Attack Surface Disinformation
Look at any server log file for externally facing management services; you will find thousands of failed login attempts and scans. Bots attempt to brute-force logins to services like SSH and Remote Desktop (RDP) all day long. These management services should sit behind a VPN or firewall, especially RDP. On top of keeping management services off the open Internet, we can also put up fake services that look like the real ones. Why put up fake services? To slow down an attacker and feed them incorrect information about the environment.
To disrupt bots we can deploy a defensive strategy called tarpits. A tarpit is a server or service that purposely delays incoming connections to slow down scans and make the host less attractive. The goal is to waste a bot's or an attacker's time.
There is a good SSH tarpit I found on GitHub. It is simple to install and use. Below is the process I recommend for deploying a full-time SSH tarpit.
Recommended Deployment
- Spin up a new VM or container: 1x CPU, 512MB RAM, 8GB disk.
- Install the latest Debian (10).
- Set up the firewall to forward WAN port 22 to port 2222 on the new VM (the SSH tarpit).
Installation Script
# Run as root on the new Debian VM
apt update && apt dist-upgrade -y && apt install -y build-essential git
cd ~/
# Clone the Git repository
git clone https://github.com/skeeto/endlessh.git
cd endlessh/
make
mv ./endlessh /usr/local/bin/
# Add an unprivileged user to run Endlessh as (no shell, no home, no password)
adduser --shell /bin/false --disabled-login --no-create-home --disabled-password --gecos "" tarpit
# Create the config directory
mkdir /etc/endlessh
# Write the config file (listen on 2222, 10 s between lines, IPv4 only)
echo 'Port 2222
Delay 10000
MaxLineLength 32
MaxClients 4096
LogLevel 0
BindFamily 4' > /etc/endlessh/sshtarpit.config
# Add service config file
echo '# Contents of /etc/systemd/system/endlessh.service
[Unit]
Description=Endlessh
After=network.target
[Service]
Type=simple
Restart=always
User=tarpit
Group=tarpit
ExecStart=/usr/local/bin/endlessh -f /etc/endlessh/sshtarpit.config
[Install]
WantedBy=multi-user.target' > /etc/systemd/system/endlessh.service
systemctl daemon-reload
systemctl enable endlessh.service
systemctl start endlessh.service
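The trick a tarpit like this relies on is that an SSH client will wait for the server's "SSH-2.0-..." identification string, and the protocol permits the server to send other lines first. A server that trickles out harmless lines that never start with "SSH-" therefore keeps the client hanging. The block below is an added example, not Endlessh's code or the original post's: a simplified Python re-implementation of that mechanism plus a checker you can point at the deployed tarpit (host and port are placeholders; the delays are shortened from the 10-second production value so the demo finishes quickly) to confirm it really behaves like a tarpit rather than a real sshd.

```python
"""Minimal SSH tarpit and a checker for it (added example, not Endlessh)."""
import asyncio
import random
import time


def make_banner_line(rng: random.Random, max_len: int = 32) -> bytes:
    """One junk line: printable bytes, CRLF-terminated, total length <= max_len,
    and never starting with "SSH-" so the client keeps waiting for the banner."""
    length = rng.randint(3, max_len - 2)  # leave room for the CRLF
    body = bytes(rng.randint(0x20, 0x7E) for _ in range(length))
    if body.startswith(b"SSH-"):
        body = b"x" + body[1:]
    return body + b"\r\n"


async def tarpit_handler(reader, writer, delay: float, max_len: int, rng):
    """Send one junk line, sleep, repeat, until the client gives up."""
    try:
        while True:
            writer.write(make_banner_line(rng, max_len))
            await writer.drain()
            await asyncio.sleep(delay)
    except ConnectionError:
        pass  # client disconnected; nothing more to do
    finally:
        writer.close()


async def serve_tarpit(host: str, port: int, delay: float, max_len: int = 32, seed=None):
    rng = random.Random(seed)
    return await asyncio.start_server(
        lambda r, w: tarpit_handler(r, w, delay, max_len, rng), host, port)


async def check_tarpit(host: str, port: int, seconds: float) -> dict:
    """Connect like an SSH client and read lines for `seconds`.
    A real sshd answers with an "SSH-" banner almost immediately; a tarpit
    keeps sending non-"SSH-" lines with a steady gap between them."""
    reader, writer = await asyncio.open_connection(host, port)
    lines, stamps = [], []
    deadline = time.monotonic() + seconds
    try:
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break
            try:
                line = await asyncio.wait_for(reader.readline(), remaining)
            except asyncio.TimeoutError:
                break
            if not line:
                break  # server closed the connection
            lines.append(line)
            stamps.append(time.monotonic())
    finally:
        writer.close()
    gaps = [b - a for a, b in zip(stamps, stamps[1:])]
    saw_banner = any(l.startswith(b"SSH-") for l in lines)
    return {
        "lines": len(lines),
        "saw_ssh_banner": saw_banner,
        "is_tarpit": bool(lines) and not saw_banner,
        "avg_gap": sum(gaps) / len(gaps) if gaps else 0.0,
    }


async def _demo(delay: float, seconds: float) -> dict:
    # Start the toy tarpit on an ephemeral loopback port and check it.
    server = await serve_tarpit("127.0.0.1", 0, delay, seed=1)
    port = server.sockets[0].getsockname()[1]
    try:
        return await check_tarpit("127.0.0.1", port, seconds)
    finally:
        server.close()  # handler tasks are cancelled when asyncio.run() exits


def run_demo(delay: float = 0.2, seconds: float = 1.0) -> dict:
    return asyncio.run(_demo(delay, seconds))


def check_deployed(host: str = "tarpit.example.invalid", port: int = 2222,
                   seconds: float = 25.0) -> dict:
    """Point this at the real deployment (placeholder host); with Delay 10000
    you should see at least two lines and no SSH banner within 25 seconds."""
    return asyncio.run(check_tarpit(host, port, seconds))


if __name__ == "__main__":
    print(run_demo())
```

Running the block as a script exercises the toy server against the checker on loopback; calling check_deployed() with your tarpit's address is the post-deployment test. If it reports saw_ssh_banner as true, port 22 is forwarded to a real sshd, not the tarpit; if it reports zero lines, the forward or the service is not up.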
After I stood up my SSH tarpit, it took less than a minute to start getting hits.
Tarpits are fun tools for security defenders. However, security through obscurity does not work. Tarpits alone cannot protect your network; they are just a fun add-on to slow down dumb bots. In my view, any disruption to an adversary is a win.