SSH Honeypot in 4 Minutes - Trap Hackers in Your Server

  • Published 12 Oct 2020
  • In this video I'll show you a funny way to protect your SSH server from hackers, script kiddies and Chinese botnets, using Endlessh by Chris Wellons
    Endlessh (GitHub): github.com/skeeto/endlessh
    Support the channel:
    Patreon / wolfgangschannel
    PayPal (one time donation) www.paypal.com/donate/?hosted...
    Follow me:
    Twitter / notthebeeee
    GitHub github.com/notthebee
    Music:
    A.M. Beef - Takama no Hara
    Ian Post - Electricity
  • Science & Technology

Comments • 1.1K

  • @WolfgangsChannel  3 years ago +594

    Please note that Endlessh is NOT meant to replace conventional SSH security methods. You should still set up public-key only authentication and 2FA, as well as tools like iptables, fail2ban and CrowdSec
    It's also not meant to protect you from nmap port scans or advanced attacks. Endlessh is a fun way to mess with automated SSH scanners, but that's it.
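
The "conventional" half of that advice (key-only authentication on the real sshd) is easy to get subtly wrong, so here is an added example, not code from the video or from the Endlessh project, that checks it mechanically. It reads sshd_config the way sshd itself does: keywords are case-insensitive, the first occurrence of a keyword wins (so an `Include` at the top of the file beats anything below it), and lines after a `Match` apply only to that block. Both configuration samples are constructed for the example; the DEFAULTS table lists the values sshd uses when a keyword is absent.

```python
import re

# Added example; not code from the video or the Endlessh project. Both configs
# below are constructed. DEFAULTS holds sshd's values for absent keywords.

WEAK_SSHD_CONFIG = """\
# constructed: a distro-shipped sshd_config with a few careless edits
Include /etc/ssh/sshd_config.d/*.conf
Port 22
PermitRootLogin yes
#PubkeyAuthentication yes
PasswordAuthentication yes
UsePAM yes
# too late: the first PermitRootLogin above wins
PermitRootLogin no

Match User backup
    # applies to this user only; the global value stays yes
    PasswordAuthentication no
"""

HARDENED_SSHD_CONFIG = """\
# constructed: what the pinned comment asks for
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
UsePAM yes
# for key + TOTP through PAM, re-enable keyboard-interactive and add:
# AuthenticationMethods publickey,keyboard-interactive
"""

DEFAULTS = {  # sshd's defaults for keywords missing from the file
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "kbdinteractiveauthentication": "yes",
    "authenticationmethods": "any",
}

_SPLIT = re.compile(r"\s*=\s*|\s+")  # "Key value" or "Key=value"


def parse_sshd_config(text):
    """Return (global_options, match_blocks).

    global_options maps lower-cased keyword -> first value seen in the file.
    match_blocks is a list of {"criteria": "User backup", "options": {...}}.
    Included files are not followed; the Include line is kept as a keyword so
    the caller can see that first-wins precedence may be decided elsewhere.
    """
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = _SPLIT.split(line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {"criteria": value, "options": {}}
            blocks.append(current)
            continue
        target = global_opts if current is None else current["options"]
        target.setdefault(key, value)  # first occurrence wins, as in sshd
    return global_opts, blocks


def effective(global_opts, keyword):
    """Value sshd would use globally: the file's first value, else the default."""
    k = keyword.lower()
    return global_opts.get(k, DEFAULTS.get(k, ""))


def audit_sshd_config(text):
    """Return [(Keyword, effective value, advice)] for settings that still let
    password guessing reach the real server."""
    g, _blocks = parse_sshd_config(text)
    findings = []

    def expect(keyword, ok_values, advice):
        value = effective(g, keyword)
        if value.lower() not in ok_values:
            findings.append((keyword, value, advice))

    expect("PasswordAuthentication", {"no"}, "set to no; log in with keys")
    expect("PermitRootLogin", {"no", "prohibit-password"}, "set to no")
    expect("PubkeyAuthentication", {"yes"}, "set to yes")
    expect("PermitEmptyPasswords", {"no"}, "set to no")

    # Gotcha: with UsePAM, the PAM stack can still ask for a password over
    # keyboard-interactive even when PasswordAuthentication is no, unless
    # AuthenticationMethods makes a public key mandatory.
    kbd = g.get("kbdinteractiveauthentication",
                g.get("challengeresponseauthentication",  # older spelling
                      DEFAULTS["kbdinteractiveauthentication"]))
    if kbd.lower() == "yes" and "publickey" not in effective(g, "AuthenticationMethods"):
        findings.append(("KbdInteractiveAuthentication", kbd,
                         "set to no, or require publickey in AuthenticationMethods "
                         "(publickey,keyboard-interactive for key + TOTP)"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or "no findings")
```

Run it against the output of `sshd -T` rather than the raw file when you want the values sshd actually resolved after includes and Match evaluation; the parser above is for reading a file before you deploy it.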

    • @philipweiss2794 3 years ago +5

      Hi, maybe a dumb question, but I find your video very interesting. All of it makes sense to me, but isn't it possible to use a tool from Kali Linux, I think, that can scan for certain ports on a server?

    • @Prophet761 3 years ago +15

      @@philipweiss2794 Yes, a malicious hacker may port scan your IP and find the other SSH server if they decide to scan all the ports. One possible way to mitigate this is to set your actual SSH server on an uncommon port, and implement fail2ban and SSH key authentication. Like Wolfgang mentioned though, it's highly unlikely the hacker will bother scanning the other ports; they will just move on to another target, searching for SSH servers on port 22.

    • @Gameplayer55055 3 years ago +5

      Which commands do hackers use?
      I know only sudo rm -rf, but it's useless for hacking.
      So they try to load some exploits, maybe?

    • @Prophet761 3 years ago +3

      @@Gameplayer55055 if you are referring to port scanning, a hacker may use a tool called nmap to figure out what services are running on your server/computer. In the video, Wolfgang shows a tool used for ssh bruteforcing called Hydra.

    • @Gameplayer55055 3 years ago +7

      @@Prophet761 No, I want to know the procedures after getting control of your server.
      What do hackers usually do when they get control of your server?
      Because Windows worms basically steal your passwords and install spyware

  • @NithinJune  3 years ago +850

    You should just have the banner be the bee movie script

    • @friction5001 3 years ago +18

      Shrek*

    • @bionicgeekgrrl 3 years ago +37

      Just have it recite vogon poetry...

    • @NextLevelCode 3 years ago +63

      Should have it be Rick roll in ASCII art.

    • @RightHandedMan25 3 years ago +11

      or most of the Old Testament

    • @adamschneider868 3 years ago +25

      @@NextLevelCode just every single frame of the music video displayed in ASCII. Make it happen internet.

  • @matthewmarkose  3 years ago +1158

    Your video is straight to the point and doesn't waste my time to increase your channel's view time. Thank you.

    • @matthewmarkose 3 years ago +19

      @@0x150 your right.

    • @SnazzieTV 3 years ago +14

      @@matthewmarkose you're right*

    • @paulreeves8251 3 years ago +8

      @@SnazzieTV woosh!

    • @oscwavcommentaccount 3 years ago +2

      @@paulreeves8251 woosh!

    • @mheyer5353 3 years ago

      @ARTHUR DO TELETRANSPORTE Mono = One
      Rail = Rail

  • @colfaxschuyler3675  3 years ago +417

    I need to know: how often do we have to open the server up to let the trapped hackers out?
    Did we need to increase fan speed, to make sure they don't suffocate? If the server is not water cooled, do we need to provide water (and FOOD) for them?
    And, lastly, what about sanitation?

    • @unknownsoldier4156 3 years ago +22

      This has given me my best laugh in 3 months. Thank you!

    • @imaok4721 3 years ago +1

      🤣🤣👍🤣🤣

    • @daveland2653 3 years ago +2

      man, he said read the FAQ before commenting. Sheesh.

    • @imaok4721 3 years ago +14

      On a 64-bit, no more than 64 hackers, otherwise they will cause a buffer overflow and they will have full control of your CPU, fridge, TV, microwave and lights. Also you have to be very careful, as they might be female hackers, and to me that just screams Trojan horse.
      Me personally, I wouldn't even try to trap one in my PC, as they can become very angry and aggressive.

    • @colfaxschuyler3675 3 years ago +8

      @@imaok4721 A lot of guys wouldn't care, as long as it was a female Trojan horse. Deez bois gotta get out more.

  • @Fregmazors  2 years ago +10

    I've been setting up a game server, and I am TOTALLY DOING THIS. Thank you so much for making this video! It never occurred to me to have a 'false front' ssh login, and making it a time sink is a brilliant approach.

  • @DanielStinebaugh  3 years ago +31

    Love this! There's a simple docker package as well in the docker hub, so quick to deploy! Thanks for bringing this project to me! Such a simple and powerful tarpit!!!

    • @BrianThomas 2 years ago +2

      What's the Docker image called? Is it just endless ssh?

  • @b00gi3  2 years ago +1

    This is such a fantastic channel. Very well produced. Thanks Wolfgang.

  • @ss-xy2im  3 years ago +284

    Don't run it on a production server or you might end up with 20k simultaneous SSH connections

    • @brostenen 3 years ago +7

      As to why you have it running on a separate, low-power computer. 😉

    • @leexgx 3 years ago +13

      @@brostenen it would still cause problems for the router, be like a 10 minute delay when opening the connection page (just joking). Port scan auto IP block and fail2ban is the way, as it just ignores that IP then, which does not use many resources

    • @Uaellaen 3 years ago +5

      @@leexgx did you check out what that endless SSH thingy does? You can have 20k connections and probably use less than 1% of your resources to keep them busy ... and fail2ban would need more resources to handle 20k attackers, way more ...

    • @leexgx 3 years ago +20

      @@Uaellaen fail2ban will IP-block after 5 attempts in, say, 60 seconds, with a 2-month IP ban (whatever you have set it to; most will get IP banned in the first 1-2 seconds due to the high rate of attempts in a short time), so any connections once an IP is banned will be ignored, so there is no way it can get to 20k connections, because the firewall is flat out ignoring the IPs

    • @SteveJones172pilot 3 years ago +3

      @@leexgx but then fail2ban is managing a 20000-line firewall rule, no? That's got to have a hit on firewall performance?

  • @GreenLinuxPenguin  3 years ago +141

    I think in addition to changing your real SSH port, I would also say setting up the SSH server to only accept keys for login would be the next step

    • @WolfgangsChannel 3 years ago +52

      That goes without saying 😁

    • @gayusschwulius8490 3 years ago +10

      If you have a strong password, there's virtually no difference between password and key authentication.

    • @GreenLinuxPenguin 3 years ago +12

      @@gayusschwulius8490 True, though save that strong password for the key passphrase; even more solid

    • @VoidCraftedGamingHD 3 years ago +27

      @@gayusschwulius8490 No, because with key authentication the key never leaves your computer, whereas the password does leave your computer, so a malicious actor can pretty easily grab your password if they've compromised the system, and if it's reused anywhere else or whatever, they now know it. With pubkey auth the key never leaves the PC, so it physically can't be stolen

    • @KiinaSu 3 years ago +8

      @@VoidCraftedGamingHD If you have a really strong password it's probably not reused anywhere, because you couldn't remember it, so you need a password manager. Also, if they compromised your SSH server or your own system, there is no difference between password and key, because in case 1 they don't need it anyway and in case 2 they can get whatever they want.

  • @HarryBallsOnYa345  3 years ago +73

    I honestly love mitigation techniques like this one; they are simple, effective, and feel a bit trolly ;)

    • @computer_toucher 2 years ago +1

      Simpler and more effective is to turn off password logins altogether; who even uses those any more?

    • @HarryBallsOnYa345 2 years ago

      @@computer_toucher well, time is money, so if you're wasting time with passwords you're not making money XD

    • @dutchdykefinger 2 years ago +3

      I used the old honeypot for my FTP server.
      The real one was on another port, on TLS.
      But I just ran one on port 21 to throw off the scanners.
      Then also allowing anonymous in a sandbox with specifically tailored ratios, and all server messages being the same, so the warez bots wouldn't get wise to it and would just fuck up their time trying.
      My reasons for doing that were absolutely trolly,
      although that word wasn't used for it back in 2004 or so, lol

    • @99mage99 1 year ago

      @@computer_toucher Valve just used a similar honeypot method to ban thousands of cheaters in Dota 2. Simple, cheap, and effective, and it has nothing to do with passwords. An ounce of prevention is worth a pound of cure, and mitigation techniques in cybersecurity are just part of the prevention process.

    • @reoffending 9 months ago

      Lmao, I was able to bypass it by modifying literally one line of my script

  • @Belgarathe  3 years ago +1

    Thanks for sharing, this is pretty cool. True, someone can script a timeout, but the thought of slowing them down even for 15 seconds seems to be worth it.

  • @ericmasson7462  3 years ago +12

    Moving your SSHD to another port is good practice; however, a simple nmap on your IP will reveal it. A real hacker's script usually does a kind of nmap to list possible vulnerabilities. Good video

  • @0ldenn  3 years ago +183

    This is the least efficient way of "protecting" an SSH server I have ever seen, but also the funniest without a doubt

    • @agentbarron3945 3 years ago +28

      Eh, it's basically just security by obscurity to stop automated botnet random SSH attacks; you definitely should set up fail2ban as well, or ideally only allow certain devices to SSH onto your server, which would be the safest.
      Like the dude said, it's only a timewaster that you would likely throw onto a Raspberry Pi and enable on all the typical ports someone would use, to waste a botnet's time and resources from actually doing some damage to someone without security set up like you or I would have

    • @WolfgangsChannel 3 years ago +73

      Agree on most points but it's not security by obscurity. We camouflage our military vehicles, but they still have armor underneath that camouflage. In this case your armor is public key auth, fail2ban and 2FA on your real SSH server.

    • @kaptainkrunch593 3 years ago +11

      No, the least efficient way is just changing the port of SSH and hoping the hacker won't sniff it :p At least now you have something pretending to be an SSH server and acting like one, and nothing prevents you from putting some rules and fail2ban on your real SSH on top of that :p

    • @mariosk888 3 years ago

      Agreed! This is even worse than port knocking; just use fail2ban and public key

    • @kaptainkrunch593 3 years ago +5

      @@mariosk888 that wasn't my point lmao

  • @youp1tralala  3 years ago +376

    Amusing, but I would rather setup fail2ban, as your real ssh server can still be hammered. Or do both

    • @luca-dallavalle 3 years ago +5

      I was writing the same thing. 👍🏻

    • @janmejayjoshi 3 years ago +1

      Both is good

    • @danmerillat 3 years ago +53

      Run ssh on 22 as normal, configure f2b with a rewrite rule that dumps them to the endlessh port instead of reject.

    • @cosmicpegasis7591 3 years ago +6

      Yeah isn't this completely useless after an nmap scan?

    • @janmejayjoshi 3 years ago +7

      @@cosmicpegasis7591 nmap.org/book/nmap-defenses-trickery.html

  • @naoltitude9516  3 years ago +38

    Damn I actually love Wolfgang's desk setup so much

    • @dbtest117 3 years ago

    • @WolfgangsChannel 3 years ago +6

      @@dbtest117 no apple desktop computers in this house

  • @aerastyle  3 years ago +74

    Hacker: let's add a timeout to the script ...

    • @fmslickful 3 years ago +1

      Yeah like if the banner takes more than x to load lol

    • @1996Pinocchio 3 years ago +8

      Chances are the hacker doesn't know about SSH headers

    • @drstein42 3 years ago +1

      Just call the line in the script which tries the ssh connection using the timeout program.

  • @Beateau  3 years ago +17

    0:46 when you see your password you used on some older sites scroll through the word list....

    • @simolx 3 years ago

      ahahahahh, sad story

  •  2 years ago +3

    I have a local server that's not previously exposed to the internet, but I installed this and forwarded port 22 on my router to this service just to trap some bots.
    Feels like I'm doing a tiny little something to keep the most basic bots busy at least. Great video! I subscribed!

  • @dpsfitness7375  2 years ago

    I’m so glad I found your channel. I’m just on the back log of watching every video you have, haha. You’re very knowledgeable and I love the humour in your videos. I know this is an older video but I was wondering what is your profession in day to day life? Thanks again for the quality content.

    • @WolfgangsChannel 2 years ago +1

      I'm a frontend developer/UI designer :)

    • @dpsfitness7375 2 years ago

      @@WolfgangsChannel thank you for the response. I kind of gathered because of how 2nd nature it is to you! I’m trying to learn bits and bobs. Thanks again for the awesome content. Have a good day sir!

  • @eduardocarmona9660  3 years ago +1

    Dude, your content is great, so glad I'm subscribed, keep it up! :)

  • @scorch855  3 years ago +62

    Who would win:
    758 SLOC C program
    vs
    Single line addition to add timeout to brute force.

    • @danmerillat 3 years ago +13

      Even if they timeout after 15 seconds it's doing the work of drastically slowing them down.

    • @Exitof99 3 years ago +8

      It's not like hackers do everything in series. They can be running parallel attacks, so it's a moot point that they might be slowed down by even a 15 second timeout.
      Also, hackers adapt. If they detect what they think is a honeypot, they can always do some port scanning for alternate open SSH ports.
      Basically, if port 22 timesout, run port scanner and continue on the new port.

    • @simolx 3 years ago

      @@Exitof99 That's what I thought too, just do an nmap scan before; who would be so stupid as to just assume that there's an SSH server at that IP address and just go for it....... it would be so dumb

  • @BizarrelyOdd  3 years ago +5

    As an add-on I would recommend putting your real SSH port on a really high port number. Most hackers use default port scanning of the most common ports and don't even scan port 5000+, so yeah :) free tip! :D

  • @Keyshooter  3 years ago +1

    this is awesome, i love the idea of just teaching people to stop doing shoot the hard way

  • @deepb5204  3 years ago

    Cool! Never knew you could show a banner before getting into the server. Thanks for the video :)

  • @mulllhausen  3 years ago +33

    scripts will just adapt to close the connection after 10 second timeout and try another port

    • @xtra9996 3 years ago +8

      This, or just do an nmap scan to see open SSH ports. nmap is the very first thing I'd do anyway.

    • @mulllhausen 3 years ago +7

      @@xtra9996 I think the video is talking about automated scripts hunting the internet to find vulnerable SSH servers. But yeah, if they have a particular target in mind they'd definitely start with nmap, and not just on the nmap default ports

    • @mulllhausen 3 years ago

      @@anserinae I'm saying the 10 second timeout should be added to the client side script. I suspect this has already been done

    • @xtra9996 3 years ago

      @@mulllhausen Okay, but you can automate nmap as well.

    • @mulllhausen 3 years ago

      @@xtra9996 Err, sure. The point of the honeypot is that the attacker has already found your SSH server and is now trying to use it to access your system.

  • @eight-double-three  3 years ago +23

    So, it's a tarpit. Brill. Also, just FYI, there's an official Debian package in buster-backports.
    I have my real SSH on a very odd port AND hidden by fwknop, just for a bit extra; key-only auth of course. But I am actually thinking about installing this...

    • @m8_981 3 years ago

      Hmm, don't think that's really necessary.. BTW if you've got multiple hosts I highly recommend setting up an SSH bastion. This way you only have to open 1 SSH port ;)

  • @AviusX  3 years ago

    Thanks for this video. Looks fun. I'll do it. Also, glad to see another fish user!

  • @BKYLiew  3 years ago

    just found your channel and it's DOPE AF! instant subbed!

  • @jannikmeissner  3 years ago +29

    Though I wonder if this could potentially introduce a new threat surface. Haven’t looked at the code yet though.

    • @theawesomegamer123 3 years ago +4

      Potentially, but I imagine that it'd be like a door on a wall kind of deal, as there is no connection to the real server; yes, the person might be able to break through the wall, but it doesn't lead anywhere

    • @Sergeeeek 3 years ago +5

      Does it run as root? If so then it had better be perfect and not have any buffer overflows or anything

    • @parkamark 3 years ago +8

      @@Sergeeeek That's why you don't run it as root. You run it on a non-privileged port (its default is 2222) as a normal user. I've done this and then done a NAT port redirect from port 22 to 2222 for clients that are not permitted access.

    • @Sergeeeek 3 years ago +2

      @@parkamark makes sense. Didn't think of port redirection

    • @jersute 3 years ago +2

      @Irish Catholic Resistance The tarpit never starts the exchange. This program speaks zero SSH (or any) protocol. It is simply a reverse slowloris spewing gibberish to keep the channel alive. Any client that times out after failure to receive SSH2_MSG_KEXINIT will bail. A lot of clients will happily wait forever for it. That's why this works.

  • @fruitfcker5351  3 years ago +5

    Or, you could set up Guacamole so you can SSH from there, and set up endlessh for those trying to connect directly.

  • @numberiforgot  3 years ago

    That cutaway to the “hacker” at the beginning cures my depression.

  • @GTSongwriter  2 years ago

    I really like this concept!

  • @mentalmarvin  3 years ago +9

    Holy crap. I just did "sudo lastb -a | more" on my VPS and found hundreds of attempts made today!

    • @mentalmarvin 3 years ago +3

      @mister.T Jr Thanks! I replaced it with a 5-digit port. No new login attempts yet

    • @Jimmy_Jones 3 years ago +3

      @@unverifiedapk My public IP changes daily.

    • @Jimmy_Jones 3 years ago +2

      @@unverifiedapk BT in the UK. I know it happens because I have to automate Cloudflare updates for my website and VPN. Have to pay extra for a private IP.

    • @leexgx 3 years ago

      @@unverifiedapk if you're on cable (DOCSIS tech) it's normally semi-static, but basically is static as long as your router has not been disconnected for more than 8 days (I won't say the other way you can change it, as it's fun permanently banning cable connections)
      VDSL and ADSL: every reconnect is a new IP, unless you pay for a static (unsure, but I would assume FTTP is the same as VDSL/ADSL unless you pay for static)
      This is how it generally works worldwide

    • @Uaellaen 3 years ago +1

      use RSA key authentication instead of password

  • @davecasey4341  2 years ago +6

    The only flaw I can see is when the hacker sees the login attempts slow down to a crawl, they're going to know they're stuck in Endlessh and just exit out. Stick them into port 22, keep the speed at normal, but also make sure that even if they happen to get the right password, it fails and they keep on going. Like you say, they could waste months even though they hit the correct password ten hours after starting.

  • @johnhumphreys8018  3 years ago +2

    Thanks.
    My SFTP server has been getting a lot of unwanted attention. I moved the port to a high port number and protected the connection with Fail2ban. Still lots of unwanted attention. Fail2ban worked, but I was getting attacked by hackers who were changing their IP address after every attempt; Fail2ban was banning hundreds of IP addresses an hour.
    I tried your sticky honey trap and created about 50 sticky ports with the real SFTP and SSH ports amongst them. So far no problems are being recorded in the logs - so thanks

  • @ZippyDChimp-mr1tf  3 years ago

    I wish I knew what you were doing and how to even begin to try such a thing, but it is awesome!

  • @root317  3 years ago +3

    1:29 XD Nice vid btw

  • @agentbarron3945  3 years ago +35

    Wow, a 5 minute video with 5 minutes of solid information. Not an 11 minute video with 2 minutes of eh information. You just earned yourself a sub and a spot on my whitelist, something very, very few YouTubers get from me.

  • @vickyverma9357  1 year ago

    Superb video, contains deep knowledge... Keep on going, brother

  • @diezgp  3 years ago +2

    That thumbnail is perfection 👌

  • @urugulu1656  3 years ago +24

    fragile;
    probably the best description for a Mac

    • @WolfgangsChannel 3 years ago +4

      It’s my Debian NAS 😂

    • @urugulu1656 3 years ago +4

      @@WolfgangsChannel sad apple hate noises...

  • @epic_baller123  2 years ago +5

    Silly question. Couldn't you just do an nmap scan and figure out the actual port is 69?

  • @gibbeldon  3 years ago +1

    If one was specifically targeting you they would scan for open ports first and notice that there are two SSH services running.
    In that case it wouldn't be of much help. But to be honest, that is highly unlikely. Most of the time it will be a random attack, and against that I really love this method.

  • @khhnator  3 years ago +1

    Back in the early 00s I was part of a community that ran on a telnet/MUD chat server. We were never too much of elitist jerks, but people got banned every now and then. And at some point someone who got banned got pissed off and spread the address of it all around the internet; then we got flooded with people trying brute force attacks, coming in to troll, or never saying a word for days, doing god knows what.
    At some point the owner had enough and did this thing where all those people would be funneled to a fake chatroom where a few days of chat log would replay in a loop, plus it would randomly grab a username from them and make up random messages like "hi", "i agree", "ok", "should we change subjects?" and so on.
    It was painfully effective; people would only realize something was wrong after they saw the chat repeating, since we only had something like 2 days of logs. Eventually random people got caught in it and everyone felt really bad for making some poor random talk to a wall for days, and turned the whole thing off

  • @edwardecl  3 years ago +12

    I just moved my SSH server to a different port, have done so for a very long time; I'd rather people not know my computer is there at all.
    I have also recently set up a WireGuard VPN server and SSH in over that for some extra obscurity.
    But just moving ports is good enough; not seen anyone try to log in but myself.

    • @svampebob007 3 years ago +1

      Yep, that's what I do with all my servers that are publicly visible, and also for the most part on the LAN too; it's just not a good idea to use the "standard" if you can avoid it.
      Though one thing I've been looking at is changing the response of an nmap scan or whatever.
      I found a post from 2007 that had some code that would make your server advertise any port as any random service, so that it would essentially make your one IP look like a whole host of servers. This means that if you get the answer "port 69 is ssh" it could actually be a website, making anybody nosy enough have to investigate further, and trying to connect with the wrong protocol would make you waste a lot of time.
      But in his final note he added "due to the legality of such a project I'm not sure I can continue publishing this" and I haven't found anything that does exactly that.
      It really sounds like a great idea, but I have no idea how you could do that.

    • @brostenen 3 years ago

      Well... If they don't see a "server" at the usual port, then they know that something funky is going down. Better lure them with some psychology trick. 😉

  • @musix7652  3 years ago +12

    4 dislikers are black hat hackers.

  • @linuxmq3945  3 years ago

    Brilliant. This is a video worth watching :)
    thanks.

  • @ALImohammed-jd1xe  3 years ago

    Very good stuff. Thank you.

  • @AVINIDE  3 years ago +152

    2/10 no actual bonk meme included

  • @bvanbart  3 years ago +7

    Strange; on the servers we are using, when someone fails to fill in the right credentials within 5 minutes the IP is blocked...

    • @auronkardek 3 years ago

      He says it's the boring way to protect servers. It's only a funny way, and tbh why not add this on top of fail2ban

    • @hetayy 3 years ago

      Also useless if the IP changes constantly

    • @friction5001 3 years ago

      @@auronkardek I'd just do it for fun and to troll hackers

    • @luisderivas6005 3 years ago

      @@hetayy Yes, because attackers have an endless supply of IP's. LOL.

  • @qdaniele97  3 years ago +2

    If you're doing anything automated with ssh you really don't want to let the client time out by itself; it'll take forever (or, in this case, never do so).
    Adding something like this -o ConnectTimeout=3 to your client arguments should usually be enough, but in some cases (e.g. remote automated tunnels over very unreliable connections) it could still hang for a long time.
    So, just use the above and a wrapper that kills ssh if it hangs too long. Or write your own client.
    I don't think many will fall into such a tarpit. Not even many script kiddies, as the scripts they downloaded without understanding will likely take care of such a scenario for them.
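
jersute's description further up (the tarpit never speaks SSH, it just keeps the line open with gibberish) and the "add a timeout" replies from aerastyle, mulllhausen and qdaniele97 are two halves of the same mechanism, so here is both sides in one runnable piece. This is an added example, not Endlessh's code: a loopback server that sends RFC 4253 pre-banner lines either forever (the tarpit) or for a while before the real identification string (an honest but slow server), and a client-side probe with a deadline that covers the wait for the banner, not just the TCP connect. The banner text, delays and port numbers are constructed for the example; Endlessh's own defaults of a 10 s delay, 32-character lines and port 2222 are only referenced in comments.

```python
import random
import socket
import threading
import time

# Added example, not Endlessh's code. RFC 4253 section 4.2 lets a server send
# arbitrary lines before its "SSH-2.0-..." identification string, provided no
# such line starts with "SSH-". Endlessh sends those lines forever, slowly (its
# defaults: one line every 10 s, up to 32 characters), so a client that waits
# for the real banner without its own deadline waits indefinitely.

BANNER = b"SSH-2.0-example\r\n"  # constructed; not a real server's banner


def tarpit_line(rng, max_len=32):
    """One junk pre-banner line: printable ASCII, CRLF-terminated, never 'SSH-'."""
    n = rng.randint(3, max_len)
    body = "".join(chr(rng.randint(0x21, 0x7E)) for _ in range(n))
    if body.startswith("SSH-"):
        body = "X" + body[1:]
    return (body + "\r\n").encode("ascii")


def start_server(delay_s, junk_lines=None, seed=0):
    """Listen on an ephemeral loopback port; each client gets its own thread.

    junk_lines=None -> never send BANNER: the tarpit.
    junk_lines=k    -> k junk lines, then BANNER: a legitimate but slow server
                       that a detector must not mistake for a tarpit.
    Returns the bound port.
    """
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(16)

    def handle(conn):
        rng = random.Random(seed)
        sent = 0
        try:
            with conn:
                while junk_lines is None or sent < junk_lines:
                    conn.sendall(tarpit_line(rng))
                    sent += 1
                    time.sleep(delay_s)
                conn.sendall(BANNER)
        except OSError:
            pass  # the client gave up; for the tarpit that is the whole point

    def accept_loop():
        while True:
            conn, _ = lsock.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock.getsockname()[1]


def probe_ssh_banner(host, port, deadline_s):
    """Read pre-banner lines until an identification string arrives or the deadline passes.

    The deadline covers the wait for the banner, not only the TCP connect:
    the tarpit accepts instantly and stalls afterwards, so a connect-only
    timeout never fires. This is the one-line fix the commenters mean.
    """
    start = time.monotonic()
    result = {"status": "tarpit", "junk_lines": 0, "banner": None, "elapsed": 0.0}
    with socket.create_connection((host, port), timeout=deadline_s) as s:
        buf = b""
        while True:
            remaining = deadline_s - (time.monotonic() - start)
            if remaining <= 0:
                break
            s.settimeout(remaining)
            try:
                chunk = s.recv(256)
            except socket.timeout:
                break
            if not chunk:
                result["status"] = "closed"
                break
            buf += chunk
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                line = line.rstrip(b"\r")
                if line.startswith(b"SSH-"):
                    result["status"] = "banner"
                    result["banner"] = line.decode("ascii", "replace")
                    result["elapsed"] = time.monotonic() - start
                    return result
                result["junk_lines"] += 1
    result["elapsed"] = time.monotonic() - start
    return result


if __name__ == "__main__":
    tarpit = start_server(delay_s=1.0)              # 1 s here instead of Endlessh's 10 s
    print(probe_ssh_banner("127.0.0.1", tarpit, deadline_s=5.0))
    slow = start_server(delay_s=0.5, junk_lines=3)  # honest server with a slow preamble
    print(probe_ssh_banner("127.0.0.1", slow, deadline_s=5.0))
```

The probe reports "tarpit" only when the deadline expires without a banner; a server that merely has a slow preamble still reports "banner", which is the distinction a scanner needs before it blacklists a host. The server side also shows why the tarpit is cheap: each connection costs one sleeping thread here, and Endlessh does even less by multiplexing all of them in a single event loop.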

  • @thecoldwarchannel8830  3 years ago

    There have never been escalation vulnerabilities. This is 100% expert advice from a guy who knows his 1s and 0s!

  • @EthanSeville  3 years ago +3

    Well, this is relevant to me xD (wasn't using the normal port of course, but still got spammed with these). I just stopped port forwarding SSH and just use OpenVPN to my house, then SSH in.

  • @iamstickfigure  3 years ago +4

    It would be nice if you could set this up in a way where you could keep SSH on the default port, but only lock up their SSH session if they enter a password from the common default password list.
    So if you enter an incorrect password like soi3$%as1s, the authentication would just fail, but if you tried something from a predefined list like "hunter2" or "123456", it would lock up the session with the banner. Not sure if something like that would be possible.

  • @ArizonaJewell  1 year ago +1

    I deployed this on my server the other day (I already had SSH on a different port than default and set up public key login only) and I’ve already had countless bots attempt to SSH in. Some got stuck for over 20 minutes. There’s been bots from Russia, China, Peru, the UK, South Korea, all over the damn place.
    Pretty cool knowing that not only am I doing my part to waste these assholes’ time, but I’m also better protecting my server. I’m willing to bet that with a number of these bots, after they get trapped in the tarpit they probably blacklist your server’s IP so they don’t waste their time again.

  • @samvandeneynde3590  3 years ago

    It's in the Ubuntu focal repositories. Many thanks, great tip!

  •  3 years ago +7

    Now we need fail2endless!

    • @Uaellaen 3 years ago +3

      You can do that already :p Set up fail2ban to not iptables-drop them but forward them to endlessh
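
danmerillat's suggestion further up (keep sshd on 22 and have fail2ban rewrite offenders to the Endlessh port instead of rejecting them), Uaellaen's reply here, and parkamark's unprivileged-port NAT redirect can all be shown with one piece of code. This is an added example, not fail2ban's or Endlessh's own code: a sliding-window counter that does what a fail2ban jail does over sshd's "Failed password" lines, and the iptables redirect and action file that steer a caught address into the tarpit. The jail parameters (5 failures in 600 seconds), the action-file path and the host name are assumptions; the log lines are constructed with TEST-NET addresses but follow sshd's real message format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example; not fail2ban's or Endlessh's code. The log below is
# constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges);
# the message formats are the ones sshd writes to the auth log.

SAMPLE_AUTH_LOG = """\
Oct 12 10:00:01 nas sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 41000 ssh2
Oct 12 10:00:02 nas sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 41001 ssh2
Oct 12 10:00:02 nas sshd[1003]: Failed password for root from 203.0.113.5 port 41002 ssh2
Oct 12 10:00:03 nas sshd[1004]: Failed password for root from 203.0.113.5 port 41003 ssh2
Oct 12 10:00:03 nas sshd[1005]: Failed password for invalid user pi from 203.0.113.5 port 41004 ssh2
Oct 12 10:00:09 nas sshd[1006]: Failed password for wolfgang from 198.51.100.7 port 50000 ssh2
Oct 12 10:00:11 nas sshd[1007]: Accepted publickey for wolfgang from 198.51.100.7 port 50001 ssh2: ED25519 SHA256:constructedExampleFingerprint
Oct 12 10:20:00 nas sshd[1008]: Failed password for invalid user test from 203.0.113.9 port 42000 ssh2
Oct 12 10:20:01 nas sshd[1009]: Failed password for invalid user test from 203.0.113.9 port 42001 ssh2
Oct 12 10:20:02 nas sshd[1010]: Failed password for invalid user test from 203.0.113.9 port 42002 ssh2
Oct 12 10:35:00 nas sshd[1011]: Failed password for invalid user test from 203.0.113.9 port 42003 ssh2
Oct 12 10:35:01 nas sshd[1012]: Failed password for invalid user test from 203.0.113.9 port 42004 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+ ssh2"
)


def find_offenders(log_text, maxretry=5, findtime_s=600):
    """Sliding-window counter like a fail2ban jail: an IP is banned once it has
    `maxretry` failures inside any `findtime_s` window. Returns [(ip, ban_time)].
    Syslog timestamps carry no year; all lines are assumed to be from one year."""
    recent = defaultdict(deque)
    bans = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # "Accepted publickey ..." and other noise
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=findtime_s):
            q.popleft()  # failures older than the window no longer count
        if len(q) >= maxretry:
            bans.append((m["ip"], ts))
            q.clear()  # one ban per episode, as fail2ban does
    return bans


def redirect_rule(ip, ssh_port=22, tarpit_port=2222, delete=False):
    """iptables argv that steers port-22 traffic into the tarpit.

    ip=None redirects every client (parkamark's setup: Endlessh listens
    unprivileged on 2222, the kernel makes it answer on 22).
    ip="a.b.c.d" is the per-offender form to use as a fail2ban action in
    place of a REJECT."""
    argv = ["iptables", "-t", "nat", "-D" if delete else "-I", "PREROUTING"]
    if ip is not None:
        argv += ["-s", ip]
    argv += ["-p", "tcp", "--dport", str(ssh_port),
             "-j", "REDIRECT", "--to-ports", str(tarpit_port)]
    return argv


def fail2ban_action_ini(ssh_port=22, tarpit_port=2222):
    """Text of a fail2ban action file (e.g. /etc/fail2ban/action.d/endlessh.conf;
    the path is an assumption). fail2ban substitutes <ip> for each ban, and the
    [Init] section supplies defaults for the <port> and <tarpit_port> tags."""
    ban = " ".join(redirect_rule("<ip>", "<port>", "<tarpit_port>"))
    unban = " ".join(redirect_rule("<ip>", "<port>", "<tarpit_port>", delete=True))
    return (
        "[Definition]\n"
        f"actionban = {ban}\n"
        f"actionunban = {unban}\n"
        "\n"
        "[Init]\n"
        f"port = {ssh_port}\n"
        f"tarpit_port = {tarpit_port}\n"
    )


if __name__ == "__main__":
    import shlex
    for ip, when in find_offenders(SAMPLE_AUTH_LOG):
        print(f"{when:%b %d %H:%M:%S}  {ip}  ->  {shlex.join(redirect_rule(ip))}")
    print(fail2ban_action_ini())
```

In the sample, 203.0.113.5 is caught on its fifth failure at 10:00:03, while 203.0.113.9 never is: its first three failures have left the 10-minute window by the time the next two arrive. The redirect only helps if Endlessh is actually listening on the tarpit port, and an ACCEPT rule for your own address inserted ahead of the REDIRECT in the nat PREROUTING chain keeps you out of your own tarpit.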

  • @123user123name123  3 years ago +3

    I wonder how many bruteforce attackers it would take to generate any kind of measurable load on that machine if it only responds with 1 line every several seconds :D
    Very cool stuff - thanks for sharing!

    • @MrHaggyy 3 years ago +1

      The number of attackers doesn't matter. The one line every second will limit it to zero even on a Raspberry Pi. Only problem with that hard delay: you might end up having a hard time getting onto your own machine.

  • @t.d.5804  2 years ago

    Back in the early 90s I had a remote login attempt, traced the IP, it was a school with a known address and IP, called them, spoke to the principal, they were baffled and did not know what I was talking about. "There are some kids in your computer room trying to log into other servers". Funny stuff back then.

  • @wisdomcube7789  3 years ago

    I'll sub to this guy for giving me ideas to literally mess up the hackers

  • @fxsektor
    @fxsektor 3 ปีที่แล้ว +3

    Thanks for the tip :-)

    • @denys.martyniuk
      @denys.martyniuk 3 ปีที่แล้ว

      I can't figure out whether he is a Russian speaker or not; the English is mixed, in places the accent is good and in places it sounds Russian. It sounds like Eastern European English of some sort, or from the American suburbs.

    • @fxsektor
      @fxsektor 3 ปีที่แล้ว +1

      @@denys.martyniuk he's Russian

  • @lunarpassion
    @lunarpassion 3 ปีที่แล้ว +11

    2:15 I'm going to scan all the ports now

    • @karpejev
      @karpejev 3 ปีที่แล้ว

      Lol

    • @Levy1111
      @Levy1111 3 ปีที่แล้ว

      Plot twist: every port has a tar pit

  • @ridley0ne
    @ridley0ne 3 ปีที่แล้ว

    That is a really good piece of software. Should definitely check this out!

  • @jasperzanjani
    @jasperzanjani 3 ปีที่แล้ว

    Great short video with good production, 👌

  • @willyv374
    @willyv374 3 ปีที่แล้ว +12

    You scan for open ports. So even if your SSH is running on a different port it won't be hard to find it. I would personally just deactivate it if you are running your server at home

    • @DUDA-__-
      @DUDA-__- 3 ปีที่แล้ว +10

      You overestimate ssh spraying attacks. They don't care about servers with a better login than admin admin. Or another ssh port. If they do, they are attacking you specifically and you should worry about that. But if you really wanna make sure only you get into your server over the internet, use a certificate for authentication.

  • @dwifte
    @dwifte 3 ปีที่แล้ว +5

    I just looked at my auth logs and saw:
    rustserver
    steam
    alpine
    root

  • @garyw2398
    @garyw2398 3 ปีที่แล้ว

    Good job! Great work.

  • @eighta
    @eighta 3 ปีที่แล้ว +1

    Thank you for the information. Question: have you tried to install a honeypot? To see what these bots do after logging in

  • @h.hristov
    @h.hristov 3 ปีที่แล้ว +3

    That's very cool, however if they find out that the sshd server is running on another port like 69 in your case using a port scan, they'd be able to attack it directly once again. So you need firewalling / blacklisting / fail2ban / VPN as additional measures. + of course public key auth instead of plain text passwords.

    • @youngfox9635
      @youngfox9635 2 ปีที่แล้ว

      This was all over my mind, the attacker would def do reconnaissance before attacking (script-kiddies aside)

  • @mfrederikson
    @mfrederikson 3 ปีที่แล้ว +7

    Easy fix against this protection: Use timeout in your bruteforce script, lmao

    • @WolfgangsChannel
      @WolfgangsChannel  3 ปีที่แล้ว +19

      All those script kiddies would be very angry at this comment, if they could read.

    • @MikeRushton
      @MikeRushton 3 ปีที่แล้ว

      @@WolfgangsChannel yeah, are we really sure the majority of these brute force scripts don't just use ConnectTimeout?

  • @augusto630
    @augusto630 3 ปีที่แล้ว +1

    *in theory* provided there are enough servers running Endlessh, someone could do an "SSH amplification DDoS attack" as the script provides an amplification ratio greater than 1, similar concept to NTP amplification DDoS attacks...

  • @StarMaverick
    @StarMaverick 3 ปีที่แล้ว +2

    Great video 👍
    Keep it up❤️

  • @AtomToast
    @AtomToast 3 ปีที่แล้ว +6

    I feel like you are going to make a lot of people lock themselves out of their server since you didn't show how to change the actual ssh server port

    • @WolfgangsChannel
      @WolfgangsChannel  3 ปีที่แล้ว +11

      Endlessh won't launch if port 22 is already taken, no worries :)

  • @UrbanaticLemonade
    @UrbanaticLemonade 3 ปีที่แล้ว +1

    That's a great tip and great analogy

  • @renstillmann
    @renstillmann 3 ปีที่แล้ว

    Nice one! 😈 Thank you for sharing ❤️

  • @Warlock1515
    @Warlock1515 3 ปีที่แล้ว

    TH-cam algorithm brought me here. GREAT video!!

  • @wayne8797
    @wayne8797 3 ปีที่แล้ว

    I was holding my breath waiting for you to pronounce that Patreon name...
    Great video tho, will definitely give it a shot just for fun

  • @raggadubsound
    @raggadubsound 3 ปีที่แล้ว

    Nice, tnx a lot. Already configured that on my server ^^

  • @dreammix9430
    @dreammix9430 3 ปีที่แล้ว

    Dude you are freaking awesome!

  • @davidkuznetsov2260
    @davidkuznetsov2260 3 ปีที่แล้ว

    Really cool, thanks!

  • @MasterShuShuShu
    @MasterShuShuShu 3 ปีที่แล้ว

    Thanks for the review of the useful stuff. Do you know of any analogs for the SIP protocol?

    • @WolfgangsChannel
      @WolfgangsChannel  3 ปีที่แล้ว

      Not really, you pretty much have to rely on fail2ban

    • @MasterShuShuShu
      @MasterShuShuShu 3 ปีที่แล้ว

      @@WolfgangsChannel It's a bad solution, because smart scanners replace some information in SIP headers and you can't determine source IP addresses from the Asterisk log file. So I was forced to write my own scripts using ngrep. They work well, but it doesn't interrupt bots.

  • @RichardiOS275
    @RichardiOS275 3 ปีที่แล้ว

    this is amazing work

  • @tomastuoma
    @tomastuoma 3 ปีที่แล้ว +1

    A lot of attackers don't just try the default port, they scan your ip and will see the other port as well.
    However, having a banner some pages long on your regular login address would still slow a brute force/dict attack to a crawl and not be worth doing.

  • @vladislavkaras491
    @vladislavkaras491 4 หลายเดือนก่อน

    What a great solution! :D
    Thanks!

  • @stevebabiak6997
    @stevebabiak6997 3 ปีที่แล้ว

    Sounds similar to what we would put into a .plan or .project file back in the day on our Unix-like systems, when 9600 baud was “high speed”, so that when some user tried to use the finger command with your account, they would get this very lengthy animated plaintext message. Had to keep the stuff in a single line, and it used special characters, and the university banned such use of .plan and .project as a result of user complaints.

  • @batica81
    @batica81 3 ปีที่แล้ว +1

    I love this program! endlessh.log file on my home server has grown to 33 MB since July! I haven't done much analysis on it, but it seems to be mostly Chinese bots :) I'm not super happy with it running as root (although the creator says it is ok), but was too lazy to do an iptables redirect yet.
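
Two questions in this thread are answerable from the Endlessh log itself: how much time each bot actually loses in the tarpit (the comment above has a 33 MB log and no analysis yet), and whether most clients bail out quickly because they enforce a connect timeout (@MikeRushton's question further up). The script below is an added example, not code from the video or from the Endlessh project. It assumes Endlessh's log format as I read it from the tool's output (`<timestamp> ACCEPT host=… port=… fd=… n=…/…` and `<timestamp> CLOSE host=… port=… fd=… time=<seconds> bytes=…`); the sample log lines are constructed for the demo and use documentation addresses. The function names `endlessh_hosts` and `endlessh_fast_closes` are mine.

```shell
#!/bin/sh
# Added example: summarise an Endlessh log with plain awk.
# Assumed log line shapes (constructed; check against your own endlessh.log):
#   <ISO8601> ACCEPT host=<ip> port=<p> fd=<n> n=<cur>/<max>
#   <ISO8601> CLOSE  host=<ip> port=<p> fd=<n> time=<seconds> bytes=<n>

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG='2020-10-12T09:01:02.100Z ACCEPT host=::ffff:198.51.100.7 port=51234 fd=4 n=1/4096
2020-10-12T09:01:32.200Z CLOSE host=::ffff:198.51.100.7 port=51234 fd=4 time=30.100 bytes=42
2020-10-12T09:02:00.000Z ACCEPT host=::ffff:203.0.113.9 port=40001 fd=5 n=1/4096
2020-10-12T09:22:10.000Z CLOSE host=::ffff:203.0.113.9 port=40001 fd=5 time=1210.000 bytes=1700
2020-10-12T09:30:00.000Z ACCEPT host=::ffff:198.51.100.7 port=51300 fd=4 n=1/4096
2020-10-12T09:30:05.000Z CLOSE host=::ffff:198.51.100.7 port=51300 fd=4 time=5.000 bytes=7
2020-10-12T09:40:00.000Z ACCEPT host=::ffff:192.0.2.55 port=33333 fd=6 n=1/4096
2020-10-12T09:40:09.500Z CLOSE host=::ffff:192.0.2.55 port=33333 fd=6 time=9.500 bytes=14'

# Per-host totals from CLOSE lines, one line per host:
#   "<host> <sessions> <total_seconds_trapped>", longest total first.
# Reads the log on stdin.
endlessh_hosts() {
    awk '
        $2 == "CLOSE" {
            host = ""; t = 0
            for (i = 3; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "host") host = kv[2]
                if (kv[1] == "time") t = kv[2] + 0
            }
            sub(/^::ffff:/, "", host)      # drop the IPv4-mapped prefix
            n[host]++; total[host] += t
        }
        END { for (h in n) printf "%s %d %.1f\n", h, n[h], total[h] }
    ' | sort -k3 -n -r
}

# Sessions that closed within $1 seconds (default 10): prints "<fast> <total>".
# A high share of fast closes means the client gives up on its own, e.g. via
# a connect timeout, so the tarpit is costing it very little.
endlessh_fast_closes() {
    limit="${1:-10}"
    awk -v limit="$limit" '
        $2 == "CLOSE" {
            for (i = 3; i <= NF; i++) if ($i ~ /^time=/) t = substr($i, 6) + 0
            total++; if (t < limit) fast++
        }
        END { printf "%d %d\n", fast + 0, total + 0 }
    '
}

# Demo on the constructed sample; on a server use e.g.
#   endlessh_hosts < /var/log/endlessh.log
printf '%s\n' "$SAMPLE_LOG" | endlessh_hosts
printf '%s\n' "$SAMPLE_LOG" | endlessh_fast_closes 10
```

On the sample, one host holds a single 20-minute session while another makes two short visits, and half the sessions close in under 10 seconds. Run over a real log, the second number is the honest answer to whether the tarpit is wasting bot time or merely logging it; the per-host table also makes a good input for a fail2ban jail or a blocklist.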

  • @web3js
    @web3js 2 ปีที่แล้ว

    You sir, have earned a subscriber ✌🏻👍🏻

  • @Exitof99
    @Exitof99 3 ปีที่แล้ว +1

    1. If you are the only ones using SSH, lock it down to only IPs that you expect or ranges of IPs local to yours.
    2. If you are running a shared host, this would never work. Customers would try the default port even if you instructed them which port is actually SSH.

  • @ronm6585
    @ronm6585 3 ปีที่แล้ว

    Good info, thanks.

  • @johnfitzgerald2339
    @johnfitzgerald2339 3 ปีที่แล้ว

    Thanks for the laugh @2:14.

  • @MinotaurForger
    @MinotaurForger 3 ปีที่แล้ว +1

    Random question: what is the clip around 20 seconds from? The rotating space-ship thing in the middle looks familiar and I'm looking for a source-ier source.

    • @WolfgangsChannel
      @WolfgangsChannel  3 ปีที่แล้ว +1

      th-cam.com/video/miIqasRAE80/w-d-xo.html

    • @mikebailey783
      @mikebailey783 3 ปีที่แล้ว

      It reminded me of a PhoneJacker sketch (or may have just been one of the interstitials); the look to camera is beautiful.

  • @HorrorUberAlles
    @HorrorUberAlles 3 ปีที่แล้ว +2

    Aha! joke's on you, for now I will use this information to reformulate my new evil master plan! it will be perfect next time!
    _[laughs maniacally]_

  • @patrickprucha5522
    @patrickprucha5522 2 ปีที่แล้ว

    Excellent idea!

  • @thedoodler882
    @thedoodler882 3 ปีที่แล้ว

    cool man thanks. gonna check it out.

  • @berniejr5338
    @berniejr5338 3 ปีที่แล้ว

    Cheems is in the miniature, excellent service 10/10

  • @Wizzleman411
    @Wizzleman411 3 ปีที่แล้ว

    Great video!

  • @JustinPresley
    @JustinPresley 3 ปีที่แล้ว

    So funny! I wonder if you could throw tcp wrappers into the mix here; “permitted” IP ranges could get the actual sshd and everything else would land in endlessh
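
Three comments in this thread describe the same routing idea from different angles: @Uaellaen's fail2ban that forwards offenders to Endlessh instead of dropping them, @batica81's iptables redirect so Endlessh need not run as root, and the tcp-wrappers allowlist just above, where permitted ranges reach the real sshd and everyone else lands in the tarpit. The following is an added example of doing all of that with iptables nat rules; it is not from the video or the Endlessh project. It assumes Endlessh listens unprivileged on port 2222 and sshd stays on port 22 (both configurable at the top), and the function names and the RFC 5737 documentation ranges used in the demo are mine. By default it only prints the rules; set `IPT=iptables` to apply them.

```shell
#!/bin/sh
# Added example: steer port-22 traffic with iptables so that
#   - trusted source ranges reach the real sshd on port 22,
#   - everyone else who connects to port 22 is REDIRECTed to Endlessh,
#   - Endlessh itself listens on an unprivileged port (2222 assumed),
#     so it does not need root to bind.
# REDIRECT only rewrites the destination port, so Endlessh still logs
# the real client address.
IPT="${IPT:-echo iptables}"          # dry run by default; IPT=iptables applies
TARPIT_PORT="${TARPIT_PORT:-2222}"   # Endlessh listen port (assumption)
SSH_PORT="${SSH_PORT:-22}"           # real sshd port (assumption)

# Allowlist variant. Arguments: one or more trusted CIDR ranges.
# Trusted sources RETURN from the nat chain before the catch-all REDIRECT,
# so rule order matters. Refuses to run with no allowlist: that would
# tarpit every SSH client, including you.
tarpit_rules() {
    [ $# -gt 0 ] || { echo "refusing to run with an empty allowlist" >&2; return 1; }
    for net in "$@"; do
        $IPT -t nat -A PREROUTING -p tcp --dport "$SSH_PORT" -s "$net" -j RETURN
    done
    $IPT -t nat -A PREROUTING -p tcp --dport "$SSH_PORT" -j REDIRECT --to-ports "$TARPIT_PORT"
}

# Reactive variant for a ban hook (e.g. fail2ban's actionban/actionunban):
# instead of dropping a repeat offender, push its SSH connections into the
# tarpit. -I puts the per-IP rule ahead of anything already in the chain.
tarpit_ban() {
    $IPT -t nat -I PREROUTING -s "$1" -p tcp --dport "$SSH_PORT" -j REDIRECT --to-ports "$TARPIT_PORT"
}
tarpit_unban() {
    $IPT -t nat -D PREROUTING -s "$1" -p tcp --dport "$SSH_PORT" -j REDIRECT --to-ports "$TARPIT_PORT"
}

# Dry-run demo with constructed documentation ranges (RFC 5737).
tarpit_rules 203.0.113.0/24 198.51.100.0/24
tarpit_ban 192.0.2.77
```

Before applying this for real, keep an existing SSH session open and confirm from a second one that your own source range really does RETURN; a typo in the allowlist locks you out exactly as the thread warns. The two variants suit different layouts: the allowlist keeps sshd on 22 for you and tarpits strangers, while the ban hook fits the video's layout (sshd on a non-default port, Endlessh on 22) if you set `SSH_PORT` to that port and let fail2ban call `tarpit_ban` with the offending address.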

  • @0ZeldaFreak
    @0ZeldaFreak 3 ปีที่แล้ว

    I stay with fail2ban, different user and 2fa. It's so good, that I even got myself banned (mixed up my servers).
    When I saw the title, I remembered that I wanted to set up a honeypot for my website. I saw that there are some bots trying to get access on some common admin pages, that aren't present on my server. There I wanted to track the heck out of the bots and waste their time, until I ban them.

  • @markshelor3991
    @markshelor3991 3 ปีที่แล้ว

    Bluehat: Forcing skiddies to stare at text banners to halt them in their tracks
    Goldhat: Forcing skiddies to stare at BANNER ADS to pay you while they do it.

    • @WolfgangsChannel
      @WolfgangsChannel  3 ปีที่แล้ว

      Platinumhat: Forcing skiddies to stare at Richard Stallman's interjection copypasta.

  • @notarvis
    @notarvis 3 ปีที่แล้ว +1

    Hey there, I'm new to programming as a thing and was just wondering if it would be possible to just pick some of the passwords from the popular password list and make it so that if those passwords are used the hacker gets in your server and gets displayed wrong data (files and all) .. just an idea

    • @WolfgangsChannel
      @WolfgangsChannel  3 ปีที่แล้ว +1

      There's this: github.com/jaksi/sshesame
      It does add some attack surface and unless you have nothing important on your server in the first place, I wouldn't do that.