Please note that Endlessh is NOT meant to replace conventional SSH security methods. You should still set up public-key only authentication and 2FA, as well as tools like iptables, fail2ban and CrowdSec It's also not meant to protect you from nmap port scans or advanced attacks. Endlessh is a fun way to mess with automated SSH scanners, but that's it.

You should just have the banner be the bee movie script

You're video is straight to the point and doesn't waste my time to increase your channel view time. Thank you.

I need to know: how often do we have to open the server up to let the trapped hackers out? Did we need to increase fan speed, to make sure they don't suffocate? If the server is not water cooled, do we need to provide water (and FOOD) for them? And, lastly, what about sanitation?

Love this! There's a simple docker package as well in the docker hub, so quick to deploy! Thanks for bringing this project to me! Such a simple and powerful tarpit!!!

I've been setting up a game server, and I am TOTALLY DOING THIS. Thank you so much for making this video! It never occurred to me to have a 'false front' ssh login, and making it a time sink is a brilliant approach.

This is such a fantastic channel. Very well produced. Thanks Wolfgang.

Thanks for sharing this is pretty cool. True someone can script a timeout but the thought of slowing down even for 15 seconds seem to be worth it.

moving your SSHD to another port is a good practice, however a simple nmap on your IP will reveal it. Real hacker's script usually does a kind of nmap to list possible vulnerabilities. Good video

I think in addition to changing your real SSH port, I would also say setting up the SSH server to only accept keys for login would be the next step

I honestly love mitigation techniques like this one; they are simple, effective, and feel a bit trolly ;)

Don't run it on a production server or u might end up with 20k simultaneous ssh connections

Damn I actually love Wolfgang's desk setup so much

This is the least efficient way of "protecting" an SSH server I have ever seen, but also the funniest without a doubt

I’m so glad I found your channel. I’m just on the back log of watching every video you have, haha. You’re very knowledgeable and I love the humour in your videos. I know this is an older video but I was wondering what is your profession in day to day life? Thanks again for the quality content.

Cool! Never knew you could show a banner before getting into the server. thanks for the video :)

As an addon I would recommend putting your real ssh port on a really high port number. Most hackers use default port scanning of the most common port and dont even scan port 5000+, so yeah :) free tip! :D

Hacker: let's add a timeout to the script ...

Dude your content is great, so glad i'm subscribed, keep it up ! :)

this is awesome, i love the idea of just teaching people to stop doing shoot the hard way

Amusing, but I would rather setup fail2ban, as your real ssh server can still be hammered. Or do both

I have a local server that's not previously exposed to the internet, but I installed this and forwarded port 22 on my router to this service just to trap some bots. Feels like I'm doing a tiny little something to keep the most basic bots busy at least. Great video! I subscribed!

Thanks for this video. Looks fun. I'll do it. Also, glad to see another fish user!

just found your channel and it's DOPE AF! instant subbed!

0:46 when you see your password you used on some older sites scroll through the word list....

So, it's a tarpit. Brill. Also, just FYI, there's an official debian package in buster-backports. I have my real ssh on a very odd port AND hidden by fwknop, just for a bit of extra; key-only auth of course. But I am actually thinking about installing this...

Thanks My SFTP server has been getting a lot of unwanted attention. I moved the port to a high port number, and protected the connection with Fail2ban. Still lots of unwanted attention. Fail2ban worked but I was getting attacked by hackers who were changing their IP address after every attempt, Fail2ban was banning hundreds of IP addressed an hour. I tried your sticky honey trap created about 50 sticky ports with the real SFTP and SSH ports amongst them. So far no problems are being recorded in the logs - so thanks

That thumbnail is perfection 👌

Who would win: 758 SLOC C program vs Single line addition to add timeout to brute force.

1:29 XD Nice vid btw

That cutaway to the “hacker” at the beginning cures my depression.

I wish I knew what you were doing and how to even begin to try such a thing, but it is awesome!

scripts will just adapt to close the connection after 10 second timeout and try another port

Or, you could setup Guacamole so you can ssh from there and setup endlessh for those trying to connect directly.

I really like this concept!

Great short video with good production, 👌

Though I wonder if this could potentially introduce a new threat surface. Haven’t looked at the code yet though.

holy crap. I just did "sudo lastb -a | more" on my vps and found hundreds of attempts made today!

Great video 👍 Keep it up❤️

Superb video contains deep knowledge... Keep on going brother

The only flaw I can see is when the hackers sees the login attempts slow down to a crawl, they're going to know they're stuck in Endlessh and just exit out. Stick them into port 22, keep the speed at normal, but also make sure that even if they happen to get the right password, it fails and they keep on going. Like you say, they could waste months even though they hit the correct password ten hours after starting.

Wow a 5 minute video with 5 minutes of solid information. Not a 11 minute video with 2 minutes of eh information. You just earned yourself a sub and a spot on my whitelist, something very very few KZbinrs get from me.

Good job! Great work.

Brilliant. This is a video worth watching :) thanks.

fragile; propably the best description for a mac

Well this is relevant to me xD (wasnt using the normal port of cause but still got spammed with these) i just stop port forwarding ssh and just using OpenVPN to my house then ssh in.

Very good stuff. Thank you.

back on early 00's i was part of a community that ran on a telnet/mud chat server. we were never too much of elitist jerks but people got banned every now and then. and at some point someone who got banned got pissed off and spread address of it all around the internet, then we got flooded with people trying brute force attacks, come in to troll or never said an word for days doing god knows what. at some point the owner had enough and did this thing where all those people would be funneled to a fake chatroom where few days of chat log would replay in a loop plus it would randomly grab a username from them and make up random messages like "hi ", "i agree", "ok", "should we change subjects?" and so. it was painfully effective, people would only realize something was wrong after they saw chat repeating since we only had something like 2 days of logs. eventually random people got caught into it and everyone felt really bad for making some poor random talk to a walk for days and turned the whole thing off

4 dislikers are black hat hackers.

It would be nice if you could set this up in a way where you could keep ssh on the default port, but only lock up their ssh session if they enter a password from the common default password list. So if you enter an incorrect password like soi3$%as1s, the authentication would just fail, but if you tried something in a predefined list like "hunter2" or "123456", it would lock up the session with the banner. Not sure if something like that would be possible.

Nice one! 😈 Thank you for sharing ❤️

There have never been escalation vulnerabilities. This is 100 expert advice from a guy who knows his 1s and 0s!

I just moved my SSH server to a different port, have done so for a very long time, I'd rather people not know my computer is there at all. I have also recently set up wireguard VPN server and SSH in over that for some extra obscurity. But just moving ports is good enough, not seen anyone try to login but myself.

I wonder how many bruteforce attackers it would take to generate any kind of measurable load on that machine if it only respods with 1 line every several seconds :D Very cool stuff - thanks for sharing!

That's a great tip and great analogy

That is a really good piece of software. Should definitely check this out!

2/10 no actual bonk meme included

Now we need fail2endless!

Dude you are freaking awesome!

ill sub to this guy, for giving me ideas to literally mess up the hackers

Спасибо за подсказку :-)

Strange, on the servers we are using when someone fails to fill in the right credentials within 5 minutes the IP is blocked...

If one was sepecifically targeting you they would scan for open ports first and notice that there are two ssh services running. In that case it wouldn't be of much help. But to be honest, that is highly unlikely. Most of the time it will be a random attack and against that I really love this method.

Sounds similar to what we would put into a .plan or .project file back in the day on our Unix-like systems, when 9600 baud was “high speed”, so that when some user tried to use the finger command with your account, they would get this very lengthy animated plaintext message. Had to keep the stuff in a single line, and it used special characters, and the university banned such use of .plan and .project as a result of user complaints.

silly question. Couldn't you just do an nmap scan and figure out the actual port is 69?

2:15 я сейчас буду сканить все порты

this is amazing work

It's in the ubuntu focal repositories. Many thanks, great tip!

You scan for open Ports. So even If your SSH ist running on a different Port IT wont be hard to find IT. I would personally Just diactivate IT If you are running your Server at Home

I just looked at my auth logs and saw: rustserver steam alpine root

I was holding my breath waiting for you to pronounce that Patreon name... Great video tho, will definitely give it a shot just for fun

If you're doing anything automated with ssh you really don't want to let the client timeout by itself, it'll take forever (or, in this case, never do so). Adding something like this *_-o ConnectTimeout=3_* to your client arguments should usually be enough, but in some cases (e.g. remote automated tunnels over very unreliable connections) it could still hang for a long time. So, just to use the above and a wrapper that kill ssh if it hangs to much. Or write your own client. I don't think many will fall in such a tarpit. Not even many script kiddies as the scripts they downloaded, without understanding, will likely take care of such a scenario for them.

That's very cool, however if they find out that the sshd server is running on another port like 69 in your case using a port scan, they'd be able to attack it directly once again. So you need firewalling / blaclisting / fail2ban / VPN as additional measures. + of course public key auth instead of plain text passwords.

I feel like you are going to make a lot of people lock themselves out of their server since you didn't show how to change the actual ssh server port

I deployed this on my server the other day (I already had SSH on a different port than default and set up public key login only) and I’ve already had countless bots attempt to SSH in. Some got stuck for over 20 minutes. There’s been bots from Russia, China, Peru, the UK, South Korea, all over the damn place. Pretty cool knowing that not only am I doing my part to waste these assholes’ time, but I’m also better protecting my server. I’m willing to bet that with a number of these bots, after they get trapped in the tarpit they probably blacklist your server’s IP so they don’t waste their time again.

Nice, tnx a lot. Already configured that on my server ^^

Easy fix against this protection: Use timeout in your bruteforce script, lmao

back in the early 90`s I had a remote login attempt, traced the ip, it was a school with a known address and ip, called them, spoke to the principal, they were baffeled and did not know what I was talking about. "There are some kids in your computer room trying to login into other servers". Funny stuff back then.

KZbin algorithm brought me here. GREAT video!!

*in theory* provided there are enough servers running Endlessh, someone could do a "SSH amplification DDoS attack" as the script provides an amplification ratio greater than 1, similar concept to NTP amplification DDoS attacks...

I love this program! endlessh.log file on my home server has grown to 33mb since July! I haven't done much analysis on it, but it seems to be mostly Chinese bots :) I'm not super happy with it running as root (although creator says it is ok), but was too lazy to do a iptables redirect yet.

Really cool, thanks!

Thanks for the laugh @2:14.

You sir, have earned a subscriber ✌🏻👍🏻

Good info, thanks.

Thank you for the infomation, question: have you tried to install a honeyspot? to see what these bots do after logging in

What a great solution! :D Thanks!

A lot of attackers don't just try the default port, they scan your ip and will see the other port as well. However, having a banner some pages long on your regular login address would still slow a brute force/dict attack to a crawl and not be worth doing.

Pretty silly and niche use case but i enjoyed the video :D

So funny! I wonder if you could throw tcp wrappers into the mix here; “permitted” IP ranges could get the actual sshd and everything else would land in endlessh

Cheems is in the miniature, excellent service 10/10

cool man thanks. gona check it out.

Excellent idea!

Great video!

I discovered your channel, I'm a student in France, thanks for your videos :) also I prefer using fail2ban tho

Nice internet survival stuff. Keep up fellow black hat.

Aha! joke's on you, for now I will use this information to reformulate my new evil master plan! it will be perfect next time! _[laughs maniacally]_

Reverse slow loris in a way... I love it.

Thanks for the review of the usefull stuff. Do you know about existing of any analogs for the sip protocol?

Thanks for this video Bro. I've been seeing email daily for over 300 hacker attempts. Now that endlessh is running on my server, I'm curious to see what the number daily will be.