FoxxMD
Posted December 21, 2023 (edited)

Application Name: endlessh-go
Application Site: https://github.com/shizunge/endlessh-go
Github Repo: https://github.com/shizunge/endlessh-go
Docker Hub: https://hub.docker.com/r/shizunge/endlessh-go
Template Repo: https://github.com/FoxxMD/unraid-docker-templates

Overview

Endlessh is an SSH tarpit that very slowly sends an endless, random SSH banner. It keeps SSH clients locked up for hours or even days at a time. The purpose is to put your real SSH server on another port and then let the script kiddies get stuck in this tarpit instead of bothering a real server.

Linuxserver.io provides the original endlessh on CA -- this is not that. This is a re-implementation of the original endlessh in golang with additional features, namely, translating IP addresses to Geohash and exporting Prometheus metrics which can be visualized with a Grafana dashboard.

Usage

The app requires no setup outside of what the template already provides. You do not need to use the exported metrics in order for the app to work for its primary function (SSH tarpit).

!!!!!!!! Be extremely careful when configuring port forwarding for this !!!!!!!!:

- DO NOT forward port 22 directly to unraid. Instead, forward external port 22 to unraid on port 2222 (or whatever you configure for the container)
- Double check your unraid SSH settings under Management Access
  - If you do not need SSH, make sure "Use SSH" is set to "No"
  - If you do need it, make sure it is NOT the same port you are forwarding to unraid for Endlessh

Setting up Metrics

In order to use and visualize the exported metrics you will need to set up a Prometheus container and a Grafana container.

Prometheus

- Find in CA under "Prometheus" and install
- In /mnt/user/appdata/prometheus/etc create or edit prometheus.yml to include this text block:

    scrape_configs:
      - job_name: 'endlessh'
        scrape_interval: 60s
        static_configs:
          - targets: ['HOST_IP:2112']

- Replace HOST_IP with the IP of your unraid host machine.
- Restart the Prometheus container to start collecting metrics.

Grafana

- Find in CA under "Grafana" and install
- After you have gone through initial setup and logged in to Grafana:
  - Open hamburger menu (top left) -> Connections -> Add new connection -> Prometheus
  - Under Connection (Prometheus server URL) use your unraid host IP and the Port Prometheus was configured with: http://UNRAID_IP:9090
  - Save & Test
  - Open hamburger menu -> Dashboards
  - New -> Import
  - Use ID 15156 -> Load
  - Select a Prometheus data source -> use the prometheus data source you just created
  - Import

You should now have a saved Dashboard that will visualize your endlessh-go metrics like this

It may take some time for anything to populate as you need to wait for attackers to find your honeypot

Logging

The container logs all output to the docker container logs by default. If you wish to also log to file modify your container like so:

- In Post Arguments replace -logtostderr with -alsologtostderr
- In Post Arguments append this to the end: -log_dir=/config
- In Extra Parameters add this: --user=99:100
- Add a new Path variable
  - Container Path: /config
  - Host Path: /mnt/user/appdata/endlessh-go

Your settings will look like this after all modifications are done:
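A way to verify the port-forwarding warning in the post above, as an added example that is not part of the original post or of endlessh-go: connect to the forwarded port and check whether a real SSH identification line (one starting with "SSH-") comes back, which a tarpit never sends. The function names, the 5-second window and the command-line usage are assumptions of this sketch.

```python
import socket
import sys
import time

def classify_banner(data: bytes) -> str:
    """Classify the bytes a server sent before the client said anything."""
    if not data:
        return "silent"
    # RFC 4253 section 4.2: a real SSH server identifies itself with a line
    # starting with "SSH-". A tarpit only sends filler lines that never do.
    for line in data.split(b"\n"):
        if line.startswith(b"SSH-"):
            return "ssh-server"
    return "tarpit-like"

def probe(sock: socket.socket, window: float = 5.0) -> str:
    """Read from a connected socket for up to `window` seconds, then classify."""
    deadline = time.monotonic() + window
    data = b""
    while len(data) < 4096:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            break
        sock.settimeout(remaining)
        try:
            chunk = sock.recv(1024)
        except socket.timeout:
            break          # nothing more arrived inside the window
        if not chunk:
            break          # peer closed the connection
        data += chunk
        if classify_banner(data) == "ssh-server":
            break          # a real sshd answers at once, no need to wait
    return classify_banner(data)

def check_port(host: str, port: int, window: float = 5.0) -> str:
    """Connect to host:port and report what is listening there."""
    with socket.create_connection((host, port), timeout=window) as sock:
        return probe(sock, window)

if __name__ == "__main__" and len(sys.argv) == 3:
    # Example: python check_tarpit.py <your external IP> 22
    result = check_port(sys.argv[1], int(sys.argv[2]))
    print(f"{sys.argv[1]}:{sys.argv[2]} -> {result}")
    # Exit non-zero if a real SSH server is exposed on the probed port.
    sys.exit(1 if result == "ssh-server" else 0)
```

Run it from outside your network against the external port 22: "ssh-server" means the forward reaches a real SSH daemon instead of the tarpit, while "silent" is inconclusive and worth repeating with a longer window.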

jakami99
Posted January 17 (edited)

Hi

Thanks for this project, awesome work. Oddly, I get no Geolocations on the dashboard, but ip-api is enabled. I get the following error in the logs: (redacted IP)

W0117 22:44:56.159426 1 client.go:60] Failed to obatin the geohash of 180.xxx.xxx.xxx: Get "http://ip-api.com/json/180.xxx.xx.xxx": dial tcp 0.0.0.0:80: connect: connection refused.

Manually accessing the website works fine tho (same IP)...

EDIT: The "0.0.0.0" made me curious, and I checked my pihole. Weirdly, ip-api.com was on a blacklist and my current pc wasn't using pihole. Whitelisted it and now everything is working