From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: [bug#39136] [PATCH 2/2] services: containerized endlessh
From: Joshua Branson via Guix-patches
To: 39136@debbugs.gnu.org
Cc: Joshua Branson
Date: Mon, 15 Mar 2021 12:29:49 -0400
Message-Id: <20210315162949.17092-2-jbranso@dismail.de>
In-Reply-To: <20210315162949.17092-1-jbranso@dismail.de>
References: <20210315162949.17092-1-jbranso@dismail.de>
X-Mailer: git-send-email 2.30.0

doc: endlessh service documentation.

* doc/guix.texi (Networking Services): New endlessh-service-type section.

services: containerized endlessh

* gnu/services/ssh.scm (endlessh-config->conf): make-forkexec-constructor ->
make-forkexec-constructor/container, and attempted to enable logging to syslog.
(define-record-type* ) move default values of endlessh configuration to
separate line.
Add copyright line for Nicolò.
---
 doc/guix.texi        | 60 ++++++++++++++++++++++++++++++++++++++++++++
 gnu/services/ssh.scm | 35 ++++++++++++++++++--------
 2 files changed, 85 insertions(+), 10 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 464c1141d8..38807b3069 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -17081,6 +17081,66 @@ may cause undefined behaviour. @end table @end deftp +@cindex Endlessh +@deffn {Scheme Variable} endlessh-service-type +This is the type for the @uref{https://github.com/skeeto/endlessh, +Endlessh} program that delays ssh clients for days at a time by +@emph{very slowly} sending a random and endless SSH banner. The smart +hacker will put endlessh running on port 22, and let crackers get stuck +in this tarpit. This lets your real ssh server run more securely on a +non-standard port. + +For example: + +@lisp +(service endlessh-service-type + (endlessh-configuration + (port-number 22))) +@end lisp + +@end deffn + +@deftp {Data Type} endlessh-configuration +Data type representing the configuration for @code{endlessh-service}. +@table @asis +@item @code{package} (default: @var{endlessh}) +@code{endlessh} package to use. + +@item @code{bind-family} (default: @code{'(ipv4 ipv6)}) +This specifies if endlessh should use ipv4 and/or ipv6. + +@item @code{delay} (default: @code{10000}) +The endless banner is sent one line at a time. This is the delay +in milliseconds between individual lines. + +@item @code{length} (default: @code{32}) +The length of each line is randomized. This controls the maximum length +of each line. Shorter lines may keep clients on for longer if they give +up after a certain number of bytes. + +@item @code{max-clients} (default: @code{4096}) +Maximum number of connections to accept at a time. Connections beyond +this are not immediately rejected, but will wait in the queue. + +@item @code{port-number} (default: @code{2222}) +The port on which to listen for new SSH connections. Most users who +want to use endlessh as intended should set this port number to +@code{22}. + +@item @code{log-level} (default: @code{0}) +Set the detail level for the log. 
+@table @asis +@item 0 = Quiet +@item 1 = Standard, useful log messages +@item 2 = Very noisy debugging information +@end table + +@item @code{syslog} (default: @code{#f}) +Print diagnostics to syslog instead of standard output + +@end table +@end deftp + @cindex WebSSH @deffn {Scheme Variable} webssh-service-type This is the type for the @uref{https://webssh.huashengdun.org/, WebSSH} diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm index aad9bbc754..838655cf2c 100644 --- a/gnu/services/ssh.scm +++ b/gnu/services/ssh.scm @@ -6,6 +6,8 @@ ;;; Copyright © 2019 Ricardo Wurmus ;;; Copyright © 2020 pinoaffe ;;; Copyright © 2020 Oleg Pykhalov +;;; Copyright © 2020 Nicolò Balzarotti +;;; Copyright @ 2021 Joshua Branson ;;; ;;; This file is part of GNU Guix. ;;; @@ -752,19 +754,25 @@ object." endlessh-configuration make-endlessh-configuration endlessh-configuration? ;; list of two symbols, allowed values are ipv4, ipv6 or both - (bind-family endlessh-configuration-bind-family (default '(ipv4 ipv6))) + (bind-family endlessh-configuration-bind-family + (default '(ipv4 ipv6))) ;; integer - (delay endlessh-configuration-delay (default 10000)) + (delay endlessh-configuration-delay + (default 10000)) ;; integer ;; Must be in the range - (length endlessh-configuration-length (default 32)) + (length endlessh-configuration-length + (default 32)) ;; integer - (max-clients endlessh-configuration-max-clients (default 4096)) + (max-clients endlessh-configuration-max-clients + (default 4096)) ;; integer - (port-number endlessh-configuration-port-number (default 2222)) + (port-number endlessh-configuration-port-number + (default 2222)) ;; integer ;; Allowed values are 0, 1 and 2 - (log-level endlessh-configuration-log-level (default 0))) + (log-level endlessh-configuration-log-level + (default 0))) (define (endlessh-config->conf config) "Convert the CONFIG of type to a config file." 
@@ -797,15 +805,22 @@ object." (shepherd-service (documentation "Run endlessh tarpit server.") (provision '(endlessh)) - (start #~(make-forkexec-constructor - (list #$(file-append endlessh "/bin/endlessh") - "-f" #$(endlessh-config->conf config)))) + (start #~(make-forkexec-constructor/container + `(list #$(file-append endlessh "/bin/endlessh") + ,(if (positive? (endlessh-configuration-log-level config)) + "-s" + "") + "-f" #$(endlessh-config->conf config)))) (stop #~(make-kill-destructor)))) (define endlessh-service-type (service-type (name 'endlessh) - (description "Run endlessh tarpit server.") + (description "Endlessh is an SSH tarpit that very slowly sends an endless, +random SSH banner. It keeps SSH clients locked up for hours or even days at a +time. The purpose is to put your real SSH server on another port and then let +the script kiddies get stuck in this tarpit instead of bothering a real +server.") (extensions (list (service-extension shepherd-root-service-type (compose list endlessh-shepherd-service)))) -- 2.30.0
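Review bot: in the doc/guix.texi hunk (@@ -17081,6 +17081,66 @@), the documented fields do not match the record defined in the gnu/services/ssh.scm hunk: `@item @code{package} (default: @var{endlessh})` and `@item @code{syslog} (default: @code{#f})` are described, but the `define-record-type*` hunk shows `bind-family` as the first field after `endlessh-configuration?` and contains no `syslog` field, and the shepherd hunk instead turns on `-s` whenever `log-level` is positive. Either add those two fields to the record or drop them from the manual and state that syslog output is enabled when `log-level` is above 0. Two smaller points: `@deftp {Data Type} endlessh-configuration` says it configures `@code{endlessh-service}`, while the variable this section introduces is `endlessh-service-type`; and the commit message carries two separate changelog entries ("doc: ..." and "services: ..."), so the manual addition would be cleaner as its own commit with a single subject line.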
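Review bot: in the copyright hunk (@@ -6,6 +6,8 @@), `;;; Copyright @ 2021 Joshua Branson` uses an at sign where every surrounding line, including the Nicolò Balzarotti line added just above it, uses the © symbol; make it `;;; Copyright © 2021 Joshua Branson`.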
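Review bot: the record hunk (@@ -752,19 +754,25 @@) only moves each `(default ...)` onto its own line; that is a cosmetic change unrelated to running endlessh in a container and would be easier to review as a separate commit. While these lines are being touched, the unchanged comment `;; Must be in the range` above `length` still does not say which range, and nothing in this hunk checks the values: a `log-level` outside the `0, 1 and 2` the comment names, or an out-of-range `length`, goes straight into the config file produced by `endlessh-config->conf`. Consider completing the comment and adding a sanity check on the field values.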
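Review bot: the new `start` form in the shepherd hunk (@@ -797,15 +805,22 @@) has two problems. First, the quasiquote in `` `(list #$(file-append endlessh "/bin/endlessh") ... `` makes `list` a quoted symbol rather than a procedure call, and `,(if (positive? (endlessh-configuration-log-level config)) "-s" "")` is an ordinary unquote that is evaluated inside the Shepherd process at boot, where neither `config` nor `endlessh-configuration-log-level` is bound. The condition must be decided on the build side with `#$`/`#$@`, e.g. `(list #$(file-append endlessh "/bin/endlessh") #$@(if (positive? (endlessh-configuration-log-level config)) '("-s") '()) "-f" #$(endlessh-config->conf config))`, which also stops an empty string `""` from being passed as an argument when `log-level` is 0. Second, `make-forkexec-constructor/container` runs endlessh in its own mount namespace, so `-s` can only reach syslog if `/dev/log` is visible there; pass a `file-system-mapping` for `/dev/log` via `#:mappings`, as other containerised services do, otherwise the "attempted" syslog logging will fail quietly. Minor: the expanded `description` now duplicates the manual text; a one-line description is enough since the manual carries the long form.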