SSH Honeypot in 4 Minutes - Trap Hackers in Your Server 

Please note that Endlessh is NOT meant to replace conventional SSH security methods. You should still set up public-key only authentication and 2FA, as well as tools like iptables, fail2ban and CrowdSec It's also not meant to protect you from nmap port scans or advanced attacks. Endlessh is a fun way to mess with automated SSH scanners, but that's it.

You should just have the banner be the bee movie script

You're video is straight to the point and doesn't waste my time to increase your channel view time. Thank you.

Love this! There's a simple docker package as well in the docker hub, so quick to deploy! Thanks for bringing this project to me! Such a simple and powerful tarpit!!!

I've been setting up a game server, and I am TOTALLY DOING THIS. Thank you so much for making this video! It never occurred to me to have a 'false front' ssh login, and making it a time sink is a brilliant approach.

I think in addition to changing your real SSH port, I would also say setting up the SSH server to only accept keys for login would be the next step

I need to know: how often do we have to open the server up to let the trapped hackers out? Did we need to increase fan speed, to make sure they don't suffocate? If the server is not water cooled, do we need to provide water (and FOOD) for them? And, lastly, what about sanitation?

Don't run it on a production server or u might end up with 20k simultaneous ssh connections

I honestly love mitigation techniques like this one; they are simple, effective, and feel a bit trolly ;)

This is the least efficient way of "protecting" an SSH server I have ever seen, but also the funniest without a doubt

This is such a fantastic channel. Very well produced. Thanks Wolfgang.

Thanks for sharing this is pretty cool. True someone can script a timeout but the thought of slowing down even for 15 seconds seem to be worth it.

moving your SSHD to another port is a good practice, however a simple nmap on your IP will reveal it. Real hacker's script usually does a kind of nmap to list possible vulnerabilities. Good video

Damn I actually love Wolfgang's desk setup so much

Amusing, but I would rather setup fail2ban, as your real ssh server can still be hammered. Or do both

this is awesome, i love the idea of just teaching people to stop doing shoot the hard way

Hacker: let's add a timeout to the script ...

I have a local server that's not previously exposed to the internet, but I installed this and forwarded port 22 on my router to this service just to trap some bots. Feels like I'm doing a tiny little something to keep the most basic bots busy at least. Great video! I subscribed!

Dude your content is great, so glad i'm subscribed, keep it up ! :)

Thanks for this video. Looks fun. I'll do it. Also, glad to see another fish user!

0:46 when you see your password you used on some older sites scroll through the word list....

As an addon I would recommend putting your real ssh port on a really high port number. Most hackers use default port scanning of the most common port and dont even scan port 5000+, so yeah :) free tip! :D

Cool! Never knew you could show a banner before getting into the server. thanks for the video :)

That cutaway to the “hacker” at the beginning cures my depression.

Who would win: 758 SLOC C program vs Single line addition to add timeout to brute force.

Or, you could setup Guacamole so you can ssh from there and setup endlessh for those trying to connect directly.

just found your channel and it's DOPE AF! instant subbed!

I really like this concept!

So, it's a tarpit. Brill. Also, just FYI, there's an official debian package in buster-backports. I have my real ssh on a very odd port AND hidden by fwknop, just for a bit of extra; key-only auth of course. But I am actually thinking about installing this...

scripts will just adapt to close the connection after 10 second timeout and try another port

That thumbnail is perfection 👌

I’m so glad I found your channel. I’m just on the back log of watching every video you have, haha. You’re very knowledgeable and I love the humour in your videos. I know this is an older video but I was wondering what is your profession in day to day life? Thanks again for the quality content.

1:29 XD Nice vid btw

The only flaw I can see is when the hackers sees the login attempts slow down to a crawl, they're going to know they're stuck in Endlessh and just exit out. Stick them into port 22, keep the speed at normal, but also make sure that even if they happen to get the right password, it fails and they keep on going. Like you say, they could waste months even though they hit the correct password ten hours after starting.

There have never been escalation vulnerabilities. This is 100 expert advice from a guy who knows his 1s and 0s!

I wish I knew what you were doing and how to even begin to try such a thing, but it is awesome!

holy crap. I just did "sudo lastb -a | more" on my vps and found hundreds of attempts made today!

Though I wonder if this could potentially introduce a new threat surface. Haven’t looked at the code yet though.

Brilliant. This is a video worth watching :) thanks.

Very good stuff. Thank you.

2/10 no actual bonk meme included

Wow a 5 minute video with 5 minutes of solid information. Not a 11 minute video with 2 minutes of eh information. You just earned yourself a sub and a spot on my whitelist, something very very few RU-vidrs get from me.

Great short video with good production, 👌

Superb video contains deep knowledge... Keep on going brother

It would be nice if you could set this up in a way where you could keep ssh on the default port, but only lock up their ssh session if they enter a password from the common default password list. So if you enter an incorrect password like soi3$%as1s, the authentication would just fail, but if you tried something in a predefined list like "hunter2" or "123456", it would lock up the session with the banner. Not sure if something like that would be possible.

fragile; propably the best description for a mac

this is amazing work

If one was sepecifically targeting you they would scan for open ports first and notice that there are two ssh services running. In that case it wouldn't be of much help. But to be honest, that is highly unlikely. Most of the time it will be a random attack and against that I really love this method.

Well this is relevant to me xD (wasnt using the normal port of cause but still got spammed with these) i just stop port forwarding ssh and just using OpenVPN to my house then ssh in.

I just moved my SSH server to a different port, have done so for a very long time, I'd rather people not know my computer is there at all. I have also recently set up wireguard VPN server and SSH in over that for some extra obscurity. But just moving ports is good enough, not seen anyone try to login but myself.

It's in the ubuntu focal repositories. Many thanks, great tip!

ill sub to this guy, for giving me ideas to literally mess up the hackers

Спасибо за подсказку :-)

I wonder how many bruteforce attackers it would take to generate any kind of measurable load on that machine if it only respods with 1 line every several seconds :D Very cool stuff - thanks for sharing!

RU-vid algorithm brought me here. GREAT video!!

That's a great tip and great analogy

silly question. Couldn't you just do an nmap scan and figure out the actual port is 69?

Now we need fail2endless!

Thanks My SFTP server has been getting a lot of unwanted attention. I moved the port to a high port number, and protected the connection with Fail2ban. Still lots of unwanted attention. Fail2ban worked but I was getting attacked by hackers who were changing their IP address after every attempt, Fail2ban was banning hundreds of IP addressed an hour. I tried your sticky honey trap created about 50 sticky ports with the real SFTP and SSH ports amongst them. So far no problems are being recorded in the logs - so thanks

Nice, tnx a lot. Already configured that on my server ^^

Strange, on the servers we are using when someone fails to fill in the right credentials within 5 minutes the IP is blocked...

4 dislikers are black hat hackers.

Sounds similar to what we would put into a .plan or .project file back in the day on our Unix-like systems, when 9600 baud was “high speed”, so that when some user tried to use the finger command with your account, they would get this very lengthy animated plaintext message. Had to keep the stuff in a single line, and it used special characters, and the university banned such use of .plan and .project as a result of user complaints.

That is a really good piece of software. Should definitely check this out!

I just looked at my auth logs and saw: rustserver steam alpine root

That's very cool, however if they find out that the sshd server is running on another port like 69 in your case using a port scan, they'd be able to attack it directly once again. So you need firewalling / blaclisting / fail2ban / VPN as additional measures. + of course public key auth instead of plain text passwords.

Great video 👍 Keep it up❤️

Nice one! 😈 Thank you for sharing ❤️

You scan for open Ports. So even If your SSH ist running on a different Port IT wont be hard to find IT. I would personally Just diactivate IT If you are running your Server at Home

2:15 я сейчас буду сканить все порты

I was holding my breath waiting for you to pronounce that Patreon name... Great video tho, will definitely give it a shot just for fun

*in theory* provided there are enough servers running Endlessh, someone could do a "SSH amplification DDoS attack" as the script provides an amplification ratio greater than 1, similar concept to NTP amplification DDoS attacks...

I feel like you are going to make a lot of people lock themselves out of their server since you didn't show how to change the actual ssh server port

Easy fix against this protection: Use timeout in your bruteforce script, lmao

Good job! Great work.

Dude you are freaking awesome!

back on early 00's i was part of a community that ran on a telnet/mud chat server. we were never too much of elitist jerks but people got banned every now and then. and at some point someone who got banned got pissed off and spread address of it all around the internet, then we got flooded with people trying brute force attacks, come in to troll or never said an word for days doing god knows what. at some point the owner had enough and did this thing where all those people would be funneled to a fake chatroom where few days of chat log would replay in a loop plus it would randomly grab a username from them and make up random messages like "hi ", "i agree", "ok", "should we change subjects?" and so. it was painfully effective, people would only realize something was wrong after they saw chat repeating since we only had something like 2 days of logs. eventually random people got caught into it and everyone felt really bad for making some poor random talk to a walk for days and turned the whole thing off

Thanks for the laugh @2:14.

back in the early 90`s I had a remote login attempt, traced the ip, it was a school with a known address and ip, called them, spoke to the principal, they were baffeled and did not know what I was talking about. "There are some kids in your computer room trying to login into other servers". Funny stuff back then.

A lot of attackers don't just try the default port, they scan your ip and will see the other port as well. However, having a banner some pages long on your regular login address would still slow a brute force/dict attack to a crawl and not be worth doing.

Cheems is in the miniature, excellent service 10/10

If you're doing anything automated with ssh you really don't want to let the client timeout by itself, it'll take forever (or, in this case, never do so). Adding something like this *_-o ConnectTimeout=3_* to your client arguments should usually be enough, but in some cases (e.g. remote automated tunnels over very unreliable connections) it could still hang for a long time. So, just to use the above and a wrapper that kill ssh if it hangs to much. Or write your own client. I don't think many will fall in such a tarpit. Not even many script kiddies as the scripts they downloaded, without understanding, will likely take care of such a scenario for them.

You sir, have earned a subscriber ✌🏻👍🏻

I deployed this on my server the other day (I already had SSH on a different port than default and set up public key login only) and I’ve already had countless bots attempt to SSH in. Some got stuck for over 20 minutes. There’s been bots from Russia, China, Peru, the UK, South Korea, all over the damn place. Pretty cool knowing that not only am I doing my part to waste these assholes’ time, but I’m also better protecting my server. I’m willing to bet that with a number of these bots, after they get trapped in the tarpit they probably blacklist your server’s IP so they don’t waste their time again.

Really cool, thanks!

I love this program! endlessh.log file on my home server has grown to 33mb since July! I haven't done much analysis on it, but it seems to be mostly Chinese bots :) I'm not super happy with it running as root (although creator says it is ok), but was too lazy to do a iptables redirect yet.

What a great solution! :D Thanks!

Reverse slow loris in a way... I love it.

cool man thanks. gona check it out.

Good info, thanks.

Thank you for the infomation, question: have you tried to install a honeyspot? to see what these bots do after logging in

Ah yes, the slow loris in reverse, great idea!

Pretty silly and niche use case but i enjoyed the video :D

So funny! I wonder if you could throw tcp wrappers into the mix here; “permitted” IP ranges could get the actual sshd and everything else would land in endlessh

Excellent idea!

That terminal is beautiful lol.

not bad. Thats something that I just learned.

That’s such an easy thing to go around, that I don’t think it even matters

It is a start but i would suggest hardening any other services on the machine too. While ssh bruteforces are common, people target pretty much everything, especially webapps and related services.

This is most epic name WOLFGANG