endlessh.err      # write the logs to files
./endlessh -f config                            # use a specific config file; the default is /etc/endlessh/config

Configuration file template

# The port on which to listen for new SSH connections.
Port 22

# The endless banner is sent one line at a time. This is the delay
# in milliseconds between individual lines.
Delay 10000

# The length of each line is randomized. This controls the maximum
# length of each line. Shorter lines may keep clients on for longer if
# they give up after a certain number of bytes.
MaxLineLength 32

# Maximum number of connections to accept at a time. Connections beyond
# this are not immediately rejected, but will wait in the queue.
MaxClients 4096

# Set the detail level for the log.
#   0 = Quiet
#   1 = Standard, useful log messages
#   2 = Very noisy debugging information
LogLevel 0

# Set the family of the listening socket
#   0 = Use IPv4 Mapped IPv6 (Both v4 and v6, default)
#   4 = Use IPv4 only
#   6 = Use IPv6 only
BindFamily 0

Setting it up with Docker

git clone https://github.com/skeeto/endlessh.git
cd endlessh
docker build . -t endlessh:v1                            # build the Docker image
docker run -it --name=endlessh -p 22:2222 endlessh:v1    # create the container; the image listens on 2222, mapped to host port 22

Change the system SSH port

vim /etc/ssh/sshd_config
#Port 22
Port 2233
# change the system SSH port to 2233
# restart sshd afterwards and confirm a login on 2233 works before handing port 22 to Endlessh
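A quick way to confirm the split (tarpit on 22, real sshd on 2233) is to read what each port sends: a real server eventually sends a version line starting with "SSH-", while Endlessh only ever sends random pre-version lines. The script below is an added example, not part of the post or of the Endlessh project; the host 127.0.0.1 and the two ports are assumptions, and the timeout must be longer than the configured Delay (10 s in the template above).

```python
"""Tell a real sshd apart from the Endlessh tarpit by what it sends first."""
import socket
import time

SSH_VERSION_PREFIX = b"SSH-"


def classify_banner(data: bytes) -> str:
    """Classify the bytes read from an SSH port.

    RFC 4253 allows arbitrary text lines before the version string, but the
    version string itself must begin with "SSH-". Endlessh sends only such
    pre-version junk lines, so: "ssh" = a version line arrived, "tarpit" =
    lines arrived but none was a version line, "silent" = nothing arrived.
    """
    if not data:
        return "silent"
    for line in data.split(b"\n"):
        if line.startswith(SSH_VERSION_PREFIX):
            return "ssh"
    return "tarpit"


def probe(host: str, port: int, timeout: float = 15.0):
    """Connect and read for up to `timeout` seconds; return (verdict, bytes)."""
    data = b""
    deadline = time.monotonic() + timeout
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(0.5)  # poll in short slices so the deadline is honoured
        while time.monotonic() < deadline:
            try:
                chunk = sock.recv(256)
            except socket.timeout:
                continue
            if not chunk:  # peer closed the connection
                break
            data += chunk
            if SSH_VERSION_PREFIX in data:  # real server identified, stop early
                break
    return classify_banner(data), data


if __name__ == "__main__":
    # Assumed layout from the post: Endlessh on 22, the relocated sshd on 2233.
    for port in (22, 2233):
        verdict, data = probe("127.0.0.1", port)
        print(f"port {port}: {verdict} ({len(data)} bytes received)")
```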

SSH tarpit Endlessh
Endlessh: an SSH tarpit