GNU bug report logs

#39136 [PATCH] gnu: services: Add endlessh.


Message #38 received at 39136@debbugs.gnu.org:

From: Joshua Branson <jbranso@dismail.de>
To: 39136@debbugs.gnu.org
Subject: [PATCH] * gnu: endlessh: new service
Date: Fri, 30 Sep 2022 13:03:01 -0400
Message-Id: <20220930170301.21324-1-jbranso@dismail.de>
X-Mailer: git-send-email 2.37.3
Cc: ludo@gnu.org, Nicolò Balzarotti <nicolo@nixo.xyz>
From: Nicolò Balzarotti <nicolo@nixo.xyz>

Here is an attempted merger of patch 1 and 2.  I hope that it applies
cleanly to master, but if it does not, please let me know!

Thanks!

Joshua

* gnu/services/ssh.scm: Add endlessh service
(<endlessh-configuration>): New record type.
(endlessh-config->conf, endlessh-shepherd-service, endlessh-service-type): New procedures.

* doc/guix.texi: Add documentation for the endlessh service.
---
 doc/guix.texi        | 60 ++++++++++++++++++++++++++++++++++++
 gnu/services/ssh.scm | 73 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 133 insertions(+)

diff --git a/doc/guix.texi b/doc/guix.texi
index 99f8ba6c54..9a1e2801dd 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -20393,6 +20393,66 @@ may cause undefined behaviour.
 @end table
 @end deftp
 
+@cindex Endlessh
+@deffn {Scheme Variable} endlessh-service-type
+This is the type for the @uref{https://github.com/skeeto/endlessh,
+Endlessh} service, which is an ssh tarbit.  It delays ssh clients for
+days at a time by @emph{very slowly} sending a random and endless SSH
+banner.  The smart hacker will run endlessh on port 22, and let crackers
+get stuck in this tarpit.  This lets your real ssh server run more
+securely on a non-standard port.
+
+For example:
+
+@lisp
+(service endlessh-service-type
+  (endlessh-configuration
+    (port-number 22)))
+@end lisp
+
+@end deffn
+
+@deftp {Data Type} endlessh-configuration
+Data type representing the configuration for @code{endlessh-service}.
+@table @asis
+@item @code{package} (default: @var{endlessh})
+@code{endlessh} package to use.
+
+@item @code{bind-family} (default: @code{'(ipv4 ipv6)})
+This specifies if endlessh should use ipv4 and/or ipv6.
+
+@item @code{delay} (default: @code{10000})
+The endless banner is sent one line at a time. This is the delay
+in milliseconds between individual lines.
+
+@item @code{length} (default: @code{32})
+The length of each line is randomized. This controls the maximum length
+of each line. Shorter lines may keep clients on for longer if they give
+up after a certain number of bytes.
+
+@item @code{max-clients} (default: @code{4096})
+Maximum number of connections to accept at a time. Connections beyond
+this are not immediately rejected, but will wait in the queue.
+
+@item @code{port-number} (default: @code{2222})
+The port on which to listen for new SSH connections.  Most users who
+want to use endlessh as intended should set this port number to
+@code{22}.
+
+@item @code{log-level} (default: @code{0})
+Set the detail level for the log.
+@table @asis
+@item  0 = Quiet
+@item  1 = Standard, useful log messages
+@item  2 = Very noisy debugging information
+@end table
+
+@item @code{syslog} (default: @code{#f})
+Print diagnostics to syslog instead of standard output
+
+@end table
+@end deftp
+
 @cindex WebSSH
 @deffn {Scheme Variable} webssh-service-type
 This is the type for the @uref{https://webssh.huashengdun.org/, WebSSH}
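Review bot: the manual documents two fields that the record type in this same patch does not have: "@item @code{package} (default: @var{endlessh})" and "@item @code{syslog} (default: @code{#f})". <endlessh-configuration> defines neither, and endlessh-config->conf never writes a Syslog line, so a user who sets (package ...) or (syslog #t) gets a build-time error instead of the documented behaviour. Either add both fields to the record (and make the shepherd service use the package field) or drop them from this @table. Smaller points in the same hunk: "which is an ssh tarbit" should read "tarpit"; "configuration for @code{endlessh-service}" should name @code{endlessh-service-type}, which is the variable actually exported; and the sentence claiming that running the tarpit on port 22 "lets your real ssh server run more securely on a non-standard port" overstates the benefit, since moving sshd to another port only cuts down scanner noise in its logs and is not a security control by itself, so I would reword it to say exactly that.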
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 72e7183590..2e547b63cd 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -58,6 +58,10 @@ (define-module (gnu services ssh)
             autossh-configuration?
             autossh-service-type
 
+            endlessh-configuration
+            endlessh-configuration?
+            endlessh-service-type
+
             webssh-configuration
             webssh-configuration?
             webssh-service-type
@@ -802,6 +806,75 @@ (define autossh-service-type
                              autossh-service-activation)))
    (default-value (autossh-configuration))))
 
+
+;;;
+;;; Endlessh.
+;;;
+
+(define-record-type* <endlessh-configuration>
+  endlessh-configuration make-endlessh-configuration
+  endlessh-configuration?
+  ;; list of two symbols, allowed values are ipv4, ipv6 or both
+  (bind-family endlessh-configuration-bind-family (default '(ipv4 ipv6)))
+  ;; integer
+  (delay endlessh-configuration-delay (default 10000))
+  ;; integer
+  ;; Must be in the range
+  (length endlessh-configuration-length (default 32))
+  ;; integer
+  (max-clients endlessh-configuration-max-clients (default 4096))
+  ;; integer
+  (port-number endlessh-configuration-port-number (default 2222))
+  ;; integer
+  ;; Allowed values are 0, 1 and 2
+  (log-level endlessh-configuration-log-level (default 0)))
+
+(define (endlessh-config->conf config)
+  "Convert the CONFIG of type <endlessh-config> to a config file."
+  (let* ((family (endlessh-configuration-bind-family config))
+	 (ipv4 (member 'ipv4 family))
+	 (ipv6 (member 'ipv6 family))
+	 (port (endlessh-configuration-port-number config))
+	 (delay (endlessh-configuration-delay config))
+	 (length (endlessh-configuration-length config))
+	 (log-level (endlessh-configuration-log-level config))
+	 (max-clients (endlessh-configuration-max-clients config))
+	 (bind
+	  ;; check if both are true (0), or only one of them is present
+	  (if (not (and (equal? ipv4 ipv6) ipv4))
+	      (if ipv4 4
+		  (if ipv6 6
+		      (throw 'endlessh-error
+			     "bind-family must contain at least one value")))
+	      0)))
+    (mixed-text-file "endlessh.conf"
+		     "# Generated by 'endlessh-config'.\n\n"
+		     "Port " (number->string port) "\n"
+		     "Delay " (number->string delay) "\n"
+		     "MaxLineLength " (number->string length) "\n"
+		     "MaxClients " (number->string max-clients) "\n"
+		     "LogLevel " (number->string log-level) "\n"
+		     "BindFamily " (number->string bind) "\n")))
+
+(define (endlessh-shepherd-service config)
+  (shepherd-service
+   (documentation "Run endlessh tarpit server.")
+   (provision '(endlessh))
+   (start #~(make-forkexec-constructor
+	     (list #$(file-append endlessh "/bin/endlessh")
+		   "-f" #$(endlessh-config->conf config))))
+   (stop  #~(make-kill-destructor))))
+
+(define endlessh-service-type
+  (service-type
+   (name 'endlessh)
+   (description "Run endlessh tarpit server.")
+   (extensions
+    (list (service-extension shepherd-root-service-type
+                             (compose list endlessh-shepherd-service))))
+   (default-value (endlessh-configuration))))
+
+
 
 ;;;
 ;;; WebSSH
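Review bot: the "bind" computation in endlessh-config->conf can never yield 0, so the default bind-family '(ipv4 ipv6) is written out as "BindFamily 4" and IPv6 is silently disabled. member returns the tail of the list starting at the match, so with the default family ipv4 is '(ipv4 ipv6) and ipv6 is '(ipv6); those are not equal?, (not (and (equal? ipv4 ipv6) ipv4)) is therefore #t, and evaluation falls into (if ipv4 4 ...). The only input for which (equal? ipv4 ipv6) holds is both being #f, which is the error path. Replace the nested ifs with a cond: (cond ((and ipv4 ipv6) 0) (ipv4 4) (ipv6 6) (else (error "bind-family must contain ipv4, ipv6 or both"))), which also gives a clearer failure than (throw 'endlessh-error "...") with a bare string. Other points in this hunk: endlessh-shepherd-service hardcodes (file-append endlessh "/bin/endlessh"), so add a (package endlessh-configuration-package (default endlessh)) field, as the texinfo hunk already documents, and use (endlessh-configuration-package config) there; the let* bindings named length and delay shadow the standard procedure and special form of the same names, so something like line-length and line-delay reads better; the comment ";; Must be in the range" on the length field is unfinished and should state the accepted range, ideally with a check before the value is written to the file; the daemon is started as root with no #:user or #:group on make-forkexec-constructor, and since a tarpit only needs to own its listening socket a dedicated unprivileged account is worth considering (with the caveat that the documented port 22 is privileged); and the two added blank lines after endlessh-service-type plus the existing blank line leave three blank lines before the WebSSH section, where the autossh block above uses one.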
-- 
2.37.3







debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Tue Jan 7 02:39:02 2025; Machine Name: wallace-server
