~skeeto/public-inbox

Re: Endlessh: an SSH Tarpit

Tim Chase
Message ID
<20200227225152.49a61a6e@bigbox.attlocal.net>
Is my understanding correct that endlessh only listens on the
external IP address, not on the local IP address?  If I try

  mylocalmachine$ telnet -4 myvps 2000

endlessh works as expected.  But if I SSH into my VPS machine and try

  myvps$ telnet 127.0.0.1 2000

the connection times out. Same for "-6" and "::1" for IPv6.

(feel free to stop reading here and ignore the rest if you're not
curious why I'd want to do a dumb thing like serve endlessh to
localhost)

Thanks!

-tim / @gumnos

gory details:

I know it seems a dumb thing to serve endlessh to localhost, but I
encountered an issue where FreeBSD's pf(4) divert-to only talks to
localhost.  I've set up a whole range of ports on either side of
my real SSH port to make it more annoying to find the real one unless
you actually know the real port #.  However, at least on FreeBSD, a
divert-to seems to only talk to 127.0.0.1 or ::1 rather than talking
on the external IP address.  I tried

 endlessh_port=2000
 real_ssh=2345
 ext_ip=192.168.1.32

 pass in log inet proto tcp from any to any port $endlessh_port
 pass in log inet proto tcp from any to any port 2001:2344 \
   divert-to $ext_ip port $endlessh_port
 pass in log inet proto tcp from any to any port 2346:2999 \
   divert-to $ext_ip port $endlessh_port

(with similar pairs for inet6.)  When loading, pf seems to ignore the
"ext_ip" bit and just uses 127.0.0.1 instead.

I've worked around it by doing an "rdr" in pf to redirect the whole
swath of ports, but my understanding is that divert-to should be more
resource-friendly.  In case you want to follow along, the pf.conf
that works (possibly removing the backslashes):

 rdr pass on $if_external inet proto tcp \
   from any to any port 2001:2344 -> \
   $ip4_external port $endlessh_port

 rdr pass on $if_external inet proto tcp \
   from any to any port 2346:2999 -> \
   $ip4_external port $endlessh_port

Re: Endlessh: an SSH Tarpit

Message ID
<20200228135259.dodz46wussfbbx4k@nullprogram.com>
In-Reply-To
<20200227225152.49a61a6e@bigbox.attlocal.net>
It *should* be binding to all available interfaces. In the source you
can see it uses INADDR_ANY or in6addr_any. This is currently not
configurable, meaning you haven't accidentally changed it. Testing now
on both Debian and FreeBSD, I can connect to Endlessh via localhost
using telnet just as you showed. Perhaps you have a local system
configuration that's causing an issue?

Your requirement to have the service available on localhost makes sense,
and I'd expect Endlessh to support it.
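An added C check of the binding point made in the reply (example code, not Endlessh's source or anything posted in either message): a socket bound to INADDR_ANY must accept connections on 127.0.0.1, and probe_tcp4 is a deadline-bounded version of the telnet test, so it returns 0 after the timeout when nothing answers instead of hanging. It covers IPv4 only; the in6addr_any side is analogous, and the 1000 ms deadline is an arbitrary choice.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* Listen on INADDR_ANY (every IPv4 interface) on a kernel-chosen port, as Endlessh binds. */
int listen_any4(unsigned short *port)
{
    struct sockaddr_in sa = {0};
    socklen_t len = sizeof sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    sa.sin_family = AF_INET; sa.sin_addr.s_addr = htonl(INADDR_ANY);  /* sin_port 0: kernel picks */
    if (fd < 0 || bind(fd, (struct sockaddr *)&sa, len) || listen(fd, 16) ||
        getsockname(fd, (struct sockaddr *)&sa, &len))
        return close(fd), -1;
    *port = ntohs(sa.sin_port);
    return fd;
}

/* Non-blocking connect to ip:port with a deadline: returns 1 only if the TCP handshake
 * completed (at once, or EINPROGRESS then SO_ERROR == 0 once writable), else 0. */
int probe_tcp4(const char *ip, unsigned short port, int timeout_ms)
{
    struct sockaddr_in sa = {0};
    struct timeval tv = {timeout_ms / 1000, (timeout_ms % 1000) * 1000};
    int fd = socket(AF_INET, SOCK_STREAM, 0), err = 0, ok;
    fd_set w; socklen_t el = sizeof err;
    if (fd < 0) return 0;
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK);
    sa.sin_family = AF_INET; sa.sin_port = htons(port);
    inet_pton(AF_INET, ip, &sa.sin_addr);
    FD_ZERO(&w); FD_SET(fd, &w);
    ok = connect(fd, (struct sockaddr *)&sa, sizeof sa) == 0 ||
         (errno == EINPROGRESS && select(fd + 1, NULL, &w, NULL, &tv) > 0 &&
          getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &el) == 0 && err == 0);
    close(fd);
    return ok;
}

/* Expected behaviour: reachable on 127.0.0.1 while listening, refused once closed. */
int anyaddr_loopback_check(void)
{
    unsigned short port = 0;
    int fd = listen_any4(&port), up = fd >= 0 && probe_tcp4("127.0.0.1", port, 1000);
    close(fd);
    return up && !probe_tcp4("127.0.0.1", port, 1000);
}
```

Against a running Endlessh, probe_tcp4("127.0.0.1", 2000, 1000) returning 1 confirms the listener answers on loopback; 0 points at something between the client and the socket rather than at the bind address.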