[PATCH] gnu: services: Add endlessh.

  • Open
  • quality assurance status badge
Details
5 participants
  • Nicolò Balzarotti
  • Oleg Pykhalov
  • Joshua Branson
  • Ludovic Courtès
  • Maxim Cournoyer
Owner
unassigned
Submitted by
Nicolò Balzarotti
Severity
normal

Debbugs page

N
N
Nicolò Balzarotti wrote on 14 Jan 2020 13:21
(address . guix-patches@gnu.org)
874kwx91k6.fsf@guixSD.i-did-not-set--mail-host-address--so-tickle-me
Hello guix!

This is my first service :) I know I still miss documentation and tests,
but before diving into it I wanted a general feedback on it (so that if
we decide to change something I don't have to adjust the docs and the
tests twice).

Endlessh is already in the repo, but for those who don't know: it's a
fake ssh server; it should be used to prevent bruteforce attacks and the
like by "freezing" the connection on the standard port (while the real
ssh server is on another non-standard port). So, I don't know if as
default port should be 22 or, as it is now, 2222 (program's default).

My second doubt is regarding the place; it's an ssh server, but its main
purpose is for security? Maybe should go under admin.scm? I'm not sure

Last thing: bind-family as a list of allowed values is a suggetion from
IRC @leoprikler. Thanks for your help there!

Waiting for your feedback,

Nicolò
From 63f975ec47de8ab951beaac6781327faf06d0cac Mon Sep 17 00:00:00 2001
From: nixo <nicolo@nixo.xyz>
Date: Tue, 14 Jan 2020 22:08:15 +0100
Subject: [PATCH] gnu: services: Add endlessh.

* gnu/services/ssh.scm (endlessh): New variable.
---
gnu/services/ssh.scm | 74 +++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 73 insertions(+), 1 deletion(-)

Toggle diff (92 lines)
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index d2dbb8f80d..d2729fb059 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -45,7 +45,11 @@
dropbear-configuration
dropbear-configuration?
dropbear-service-type
- dropbear-service))
+ dropbear-service
+
+ endlessh-configuration
+ endlessh-configuration?
+ endlessh-service-type))
;;; Commentary:
;;;
@@ -628,4 +632,72 @@ daemon} with the given @var{config}, a @code{<dropbear-configuration>}
object."
(service dropbear-service-type config))
+
+;;;
+;;; Endlessh.
+;;;
+
+(define-record-type* <endlessh-configuration>
+ endlessh-configuration make-endlessh-configuration
+ endlessh-configuration?
+ ;; list of two symbols, allowed values are ipv4, ipv6 or both
+ (bind-family endlessh-configuration-bind-family (default '(ipv4 ipv6)))
+ ;; integer
+ (delay endlessh-configuration-delay (default 10000))
+ ;; integer
+ ;; Must be in the range
+ (length endlessh-configuration-length (default 32))
+ ;; integer
+ (max-clients endlessh-configuration-max-clients (default 4096))
+ ;; integer
+ (port-number endlessh-configuration-port-number (default 2222))
+ ;; integer
+ ;; Allowed values are 0, 1 and 2
+ (log-level endlessh-configuration-log-level (default 0)))
+
+(define (endlessh-config->conf config)
+ "Convert the CONFIG of type <endlessh-config> to a config file."
+ (let* ((family (endlessh-configuration-bind-family config))
+ (ipv4 (member 'ipv4 family))
+ (ipv6 (member 'ipv6 family))
+ (port (endlessh-configuration-port-number config))
+ (delay (endlessh-configuration-delay config))
+ (length (endlessh-configuration-length config))
+ (log-level (endlessh-configuration-log-level config))
+ (max-clients (endlessh-configuration-max-clients config))
+ (bind
+ ;; check if both are true (0), or only one of them is present
+ (if (not (and (equal? ipv4 ipv6) ipv4))
+ (if ipv4 4
+ (if ipv6 6
+ (throw 'endlessh-error
+ "bind-family must contain at least one value")))
+ 0)))
+ (mixed-text-file "endlessh.conf"
+ "# Generated by 'endlessh-config'.\n\n"
+ "Port " (number->string port) "\n"
+ "Delay " (number->string delay) "\n"
+ "MaxLineLength " (number->string length) "\n"
+ "MaxClients " (number->string max-clients) "\n"
+ "LogLevel " (number->string log-level) "\n"
+ "BindFamily " (number->string bind) "\n")))
+
+(define (endlessh-shepherd-service config)
+ (shepherd-service
+ (documentation "Run endlessh tarpit server.")
+ (provision '(endlessh))
+ (start #~(make-forkexec-constructor
+ (list #$(file-append endlessh "/bin/endlessh")
+ "-f" #$(endlessh-config->conf config))))
+ (stop #~(make-kill-destructor))))
+
+(define endlessh-service-type
+ (service-type
+ (name 'endlessh)
+ (description "Run endlessh tarpit server.")
+ (extensions
+ (list (service-extension shepherd-root-service-type
+ (compose list endlessh-shepherd-service))))
+ (default-value (endlessh-configuration))))
+
;;; ssh.scm ends here
--
2.24.1
O
O
Oleg Pykhalov wrote on 25 Jul 2020 13:08
(name . Nicolò Balzarotti)(address . anothersms@gmail.com)(address . 39136@debbugs.gnu.org)
87365fl5mb.fsf@gmail.com
Hi,

That patch was forgotten for some reason, but we still have a succeeded
to build ‘endlessh’ package which missing a service! :-)

anothersms@gmail.com (Nicolò Balzarotti) writes:

Toggle quote (5 lines)
> This is my first service :) I know I still miss documentation and tests,
> but before diving into it I wanted a general feedback on it (so that if
> we decide to change something I don't have to adjust the docs and the
> tests twice).

Tests are appreciated ;-)

Toggle quote (6 lines)
> Endlessh is already in the repo, but for those who don't know: it's a
> fake ssh server; it should be used to prevent bruteforce attacks and the
> like by "freezing" the connection on the standard port (while the real
> ssh server is on another non-standard port). So, I don't know if as
> default port should be 22 or, as it is now, 2222 (program's default).

2222 is OK. But we need this be documented in ‘doc/guix.texi’. Could
you take a look on this, please?

Toggle quote (3 lines)
> My second doubt is regarding the place; it's an ssh server, but its main
> purpose is for security? Maybe should go under admin.scm? I'm not sure

I think gnu/services/ssh.scm is good.

[…]

Toggle quote (6 lines)
> +(define-record-type* <endlessh-configuration>
> + endlessh-configuration make-endlessh-configuration
> + endlessh-configuration?
> + ;; list of two symbols, allowed values are ipv4, ipv6 or both
> + (bind-family endlessh-configuration-bind-family (default '(ipv4 ipv6)))

Please, move ‘(default …)’ things on a separate line.

[…]

Otherwise LGTM. Could you send an update with a documented service?

Thanks,
Oleg.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEcjhxI46s62NFSFhXFn+OpQAa+pwFAl8ckUwACgkQFn+OpQAa
+px84Q//cThaNKqntgDxuutVSS1XIFeUFFgpcWmUHtJOnvz+9PxQ1gZDzJY5R9xO
GHERkNjoZopFfrt59owcIoBmnickxUembFYKQjssZscedr9prbX6oGjYgN5znKpk
xN2lAcS11XsKMecv+M5UJvGvRGsXHcFQJl7nafyyIhlF3qbQmcgUO5r1PfjPSgrU
uK8AyEvbdgYYQbvZTrboFPBn/frj+mIQ8HdXwaBtBBHuR8AcYderFCfD9fabWB8G
Tb4Qh3dpF3W2FhY8x8FpYxEsZA4RR8YoHAHX8TLcqtRb/7IVscYb78L+TUEs53bs
yb2o6RGpTsmRl7Muiw6Q4gGn7fdM9v28lgddILD6OB5dLImlP72YT9V6sTQ/Wev6
WFikCwH5ulrvhREP+cbYQPwV9XxgUj0EuXvd+Ya77ggG6x3Y6WnGRxEwL9Haykqi
+HuRkj0k5GB5kWxjpNtmMd6QRV58SXRr7Zq5jrJvbPU+4Xa7joeLUOeKjmJ7PeXN
SmGVgmiIKmflxGFI0DrXBP6e88XLwJkRKbeej+t8AlUffe5LXBH0ZS2+I6yhdDtr
+uDTPIR2r7RL45CHeyO9E16umSXhyZU0RjhXVQ+lg83wjZgBajU3R4bmNYQQK85P
6ZZjZ6uLaHTSfkzGnD8t3GIusFzbEk11XD/QviSZC2j38pK5SOg=
=XbGN
-----END PGP SIGNATURE-----

J
J
Joshua Branson wrote on 15 Mar 2021 09:29
[PATCH 1/2] services: Add endlessh service.
(address . 39136@debbugs.gnu.org)(name . Nicolò Balzarotti)(address . nicolo@nixo.xyz)
20210315162949.17092-1-jbranso@dismail.de
From: Nicolò Balzarotti <nicolo@nixo.xyz>

* gnu/services/ssh.scm: Add endlessh service
(<endlessh-configuration>): New record type.
(endlessh-config->conf, endlessh-shepherd-service, endlessh-service-type): New procedures.
---
gnu/services/ssh.scm | 73 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 73 insertions(+)

Toggle diff (93 lines)
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 1891db0487..aad9bbc754 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -54,6 +54,10 @@
autossh-configuration?
autossh-service-type
+ endlessh-configuration
+ endlessh-configuration?
+ endlessh-service-type
+
webssh-configuration
webssh-configuration?
webssh-service-type
@@ -739,6 +743,75 @@ object."
autossh-service-activation)))
(default-value (autossh-configuration))))
+
+;;;
+;;; Endlessh.
+;;;
+
+(define-record-type* <endlessh-configuration>
+ endlessh-configuration make-endlessh-configuration
+ endlessh-configuration?
+ ;; list of two symbols, allowed values are ipv4, ipv6 or both
+ (bind-family endlessh-configuration-bind-family (default '(ipv4 ipv6)))
+ ;; integer
+ (delay endlessh-configuration-delay (default 10000))
+ ;; integer
+ ;; Must be in the range
+ (length endlessh-configuration-length (default 32))
+ ;; integer
+ (max-clients endlessh-configuration-max-clients (default 4096))
+ ;; integer
+ (port-number endlessh-configuration-port-number (default 2222))
+ ;; integer
+ ;; Allowed values are 0, 1 and 2
+ (log-level endlessh-configuration-log-level (default 0)))
+
+(define (endlessh-config->conf config)
+ "Convert the CONFIG of type <endlessh-config> to a config file."
+ (let* ((family (endlessh-configuration-bind-family config))
+ (ipv4 (member 'ipv4 family))
+ (ipv6 (member 'ipv6 family))
+ (port (endlessh-configuration-port-number config))
+ (delay (endlessh-configuration-delay config))
+ (length (endlessh-configuration-length config))
+ (log-level (endlessh-configuration-log-level config))
+ (max-clients (endlessh-configuration-max-clients config))
+ (bind
+ ;; check if both are true (0), or only one of them is present
+ (if (not (and (equal? ipv4 ipv6) ipv4))
+ (if ipv4 4
+ (if ipv6 6
+ (throw 'endlessh-error
+ "bind-family must contain at least one value")))
+ 0)))
+ (mixed-text-file "endlessh.conf"
+ "# Generated by 'endlessh-config'.\n\n"
+ "Port " (number->string port) "\n"
+ "Delay " (number->string delay) "\n"
+ "MaxLineLength " (number->string length) "\n"
+ "MaxClients " (number->string max-clients) "\n"
+ "LogLevel " (number->string log-level) "\n"
+ "BindFamily " (number->string bind) "\n")))
+
+(define (endlessh-shepherd-service config)
+ (shepherd-service
+ (documentation "Run endlessh tarpit server.")
+ (provision '(endlessh))
+ (start #~(make-forkexec-constructor
+ (list #$(file-append endlessh "/bin/endlessh")
+ "-f" #$(endlessh-config->conf config))))
+ (stop #~(make-kill-destructor))))
+
+(define endlessh-service-type
+ (service-type
+ (name 'endlessh)
+ (description "Run endlessh tarpit server.")
+ (extensions
+ (list (service-extension shepherd-root-service-type
+ (compose list endlessh-shepherd-service))))
+ (default-value (endlessh-configuration))))
+
+
;;;
;;; WebSSH
--
2.30.0
J
J
Joshua Branson wrote on 15 Mar 2021 09:29
[PATCH 2/2] services: containerized endlessh
(address . 39136@debbugs.gnu.org)(name . Joshua Branson)(address . jbranso@dismail.de)
20210315162949.17092-2-jbranso@dismail.de
doc: endlessh service documentation.

* doc/guix.texi (Networking Services): New endlessh-service-type section.

services: containerized endlessh

* gnu/services/ssh.scm (endlessh-config->conf): make-forkexec-contructor ->
make-forkexec-constructor/container. and attempted to enable logging to syslog.
(define-record-type* <endlessh-configuration>)
move default values of endlessh configuration to separate line.
Add copyright line for Nicolo.
---
doc/guix.texi | 60 ++++++++++++++++++++++++++++++++++++++++++++
gnu/services/ssh.scm | 35 ++++++++++++++++++--------
2 files changed, 85 insertions(+), 10 deletions(-)

Toggle diff (145 lines)
diff --git a/doc/guix.texi b/doc/guix.texi
index 464c1141d8..38807b3069 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -17081,6 +17081,66 @@ may cause undefined behaviour.
@end table
@end deftp
+@cindex Endlessh
+@deffn {Scheme Variable} endlessh-service-type
+This is the type for the @uref{https://github.com/skeeto/endlessh,
+Endlessh} program that delays ssh clients for days at a time by
+@emph{very slowly} sending a random and endless SSH banner. The smart
+hacker will put endlessh running on port 22, and let crackers get stuck
+in this tarpit. This lets your real ssh server run more securely on a
+non-standard port.
+
+For example:
+
+@lisp
+(service endlessh-service-type
+ (endlessh-configuration
+ (port-number 22)))
+@end lisp
+
+@end deffn
+
+@deftp {Data Type} endlessh-configuration
+Data type representing the configuration for @code{endlessh-service}.
+@table @asis
+@item @code{package} (default: @var{endlessh})
+@code{endlessh} package to use.
+
+@item @code{bind-family} (default: @code{'(ipv4 ipv6)})
+This specifies if endlessh should use ipv4 and/or ipv6.
+
+@item @code{delay} (default: @code{10000})
+The endless banner is sent one line at a time. This is the delay
+in milliseconds between individual lines.
+
+@item @code{length} (default: @code{32})
+The length of each line is randomized. This controls the maximum length
+of each line. Shorter lines may keep clients on for longer if they give
+up after a certain number of bytes.
+
+@item @code{max-clients} (default: @code{4096})
+Maximum number of connections to accept at a time. Connections beyond
+this are not immediately rejected, but will wait in the queue.
+
+@item @code{port-number} (default: @code{2222})
+The port on which to listen for new SSH connections. Most users who
+want to use endlessh as intended should set this port number to
+@code{22}.
+
+@item @code{log-level} (default: @code{0})
+Set the detail level for the log.
+@table @asis
+@item 0 = Quiet
+@item 1 = Standard, useful log messages
+@item 2 = Very noisy debugging information
+@end table
+
+@item @code{syslog} (default: @code{#f})
+Print diagnostics to syslog instead of standard output
+
+@end table
+@end deftp
+
@cindex WebSSH
@deffn {Scheme Variable} webssh-service-type
This is the type for the @uref{https://webssh.huashengdun.org/, WebSSH}
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index aad9bbc754..838655cf2c 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -6,6 +6,8 @@
;;; Copyright © 2019 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2020 pinoaffe <pinoaffe@airmail.cc>
;;; Copyright © 2020 Oleg Pykhalov <go.wigust@gmail.com>
+;;; Copyright © 2020 Nicolò Balzarotti <nicolo@nixo.xyz>
+;;; Copyright @ 2021 Joshua Branson <jbranso@dismail.de>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -752,19 +754,25 @@ object."
endlessh-configuration make-endlessh-configuration
endlessh-configuration?
;; list of two symbols, allowed values are ipv4, ipv6 or both
- (bind-family endlessh-configuration-bind-family (default '(ipv4 ipv6)))
+ (bind-family endlessh-configuration-bind-family
+ (default '(ipv4 ipv6)))
;; integer
- (delay endlessh-configuration-delay (default 10000))
+ (delay endlessh-configuration-delay
+ (default 10000))
;; integer
;; Must be in the range
- (length endlessh-configuration-length (default 32))
+ (length endlessh-configuration-length
+ (default 32))
;; integer
- (max-clients endlessh-configuration-max-clients (default 4096))
+ (max-clients endlessh-configuration-max-clients
+ (default 4096))
;; integer
- (port-number endlessh-configuration-port-number (default 2222))
+ (port-number endlessh-configuration-port-number
+ (default 2222))
;; integer
;; Allowed values are 0, 1 and 2
- (log-level endlessh-configuration-log-level (default 0)))
+ (log-level endlessh-configuration-log-level
+ (default 0)))
(define (endlessh-config->conf config)
"Convert the CONFIG of type <endlessh-config> to a config file."
@@ -797,15 +805,22 @@ object."
(shepherd-service
(documentation "Run endlessh tarpit server.")
(provision '(endlessh))
- (start #~(make-forkexec-constructor
- (list #$(file-append endlessh "/bin/endlessh")
- "-f" #$(endlessh-config->conf config))))
+ (start #~(make-forkexec-constructor/container
+ `(list #$(file-append endlessh "/bin/endlessh")
+ ,(if (positive? (endlessh-configuration-log-level config))
+ "-s"
+ "")
+ "-f" #$(endlessh-config->conf config))))
(stop #~(make-kill-destructor))))
(define endlessh-service-type
(service-type
(name 'endlessh)
- (description "Run endlessh tarpit server.")
+ (description "Endlessh is an SSH tarpit that very slowly sends an endless,
+random SSH banner. It keeps SSH clients locked up for hours or even days at a
+time. The purpose is to put your real SSH server on another port and then let
+the script kiddies get stuck in this tarpit instead of bothering a real
+server.")
(extensions
(list (service-extension shepherd-root-service-type
(compose list endlessh-shepherd-service))))
--
2.30.0
J
J
Joshua Branson wrote on 16 Mar 2021 08:32
My endlessh patch series
(address . 39136@debbugs.gnu.org)
87a6r39ksa.fsf@dismail.de
So I've been working on this endlessh service for a while. I believe
it could be better, but perfectionist can only do one thing perfectly:
nothing. So I've submitted the above patch series. Let me know if it
needs more work.

At the moment, I believe that endlessh runs as root. It would be nice
to let it run as user nobody or something like that.

The endlessh systemd file provides an example of how to do that:


## If you want Endlessh to bind on ports < 1024
## 1) run:
## setcap 'cap_net_bind_service=+ep' /usr/local/bin/endlessh
## 2) uncomment following line
#AmbientCapabilities=CAP_NET_BIND_SERVICE
## 3) comment following line
PrivateUsers=true

Though setcap 'cap_net_bind_service=+ep' is linux specific. And I'm
not certain if guix has a method for running setcap on items in the
store.

Those are just some relevant thoughts for improving the service!

Thanks!
J
J
Joshua Branson wrote on 16 Mar 2021 08:42
issues.guix.org not showing patch series?
(address . 39136@debbugs.gnu.org)(address . bug-guix@gnu.org)
878s6n9kbp.fsf@dismail.de
Hello!

I just submitted a patch series for an endlessh service!

However, issues.guix.gnu.org/39136 does not properly show the patch
series. :( Maybe I just submitted the patch series incorrectly. :)

You can see the patch series here:


And via

M-x debbugs-gnu-bugs RET 39136 RET

I'm not certain what the issue is...

This is the command that I used to send the patch series.

#+BEGIN_SRC sh
git send-email --to=39136@debbugs.gnu.org HEAD~2
#+END_SRC

Thanks!

Your friend,

Joshua
J
J
Joshua Branson wrote on 19 Mar 2021 09:22
Re: bug#39136: [PATCH] gnu: services: Add endlessh.
(address . 39136@debbugs.gnu.org)(address . go.wigust@gmail.com)
87h7l7kt9r.fsf_-_@dismail.de
Ping for Oleg!

Thanks!

Joshua

P.S. I forget to include your email in the patch series. I know the
patch series could be better, but I figured I'd rather submit something
rather than nothing. Thanks!

--
Joshua Branson (joshuaBPMan in #guix)
Sent from Emacs and Gnus
"You can have whatever you want, as long as you help
enough other people get what they want." - Zig Ziglar
O
O
Oleg Pykhalov wrote on 22 Mar 2021 11:45
(name . Joshua Branson)(address . jbranso@dismail.de)(address . 39136@debbugs.gnu.org)
87zgyv2fjd.fsf_-_@gmail.com
Hello,


I failed to test endlessh with "services: containerized endlessh" patch
in a virtual machine. Unfortunately at the moment I'm not familiar with
‘make-forkexec-constructor/container’ machinery, and have no idea about
that causing the issue of boot hang. Failed VM config in attachment.
;; This is an operating system configuration for a VM image.
;; Modify it as you see fit and instantiate the changes by running:
;;
;; guix system reconfigure /etc/config.scm
;;

(use-modules (gnu) (guix) (srfi srfi-1))
(use-service-modules desktop networking ssh xorg)
(use-package-modules bootloaders certs fonts nvi
package-management wget xorg)

(define vm-image-motd (plain-file "motd" "
\x1b[1;37mThis is the GNU system. Welcome!\x1b[0m

This instance of Guix is a template for virtualized environments.
You can reconfigure the whole system by adjusting /etc/config.scm
and running:

guix system reconfigure /etc/config.scm

Run '\x1b[1;37minfo guix\x1b[0m' to browse documentation.

\x1b[1;33mConsider setting a password for the 'root' and 'guest' \
accounts.\x1b[0m
"))

(operating-system
(host-name "gnu")
(timezone "Etc/UTC")
(locale "en_US.utf8")
(keyboard-layout (keyboard-layout "us" "altgr-intl"))

;; Label for the GRUB boot menu.
(label (string-append "GNU Guix " (package-version guix)))

(firmware '())

;; Below we assume /dev/vda is the VM's hard disk.
;; Adjust as needed.
(bootloader (bootloader-configuration
(bootloader grub-bootloader)
(target "/dev/vda")
(terminal-outputs '(console))))
(file-systems (cons (file-system
(mount-point "/")
(device "/dev/vda1")
(type "ext4"))
%base-file-systems))

(users (cons (user-account
(name "guest")
(comment "GNU Guix Live")
(password "") ;no password
(group "users")
(supplementary-groups '("wheel" "netdev"
"audio" "video")))
%base-user-accounts))

;; Our /etc/sudoers file. Since 'guest' initially has an empty password,
;; allow for password-less sudo.
(sudoers-file (plain-file "sudoers" "\
root ALL=(ALL) ALL
%wheel ALL=NOPASSWD: ALL\n"))

(packages (append (list nss-certs wget)
%base-packages))

(services
(append (list ;; Uncomment the line below to add an SSH server.
;; (service openssh-service-type
;; (openssh-configuration
;; (port-number 2222)))

(service endlessh-service-type
(endlessh-configuration
(port-number 2222)))

;; Use the DHCP client service rather than NetworkManager.
(service dhcp-client-service-type))

;; Remove GDM, ModemManager, NetworkManager, and wpa-supplicant,
;; which don't make sense in a VM.
(remove (lambda (service)
(let ((type (service-kind service)))
(or (memq type
(list gdm-service-type
wpa-supplicant-service-type
cups-pk-helper-service-type
network-manager-service-type
modem-manager-service-type))
(eq? 'network-manager-applet
(service-type-name type)))))
(modify-services %base-services
(login-service-type config =>
(login-configuration
(inherit config)
(motd vm-image-motd)))))))

;; Allow resolution of '.local' host names with mDNS.
(name-service-switch %mdns-host-lookup-nss))
I succeeded to test without "services: containerized endlessh". If wish
to fix a problem, ping me then you done. Otherwise I could push a
working version without containerization.


Thanks,
Oleg.
-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEEcjhxI46s62NFSFhXFn+OpQAa+pwFAmBY5dYUHGdvLndpZ3Vz
dEBnbWFpbC5jb20ACgkQFn+OpQAa+pwRLQ//b7/BeXuTmjoPBdvCo7+zef/q67Hu
q68tZwvp4SZoOXSrTOlwKFhmr4jRKdlw8SDGg3Xx7ZMU6YbsTmvndzl82wyTIHpf
+754G2XTQib/MGseVg4XvBkkYYkgbtMW7xINqd723dM9b46ZmRQbjLCSWPmoj1zM
voNeQsGpSVa7iz+UDE/OHpqDQhdXKA35OqPUssCjj/Bkbo1+gYb3itqruHXkxjdI
bjiYDVu47eaBPvd3QPQSm8xESKPB5yuj/LRO0JijyREXsvV4yfZVyJJk9a3c9nX9
nQLYwBFgRr6++X1O39PA6mzT45NlTR3r3XKjsCd0HtOh1sTytjNA/olTGw1+W1e5
gOjU4mtvGEzRF3p9BQs8D3VV3wVkmjgQDdHK9/gOpT+x0aUGdJp2w/ByTN1FeNRL
tRzTGOzYBrKv5zsVMv9PKR6zklhtDWz9fnSQa/5CnfI3x82lr5M+MMxGTpQPFISq
GZS6ITA1RSD+yEdu6V2JohPHqhbeI06O4e6HGy6MHIHxQU6mtZLAXpKE5AJvSmP2
y7F1pWBz6UZGHqBKfmRDReCeq+eOKjjgL2HeZ28ync1lpi00DEiU2PVZvleWposv
K95fMxloXmITqPN1621/jxhnwXq0iLhL7fwJMJEN1enscfT8nNOBwg+MI88OPg+u
ZSb5mXMtM0UcLr0=
=Dj5i
-----END PGP SIGNATURE-----

J
J
Joshua Branson wrote on 4 Apr 2021 06:31
(name . Oleg Pykhalov)(address . go.wigust@gmail.com)(address . 39136@debbugs.gnu.org)
878s5ymb08.fsf_-_@dismail.de
Oleg Pykhalov <go.wigust@gmail.com> writes:

Toggle quote (14 lines)
> Hello,
>
> I failed to test endlessh with "services: containerized endlessh" patch
> in a virtual machine. Unfortunately at the moment I'm not familiar with
> ‘make-forkexec-constructor/container’ machinery, and have no idea about
> that causing the issue of boot hang. Failed VM config in attachment.
>
>
>
>
> I succeeded to test without "services: containerized endlessh". If wish
> to fix a problem, ping me then you done. Otherwise I could push a
> working version without containerization.

Oh, I suppose that I will try to get containerization working on this
service. I'd prefer to have it containerized, since it is running as
root.

Thanks!

Toggle quote (5 lines)
>
> Thanks,
> Oleg.
>

--
Joshua Branson (joshuaBPMan in #guix)
Sent from Emacs and Gnus
"You can have whatever you want, as long as you help
enough other people get what they want." - Zig Ziglar
L
L
Ludovic Courtès wrote on 31 Aug 2022 03:49
(name . Joshua Branson)(address . jbranso@dismail.de)(address . 39136@debbugs.gnu.org)
87o7w0bsci.fsf_-_@gnu.org
Hi Joshua,

Joshua Branson <jbranso@dismail.de> skribis:

Toggle quote (12 lines)
> doc: endlessh service documentation.
>
> * doc/guix.texi (Networking Services): New endlessh-service-type section.
>
> services: containerized endlessh
>
> * gnu/services/ssh.scm (endlessh-config->conf): make-forkexec-contructor ->
> make-forkexec-constructor/container. and attempted to enable logging to syslog.
> (define-record-type* <endlessh-configuration>)
> move default values of endlessh configuration to separate line.
> Add copyright line for Nicolo.

Could you merge both patch #1 and patch #2? Usually doc is added in the
same commit as the thing being documented.

Toggle quote (5 lines)
> +@cindex Endlessh
> +@deffn {Scheme Variable} endlessh-service-type
> +This is the type for the @uref{https://github.com/skeeto/endlessh,
> +Endlessh} program that delays ssh clients for days at a time by

Nitpick: s/ssh/SSH/.

Toggle quote (3 lines)
> +@emph{very slowly} sending a random and endless SSH banner. The smart
> +hacker will put endlessh running on port 22, and let crackers get stuck

Maybe “The smart hacker will put” -> “You would typically run”

Toggle quote (2 lines)
> + (start #~(make-forkexec-constructor/container

Let’s forget about ‘/container’ for now if it doesn’t work yet.

Perhaps we can have a minimal system test to make sure the thing is
running and listening on the right port? There are tests for
full-fledged SSH servers in (gnu tests ssh) that could serve as
inspiration.

Could you send a (hopefully) last version with these changes?

Thanks in advance,
Ludo’.
J
J
jbranso wrote on 31 Aug 2022 16:34
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 39136@debbugs.gnu.org)
1c810968a4114879ea1c9c1e7c927d28@dismail.de
August 31, 2022 6:49 AM, "Ludovic Courtès" <ludo@gnu.org> wrote:

Toggle quote (42 lines)
> Hi Joshua,
>
> Joshua Branson <jbranso@dismail.de> skribis:
>
>> doc: endlessh service documentation.
>>
>> * doc/guix.texi (Networking Services): New endlessh-service-type section.
>>
>> services: containerized endlessh
>>
>> * gnu/services/ssh.scm (endlessh-config->conf): make-forkexec-contructor ->
>> make-forkexec-constructor/container. and attempted to enable logging to syslog.
>> (define-record-type* <endlessh-configuration>)
>> move default values of endlessh configuration to separate line.
>> Add copyright line for Nicolo.
>
> Could you merge both patch #1 and patch #2? Usually doc is added in the
> same commit as the thing being documented.
>
>> +@cindex Endlessh
>> +@deffn {Scheme Variable} endlessh-service-type
>> +This is the type for the @uref{https://github.com/skeeto/endlessh,
>> +Endlessh} program that delays ssh clients for days at a time by
>
> Nitpick: s/ssh/SSH/.
>
>> +@emph{very slowly} sending a random and endless SSH banner. The smart
>> +hacker will put endlessh running on port 22, and let crackers get stuck
>
> Maybe “The smart hacker will put” -> “You would typically run”
>
>> + (start #~(make-forkexec-constructor/container
>
> Let’s forget about ‘/container’ for now if it doesn’t work yet.
>
> Perhaps we can have a minimal system test to make sure the thing is
> running and listening on the right port? There are tests for
> full-fledged SSH servers in (gnu tests ssh) that could serve as
> inspiration.
>
> Could you send a (hopefully) last version with these changes?

Will merge the doc and code changes and submit an updated patch soon.

Thanks!

Joshua

Toggle quote (3 lines)
>
> Thanks in advance,
> Ludo’.
J
J
Joshua Branson wrote on 30 Sep 2022 10:03
[PATCH] * gnu: endlessh: new service
(address . 39136@debbugs.gnu.org)
20220930170301.21324-1-jbranso@dismail.de
From: Nicolò Balzarotti <nicolo@nixo.xyz>

Here is an attempted merger of patch 1 and 2. I hope that it applies
cleanly to master, but if it does not, please let me know!

Thanks!

Joshua

* gnu/services/ssh.scm: Add endlessh service
endlessh-configuration>): New record type.
(endlessh-config->conf, endlessh-shepherd-service, endlessh-service-type): New procedures.

* doc/guix.texi: added documnetation for the endlessh service.
---
doc/guix.texi | 60 ++++++++++++++++++++++++++++++++++++
gnu/services/ssh.scm | 73 ++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 133 insertions(+)

Toggle diff (164 lines)
diff --git a/doc/guix.texi b/doc/guix.texi
index 99f8ba6c54..9a1e2801dd 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -20393,6 +20393,66 @@ may cause undefined behaviour.
@end table
@end deftp
+@cindex Endlessh
+@deffn {Scheme Variable} endlessh-service-type
+This is the type for the @uref{https://github.com/skeeto/endlessh,
+Endlessh} service, which is an ssh tarbit. It delays ssh clients for
+days at a time by @emph{very slowly} sending a random and endless SSH
+banner. The smart hacker will run endlessh on port 22, and let crackers
+get stuck in this tarpit. This lets your real ssh server run more
+securely on a non-standard port.
+
+For example:
+
+@lisp
+(service endlessh-service-type
+ (endlessh-configuration
+ (port-number 22)))
+@end lisp
+
+@end deffn
+
+@deftp {Data Type} endlessh-configuration
+Data type representing the configuration for @code{endlessh-service}.
+@table @asis
+@item @code{package} (default: @var{endlessh})
+@code{endlessh} package to use.
+
+@item @code{bind-family} (default: @code{'(ipv4 ipv6)})
+This specifies if endlessh should use ipv4 and/or ipv6.
+
+@item @code{delay} (default: @code{10000})
+The endless banner is sent one line at a time. This is the delay
+in milliseconds between individual lines.
+
+@item @code{length} (default: @code{32})
+The length of each line is randomized. This controls the maximum length
+of each line. Shorter lines may keep clients on for longer if they give
+up after a certain number of bytes.
+
+@item @code{max-clients} (default: @code{4096})
+Maximum number of connections to accept at a time. Connections beyond
+this are not immediately rejected, but will wait in the queue.
+
+@item @code{port-number} (default: @code{2222})
+The port on which to listen for new SSH connections. Most users who
+want to use endlessh as intended should set this port number to
+@code{22}.
+
+@item @code{log-level} (default: @code{0})
+Set the detail level for the log.
+@table @asis
+@item 0 = Quiet
+@item 1 = Standard, useful log messages
+@item 2 = Very noisy debugging information
+@end table
+
+@item @code{syslog} (default: @code{#f})
+Print diagnostics to syslog instead of standard output
+
+@end table
+@end deftp
+
@cindex WebSSH
@deffn {Scheme Variable} webssh-service-type
This is the type for the @uref{https://webssh.huashengdun.org/, WebSSH}
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 72e7183590..2e547b63cd 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -58,6 +58,10 @@ (define-module (gnu services ssh)
autossh-configuration?
autossh-service-type
+ endlessh-configuration
+ endlessh-configuration?
+ endlessh-service-type
+
webssh-configuration
webssh-configuration?
webssh-service-type
@@ -802,6 +806,75 @@ (define autossh-service-type
autossh-service-activation)))
(default-value (autossh-configuration))))
+
+;;;
+;;; Endlessh.
+;;;
+
+(define-record-type* <endlessh-configuration>
+ endlessh-configuration make-endlessh-configuration
+ endlessh-configuration?
+ ;; list of two symbols, allowed values are ipv4, ipv6 or both
+ (bind-family endlessh-configuration-bind-family (default '(ipv4 ipv6)))
+ ;; integer
+ (delay endlessh-configuration-delay (default 10000))
+ ;; integer
+ ;; Must be in the range
+ (length endlessh-configuration-length (default 32))
+ ;; integer
+ (max-clients endlessh-configuration-max-clients (default 4096))
+ ;; integer
+ (port-number endlessh-configuration-port-number (default 2222))
+ ;; integer
+ ;; Allowed values are 0, 1 and 2
+ (log-level endlessh-configuration-log-level (default 0)))
+
+(define (endlessh-config->conf config)
+ "Convert the CONFIG of type <endlessh-config> to a config file."
+ (let* ((family (endlessh-configuration-bind-family config))
+ (ipv4 (member 'ipv4 family))
+ (ipv6 (member 'ipv6 family))
+ (port (endlessh-configuration-port-number config))
+ (delay (endlessh-configuration-delay config))
+ (length (endlessh-configuration-length config))
+ (log-level (endlessh-configuration-log-level config))
+ (max-clients (endlessh-configuration-max-clients config))
+ (bind
+ ;; check if both are true (0), or only one of them is present
+ (if (not (and (equal? ipv4 ipv6) ipv4))
+ (if ipv4 4
+ (if ipv6 6
+ (throw 'endlessh-error
+ "bind-family must contain at least one value")))
+ 0)))
+ (mixed-text-file "endlessh.conf"
+ "# Generated by 'endlessh-config'.\n\n"
+ "Port " (number->string port) "\n"
+ "Delay " (number->string delay) "\n"
+ "MaxLineLength " (number->string length) "\n"
+ "MaxClients " (number->string max-clients) "\n"
+ "LogLevel " (number->string log-level) "\n"
+ "BindFamily " (number->string bind) "\n")))
+
+(define (endlessh-shepherd-service config)
+ (shepherd-service
+ (documentation "Run endlessh tarpit server.")
+ (provision '(endlessh))
+ (start #~(make-forkexec-constructor
+ (list #$(file-append endlessh "/bin/endlessh")
+ "-f" #$(endlessh-config->conf config))))
+ (stop #~(make-kill-destructor))))
+
+(define endlessh-service-type
+ (service-type
+ (name 'endlessh)
+ (description "Run endlessh tarpit server.")
+ (extensions
+ (list (service-extension shepherd-root-service-type
+ (compose list endlessh-shepherd-service))))
+ (default-value (endlessh-configuration))))
+
+
;;;
;;; WebSSH
--
2.37.3
J
J
Joshua Branson wrote on 30 Sep 2022 10:08
(address . 39136@debbugs.gnu.org)
20220930170836.26828-1-jbranso@dismail.de
From: Nicolò Balzarotti <nicolo@nixo.xyz>

* gnu/services/ssh.scm: Add endlessh service
endlessh-configuration>): New record type.
(endlessh-config->conf, endlessh-shepherd-service, endlessh-service-type): New procedures.

* doc/guix.texi: added documnetation for the endlessh service.
---
doc/guix.texi | 60 ++++++++++++++++++++++++++++++++++++
gnu/services/ssh.scm | 73 ++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 133 insertions(+)

Toggle diff (164 lines)
diff --git a/doc/guix.texi b/doc/guix.texi
index 99f8ba6c54..9a1e2801dd 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -20393,6 +20393,66 @@ may cause undefined behaviour.
@end table
@end deftp
+@cindex Endlessh
+@deffn {Scheme Variable} endlessh-service-type
+This is the type for the @uref{https://github.com/skeeto/endlessh,
+Endlessh} service, which is an ssh tarbit. It delays ssh clients for
+days at a time by @emph{very slowly} sending a random and endless SSH
+banner. The smart hacker will run endlessh on port 22, and let crackers
+get stuck in this tarpit. This lets your real ssh server run more
+securely on a non-standard port.
+
+For example:
+
+@lisp
+(service endlessh-service-type
+ (endlessh-configuration
+ (port-number 22)))
+@end lisp
+
+@end deffn
+
+@deftp {Data Type} endlessh-configuration
+Data type representing the configuration for @code{endlessh-service}.
+@table @asis
+@item @code{package} (default: @var{endlessh})
+@code{endlessh} package to use.
+
+@item @code{bind-family} (default: @code{'(ipv4 ipv6)})
+This specifies if endlessh should use ipv4 and/or ipv6.
+
+@item @code{delay} (default: @code{10000})
+The endless banner is sent one line at a time. This is the delay
+in milliseconds between individual lines.
+
+@item @code{length} (default: @code{32})
+The length of each line is randomized. This controls the maximum length
+of each line. Shorter lines may keep clients on for longer if they give
+up after a certain number of bytes.
+
+@item @code{max-clients} (default: @code{4096})
+Maximum number of connections to accept at a time. Connections beyond
+this are not immediately rejected, but will wait in the queue.
+
+@item @code{port-number} (default: @code{2222})
+The port on which to listen for new SSH connections. Most users who
+want to use endlessh as intended should set this port number to
+@code{22}.
+
+@item @code{log-level} (default: @code{0})
+Set the detail level for the log.
+@table @asis
+@item 0 = Quiet
+@item 1 = Standard, useful log messages
+@item 2 = Very noisy debugging information
+@end table
+
+@item @code{syslog} (default: @code{#f})
+Print diagnostics to syslog instead of standard output
+
+@end table
+@end deftp
+
@cindex WebSSH
@deffn {Scheme Variable} webssh-service-type
This is the type for the @uref{https://webssh.huashengdun.org/, WebSSH}
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 72e7183590..2e547b63cd 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -58,6 +58,10 @@ (define-module (gnu services ssh)
autossh-configuration?
autossh-service-type
+ endlessh-configuration
+ endlessh-configuration?
+ endlessh-service-type
+
webssh-configuration
webssh-configuration?
webssh-service-type
@@ -802,6 +806,75 @@ (define autossh-service-type
autossh-service-activation)))
(default-value (autossh-configuration))))
+
+;;;
+;;; Endlessh.
+;;;
+
+(define-record-type* <endlessh-configuration>
+ endlessh-configuration make-endlessh-configuration
+ endlessh-configuration?
+ ;; list of two symbols, allowed values are ipv4, ipv6 or both
+ (bind-family endlessh-configuration-bind-family (default '(ipv4 ipv6)))
+ ;; integer
+ (delay endlessh-configuration-delay (default 10000))
+ ;; integer
+ ;; Must be in the range
+ (length endlessh-configuration-length (default 32))
+ ;; integer
+ (max-clients endlessh-configuration-max-clients (default 4096))
+ ;; integer
+ (port-number endlessh-configuration-port-number (default 2222))
+ ;; integer
+ ;; Allowed values are 0, 1 and 2
+ (log-level endlessh-configuration-log-level (default 0)))
+
+(define (endlessh-config->conf config)
+ "Convert the CONFIG of type <endlessh-config> to a config file."
+ (let* ((family (endlessh-configuration-bind-family config))
+ (ipv4 (member 'ipv4 family))
+ (ipv6 (member 'ipv6 family))
+ (port (endlessh-configuration-port-number config))
+ (delay (endlessh-configuration-delay config))
+ (length (endlessh-configuration-length config))
+ (log-level (endlessh-configuration-log-level config))
+ (max-clients (endlessh-configuration-max-clients config))
+ (bind
+ ;; check if both are true (0), or only one of them is present
+ (if (not (and (equal? ipv4 ipv6) ipv4))
+ (if ipv4 4
+ (if ipv6 6
+ (throw 'endlessh-error
+ "bind-family must contain at least one value")))
+ 0)))
+ (mixed-text-file "endlessh.conf"
+ "# Generated by 'endlessh-config'.\n\n"
+ "Port " (number->string port) "\n"
+ "Delay " (number->string delay) "\n"
+ "MaxLineLength " (number->string length) "\n"
+ "MaxClients " (number->string max-clients) "\n"
+ "LogLevel " (number->string log-level) "\n"
+ "BindFamily " (number->string bind) "\n")))
+
+(define (endlessh-shepherd-service config)
+ (shepherd-service
+ (documentation "Run endlessh tarpit server.")
+ (provision '(endlessh))
+ (start #~(make-forkexec-constructor
+ (list #$(file-append endlessh "/bin/endlessh")
+ "-f" #$(endlessh-config->conf config))))
+ (stop #~(make-kill-destructor))))
+
+(define endlessh-service-type
+ (service-type
+ (name 'endlessh)
+ (description "Run endlessh tarpit server.")
+ (extensions
+ (list (service-extension shepherd-root-service-type
+ (compose list endlessh-shepherd-service))))
+ (default-value (endlessh-configuration))))
+
+
;;;
;;; WebSSH
--
2.37.3
M
M
Maxim Cournoyer wrote on 31 Aug 2023 19:37
Re: bug#39136: [PATCH] gnu: services: Add endlessh.
(name . Joshua Branson)(address . jbranso@dismail.de)
875y4u7h69.fsf_-_@gmail.com
Hello,

Joshua Branson <jbranso@dismail.de> writes:

Toggle quote (20 lines)
> Oleg Pykhalov <go.wigust@gmail.com> writes:
>
>> Hello,
>>
>> I failed to test endlessh with "services: containerized endlessh" patch
>> in a virtual machine. Unfortunately at the moment I'm not familiar with
>> ‘make-forkexec-constructor/container’ machinery, and have no idea about
>> that causing the issue of boot hang. Failed VM config in attachment.
>>
>>
>>
>>
>> I succeeded to test without "services: containerized endlessh". If wish
>> to fix a problem, ping me then you done. Otherwise I could push a
>> working version without containerization.
>
> Oh, I suppose that I will try to get containerization working on this
> service. I'd prefer to have it containerized, since it is running as
> root.

This was 2 years ago :-). Any update?

--
Thanks,
Maxim
M
M
Maxim Cournoyer wrote on 31 Aug 2023 19:37
control message for bug #39136
(address . control@debbugs.gnu.org)
874jke7h65.fsf@gmail.com
tags 39136 + moreinfo
quit
J
J
jbranso wrote on 1 Sep 2023 11:42
Re: bug#39136: [PATCH] gnu: services: Add endlessh.
(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)
8e02c5bdc649f9d24708090e1217125e@dismail.de
August 31, 2023 10:37 PM, "Maxim Cournoyer" <maxim.cournoyer@gmail.com> wrote:

Toggle quote (23 lines)
> Hello,
>
> Joshua Branson <jbranso@dismail.de> writes:
>
>> Oleg Pykhalov <go.wigust@gmail.com> writes:
>>
>>> Hello,
>>>
>>> I failed to test endlessh with "services: containerized endlessh" patch
>>> in a virtual machine. Unfortunately at the moment I'm not familiar with
>>> ‘make-forkexec-constructor/container’ machinery, and have no idea about
>>> that causing the issue of boot hang. Failed VM config in attachment.
>>>
>>> I succeeded to test without "services: containerized endlessh". If wish
>>> to fix a problem, ping me then you done. Otherwise I could push a
>>> working version without containerization.
>>
>> Oh, I suppose that I will try to get containerization working on this
>> service. I'd prefer to have it containerized, since it is running as
>> root.
>
> This was 2 years ago :-). Any update?

If you are ok with a non-containerized endlessh, then I can submit a patch
adding that. Endlessh works on guix system, but I was not able to get
the containerized version working.

Toggle quote (4 lines)
>
> --
> Thanks,
> Maxim
M
M
Maxim Cournoyer wrote on 2 Sep 2023 11:10
(address . jbranso@dismail.de)
87il8sxx88.fsf@gmail.com
Hello,

jbranso@dismail.de writes:

Toggle quote (29 lines)
> August 31, 2023 10:37 PM, "Maxim Cournoyer" <maxim.cournoyer@gmail.com> wrote:
>
>> Hello,
>>
>> Joshua Branson <jbranso@dismail.de> writes:
>>
>>> Oleg Pykhalov <go.wigust@gmail.com> writes:
>>>
>>>> Hello,
>>>>
>>>> I failed to test endlessh with "services: containerized endlessh" patch
>>>> in a virtual machine. Unfortunately at the moment I'm not familiar with
>>>> ‘make-forkexec-constructor/container’ machinery, and have no idea about
>>>> that causing the issue of boot hang. Failed VM config in attachment.
>>>>
>>>> I succeeded to test without "services: containerized endlessh". If wish
>>>> to fix a problem, ping me then you done. Otherwise I could push a
>>>> working version without containerization.
>>>
>>> Oh, I suppose that I will try to get containerization working on this
>>> service. I'd prefer to have it containerized, since it is running as
>>> root.
>>
>> This was 2 years ago :-). Any update?
>
> If you are ok with a non-containerized endlessh, then I can submit a patch
> adding that. Endlessh works on guix system, but I was not able to get
> the containerized version working.

If you could make a system test to go with it, that'd be super! We can
always refine later with regard to containerization.

--
Thanks,
Maxim
?
Your comment

Commenting via the web interface is currently disabled.

To comment on this conversation send an email to 39136@patchwise.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 39136
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch