GNU bug report logs

#39136 [PATCH] gnu: services: Add endlessh.


Message #41 received at 39136@debbugs.gnu.org:

From: Joshua Branson <jbranso@dismail.de>
To: 39136@debbugs.gnu.org
Subject: [PATCH] * gnu: endlessh: new service
Date: Fri, 30 Sep 2022 13:08:36 -0400
Message-Id: <20220930170836.26828-1-jbranso@dismail.de>
X-Mailer: git-send-email 2.37.3
Cc: ludo@gnu.org, Nicolò Balzarotti <nicolo@nixo.xyz>
From: Nicolò Balzarotti <nicolo@nixo.xyz>

* gnu/services/ssh.scm: Add endlessh service.
(<endlessh-configuration>): New record type.
(endlessh-config->conf, endlessh-shepherd-service, endlessh-service-type): New procedures.

* doc/guix.texi: Add documentation for the endlessh service.
---
 doc/guix.texi        | 60 ++++++++++++++++++++++++++++++++++++
 gnu/services/ssh.scm | 73 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 133 insertions(+)

diff --git a/doc/guix.texi b/doc/guix.texi
index 99f8ba6c54..9a1e2801dd 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -20393,6 +20393,66 @@ may cause undefined behaviour.
 @end table
 @end deftp
 
+@cindex Endlessh
+@deffn {Scheme Variable} endlessh-service-type
+This is the type for the @uref{https://github.com/skeeto/endlessh,
+Endlessh} service, which is an ssh tarbit.  It delays ssh clients for
+days at a time by @emph{very slowly} sending a random and endless SSH
+banner.  The smart hacker will run endlessh on port 22, and let crackers
+get stuck in this tarpit.  This lets your real ssh server run more
+securely on a non-standard port.
+
+For example:
+
+@lisp
+(service endlessh-service-type
+  (endlessh-configuration
+    (port-number 22)))
+@end lisp
+
+@end deffn
+
+@deftp {Data Type} endlessh-configuration
+Data type representing the configuration for @code{endlessh-service}.
+@table @asis
+@item @code{package} (default: @var{endlessh})
+@code{endlessh} package to use.
+
+@item @code{bind-family} (default: @code{'(ipv4 ipv6)})
+This specifies if endlessh should use ipv4 and/or ipv6.
+
+@item @code{delay} (default: @code{10000})
+The endless banner is sent one line at a time. This is the delay
+in milliseconds between individual lines.
+
+@item @code{length} (default: @code{32})
+The length of each line is randomized. This controls the maximum length
+of each line. Shorter lines may keep clients on for longer if they give
+up after a certain number of bytes.
+
+@item @code{max-clients} (default: @code{4096})
+Maximum number of connections to accept at a time. Connections beyond
+this are not immediately rejected, but will wait in the queue.
+
+@item @code{port-number} (default: @code{2222})
+The port on which to listen for new SSH connections.  Most users who
+want to use endlessh as intended should set this port number to
+@code{22}.
+
+@item @code{log-level} (default: @code{0})
+Set the detail level for the log.
+@table @asis
+@item  0 = Quiet
+@item  1 = Standard, useful log messages
+@item  2 = Very noisy debugging information
+@end table
+
+@item @code{syslog} (default: @code{#f})
+Print diagnostics to syslog instead of standard output
+
+@end table
+@end deftp
+
 @cindex WebSSH
 @deffn {Scheme Variable} webssh-service-type
 This is the type for the @uref{https://webssh.huashengdun.org/, WebSSH}
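Review bot: the documented fields do not match the record type introduced in the ssh.scm hunk. `@item @code{package} (default: @var{endlessh})` and `@item @code{syslog} (default: @code{#f})` describe fields that `<endlessh-configuration>` does not define, so a user who copies them into an `endlessh-configuration` form gets a configuration error instead of the behaviour described here; either add the two fields to the record (and wire `package` into the shepherd constructor and `syslog` through to the daemon) or drop the two entries. Smaller points in the same hunk: `Data type representing the configuration for @code{endlessh-service}` should name `endlessh-service-type`, since that is the variable being documented; `ssh tarbit` should read `ssh tarpit`; and the sentence claiming that moving the real sshd to a non-standard port lets it `run more securely` overstates what a tarpit buys: it wastes scanners' time and cuts log noise, it does not reduce sshd's attack surface, so consider toning that sentence down.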
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 72e7183590..2e547b63cd 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -58,6 +58,10 @@ (define-module (gnu services ssh)
             autossh-configuration?
             autossh-service-type
 
+            endlessh-configuration
+            endlessh-configuration?
+            endlessh-service-type
+
             webssh-configuration
             webssh-configuration?
             webssh-service-type
@@ -802,6 +806,75 @@ (define autossh-service-type
                              autossh-service-activation)))
    (default-value (autossh-configuration))))
 
+
+;;;
+;;; Endlessh.
+;;;
+
+(define-record-type* <endlessh-configuration>
+  endlessh-configuration make-endlessh-configuration
+  endlessh-configuration?
+  ;; list of two symbols, allowed values are ipv4, ipv6 or both
+  (bind-family endlessh-configuration-bind-family (default '(ipv4 ipv6)))
+  ;; integer
+  (delay endlessh-configuration-delay (default 10000))
+  ;; integer
+  ;; Must be in the range
+  (length endlessh-configuration-length (default 32))
+  ;; integer
+  (max-clients endlessh-configuration-max-clients (default 4096))
+  ;; integer
+  (port-number endlessh-configuration-port-number (default 2222))
+  ;; integer
+  ;; Allowed values are 0, 1 and 2
+  (log-level endlessh-configuration-log-level (default 0)))
+
+(define (endlessh-config->conf config)
+  "Convert the CONFIG of type <endlessh-config> to a config file."
+  (let* ((family (endlessh-configuration-bind-family config))
+	 (ipv4 (member 'ipv4 family))
+	 (ipv6 (member 'ipv6 family))
+	 (port (endlessh-configuration-port-number config))
+	 (delay (endlessh-configuration-delay config))
+	 (length (endlessh-configuration-length config))
+	 (log-level (endlessh-configuration-log-level config))
+	 (max-clients (endlessh-configuration-max-clients config))
+	 (bind
+	  ;; check if both are true (0), or only one of them is present
+	  (if (not (and (equal? ipv4 ipv6) ipv4))
+	      (if ipv4 4
+		  (if ipv6 6
+		      (throw 'endlessh-error
+			     "bind-family must contain at least one value")))
+	      0)))
+    (mixed-text-file "endlessh.conf"
+		     "# Generated by 'endlessh-config'.\n\n"
+		     "Port " (number->string port) "\n"
+		     "Delay " (number->string delay) "\n"
+		     "MaxLineLength " (number->string length) "\n"
+		     "MaxClients " (number->string max-clients) "\n"
+		     "LogLevel " (number->string log-level) "\n"
+		     "BindFamily " (number->string bind) "\n")))
+
+(define (endlessh-shepherd-service config)
+  (shepherd-service
+   (documentation "Run endlessh tarpit server.")
+   (provision '(endlessh))
+   (start #~(make-forkexec-constructor
+	     (list #$(file-append endlessh "/bin/endlessh")
+		   "-f" #$(endlessh-config->conf config))))
+   (stop  #~(make-kill-destructor))))
+
+(define endlessh-service-type
+  (service-type
+   (name 'endlessh)
+   (description "Run endlessh tarpit server.")
+   (extensions
+    (list (service-extension shepherd-root-service-type
+                             (compose list endlessh-shepherd-service))))
+   (default-value (endlessh-configuration))))
+
+
 
 ;;;
 ;;; WebSSH
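Review bot: the `BindFamily` computation in `endlessh-config->conf` never yields 0, so the dual-stack default silently listens on IPv4 only. `member` returns the tail of the list starting at the match, so with the default `'(ipv4 ipv6)` the binding `ipv4` is `(ipv4 ipv6)` and `ipv6` is `(ipv6)`; `(equal? ipv4 ipv6)` is therefore #f whenever both symbols are present, the `(not (and (equal? ipv4 ipv6) ipv4))` test is true, and the `(if ipv4 4 ...)` branch writes `BindFamily 4`. The `0` branch is only reachable when the two `member` results are `equal?`, which two distinct symbols never produce. Replace the nested `if`s with a `cond` that tests presence directly: `(cond ((and ipv4 ipv6) 0) (ipv4 4) (ipv6 6) (else (throw 'endlessh-error "bind-family must contain at least one value")))`. Other points in this hunk: `make-forkexec-constructor` is called without `#:user`/`#:group`, so a daemon whose entire purpose is to hold open connections from untrusted Internet clients runs as root; at minimum the documentation should say so, and a dedicated unprivileged account is worth considering (binding to 22 then needs another arrangement). The docstring says `<endlessh-config>` where the type is `<endlessh-configuration>`; the comment `;; Must be in the range` above `length` is unfinished and should state the range or be removed; the package is hard-coded as `endlessh` in `file-append` even though the texinfo hunk documents a `package` field; and the two added blank lines before the existing one leave three in a row before the WebSSH section.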
-- 
2.37.3





debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Tue Jan 7 02:43:53 2025; Machine Name: wallace-server
