GNU bug report logs - #39136
[PATCH] gnu: services: Add endlessh.

Previous Next

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 39136 in the body.
You can then email your comments to 39136 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: anothersms <at> gmail.com (Nicolò Balzarotti)
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: services: Add endlessh.
Date: Tue, 14 Jan 2020 22:21:29 +0100

[Message part 1 (text/plain, inline)]

Hello guix!

This is my first service :) I know I still miss documentation and tests,
but before diving into it I wanted a general feedback on it (so that if
we decide to change something I don't have to adjust the docs and the
tests twice).

Endlessh is already in the repo, but for those who don't know: it's a
fake ssh server; it should be used to prevent bruteforce attacks and the
like by "freezing" the connection on the standard port (while the real
ssh server is on another non-standard port).  So, I don't know if as
default port should be 22 or, as it is now, 2222 (program's default).

My second doubt is regarding the place; it's an ssh server, but its main
purpose is for security? Maybe should go under admin.scm? I'm not sure

Last thing: bind-family as a list of allowed values is a suggetion from
IRC @leoprikler. Thanks for your help there!

Waiting for your feedback,

Nicolò

[0001-gnu-services-Add-endlessh.patch (text/x-patch, attachment)]

Message #8 received at 39136 <at> debbugs.gnu.org (full text, mbox):

From: Oleg Pykhalov <go.wigust <at> gmail.com>
To: anothersms <at> gmail.com (Nicolò Balzarotti)
Cc: 39136 <at> debbugs.gnu.org
Subject: Re: [bug#39136] [PATCH] gnu: services: Add endlessh.
Date: Sat, 25 Jul 2020 23:08:44 +0300

[Message part 1 (text/plain, inline)]

Hi,

That patch was forgotten for some reason, but we still have a succeeded
to build ‘endlessh’ package which missing a service!  :-)

anothersms <at> gmail.com (Nicolò Balzarotti) writes:

> This is my first service :) I know I still miss documentation and tests,
> but before diving into it I wanted a general feedback on it (so that if
> we decide to change something I don't have to adjust the docs and the
> tests twice).

Tests are appreciated ;-)

> Endlessh is already in the repo, but for those who don't know: it's a
> fake ssh server; it should be used to prevent bruteforce attacks and the
> like by "freezing" the connection on the standard port (while the real
> ssh server is on another non-standard port).  So, I don't know if as
> default port should be 22 or, as it is now, 2222 (program's default).

2222 is OK.  But we need this be documented in ‘doc/guix.texi’.  Could
you take a look on this, please?

> My second doubt is regarding the place; it's an ssh server, but its main
> purpose is for security? Maybe should go under admin.scm? I'm not sure

I think gnu/services/ssh.scm is good.

[…]

> +(define-record-type* <endlessh-configuration>
> +  endlessh-configuration make-endlessh-configuration
> +  endlessh-configuration?
> +  ;; list of two symbols, allowed values are ipv4, ipv6 or both
> +  (bind-family endlessh-configuration-bind-family (default '(ipv4 ipv6)))

Please, move ‘(default …)’ things on a separate line.

[…]

Otherwise LGTM.  Could you send an update with a documented service?

Thanks,
Oleg.

[signature.asc (application/pgp-signature, inline)]

Message #11 received at 39136 <at> debbugs.gnu.org (full text, mbox):

From: Joshua Branson <jbranso <at> dismail.de>
To: 39136 <at> debbugs.gnu.org
Cc: Nicolò Balzarotti <nicolo <at> nixo.xyz>
Subject: [PATCH 1/2] services: Add endlessh service.
Date: Mon, 15 Mar 2021 12:29:48 -0400

From: Nicolò Balzarotti <nicolo <at> nixo.xyz>

* gnu/services/ssh.scm: Add endlessh service
(<endlessh-configuration>): New record type.
(endlessh-config->conf, endlessh-shepherd-service, endlessh-service-type): New procedures.
---
 gnu/services/ssh.scm | 73 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)

diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 1891db0487..aad9bbc754 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -54,6 +54,10 @@
             autossh-configuration?
             autossh-service-type
 
+            endlessh-configuration
+            endlessh-configuration?
+            endlessh-service-type
+
             webssh-configuration
             webssh-configuration?
             webssh-service-type
@@ -739,6 +743,75 @@ object."
                              autossh-service-activation)))
    (default-value (autossh-configuration))))
 
+
+;;;
+;;; Endlessh.
+;;;
+
+(define-record-type* <endlessh-configuration>
+  endlessh-configuration make-endlessh-configuration
+  endlessh-configuration?
+  ;; list of two symbols, allowed values are ipv4, ipv6 or both
+  (bind-family endlessh-configuration-bind-family (default '(ipv4 ipv6)))
+  ;; integer
+  (delay endlessh-configuration-delay (default 10000))
+  ;; integer
+  ;; Must be in the range
+  (length endlessh-configuration-length (default 32))
+  ;; integer
+  (max-clients endlessh-configuration-max-clients (default 4096))
+  ;; integer
+  (port-number endlessh-configuration-port-number (default 2222))
+  ;; integer
+  ;; Allowed values are 0, 1 and 2
+  (log-level endlessh-configuration-log-level (default 0)))
+
+(define (endlessh-config->conf config)
+  "Convert the CONFIG of type <endlessh-config> to a config file."
+  (let* ((family (endlessh-configuration-bind-family config))
+	 (ipv4 (member 'ipv4 family))
+	 (ipv6 (member 'ipv6 family))
+	 (port (endlessh-configuration-port-number config))
+	 (delay (endlessh-configuration-delay config))
+	 (length (endlessh-configuration-length config))
+	 (log-level (endlessh-configuration-log-level config))
+	 (max-clients (endlessh-configuration-max-clients config))
+	 (bind
+	  ;; check if both are true (0), or only one of them is present
+	  (if (not (and (equal? ipv4 ipv6) ipv4))
+	      (if ipv4 4
+		  (if ipv6 6
+		      (throw 'endlessh-error
+			     "bind-family must contain at least one value")))
+	      0)))
+    (mixed-text-file "endlessh.conf"
+		     "# Generated by 'endlessh-config'.\n\n"
+		     "Port " (number->string port) "\n"
+		     "Delay " (number->string delay) "\n"
+		     "MaxLineLength " (number->string length) "\n"
+		     "MaxClients " (number->string max-clients) "\n"
+		     "LogLevel " (number->string log-level) "\n"
+		     "BindFamily " (number->string bind) "\n")))
+
+(define (endlessh-shepherd-service config)
+  (shepherd-service
+   (documentation "Run endlessh tarpit server.")
+   (provision '(endlessh))
+   (start #~(make-forkexec-constructor
+	     (list #$(file-append endlessh "/bin/endlessh")
+		   "-f" #$(endlessh-config->conf config))))
+   (stop  #~(make-kill-destructor))))
+
+(define endlessh-service-type
+  (service-type
+   (name 'endlessh)
+   (description "Run endlessh tarpit server.")
+   (extensions
+    (list (service-extension shepherd-root-service-type
+                             (compose list endlessh-shepherd-service))))
+   (default-value (endlessh-configuration))))
+
+
 
 ;;;
 ;;; WebSSH
-- 
2.30.0

Message #14 received at 39136 <at> debbugs.gnu.org (full text, mbox):

From: Joshua Branson <jbranso <at> dismail.de>
To: 39136 <at> debbugs.gnu.org
Cc: Joshua Branson <jbranso <at> dismail.de>
Subject: [PATCH 2/2] services: containerized endlessh
Date: Mon, 15 Mar 2021 12:29:49 -0400

doc: endlessh service documentation.

* doc/guix.texi (Networking Services): New endlessh-service-type section.

services: containerized endlessh

* gnu/services/ssh.scm (endlessh-config->conf): make-forkexec-contructor ->
make-forkexec-constructor/container. and attempted to enable logging to syslog.
  (define-record-type* <endlessh-configuration>)
  move default values of endlessh configuration to separate line.
  Add copyright line for Nicolo.
---
 doc/guix.texi        | 60 ++++++++++++++++++++++++++++++++++++++++++++
 gnu/services/ssh.scm | 35 ++++++++++++++++++--------
 2 files changed, 85 insertions(+), 10 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 464c1141d8..38807b3069 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -17081,6 +17081,66 @@ may cause undefined behaviour.
 @end table
 @end deftp
 
+@cindex Endlessh
+@deffn {Scheme Variable} endlessh-service-type
+This is the type for the @uref{https://github.com/skeeto/endlessh,
+Endlessh} program that delays ssh clients for days at a time by
+@emph{very slowly} sending a random and endless SSH banner.  The smart
+hacker will put endlessh running on port 22, and let crackers get stuck
+in this tarpit.  This lets your real ssh server run more securely on a
+non-standard port.
+
+For example:
+
+@lisp
+(service endlessh-service-type
+  (endlessh-configuration
+    (port-number 22)))
+@end lisp
+
+@end deffn
+
+@deftp {Data Type} endlessh-configuration
+Data type representing the configuration for @code{endlessh-service}.
+@table @asis
+@item @code{package} (default: @var{endlessh})
+@code{endlessh} package to use.
+
+@item @code{bind-family} (default: @code{'(ipv4 ipv6)})
+This specifies if endlessh should use ipv4 and/or ipv6.
+
+@item @code{delay} (default: @code{10000})
+The endless banner is sent one line at a time. This is the delay
+in milliseconds between individual lines.
+
+@item @code{length} (default: @code{32})
+The length of each line is randomized. This controls the maximum length
+of each line. Shorter lines may keep clients on for longer if they give
+up after a certain number of bytes.
+
+@item @code{max-clients} (default: @code{4096})
+Maximum number of connections to accept at a time. Connections beyond
+this are not immediately rejected, but will wait in the queue.
+
+@item @code{port-number} (default: @code{2222})
+The port on which to listen for new SSH connections.  Most users who
+want to use endlessh as intended should set this port number to
+@code{22}.
+
+@item @code{log-level} (default: @code{0})
+Set the detail level for the log.
+@table @asis
+@item  0 = Quiet
+@item  1 = Standard, useful log messages
+@item  2 = Very noisy debugging information
+@end table
+
+@item @code{syslog} (default: @code{#f})
+Print diagnostics to syslog instead of standard output
+
+@end table
+@end deftp
+
 @cindex WebSSH
 @deffn {Scheme Variable} webssh-service-type
 This is the type for the @uref{https://webssh.huashengdun.org/, WebSSH}
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index aad9bbc754..838655cf2c 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -6,6 +6,8 @@
 ;;; Copyright © 2019 Ricardo Wurmus <rekado <at> elephly.net>
 ;;; Copyright © 2020 pinoaffe <pinoaffe <at> airmail.cc>
 ;;; Copyright © 2020 Oleg Pykhalov <go.wigust <at> gmail.com>
+;;; Copyright © 2020 Nicolò Balzarotti <nicolo <at> nixo.xyz>
+;;; Copyright @ 2021 Joshua Branson <jbranso <at> dismail.de>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -752,19 +754,25 @@ object."
   endlessh-configuration make-endlessh-configuration
   endlessh-configuration?
   ;; list of two symbols, allowed values are ipv4, ipv6 or both
-  (bind-family endlessh-configuration-bind-family (default '(ipv4 ipv6)))
+  (bind-family endlessh-configuration-bind-family
+               (default '(ipv4 ipv6)))
   ;; integer
-  (delay endlessh-configuration-delay (default 10000))
+  (delay endlessh-configuration-delay
+         (default 10000))
   ;; integer
   ;; Must be in the range
-  (length endlessh-configuration-length (default 32))
+  (length endlessh-configuration-length
+          (default 32))
   ;; integer
-  (max-clients endlessh-configuration-max-clients (default 4096))
+  (max-clients endlessh-configuration-max-clients
+               (default 4096))
   ;; integer
-  (port-number endlessh-configuration-port-number (default 2222))
+  (port-number endlessh-configuration-port-number
+               (default 2222))
   ;; integer
   ;; Allowed values are 0, 1 and 2
-  (log-level endlessh-configuration-log-level (default 0)))
+  (log-level endlessh-configuration-log-level
+             (default 0)))
 
 (define (endlessh-config->conf config)
   "Convert the CONFIG of type <endlessh-config> to a config file."
@@ -797,15 +805,22 @@ object."
   (shepherd-service
    (documentation "Run endlessh tarpit server.")
    (provision '(endlessh))
-   (start #~(make-forkexec-constructor
-	     (list #$(file-append endlessh "/bin/endlessh")
-		   "-f" #$(endlessh-config->conf config))))
+   (start #~(make-forkexec-constructor/container
+	     `(list #$(file-append endlessh "/bin/endlessh")
+                    ,(if (positive? (endlessh-configuration-log-level config))
+                         "-s"
+                         "")
+		    "-f" #$(endlessh-config->conf config))))
    (stop  #~(make-kill-destructor))))
 
 (define endlessh-service-type
   (service-type
    (name 'endlessh)
-   (description "Run endlessh tarpit server.")
+   (description "Endlessh is an SSH tarpit that very slowly sends an endless,
+random SSH banner. It keeps SSH clients locked up for hours or even days at a
+time. The purpose is to put your real SSH server on another port and then let
+the script kiddies get stuck in this tarpit instead of bothering a real
+server.")
    (extensions
     (list (service-extension shepherd-root-service-type
                              (compose list endlessh-shepherd-service))))
-- 
2.30.0

Message #17 received at 39136 <at> debbugs.gnu.org (full text, mbox):

From: Joshua Branson <jbranso <at> dismail.de>
To: 39136 <at> debbugs.gnu.org
Subject: My endlessh patch series 
Date: Tue, 16 Mar 2021 11:32:21 -0400

So I've been working on this endlessh service for a while.  I believe
it could be better, but perfectionist can only do one thing perfectly:
nothing.  So I've submitted the above patch series.  Let me know if it
needs more work.

At the moment, I believe that endlessh runs as root.  It would be nice
to let it run as user nobody or something like that.

The endlessh systemd file provides an example of how to do that:

https://github.com/skeeto/endlessh/blob/master/util/endlessh.service

## If you want Endlessh to bind on ports < 1024
## 1) run: 
##     setcap 'cap_net_bind_service=+ep' /usr/local/bin/endlessh
## 2) uncomment following line
#AmbientCapabilities=CAP_NET_BIND_SERVICE
## 3) comment following line
PrivateUsers=true

Though setcap 'cap_net_bind_service=+ep' is linux specific.  And I'm
not certain if guix has a method for running setcap on items in the
store.

Those are just some relevant thoughts for improving the service!

Thanks!

Message #20 received at 39136 <at> debbugs.gnu.org (full text, mbox):

From: Joshua Branson <jbranso <at> dismail.de>
To: 39136 <at> debbugs.gnu.org
Cc: bug-guix <at> gnu.org
Subject: issues.guix.org not showing patch series? 
Date: Tue, 16 Mar 2021 11:42:18 -0400

Hello!

I just submitted a patch series for an endlessh service!

However, issues.guix.gnu.org/39136 does not properly show the patch
series.  :( Maybe I just submitted the patch series incorrectly.  :)

You can see the patch series here:

https://lists.gnu.org/archive/html/guix-patches/2021-03/msg00672.html

And via

 M-x debbugs-gnu-bugs RET 39136 RET

I'm not certain what the issue is...

This is the command that I used to send the patch series.

#+BEGIN_SRC sh
git send-email --to=39136 <at> debbugs.gnu.org HEAD~2
#+END_SRC

Thanks!

Your friend,

Joshua

Message #23 received at 39136 <at> debbugs.gnu.org (full text, mbox):

From: Joshua Branson <jbranso <at> dismail.de>
To: 39136 <at> debbugs.gnu.org
Cc: go.wigust <at> gmail.com
Subject: Re: bug#39136: [PATCH] gnu: services: Add endlessh.
Date: Fri, 19 Mar 2021 12:22:40 -0400

Ping for Oleg!

Thanks!

Joshua

P.S.  I forget to include your email in the patch series.  I know the
patch series could be better, but I figured I'd rather submit something
rather than nothing.  Thanks!

-- 
Joshua Branson (joshuaBPMan in #guix)
Sent from Emacs and Gnus
  https://gnucode.me
  https://video.hardlimit.com/accounts/joshua_branson/video-channels
  https://propernaming.org
  "You can have whatever you want, as long as you help
enough other people get what they want." - Zig Ziglar
  

Message #26 received at 39136 <at> debbugs.gnu.org (full text, mbox):

From: Oleg Pykhalov <go.wigust <at> gmail.com>
To: Joshua Branson <jbranso <at> dismail.de>
Cc: 39136 <at> debbugs.gnu.org
Subject: Re: bug#39136: [PATCH] gnu: services: Add endlessh.
Date: Mon, 22 Mar 2021 21:45:42 +0300

[Message part 1 (text/plain, inline)]

Hello,


I failed to test endlessh with "services: containerized endlessh" patch
in a virtual machine.  Unfortunately at the moment I'm not familiar with
‘make-forkexec-constructor/container’ machinery, and have no idea about
that causing the issue of boot hang.  Failed VM config in attachment.

[vm-image.tmpl (text/x-scheme, attachment)]

[Message part 3 (text/plain, inline)]

I succeeded to test without "services: containerized endlessh".  If wish
to fix a problem, ping me then you done.  Otherwise I could push a
working version without containerization.


Thanks,
Oleg.

[signature.asc (application/pgp-signature, inline)]

Message #29 received at 39136 <at> debbugs.gnu.org (full text, mbox):

From: Joshua Branson <jbranso <at> dismail.de>
To: Oleg Pykhalov <go.wigust <at> gmail.com>
Cc: 39136 <at> debbugs.gnu.org
Subject: Re: bug#39136: [PATCH] gnu: services: Add endlessh.
Date: Sun, 04 Apr 2021 09:31:51 -0400

Oleg Pykhalov <go.wigust <at> gmail.com> writes:

> Hello,
>
> I failed to test endlessh with "services: containerized endlessh" patch
> in a virtual machine.  Unfortunately at the moment I'm not familiar with
> ‘make-forkexec-constructor/container’ machinery, and have no idea about
> that causing the issue of boot hang.  Failed VM config in attachment.
>
>
>
>
> I succeeded to test without "services: containerized endlessh".  If wish
> to fix a problem, ping me then you done.  Otherwise I could push a
> working version without containerization.

Oh, I suppose that I will try to get containerization working on this
service.  I'd prefer to have it containerized, since it is running as
root.

Thanks!

>
> Thanks,
> Oleg.
>

--
Joshua Branson (joshuaBPMan in #guix)
Sent from Emacs and Gnus
  https://gnucode.me
  https://video.hardlimit.com/accounts/joshua_branson/video-channels
  https://propernaming.org
  "You can have whatever you want, as long as you help
enough other people get what they want." - Zig Ziglar

Message #32 received at 39136 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Joshua Branson <jbranso <at> dismail.de>
Cc: 39136 <at> debbugs.gnu.org
Subject: Re: bug#39136: [PATCH] gnu: services: Add endlessh.
Date: Wed, 31 Aug 2022 12:49:33 +0200

Hi Joshua,

Joshua Branson <jbranso <at> dismail.de> skribis:

> doc: endlessh service documentation.
>
> * doc/guix.texi (Networking Services): New endlessh-service-type section.
>
> services: containerized endlessh
>
> * gnu/services/ssh.scm (endlessh-config->conf): make-forkexec-contructor ->
> make-forkexec-constructor/container. and attempted to enable logging to syslog.
>   (define-record-type* <endlessh-configuration>)
>   move default values of endlessh configuration to separate line.
>   Add copyright line for Nicolo.

Could you merge both patch #1 and patch #2?  Usually doc is added in the
same commit as the thing being documented.

> +@cindex Endlessh
> +@deffn {Scheme Variable} endlessh-service-type
> +This is the type for the @uref{https://github.com/skeeto/endlessh,
> +Endlessh} program that delays ssh clients for days at a time by

Nitpick: s/ssh/SSH/.

> +@emph{very slowly} sending a random and endless SSH banner.  The smart
> +hacker will put endlessh running on port 22, and let crackers get stuck

Maybe “The smart hacker will put” -> “You would typically run”

> +   (start #~(make-forkexec-constructor/container

Let’s forget about ‘/container’ for now if it doesn’t work yet.

Perhaps we can have a minimal system test to make sure the thing is
running and listening on the right port?  There are tests for
full-fledged SSH servers in (gnu tests ssh) that could serve as
inspiration.

Could you send a (hopefully) last version with these changes?

Thanks in advance,
Ludo’.

Message #35 received at 39136 <at> debbugs.gnu.org (full text, mbox):

From: jbranso <at> dismail.de
To: "Ludovic Courtès" <ludo <at> gnu.org>
Cc: 39136 <at> debbugs.gnu.org
Subject: Re: bug#39136: [PATCH] gnu: services: Add endlessh.
Date: Wed, 31 Aug 2022 23:34:36 +0000

August 31, 2022 6:49 AM, "Ludovic Courtès" <ludo <at> gnu.org> wrote:

> Hi Joshua,
> 
> Joshua Branson <jbranso <at> dismail.de> skribis:
> 
>> doc: endlessh service documentation.
>> 
>> * doc/guix.texi (Networking Services): New endlessh-service-type section.
>> 
>> services: containerized endlessh
>> 
>> * gnu/services/ssh.scm (endlessh-config->conf): make-forkexec-contructor ->
>> make-forkexec-constructor/container. and attempted to enable logging to syslog.
>> (define-record-type* <endlessh-configuration>)
>> move default values of endlessh configuration to separate line.
>> Add copyright line for Nicolo.
> 
> Could you merge both patch #1 and patch #2? Usually doc is added in the
> same commit as the thing being documented.
> 
>> +@cindex Endlessh
>> +@deffn {Scheme Variable} endlessh-service-type
>> +This is the type for the @uref{https://github.com/skeeto/endlessh,
>> +Endlessh} program that delays ssh clients for days at a time by
> 
> Nitpick: s/ssh/SSH/.
> 
>> +@emph{very slowly} sending a random and endless SSH banner. The smart
>> +hacker will put endlessh running on port 22, and let crackers get stuck
> 
> Maybe “The smart hacker will put” -> “You would typically run”
> 
>> + (start #~(make-forkexec-constructor/container
> 
> Let’s forget about ‘/container’ for now if it doesn’t work yet.
> 
> Perhaps we can have a minimal system test to make sure the thing is
> running and listening on the right port? There are tests for
> full-fledged SSH servers in (gnu tests ssh) that could serve as
> inspiration.
> 
> Could you send a (hopefully) last version with these changes?

Will merge the doc and code changes and submit an updated patch soon.

Thanks!

Joshua

> 
> Thanks in advance,
> Ludo’.

Message #38 received at 39136 <at> debbugs.gnu.org (full text, mbox):

From: Joshua Branson <jbranso <at> dismail.de>
To: 39136 <at> debbugs.gnu.org
Cc: ludo <at> gnu.org, Nicolò Balzarotti <nicolo <at> nixo.xyz>
Subject: [PATCH] * gnu: endlessh: new service
Date: Fri, 30 Sep 2022 13:03:01 -0400

From: Nicolò Balzarotti <nicolo <at> nixo.xyz>

Here is an attempted merger of patch 1 and 2.  I hope that it applies
cleanly to master, but if it does not, please let me know!

Thanks!

Joshua

* gnu/services/ssh.scm: Add endlessh service
endlessh-configuration>): New record type.
(endlessh-config->conf, endlessh-shepherd-service, endlessh-service-type): New procedures.

* doc/guix.texi: added documnetation for the endlessh service.
---
 doc/guix.texi        | 60 ++++++++++++++++++++++++++++++++++++
 gnu/services/ssh.scm | 73 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 133 insertions(+)

diff --git a/doc/guix.texi b/doc/guix.texi
index 99f8ba6c54..9a1e2801dd 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -20393,6 +20393,66 @@ may cause undefined behaviour.
 @end table
 @end deftp
 
+@cindex Endlessh
+@deffn {Scheme Variable} endlessh-service-type
+This is the type for the @uref{https://github.com/skeeto/endlessh,
+Endlessh} service, which is an ssh tarbit.  It delays ssh clients for
+days at a time by @emph{very slowly} sending a random and endless SSH
+banner.  The smart hacker will run endlessh on port 22, and let crackers
+get stuck in this tarpit.  This lets your real ssh server run more
+securely on a non-standard port.
+
+For example:
+
+@lisp
+(service endlessh-service-type
+  (endlessh-configuration
+    (port-number 22)))
+@end lisp
+
+@end deffn
+
+@deftp {Data Type} endlessh-configuration
+Data type representing the configuration for @code{endlessh-service}.
+@table @asis
+@item @code{package} (default: @var{endlessh})
+@code{endlessh} package to use.
+
+@item @code{bind-family} (default: @code{'(ipv4 ipv6)})
+This specifies if endlessh should use ipv4 and/or ipv6.
+
+@item @code{delay} (default: @code{10000})
+The endless banner is sent one line at a time. This is the delay
+in milliseconds between individual lines.
+
+@item @code{length} (default: @code{32})
+The length of each line is randomized. This controls the maximum length
+of each line. Shorter lines may keep clients on for longer if they give
+up after a certain number of bytes.
+
+@item @code{max-clients} (default: @code{4096})
+Maximum number of connections to accept at a time. Connections beyond
+this are not immediately rejected, but will wait in the queue.
+
+@item @code{port-number} (default: @code{2222})
+The port on which to listen for new SSH connections.  Most users who
+want to use endlessh as intended should set this port number to
+@code{22}.
+
+@item @code{log-level} (default: @code{0})
+Set the detail level for the log.
+@table @asis
+@item  0 = Quiet
+@item  1 = Standard, useful log messages
+@item  2 = Very noisy debugging information
+@end table
+
+@item @code{syslog} (default: @code{#f})
+Print diagnostics to syslog instead of standard output
+
+@end table
+@end deftp
+
 @cindex WebSSH
 @deffn {Scheme Variable} webssh-service-type
 This is the type for the @uref{https://webssh.huashengdun.org/, WebSSH}
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 72e7183590..2e547b63cd 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -58,6 +58,10 @@ (define-module (gnu services ssh)
             autossh-configuration?
             autossh-service-type
 
+            endlessh-configuration
+            endlessh-configuration?
+            endlessh-service-type
+
             webssh-configuration
             webssh-configuration?
             webssh-service-type
@@ -802,6 +806,75 @@ (define autossh-service-type
                              autossh-service-activation)))
    (default-value (autossh-configuration))))
 
+
+;;;
+;;; Endlessh.
+;;;
+
+(define-record-type* <endlessh-configuration>
+  endlessh-configuration make-endlessh-configuration
+  endlessh-configuration?
+  ;; list of two symbols, allowed values are ipv4, ipv6 or both
+  (bind-family endlessh-configuration-bind-family (default '(ipv4 ipv6)))
+  ;; integer
+  (delay endlessh-configuration-delay (default 10000))
+  ;; integer
+  ;; Must be in the range
+  (length endlessh-configuration-length (default 32))
+  ;; integer
+  (max-clients endlessh-configuration-max-clients (default 4096))
+  ;; integer
+  (port-number endlessh-configuration-port-number (default 2222))
+  ;; integer
+  ;; Allowed values are 0, 1 and 2
+  (log-level endlessh-configuration-log-level (default 0)))
+
+(define (endlessh-config->conf config)
+  "Convert the CONFIG of type <endlessh-config> to a config file."
+  (let* ((family (endlessh-configuration-bind-family config))
+	 (ipv4 (member 'ipv4 family))
+	 (ipv6 (member 'ipv6 family))
+	 (port (endlessh-configuration-port-number config))
+	 (delay (endlessh-configuration-delay config))
+	 (length (endlessh-configuration-length config))
+	 (log-level (endlessh-configuration-log-level config))
+	 (max-clients (endlessh-configuration-max-clients config))
+	 (bind
+	  ;; check if both are true (0), or only one of them is present
+	  (if (not (and (equal? ipv4 ipv6) ipv4))
+	      (if ipv4 4
+		  (if ipv6 6
+		      (throw 'endlessh-error
+			     "bind-family must contain at least one value")))
+	      0)))
+    (mixed-text-file "endlessh.conf"
+		     "# Generated by 'endlessh-config'.\n\n"
+		     "Port " (number->string port) "\n"
+		     "Delay " (number->string delay) "\n"
+		     "MaxLineLength " (number->string length) "\n"
+		     "MaxClients " (number->string max-clients) "\n"
+		     "LogLevel " (number->string log-level) "\n"
+		     "BindFamily " (number->string bind) "\n")))
+
+(define (endlessh-shepherd-service config)
+  (shepherd-service
+   (documentation "Run endlessh tarpit server.")
+   (provision '(endlessh))
+   (start #~(make-forkexec-constructor
+	     (list #$(file-append endlessh "/bin/endlessh")
+		   "-f" #$(endlessh-config->conf config))))
+   (stop  #~(make-kill-destructor))))
+
+(define endlessh-service-type
+  (service-type
+   (name 'endlessh)
+   (description "Run endlessh tarpit server.")
+   (extensions
+    (list (service-extension shepherd-root-service-type
+                             (compose list endlessh-shepherd-service))))
+   (default-value (endlessh-configuration))))
+
+
 
 ;;;
 ;;; WebSSH
-- 
2.37.3

Message #41 received at 39136 <at> debbugs.gnu.org (full text, mbox):

From: Joshua Branson <jbranso <at> dismail.de>
To: 39136 <at> debbugs.gnu.org
Cc: ludo <at> gnu.org, Nicolò Balzarotti <nicolo <at> nixo.xyz>
Subject: [PATCH] * gnu: endlessh: new service
Date: Fri, 30 Sep 2022 13:08:36 -0400

From: Nicolò Balzarotti <nicolo <at> nixo.xyz>

* gnu/services/ssh.scm: Add endlessh service
endlessh-configuration>): New record type.
(endlessh-config->conf, endlessh-shepherd-service, endlessh-service-type): New procedures.

* doc/guix.texi: added documnetation for the endlessh service.
---
 doc/guix.texi        | 60 ++++++++++++++++++++++++++++++++++++
 gnu/services/ssh.scm | 73 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 133 insertions(+)

diff --git a/doc/guix.texi b/doc/guix.texi
index 99f8ba6c54..9a1e2801dd 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -20393,6 +20393,66 @@ may cause undefined behaviour.
 @end table
 @end deftp
 
+@cindex Endlessh
+@deffn {Scheme Variable} endlessh-service-type
+This is the type for the @uref{https://github.com/skeeto/endlessh,
+Endlessh} service, which is an ssh tarbit.  It delays ssh clients for
+days at a time by @emph{very slowly} sending a random and endless SSH
+banner.  The smart hacker will run endlessh on port 22, and let crackers
+get stuck in this tarpit.  This lets your real ssh server run more
+securely on a non-standard port.
+
+For example:
+
+@lisp
+(service endlessh-service-type
+  (endlessh-configuration
+    (port-number 22)))
+@end lisp
+
+@end deffn
+
+@deftp {Data Type} endlessh-configuration
+Data type representing the configuration for @code{endlessh-service}.
+@table @asis
+@item @code{package} (default: @var{endlessh})
+@code{endlessh} package to use.
+
+@item @code{bind-family} (default: @code{'(ipv4 ipv6)})
+This specifies if endlessh should use ipv4 and/or ipv6.
+
+@item @code{delay} (default: @code{10000})
+The endless banner is sent one line at a time. This is the delay
+in milliseconds between individual lines.
+
+@item @code{length} (default: @code{32})
+The length of each line is randomized. This controls the maximum length
+of each line. Shorter lines may keep clients on for longer if they give
+up after a certain number of bytes.
+
+@item @code{max-clients} (default: @code{4096})
+Maximum number of connections to accept at a time. Connections beyond
+this are not immediately rejected, but will wait in the queue.
+
+@item @code{port-number} (default: @code{2222})
+The port on which to listen for new SSH connections.  Most users who
+want to use endlessh as intended should set this port number to
+@code{22}.
+
+@item @code{log-level} (default: @code{0})
+Set the detail level for the log.
+@table @asis
+@item  0 = Quiet
+@item  1 = Standard, useful log messages
+@item  2 = Very noisy debugging information
+@end table
+
+@item @code{syslog} (default: @code{#f})
+Print diagnostics to syslog instead of standard output
+
+@end table
+@end deftp
+
 @cindex WebSSH
 @deffn {Scheme Variable} webssh-service-type
 This is the type for the @uref{https://webssh.huashengdun.org/, WebSSH}
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 72e7183590..2e547b63cd 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -58,6 +58,10 @@ (define-module (gnu services ssh)
             autossh-configuration?
             autossh-service-type
 
+            endlessh-configuration
+            endlessh-configuration?
+            endlessh-service-type
+
             webssh-configuration
             webssh-configuration?
             webssh-service-type
@@ -802,6 +806,75 @@ (define autossh-service-type
                              autossh-service-activation)))
    (default-value (autossh-configuration))))
 
+
+;;;
+;;; Endlessh.
+;;;
+
+(define-record-type* <endlessh-configuration>
+  endlessh-configuration make-endlessh-configuration
+  endlessh-configuration?
+  ;; list of two symbols, allowed values are ipv4, ipv6 or both
+  (bind-family endlessh-configuration-bind-family (default '(ipv4 ipv6)))
+  ;; integer
+  (delay endlessh-configuration-delay (default 10000))
+  ;; integer
+  ;; Must be in the range
+  (length endlessh-configuration-length (default 32))
+  ;; integer
+  (max-clients endlessh-configuration-max-clients (default 4096))
+  ;; integer
+  (port-number endlessh-configuration-port-number (default 2222))
+  ;; integer
+  ;; Allowed values are 0, 1 and 2
+  (log-level endlessh-configuration-log-level (default 0)))
+
+(define (endlessh-config->conf config)
+  "Convert the CONFIG of type <endlessh-config> to a config file."
+  (let* ((family (endlessh-configuration-bind-family config))
+	 (ipv4 (member 'ipv4 family))
+	 (ipv6 (member 'ipv6 family))
+	 (port (endlessh-configuration-port-number config))
+	 (delay (endlessh-configuration-delay config))
+	 (length (endlessh-configuration-length config))
+	 (log-level (endlessh-configuration-log-level config))
+	 (max-clients (endlessh-configuration-max-clients config))
+	 (bind
+	  ;; check if both are true (0), or only one of them is present
+	  (if (not (and (equal? ipv4 ipv6) ipv4))
+	      (if ipv4 4
+		  (if ipv6 6
+		      (throw 'endlessh-error
+			     "bind-family must contain at least one value")))
+	      0)))
+    (mixed-text-file "endlessh.conf"
+		     "# Generated by 'endlessh-config'.\n\n"
+		     "Port " (number->string port) "\n"
+		     "Delay " (number->string delay) "\n"
+		     "MaxLineLength " (number->string length) "\n"
+		     "MaxClients " (number->string max-clients) "\n"
+		     "LogLevel " (number->string log-level) "\n"
+		     "BindFamily " (number->string bind) "\n")))
+
+(define (endlessh-shepherd-service config)
+  (shepherd-service
+   (documentation "Run endlessh tarpit server.")
+   (provision '(endlessh))
+   (start #~(make-forkexec-constructor
+	     (list #$(file-append endlessh "/bin/endlessh")
+		   "-f" #$(endlessh-config->conf config))))
+   (stop  #~(make-kill-destructor))))
+
+(define endlessh-service-type
+  (service-type
+   (name 'endlessh)
+   (description "Run endlessh tarpit server.")
+   (extensions
+    (list (service-extension shepherd-root-service-type
+                             (compose list endlessh-shepherd-service))))
+   (default-value (endlessh-configuration))))
+
+
 
 ;;;
 ;;; WebSSH
-- 
2.37.3

Message #44 received at 39136 <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Joshua Branson <jbranso <at> dismail.de>
Cc: Oleg Pykhalov <go.wigust <at> gmail.com>, 39136 <at> debbugs.gnu.org
Subject: Re: bug#39136: [PATCH] gnu: services: Add endlessh.
Date: Thu, 31 Aug 2023 22:37:02 -0400

Hello,

Joshua Branson <jbranso <at> dismail.de> writes:

> Oleg Pykhalov <go.wigust <at> gmail.com> writes:
>
>> Hello,
>>
>> I failed to test endlessh with "services: containerized endlessh" patch
>> in a virtual machine.  Unfortunately at the moment I'm not familiar with
>> ‘make-forkexec-constructor/container’ machinery, and have no idea about
>> that causing the issue of boot hang.  Failed VM config in attachment.
>>
>>
>>
>>
>> I succeeded to test without "services: containerized endlessh".  If wish
>> to fix a problem, ping me then you done.  Otherwise I could push a
>> working version without containerization.
>
> Oh, I suppose that I will try to get containerization working on this
> service.  I'd prefer to have it containerized, since it is running as
> root.

This was 2 years ago :-).  Any update?

-- 
Thanks,
Maxim

Message #49 received at 39136 <at> debbugs.gnu.org (full text, mbox):

From: jbranso <at> dismail.de
To: "Maxim Cournoyer" <maxim.cournoyer <at> gmail.com>
Cc: Oleg Pykhalov <go.wigust <at> gmail.com>, 39136 <at> debbugs.gnu.org
Subject: Re: bug#39136: [PATCH] gnu: services: Add endlessh.
Date: Fri, 01 Sep 2023 18:42:09 +0000

August 31, 2023 10:37 PM, "Maxim Cournoyer" <maxim.cournoyer <at> gmail.com> wrote:

> Hello,
> 
> Joshua Branson <jbranso <at> dismail.de> writes:
> 
>> Oleg Pykhalov <go.wigust <at> gmail.com> writes:
>> 
>>> Hello,
>>> 
>>> I failed to test endlessh with "services: containerized endlessh" patch
>>> in a virtual machine. Unfortunately at the moment I'm not familiar with
>>> ‘make-forkexec-constructor/container’ machinery, and have no idea about
>>> that causing the issue of boot hang. Failed VM config in attachment.
>>> 
>>> I succeeded to test without "services: containerized endlessh". If wish
>>> to fix a problem, ping me then you done. Otherwise I could push a
>>> working version without containerization.
>> 
>> Oh, I suppose that I will try to get containerization working on this
>> service. I'd prefer to have it containerized, since it is running as
>> root.
> 
> This was 2 years ago :-). Any update?

If you are ok with a non-containerized endlessh, then I can submit a patch 
adding that.  Endlessh works on guix system, but I was not able to get
the containerized version working.

> 
> --
> Thanks,
> Maxim

Message #52 received at 39136 <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: jbranso <at> dismail.de
Cc: Oleg Pykhalov <go.wigust <at> gmail.com>, 39136 <at> debbugs.gnu.org
Subject: Re: bug#39136: [PATCH] gnu: services: Add endlessh.
Date: Sat, 02 Sep 2023 14:10:15 -0400

Hello,

jbranso <at> dismail.de writes:

> August 31, 2023 10:37 PM, "Maxim Cournoyer" <maxim.cournoyer <at> gmail.com> wrote:
>
>> Hello,
>> 
>> Joshua Branson <jbranso <at> dismail.de> writes:
>> 
>>> Oleg Pykhalov <go.wigust <at> gmail.com> writes:
>>> 
>>>> Hello,
>>>> 
>>>> I failed to test endlessh with "services: containerized endlessh" patch
>>>> in a virtual machine. Unfortunately at the moment I'm not familiar with
>>>> ‘make-forkexec-constructor/container’ machinery, and have no idea about
>>>> that causing the issue of boot hang. Failed VM config in attachment.
>>>> 
>>>> I succeeded to test without "services: containerized endlessh". If wish
>>>> to fix a problem, ping me then you done. Otherwise I could push a
>>>> working version without containerization.
>>> 
>>> Oh, I suppose that I will try to get containerization working on this
>>> service. I'd prefer to have it containerized, since it is running as
>>> root.
>> 
>> This was 2 years ago :-). Any update?
>
> If you are ok with a non-containerized endlessh, then I can submit a patch 
> adding that.  Endlessh works on guix system, but I was not able to get
> the containerized version working.

If you could make a system test to go with it, that'd be super!  We can
always refine later with regard to containerization.

-- 
Thanks,
Maxim

Message #57 received at 39136-done <at> debbugs.gnu.org (full text, mbox):

From: Simon Tournier <zimon.toutoune <at> gmail.com>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: Oleg Pykhalov <go.wigust <at> gmail.com>, 39136-done <at> debbugs.gnu.org,
 jbranso <at> dismail.de
Subject: Re: [bug#39136] [PATCH] gnu: services: Add endlessh.
Date: Fri, 21 Feb 2025 23:00:17 +0100

Hi,

For reference: https://issues.guix.gnu.org/issue/39136

On Sat, 02 Sep 2023 at 14:10, Maxim Cournoyer <maxim.cournoyer <at> gmail.com> wrote:
>> August 31, 2023 10:37 PM, "Maxim Cournoyer" <maxim.cournoyer <at> gmail.com> wrote:

>>>>> I failed to test endlessh with "services: containerized endlessh" patch
>>>>> in a virtual machine. Unfortunately at the moment I'm not familiar with
>>>>> ‘make-forkexec-constructor/container’ machinery, and have no idea about
>>>>> that causing the issue of boot hang. Failed VM config in attachment.
>>>>>
>>>>> I succeeded to test without "services: containerized endlessh". If wish
>>>>> to fix a problem, ping me then you done. Otherwise I could push a
>>>>> working version without containerization.
>>>>
>>>> Oh, I suppose that I will try to get containerization working on this
>>>> service. I'd prefer to have it containerized, since it is running as
>>>> root.
>>>
>>> This was 2 years ago :-). Any update?

No more info since 1 year, 24 weeks, 6 days.

Closing.

Feel free to reopen if I’m missing something.

Cheers,
simon

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.