tarssh

A simple SSH tarpit, similar to endlessh.

As per RFC 4253:

```txt
The server MAY send other lines of data before sending the version string. Each line SHOULD be terminated by a Carriage Return and Line Feed. Such lines MUST NOT begin with "SSH-", and SHOULD be encoded in ISO-10646 UTF-8 [RFC3629] (language is not specified). Clients MUST be able to process such lines.
```

In other words, you can fool SSH clients into waiting an extremely long time for an SSH handshake to even begin simply by waffling on endlessly. My high score is just over a week.

The intent of this is to increase the cost of mass SSH scanning - even clients that immediately disconnect after the first response are delayed a little, and that's one less free connection for the next attack.

Usage

```console
-% cargo build --release
-% target/release/tarssh --help
tarssh 0.2.0
Thomas Hurst <tom@hur.st>
A SSH tarpit server

USAGE:
    tarssh [FLAGS] [OPTIONS]

FLAGS:
        --disable-timestamps    Disable timestamps in logs
    -h, --help                  Prints help information
    -V, --version               Prints version information
    -v, --verbose               Verbose level (repeat for more verbosity)

OPTIONS:
        --chroot           Chroot to this directory
    -d, --delay            Seconds between responses [default: 10]
    -g, --group            Run as this group
    -l, --listen ...       Listen address(es) to bind to [default: 0.0.0.0:2222]
    -c, --max-clients      Best-effort connection limit [default: 4096]
        --threads          Thread count [default: CPU count]
    -t, --timeout          Socket write timeout [default: 30]
    -u, --user             Run as this user and their primary group

-% target/release/tarssh -v --disable-timestamps -l 0.0.0.0:2222 [::]:2222
[INFO tarssh] listen, addr: 0.0.0.0:2222
[INFO tarssh] privdrop, enabled: false
[INFO tarssh] sandbox, enabled: true
[INFO tarssh] start, servers: 2, max_clients: 4096, delay: 10s, timeout: 30s
[INFO tarssh] connect, peer: 127.0.0.1:30980, clients: 1
[INFO tarssh] connect, peer: 127.0.0.1:30983, clients: 2
[INFO tarssh] disconnect, peer: 127.0.0.1:30980, duration: 30.00s, error: "broken pipe", clients: 1
[INFO tarssh] disconnect, peer: 127.0.0.1:30983, duration: 40.02s, error: "broken pipe", clients: 0
^C[INFO tarssh] interrupt
[INFO tarssh] shutdown, uptime: 50.85s, clients: 0
```

A Docker image is available as freeky/tarssh:

```console
-% sudo docker run --network=host freeky/tarssh
Unable to find image 'freeky/tarssh:latest' locally
latest: Pulling from freeky/tarssh
27833a3ba0a5: Pull complete
1fbf3b23257c: Pull complete
30379a92040a: Pull complete
Digest: sha256:a1eccb7dd694753e0d6ea682f5feed2e17dcfc88d817714502b518c381b94298
Status: Downloaded newer image for freeky/tarssh:latest
[2019-04-10T23:02:57Z INFO tarssh] listen, addr: 0.0.0.0:22
[2019-04-10T23:02:57Z INFO tarssh] privdrop, chroot: /var/empty
[2019-04-10T23:02:57Z INFO tarssh] privdrop, user: nobody
[2019-04-10T23:02:57Z INFO tarssh] privdrop, enabled: true
[2019-04-10T23:02:57Z INFO tarssh] start, servers: 1, max_clients: 4096, delay: 10s, timeout: 30s
```