[Support] FoxxMD - endlessh-go


FoxxMD


Application Name: endlessh-go

Application Site: https://github.com/shizunge/endlessh-go

Github Repo: https://github.com/shizunge/endlessh-go

Docker Hub: https://hub.docker.com/r/shizunge/endlessh-go

Template Repo: https://github.com/FoxxMD/unraid-docker-templates

 

Overview

 

Endlessh is an SSH tarpit that very slowly sends an endless, random SSH banner. It keeps SSH clients locked up for hours or even days at a time. The purpose is to put your real SSH server on another port and then let the script kiddies get stuck in this tarpit instead of bothering a real server.

 

Linuxserver.io provides the original endlessh on CA -- this is not that. This is a re-implementation of the original endlessh in golang with additional features, namely, translating IP addresses to Geohash and exporting Prometheus metrics which can be visualized with a Grafana dashboard.

 

Usage

The app requires no setup outside of what the template already provides. You do not need to use the exported metrics in order for the app to work for its primary function (SSH tarpit).

 

!!!!!!!! Be extremely careful when configuring port forwarding for this !!!!!!!!:

  • DO NOT forward port 22 directly to unraid. Instead, forward external port 22 to unraid on port 2222 (or whatever you configure for the container)
  • Double check your unraid SSH settings under Management Access
    • If you do not need SSH, make sure "Use SSH" is set to "No"
    • If you do need it, make sure it is NOT the same port you are forwarding to unraid for Endlessh

 

Setting up Metrics

In order to use and visualize the exported metrics you will need to set up a Prometheus container and a Grafana container.

 

Prometheus

Find in CA under "Prometheus" and install

(screenshot: Prometheus listing in CA)

In /mnt/user/appdata/prometheus/etc create or edit prometheus.yml to include this text block:

 

scrape_configs:
  - job_name: 'endlessh'
    scrape_interval: 60s
    static_configs:
      - targets: ['HOST_IP:2112']

 

Replace HOST_IP with the IP of your unraid host machine.

Restart the Prometheus container to start collecting metrics.

 

Grafana

Find in CA under "Grafana" and install

(screenshot: Grafana listing in CA)

After you have gone through initial setup and logged in to Grafana:

  • Open hamburger menu (top left) -> Connections -> Add new connection -> Prometheus
    • Under Connection (Prometheus server URL) use your unraid host IP and the Port Prometheus was configured with: http://UNRAID_IP:9090
    • Save & Test
  • Open hamburger menu -> Dashboards
    • New -> Import
    • Use ID 15156 -> Load
      • Select a Prometheus data source -> use the prometheus data source you just created
      • Import

 

You should now have a saved Dashboard that will visualize your endlessh-go metrics like this

 

(screenshot: Grafana dashboard populated with endlessh-go metrics)

 

It may take some time for anything to populate as you need to wait for attackers to find your honeypot :)

 

Logging

The container logs all output to the docker container logs by default. If you wish to also log to a file, modify your container like so:

 

  • In Post Arguments replace -logtostderr with -alsologtostderr
  • In Post Arguments append this to the end: -log_dir=/config
  • In Extra Parameters add this: --user=99:100
  • Add a new Path variable
    • Container Path: /config
    • Host Path: /mnt/user/appdata/endlessh-go

 

Your settings will look like this after all modifications are done:

 

(screenshot: container settings after the logging modifications)

 

Edited by FoxxMD
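For anyone wondering what "very slowly sends an endless, random SSH banner" looks like on the wire, here is an added illustration in Go. It is not endlessh-go's code and not part of the template; it implements the mechanism the overview describes: RFC 4253 allows a server to send lines before its version string, and a client must keep reading until a line starting with "SSH-" arrives, so a never-ending stream of lines that never start with "SSH-", sent with a pause between them, holds the client open at almost no cost to the server. The listen address, maximum line length and 10 s pause are values chosen for this example, not the project's defaults.

```go
package main

import (
	"bufio"
	"log"
	"math/rand"
	"net"
	"strings"
	"time"
)

// maxLineLen bounds each banner line (a value chosen for this example).
const maxLineLen = 64

// bannerLine returns one random printable line terminated by CRLF that never
// begins with "SSH-". RFC 4253 section 4.2 lets a server send such lines before
// its version string and requires clients to keep reading until a line that does
// begin with "SSH-" arrives, so an endless stream of these keeps the client waiting.
func bannerLine(r *rand.Rand) string {
	n := 3 + r.Intn(maxLineLen-3) // 3..63 characters before the CRLF
	b := make([]byte, n)
	for i := range b {
		b[i] = byte(32 + r.Intn(95)) // printable ASCII 0x20..0x7e, never NUL
	}
	if strings.HasPrefix(string(b), "SSH-") {
		b[0] = '#' // a line must never look like the real version exchange
	}
	return string(b) + "\r\n"
}

// tarpit drips banner lines to one connection, pausing delay between lines,
// until the peer disconnects or maxLines (0 = unbounded) is reached. It returns
// the number of lines written. The pause is the whole point: the tarpit spends
// almost nothing per client while the client sits waiting for a version string.
func tarpit(conn net.Conn, delay time.Duration, maxLines int, r *rand.Rand) int {
	defer conn.Close()
	sent := 0
	for maxLines == 0 || sent < maxLines {
		if _, err := conn.Write([]byte(bannerLine(r))); err != nil {
			return sent // the client gave up; that is the normal exit
		}
		sent++
		time.Sleep(delay)
	}
	return sent
}

// serve accepts TCP connections on addr and traps each one in its own goroutine.
func serve(addr string, delay time.Duration) error {
	ln, err := net.Listen("tcp", addr)
	if err != nil {
		return err
	}
	log.Printf("tarpit listening on %s", addr)
	for {
		conn, err := ln.Accept()
		if err != nil {
			return err
		}
		log.Printf("trapped %s", conn.RemoteAddr())
		// rand.Rand is not safe for concurrent use, so each connection gets its own.
		go tarpit(conn, delay, 0, rand.New(rand.NewSource(time.Now().UnixNano())))
	}
}

// runPipe drives tarpit over an in-memory connection with no delay and returns
// the first n lines exactly as a client would read them, for inspection and tests.
func runPipe(n int) ([]string, error) {
	client, server := net.Pipe()
	go tarpit(server, 0, n, rand.New(rand.NewSource(1)))
	br := bufio.NewReader(client)
	lines := make([]string, 0, n)
	for i := 0; i < n; i++ {
		line, err := br.ReadString('\n')
		if err != nil {
			return lines, err
		}
		lines = append(lines, line)
	}
	client.Close()
	return lines, nil
}

func main() {
	// 2222 is the container port the template forwards to; the 10 s pause is an
	// assumed value for this example, not endlessh-go's default.
	log.Fatal(serve(":2222", 10*time.Second))
}
```

Run it as a standalone program and point an ssh client at port 2222 from a second terminal; the client hangs on the banner instead of ever receiving a version string. runPipe does the same over an in-memory connection so the lines can be inspected without opening a port.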

Hi :)
Thanks for this project, awesome work.
Oddly, I get no Geolocations on the dashboard, but ip-api is enabled.
I get the following error in the logs: (redacted IP)
W0117 22:44:56.159426       1 client.go:60] Failed to obatin the geohash of 180.xxx.xxx.xxx: Get "http://ip-api.com/json/180.xxx.xx.xxx": dial tcp 0.0.0.0:80: connect: connection refused.

 

Manually accessing the website works fine tho (same IP)...

 

EDIT:

The "0.0.0.0" made me curious, and I checked my pihole. Weirdly, ip-api.com was on a blacklist and my current pc wasn't using pihole.
Whitelisted it and now everything is working :)

Edited by jakami99
Fixed
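The "dial tcp 0.0.0.0:80" in that log line is the tell: the container is not being refused by ip-api.com, its resolver is handing it 0.0.0.0 for the name, so the connect goes to the host itself and fails. Below is an added check in Go, not part of endlessh-go, that classifies what a lookup returned and can query one chosen DNS server (the Pi-hole's address, for example) so the answer the container sees can be compared with the answer a PC that bypasses the Pi-hole sees. The DNS server and hostname are whatever you pass on the command line; ip-api.com is only the default because it is the host from this thread.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"os"
	"time"
)

// Constructed example, not endlessh-go's code. A DNS filter such as Pi-hole
// commonly answers a blocked name with 0.0.0.0 (some setups use ::, 127.0.0.1
// or ::1). A program that then dials port 80 produces exactly the error quoted
// above, "dial tcp 0.0.0.0:80: connect: connection refused", even though the
// web service itself is reachable.

// classify says what a set of resolved addresses means for an outbound call.
func classify(ips []net.IP) string {
	if len(ips) == 0 {
		return "no-address" // NXDOMAIN-style block or a genuine lookup failure
	}
	for _, ip := range ips {
		if !ip.IsUnspecified() && !ip.IsLoopback() {
			return "ok" // at least one address that could really be dialled
		}
	}
	return "sinkholed" // every answer points back at the host itself
}

// lookupVia resolves name through one specific DNS server (host:port) instead
// of whatever this machine happens to use, so the answer from the container's
// resolver (e.g. the Pi-hole) can be compared with another server's answer.
func lookupVia(server, name string) ([]net.IP, error) {
	r := &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			d := net.Dialer{Timeout: 3 * time.Second}
			return d.DialContext(ctx, network, server)
		},
	}
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	return r.LookupIP(ctx, "ip", name)
}

func main() {
	// Usage: dnscheck <dns-server:53> [hostname]
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: dnscheck <dns-server:53> [hostname]")
		os.Exit(2)
	}
	name := "ip-api.com" // the geolocation host from the thread; override with a second argument
	if len(os.Args) > 2 {
		name = os.Args[2]
	}
	ips, err := lookupVia(os.Args[1], name)
	if err != nil {
		fmt.Printf("%s via %s: lookup failed: %v\n", name, os.Args[1], err)
	}
	verdict := classify(ips)
	fmt.Printf("%s via %s -> %v (%s)\n", name, os.Args[1], ips, verdict)
	if verdict != "ok" {
		os.Exit(1) // non-zero so the check can be scripted
	}
}
```

Running it once against the Pi-hole's address and once against another resolver shows the mismatch jakami99 hit: "sinkholed" from the filter, "ok" elsewhere. Whitelisting the name on the filter, as done above, makes both report "ok".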
