GNU bug report logs

#39136 [PATCH] gnu: services: Add endlessh.


Message #14 received at 39136@debbugs.gnu.org:

From: Joshua Branson <jbranso@dismail.de>
To: 39136@debbugs.gnu.org
Subject: [PATCH 2/2] services: containerized endlessh
Date: Mon, 15 Mar 2021 12:29:49 -0400
Message-Id: <20210315162949.17092-2-jbranso@dismail.de>
X-Mailer: git-send-email 2.30.0
In-Reply-To: <20210315162949.17092-1-jbranso@dismail.de>
References: <20210315162949.17092-1-jbranso@dismail.de>
Cc: Joshua Branson <jbranso@dismail.de>
doc: endlessh service documentation.

* doc/guix.texi (Networking Services): New endlessh-service-type section.

services: containerized endlessh

* gnu/services/ssh.scm (endlessh-config->conf): make-forkexec-constructor ->
make-forkexec-constructor/container. and attempted to enable logging to syslog.
  (define-record-type* <endlessh-configuration>)
  move default values of endlessh configuration to separate line.
  Add copyright line for Nicolo.
---
 doc/guix.texi        | 60 ++++++++++++++++++++++++++++++++++++++++++++
 gnu/services/ssh.scm | 35 ++++++++++++++++++--------
 2 files changed, 85 insertions(+), 10 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 464c1141d8..38807b3069 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -17081,6 +17081,66 @@ may cause undefined behaviour.
 @end table
 @end deftp
 
+@cindex Endlessh
+@deffn {Scheme Variable} endlessh-service-type
+This is the type for the @uref{https://github.com/skeeto/endlessh,
+Endlessh} program that delays ssh clients for days at a time by
+@emph{very slowly} sending a random and endless SSH banner.  The smart
+hacker will put endlessh running on port 22, and let crackers get stuck
+in this tarpit.  This lets your real ssh server run more securely on a
+non-standard port.
+
+For example:
+
+@lisp
+(service endlessh-service-type
+  (endlessh-configuration
+    (port-number 22)))
+@end lisp
+
+@end deffn
+
+@deftp {Data Type} endlessh-configuration
+Data type representing the configuration for @code{endlessh-service}.
+@table @asis
+@item @code{package} (default: @var{endlessh})
+@code{endlessh} package to use.
+
+@item @code{bind-family} (default: @code{'(ipv4 ipv6)})
+This specifies if endlessh should use ipv4 and/or ipv6.
+
+@item @code{delay} (default: @code{10000})
+The endless banner is sent one line at a time. This is the delay
+in milliseconds between individual lines.
+
+@item @code{length} (default: @code{32})
+The length of each line is randomized. This controls the maximum length
+of each line. Shorter lines may keep clients on for longer if they give
+up after a certain number of bytes.
+
+@item @code{max-clients} (default: @code{4096})
+Maximum number of connections to accept at a time. Connections beyond
+this are not immediately rejected, but will wait in the queue.
+
+@item @code{port-number} (default: @code{2222})
+The port on which to listen for new SSH connections.  Most users who
+want to use endlessh as intended should set this port number to
+@code{22}.
+
+@item @code{log-level} (default: @code{0})
+Set the detail level for the log.
+@table @asis
+@item  0 = Quiet
+@item  1 = Standard, useful log messages
+@item  2 = Very noisy debugging information
+@end table
+
+@item @code{syslog} (default: @code{#f})
+Print diagnostics to syslog instead of standard output
+
+@end table
+@end deftp
+
 @cindex WebSSH
 @deffn {Scheme Variable} webssh-service-type
 This is the type for the @uref{https://webssh.huashengdun.org/, WebSSH}
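Review bot: the `@item @code{syslog} (default: @code{#f})` entry documents a field that the `<endlessh-configuration>` record in the ssh.scm hunk does not have; as the code stands, `-s` is passed whenever `log-level` is positive, so a user who writes `(syslog #t)` gets an unknown-field error and a user who sets `(log-level 1)` gets syslog output whether they wanted it or not. Either add the field to the record and drive `-s` from it, or drop this item and say under `log-level` that a non-zero level redirects diagnostics to syslog. The `package` item is likewise not among the fields visible in the record hunk, so confirm that one exists before documenting a default of `@var{endlessh}`.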
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index aad9bbc754..838655cf2c 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -6,6 +6,8 @@
 ;;; Copyright © 2019 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2020 pinoaffe <pinoaffe@airmail.cc>
 ;;; Copyright © 2020 Oleg Pykhalov <go.wigust@gmail.com>
+;;; Copyright © 2020 Nicolò Balzarotti <nicolo@nixo.xyz>
+;;; Copyright @ 2021 Joshua Branson <jbranso@dismail.de>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
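Review bot: the new line `;;; Copyright @ 2021 Joshua Branson <jbranso@dismail.de>` uses `@` where every other line in the header uses the `©` sign; change it to `;;; Copyright © 2021 Joshua Branson <jbranso@dismail.de>` so the header stays uniform and greppable.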
@@ -752,19 +754,25 @@ object."
   endlessh-configuration make-endlessh-configuration
   endlessh-configuration?
   ;; list of two symbols, allowed values are ipv4, ipv6 or both
-  (bind-family endlessh-configuration-bind-family (default '(ipv4 ipv6)))
+  (bind-family endlessh-configuration-bind-family
+               (default '(ipv4 ipv6)))
   ;; integer
-  (delay endlessh-configuration-delay (default 10000))
+  (delay endlessh-configuration-delay
+         (default 10000))
   ;; integer
   ;; Must be in the range
-  (length endlessh-configuration-length (default 32))
+  (length endlessh-configuration-length
+          (default 32))
   ;; integer
-  (max-clients endlessh-configuration-max-clients (default 4096))
+  (max-clients endlessh-configuration-max-clients
+               (default 4096))
   ;; integer
-  (port-number endlessh-configuration-port-number (default 2222))
+  (port-number endlessh-configuration-port-number
+               (default 2222))
   ;; integer
   ;; Allowed values are 0, 1 and 2
-  (log-level endlessh-configuration-log-level (default 0)))
+  (log-level endlessh-configuration-log-level
+             (default 0)))
 
 (define (endlessh-config->conf config)
   "Convert the CONFIG of type <endlessh-config> to a config file."
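Review bot: this hunk only reflows the `(default ...)` clauses onto their own lines, yet the commit message promises syslog logging and the texinfo hunk documents a `syslog` field; no such field is added to `<endlessh-configuration>` here, so `(endlessh-configuration (syslog #t))` is rejected by the record constructor. Add `(syslog endlessh-configuration-syslog (default #f))` with a `;; boolean` comment, or remove the documentation item. While touching the `length` field, the context comment `;; Must be in the range` still names no range; either state it or delete the comment. The cosmetic reflow itself is unrelated to the subject of the patch and would be easier to review as its own commit.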
@@ -797,15 +805,22 @@ object."
   (shepherd-service
    (documentation "Run endlessh tarpit server.")
    (provision '(endlessh))
-   (start #~(make-forkexec-constructor
-	     (list #$(file-append endlessh "/bin/endlessh")
-		   "-f" #$(endlessh-config->conf config))))
+   (start #~(make-forkexec-constructor/container
+	     `(list #$(file-append endlessh "/bin/endlessh")
+                    ,(if (positive? (endlessh-configuration-log-level config))
+                         "-s"
+                         "")
+		    "-f" #$(endlessh-config->conf config))))
    (stop  #~(make-kill-destructor))))
 
 (define endlessh-service-type
   (service-type
    (name 'endlessh)
-   (description "Run endlessh tarpit server.")
+   (description "Endlessh is an SSH tarpit that very slowly sends an endless,
+random SSH banner. It keeps SSH clients locked up for hours or even days at a
+time. The purpose is to put your real SSH server on another port and then let
+the script kiddies get stuck in this tarpit instead of bothering a real
+server.")
    (extensions
     (list (service-extension shepherd-root-service-type
                              (compose list endlessh-shepherd-service))))
-- 
2.30.0


debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Tue Jan 7 02:27:56 2025; Machine Name: wallace-server

GNU bug tracking system