Endlessh (Endless-SSH)

 A simple way to defend against SSH brute-force attacks

The Internet has not been a secure place from its beginning, and it was not designed with built-in security either. Both Internet users and services are vulnerable to attack. It is open for everyone to explore without limits.

Internet users have different intentions depending on their beliefs. Most only want to gather publicly available information. Some, however, want more than public data: one will try to steal information that is not publicly available by gaining access to a restricted network service, another will try to stop others from reaching a service to gain a competitive advantage or to extort a ransom from the provider. Different techniques are used to disrupt public-facing services, a few of them being password guessing and brute-forcing, DDoSing systems, and sending malware to services.

Brute-forcing credentials to gain access is a very common event that any exposed service faces daily. Many tools and resources for this type of attack are freely available, so it is common to see threat actors attempting to gain access by brute-forcing a service. In many cases these brute-force attacks are carried out by bots configured by threat actors.

The La Brea Tar Pits

Endlessh is an implementation of the tarpit concept. A tarpit is a security mechanism that deliberately delays network connectivity. The name comes from the geographical feature: a tar pit forms where petroleum seeps to the surface and mixes with dust and water, creating a pool in which animals get stuck and slowly sink. In networking, a tarpit has a similar meaning: threat actors get stuck in the connection for a long period, wasting their computing resources and time. An attacker's client can remain stuck for hours, days, or even weeks unless the connection is aborted manually. Tarpits have been used as defense mechanisms against worms, spam, and network abuse; within network abuse, the mechanism works best against attackers who try to brute-force your systems.

Endlessh uses the SSH banner to send a never-ending stream of lines to the client over the established connection. The idea is to move the real SSH server to a port other than the default one and have Endlessh listen for requests arriving on the default SSH port (port 22).

When a client connects to a server over SSH, it tries to authenticate against the server. Before authentication, client and server establish a TCP connection, and once it is established each side sends its identification string. The identification string includes the SSH protocol version, the software version, and optional comments. The server may send "other lines" of data before sending its identification string. There is no limit on the number of such lines, but each should not start with SSH-, should be encoded in UTF-8, and should be less than 255 characters long. A client receiving these lines may display them in the console or ignore them, but it cannot proceed to authentication until it has received the server's identification string. According to RFC 4253, this feature is designed to allow TCP wrappers to display an error message before disconnecting.

Structure of the identification string: SSH-protoversion-softwareversion SP <comments> CR LF

Endlessh uses this feature to keep clients waiting indefinitely by sending random lines of text. Because these other lines are sent before authentication, the server spends very few computational resources on each connection.
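A minimal tarpit illustrating the pre-banner mechanism described above, written here as an added Python example rather than taken from the Endlessh project (which is written in C). The listening port 2222 and the 10-second delay between lines are assumptions; a real deployment would listen on port 22 with sshd moved elsewhere.

```python
import asyncio
import random

MAX_LINE = 255        # RFC 4253 4.2: limit includes the CR LF
DELAY_SECONDS = 10.0  # assumed pause between lines; the delay is the tarpit
LISTEN_PORT = 2222    # assumed port for this demo (sshd stays on its own port)

def make_other_line(rng=random) -> bytes:
    """One random pre-banner line within the RFC 4253 rules: printable ASCII
    (so valid UTF-8), CR LF terminated, at most 255 bytes in total, and never
    beginning with "SSH-", which the client would read as the real banner."""
    while True:
        length = rng.randint(3, MAX_LINE - 2)       # leave room for CR LF
        body = bytes(rng.randrange(32, 127) for _ in range(length))
        if not body.startswith(b"SSH-"):
            return body + b"\r\n"

def is_valid_other_line(line: bytes) -> bool:
    # Same RFC constraints, as a check usable on any candidate line
    try:
        line.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return (line.endswith(b"\r\n") and len(line) <= MAX_LINE
            and not line.startswith(b"SSH-"))

async def tarpit(reader, writer):
    """Per-connection handler: one slow line at a time, never the banner."""
    peer = writer.get_extra_info("peername")
    sent = 0
    try:
        while True:
            writer.write(make_other_line())
            await writer.drain()                     # raises once client quits
            sent += 1
            await asyncio.sleep(DELAY_SECONDS)
    except ConnectionError:
        pass
    finally:
        writer.close()
        print(f"{peer} disconnected after {sent} lines")  # log for detection

async def main():
    # A single event loop holds every stuck client; cost per client is tiny
    server = await asyncio.start_server(tarpit, "0.0.0.0", LISTEN_PORT)
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(main())
```

Pointing an SSH client at the port shows it hanging before authentication, while the server's log records how long each bot stayed attached.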

References

  • Endlessh: an SSH Tarpit. https://nullprogram.com/blog/2019/03/22/
  • SSH Honeypot in 4 Minutes - Trap Hackers in Your Server. https://www.youtube.com/watch?v=SKhKNUo6rJU&t=194s
  • What Is an SSH Server? https://www.ssh.com/ssh/server
  • Best Practices for Securing SSH: What Are Your SSH Security Risks? https://www.venafi.com/blog/best-practices-ssh-key-management-what-are-your-ssh-security-risks
  • RFC 4253, section 4.2. https://tools.ietf.org/html/rfc4253#section-4.2
  • Endlessh source repository. https://github.com/skeeto/endlessh
