From: Joshua Branson via Guix-patches via <guix-patches@gnu.org>
To: 39136@debbugs.gnu.org
Cc: ludo@gnu.org, "Nicolò Balzarotti" <nicolo@nixo.xyz>
Subject: [bug#39136] [PATCH] * gnu: endlessh: new service
Date: Fri, 30 Sep 2022 13:03:01 -0400
Message-ID: <20220930170301.21324-1-jbranso@dismail.de>
In-Reply-To: <874kwx91k6.fsf@guixSD.i-did-not-set--mail-host-address--so-tickle-me>
From: Nicolò Balzarotti <nicolo@nixo.xyz>
Here is an attempted merger of patch 1 and 2. I hope that it applies
cleanly to master, but if it does not, please let me know!
Thanks!
Joshua
* gnu/services/ssh.scm: Add endlessh service
(<endlessh-configuration>): New record type.
(endlessh-config->conf, endlessh-shepherd-service, endlessh-service-type): New procedures.
* doc/guix.texi: added documentation for the endlessh service.
---
doc/guix.texi | 60 ++++++++++++++++++++++++++++++++++++
gnu/services/ssh.scm | 73 ++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 133 insertions(+)
diff --git a/doc/guix.texi b/doc/guix.texi
index 99f8ba6c54..9a1e2801dd 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -20393,6 +20393,66 @@ may cause undefined behaviour.
@end table
@end deftp
+@cindex Endlessh
+@deffn {Scheme Variable} endlessh-service-type
+This is the type for the @uref{https://github.com/skeeto/endlessh,
+Endlessh} service, which is an ssh tarbit. It delays ssh clients for
+days at a time by @emph{very slowly} sending a random and endless SSH
+banner. The smart hacker will run endlessh on port 22, and let crackers
+get stuck in this tarpit. This lets your real ssh server run more
+securely on a non-standard port.
+
+For example:
+
+@lisp
+(service endlessh-service-type
+ (endlessh-configuration
+ (port-number 22)))
+@end lisp
+
+@end deffn
+
+@deftp {Data Type} endlessh-configuration
+Data type representing the configuration for @code{endlessh-service}.
+@table @asis
+@item @code{package} (default: @var{endlessh})
+@code{endlessh} package to use.
+
+@item @code{bind-family} (default: @code{'(ipv4 ipv6)})
+This specifies if endlessh should use ipv4 and/or ipv6.
+
+@item @code{delay} (default: @code{10000})
+The endless banner is sent one line at a time. This is the delay
+in milliseconds between individual lines.
+
+@item @code{length} (default: @code{32})
+The length of each line is randomized. This controls the maximum length
+of each line. Shorter lines may keep clients on for longer if they give
+up after a certain number of bytes.
+
+@item @code{max-clients} (default: @code{4096})
+Maximum number of connections to accept at a time. Connections beyond
+this are not immediately rejected, but will wait in the queue.
+
+@item @code{port-number} (default: @code{2222})
+The port on which to listen for new SSH connections. Most users who
+want to use endlessh as intended should set this port number to
+@code{22}.
+
+@item @code{log-level} (default: @code{0})
+Set the detail level for the log.
+@table @asis
+@item 0 = Quiet
+@item 1 = Standard, useful log messages
+@item 2 = Very noisy debugging information
+@end table
+
+@item @code{syslog} (default: @code{#f})
+Print diagnostics to syslog instead of standard output
+
+@end table
+@end deftp
+
@cindex WebSSH
@deffn {Scheme Variable} webssh-service-type
This is the type for the @uref{https://webssh.huashengdun.org/, WebSSH}
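Review bot: The manual and the record type disagree: this hunk documents `package` (default `endlessh`) and `syslog` (default `#f`) fields, but the `<endlessh-configuration>` record added in gnu/services/ssh.scm defines neither, so a user who sets them gets an error; either add both fields (and emit `syslog` into the generated config) or drop the two entries. Smaller fixes in the same hunk: "ssh tarbit" should read "SSH tarpit", the `@deftp` sentence should name `endlessh-service-type` rather than `endlessh-service`, and the "lets your real ssh server run more securely on a non-standard port" claim overstates things: a tarpit on 22 only reduces scanner noise, it does not harden the sshd moved elsewhere, so word it as a decoy rather than a security gain.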
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 72e7183590..2e547b63cd 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -58,6 +58,10 @@ (define-module (gnu services ssh)
autossh-configuration?
autossh-service-type
+ endlessh-configuration
+ endlessh-configuration?
+ endlessh-service-type
+
webssh-configuration
webssh-configuration?
webssh-service-type
@@ -802,6 +806,75 @@ (define autossh-service-type
autossh-service-activation)))
(default-value (autossh-configuration))))
+\f
+;;;
+;;; Endlessh.
+;;;
+
+(define-record-type* <endlessh-configuration>
+ endlessh-configuration make-endlessh-configuration
+ endlessh-configuration?
+ ;; list of two symbols, allowed values are ipv4, ipv6 or both
+ (bind-family endlessh-configuration-bind-family (default '(ipv4 ipv6)))
+ ;; integer
+ (delay endlessh-configuration-delay (default 10000))
+ ;; integer
+ ;; Must be in the range
+ (length endlessh-configuration-length (default 32))
+ ;; integer
+ (max-clients endlessh-configuration-max-clients (default 4096))
+ ;; integer
+ (port-number endlessh-configuration-port-number (default 2222))
+ ;; integer
+ ;; Allowed values are 0, 1 and 2
+ (log-level endlessh-configuration-log-level (default 0)))
+
+(define (endlessh-config->conf config)
+ "Convert the CONFIG of type <endlessh-config> to a config file."
+ (let* ((family (endlessh-configuration-bind-family config))
+ (ipv4 (member 'ipv4 family))
+ (ipv6 (member 'ipv6 family))
+ (port (endlessh-configuration-port-number config))
+ (delay (endlessh-configuration-delay config))
+ (length (endlessh-configuration-length config))
+ (log-level (endlessh-configuration-log-level config))
+ (max-clients (endlessh-configuration-max-clients config))
+ (bind
+ ;; check if both are true (0), or only one of them is present
+ (if (not (and (equal? ipv4 ipv6) ipv4))
+ (if ipv4 4
+ (if ipv6 6
+ (throw 'endlessh-error
+ "bind-family must contain at least one value")))
+ 0)))
+ (mixed-text-file "endlessh.conf"
+ "# Generated by 'endlessh-config'.\n\n"
+ "Port " (number->string port) "\n"
+ "Delay " (number->string delay) "\n"
+ "MaxLineLength " (number->string length) "\n"
+ "MaxClients " (number->string max-clients) "\n"
+ "LogLevel " (number->string log-level) "\n"
+ "BindFamily " (number->string bind) "\n")))
+
+(define (endlessh-shepherd-service config)
+ (shepherd-service
+ (documentation "Run endlessh tarpit server.")
+ (provision '(endlessh))
+ (start #~(make-forkexec-constructor
+ (list #$(file-append endlessh "/bin/endlessh")
+ "-f" #$(endlessh-config->conf config))))
+ (stop #~(make-kill-destructor))))
+
+(define endlessh-service-type
+ (service-type
+ (name 'endlessh)
+ (description "Run endlessh tarpit server.")
+ (extensions
+ (list (service-extension shepherd-root-service-type
+ (compose list endlessh-shepherd-service))))
+ (default-value (endlessh-configuration))))
+
+
\f
;;;
;;; WebSSH
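Review bot: The `BindFamily` computation in `endlessh-config->conf` is wrong for the default configuration. `member` returns the tail of the list, so for `'(ipv4 ipv6)` the bindings are `ipv4 = (ipv4 ipv6)` and `ipv6 = (ipv6)`; `(equal? ipv4 ipv6)` is therefore false, control falls into `(if ipv4 4 ...)`, and the file gets `BindFamily 4` (IPv4 only). The value `0` is never produced, and the `throw` is only reachable when both are `#f`. Replace the nested `if`s with `(cond ((and ipv4 ipv6) 0) (ipv4 4) (ipv6 6) (else (throw 'endlessh-error "bind-family must contain at least one value")))`. Further points in this hunk: the `let*` shadows Guile's `delay` and `length` (rename to e.g. `line-delay` and `max-line-length`); the docstring refers to `<endlessh-config>` but the type is `<endlessh-configuration>`; the `;; Must be in the range` comment on `length` is unfinished and `log-level` is never checked against the documented 0, 1, 2 values, so an out-of-range value is silently written to the config file; `endlessh-shepherd-service` hard-codes the `endlessh` package via `file-append` instead of reading it from the configuration (which is what the manual's `package` field promises), and the hunk adds no module import for that variable, so confirm it is in scope; the `make-forkexec-constructor` call has no `#:user`, so the tarpit runs as root for its whole lifetime, and a dedicated unprivileged account added through `account-service-type` would be the usual Guix pattern, with `(requirement '(networking))` on the shepherd service; finally, drop the two trailing blank lines before the `\f` separator.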
--
2.37.3