[bug#39136] [PATCH 2/2] services: containerized endlessh
From: Joshua Branson
Subject: [bug#39136] [PATCH 2/2] services: containerized endlessh
Date: Mon, 15 Mar 2021 12:29:49 -0400
doc: endlessh service documentation.

* doc/guix.texi (Networking Services): New endlessh-service-type section.

services: containerized endlessh

* gnu/services/ssh.scm (endlessh-config->conf): make-forkexec-constructor ->
make-forkexec-constructor/container, and attempted to enable logging to syslog.
(define-record-type* <endlessh-configuration>): Move default values of the
endlessh configuration to separate lines.
Add copyright line for Nicolo.
---
doc/guix.texi | 60 ++++++++++++++++++++++++++++++++++++++++++++
gnu/services/ssh.scm | 35 ++++++++++++++++++--------
2 files changed, 85 insertions(+), 10 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 464c1141d8..38807b3069 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -17081,6 +17081,66 @@ may cause undefined behaviour.
@end table
@end deftp
+@cindex Endlessh
+@deffn {Scheme Variable} endlessh-service-type
+This is the type for the @uref{https://github.com/skeeto/endlessh,
+Endlessh} program that delays ssh clients for days at a time by
+@emph{very slowly} sending a random and endless SSH banner. The smart
+hacker will put endlessh running on port 22, and let crackers get stuck
+in this tarpit. This lets your real ssh server run more securely on a
+non-standard port.
+
+For example:
+
+@lisp
+(service endlessh-service-type
+ (endlessh-configuration
+ (port-number 22)))
+@end lisp
+
+@end deffn
+
+@deftp {Data Type} endlessh-configuration
+Data type representing the configuration for @code{endlessh-service}.
+@table @asis
+@item @code{package} (default: @var{endlessh})
+@code{endlessh} package to use.
+
+@item @code{bind-family} (default: @code{'(ipv4 ipv6)})
+This specifies if endlessh should use ipv4 and/or ipv6.
+
+@item @code{delay} (default: @code{10000})
+The endless banner is sent one line at a time. This is the delay
+in milliseconds between individual lines.
+
+@item @code{length} (default: @code{32})
+The length of each line is randomized. This controls the maximum length
+of each line. Shorter lines may keep clients on for longer if they give
+up after a certain number of bytes.
+
+@item @code{max-clients} (default: @code{4096})
+Maximum number of connections to accept at a time. Connections beyond
+this are not immediately rejected, but will wait in the queue.
+
+@item @code{port-number} (default: @code{2222})
+The port on which to listen for new SSH connections. Most users who
+want to use endlessh as intended should set this port number to
+@code{22}.
+
+@item @code{log-level} (default: @code{0})
+Set the detail level for the log.
+@table @asis
+@item 0 = Quiet
+@item 1 = Standard, useful log messages
+@item 2 = Very noisy debugging information
+@end table
+
+@item @code{syslog} (default: @code{#f})
+Print diagnostics to syslog instead of standard output
+
+@end table
+@end deftp
+
@cindex WebSSH
@deffn {Scheme Variable} webssh-service-type
This is the type for the @uref{https://webssh.huashengdun.org/, WebSSH}
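Review bot: the `@item @code{syslog} (default: @code{#f})` entry documents a field that the `<endlessh-configuration>` record in this same patch never gains; in the code, `-s` is derived from `log-level` instead. Either add a boolean `syslog` field to the record and thread it through to the command line, or drop this entry so the manual matches the code. Two smaller points in the same hunk: the `@deftp` intro refers to `@code{endlessh-service}` while the variable is `endlessh-service-type`, and the port 22 example should say that the host's own `openssh-service-type` has to be moved to another port first, otherwise the two daemons contend for the same socket and the real server fails to bind.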
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index aad9bbc754..838655cf2c 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -6,6 +6,8 @@
;;; Copyright ?? 2019 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright ?? 2020 pinoaffe <pinoaffe@airmail.cc>
;;; Copyright ?? 2020 Oleg Pykhalov <go.wigust@gmail.com>
+;;; Copyright ?? 2020 Nicol?? Balzarotti <nicolo@nixo.xyz>
+;;; Copyright @ 2021 Joshua Branson <jbranso@dismail.de>
;;;
;;; This file is part of GNU Guix.
;;;
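Review bot: the new copyright line for Joshua Branson uses `@` where the neighbouring lines (including the Nicolò line added just above it) use the copyright sign; use the same character so the header stays consistent.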
@@ -752,19 +754,25 @@ object."
endlessh-configuration make-endlessh-configuration
endlessh-configuration?
;; list of two symbols, allowed values are ipv4, ipv6 or both
- (bind-family endlessh-configuration-bind-family (default '(ipv4 ipv6)))
+ (bind-family endlessh-configuration-bind-family
+ (default '(ipv4 ipv6)))
;; integer
- (delay endlessh-configuration-delay (default 10000))
+ (delay endlessh-configuration-delay
+ (default 10000))
;; integer
;; Must be in the range
- (length endlessh-configuration-length (default 32))
+ (length endlessh-configuration-length
+ (default 32))
;; integer
- (max-clients endlessh-configuration-max-clients (default 4096))
+ (max-clients endlessh-configuration-max-clients
+ (default 4096))
;; integer
- (port-number endlessh-configuration-port-number (default 2222))
+ (port-number endlessh-configuration-port-number
+ (default 2222))
;; integer
;; Allowed values are 0, 1 and 2
- (log-level endlessh-configuration-log-level (default 0)))
+ (log-level endlessh-configuration-log-level
+ (default 0)))
(define (endlessh-config->conf config)
"Convert the CONFIG of type <endlessh-config> to a config file."
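Review bot: this hunk is a whitespace-only reflow of the record's `default` clauses with no behaviour change; it is unrelated to the container switch and would be easier to review as its own commit. Since the commit message says the patch tries to enable syslog logging, this record is also where a `syslog` field (boolean, default `#f`) would have to be added, and the hunk does not add one.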
@@ -797,15 +805,22 @@ object."
(shepherd-service
(documentation "Run endlessh tarpit server.")
(provision '(endlessh))
- (start #~(make-forkexec-constructor
- (list #$(file-append endlessh "/bin/endlessh")
- "-f" #$(endlessh-config->conf config))))
+ (start #~(make-forkexec-constructor/container
+ `(list #$(file-append endlessh "/bin/endlessh")
+ ,(if (positive? (endlessh-configuration-log-level config))
+ "-s"
+ "")
+ "-f" #$(endlessh-config->conf config))))
(stop #~(make-kill-destructor))))
(define endlessh-service-type
(service-type
(name 'endlessh)
- (description "Run endlessh tarpit server.")
+ (description "Endlessh is an SSH tarpit that very slowly sends an endless,
+random SSH banner. It keeps SSH clients locked up for hours or even days at a
+time. The purpose is to put your real SSH server on another port and then let
+the script kiddies get stuck in this tarpit instead of bothering a real
+server.")
(extensions
(list (service-extension shepherd-root-service-type
(compose list endlessh-shepherd-service))))
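Review bot: the quasiquoted `` `(list #$... ,(if ...) ...) `` inside `#~` does not build the argument list the start method needs. Quasiquote yields a literal list whose first element is the symbol `list`, so the constructor would be asked to exec `list`, and the unquoted `(if (positive? (endlessh-configuration-log-level config)) ...)` is evaluated on the shepherd side, where `config` and `endlessh-configuration-log-level` are not bound. Evaluate the test on the host side of the gexp and splice the flag in, so that no empty-string argument reaches endlessh when it is off, e.g. `(list #$(file-append endlessh "/bin/endlessh") #$@(if (positive? (endlessh-configuration-log-level config)) '("-s") '()) "-f" #$(endlessh-config->conf config))`. Keying `-s` off `log-level` also contradicts the manual text in this patch, which documents a separate `syslog` option and says `log-level` only controls verbosity. Finally, once the process runs in a container, verify that the syslog socket is reachable from inside it; if it is not, the diagnostics sent with `-s` are simply dropped.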
--
2.30.0